The Joomla! Extensions Directory ™

Brute Force Stop ComponentPlugin

This plugin provides means to avert Brute-Force-Attacks on your Joomla-Installation. For this purpose, the plugin stores information on failed login attempts, so that when reaching a configurable number of such failed login attempts the attacker's IP address can be blocked. Furthermore, you can configure notifications about failed logins and blocked IP addresses, as well as a configurable (optionally even adaptive) delay for a failed login attempt.

The component included in the package will allow you to view the blocked IP addresses and manage them, manage whitelists of IP addresses which will never be blocked, viewing failed log attempts and testing the notification.

New in Version 1.3.0:
- Allow showing IP address in blocked message
- Show hint to use reset password functionality
- small fixes

For a full list of changes in each version see the Changelog at

- pt-PT/pt-BR translations and various fixes by solrac (comproperty247(at)
- ca-ES translations by nouespai
- fr-FR translations by Flying_Lolo
- nl-NL translations and various fixes by Rob van Baal (info(at)
- es-ES translations by Aimagen (info(at)
- ru-RU translations by Raven (ravencrow(at)
- it-IT translations and various fixes by Stefano Buscaglia (info(at)
- old nl-NL translations by Agrusoft

Report Extension



Reviews: 2
I have used this extension for a while. It is great one, work as expected. It is also easy to set up. Now I used it on all of my sites. Thanks developer for your effort.
Reviews: 1
All I can say is that this program works great. Has stopped many login attempts from the back end which were clearly attempted attacks. I can then block IP address's permanently so I don't have to worry about repeated attempts. Had a question for developer and got an instant response. Thanks for a great extension.
Reviews: 2
This is a great component addition to Joomla. There are others that I have reviewed but this is my favorite and I install it on all Joomla sites I create. The support is also "second to none". Bernard goes way out of the way to support this. To have the level of support he provides for a free product is just amazing. I am trying to find out how to make a donation today.

Thank you Bernard!
Reviews: 5
This extension is now part of my standard installations. Simple to use, simple to install. All good!
Reviews: 5
Very appreciative of this developer's work, creating a critically important element to safeguard sites built using Joomla CMS. Easy install, and does what it says it will do. I would suggest some slight modifications to the language, to make it easier for sitebuilders and marketers to understand how to use it (as opposed to developers, who appreciate the challenge of figuring out what all the toggles do). Great job, now on my list of "must-have" extensions.
Owner's reply

Thank you very much for your feedback! Suggestions for language changes are always welcome. Being a developer, it is hard for me to think as a sitebuilder and/or marketer. I would therefore be very glad to hear more about your suggestions! Please contact me via mail ( or report an issue ( if you're interested in contributing!

Reviews: 7
Simple and easy install. Had problems with constant attempts at back-end. Before was using .htaccess and manually adding. This is just what I need. One feature I think would be helpful would be a way to whitelist IPs.

Thanks again!
Owner's reply

Thanks for your favourable review! A whitelist (for single IP addresses) is now available with version 1.1.0!

Reviews: 3
I have to say that I've tried other plugins and this is one of the best I've had. Great work doing this. The first day I got 20 people trying to log in...and what's great about this program it tells us who their trying to log in as. I would recommend this plugin to everyone. I've had no problems.
Thanks for this great plugin.
Reviews: 1
This is a great plugin. However a couple of things needed: for example removing a blocked ip from the failed login section.
Also, somehow I ended up blocking myself from the frontend when I put in the settings frontend/backend. I did not have failed logins and am not sure how I got blocked. But regardless, I went into the database and deleted my ip entry and it is still blocking me.
Not sure what happened nor why it is not unblocking me.
Owner's reply

Thanks for taking the time to write a review!
Regarding your problems with my extension, I would ask you to file a bug report at, or to contact me at so that we can discuss further steps to resolve these!
Furthermore I'm not sure I understand your comment about the removal of blocked IPs from the failed login section - the failed login list is supposed to be a log of all failed login attempts; one of its main purposes is to allow the administrator to see why an IP was blocked. If entries are removed from there once an IP is blocked, the administrator would have no opportunity to check these anymore! By the way there is a pending enhancement request to remove old entries ( If this is not what you had in mind (and also for other enhancement you think necessary), please go ahead and file a feature request (as an issue, also at! I can't guarantee that they will be implemented, but such requests will definitely be considered for future versions!

Reviews: 10
I agree with other reviewers; this is really good; does exactly what it says and yes, it should be part of Joomla! core.

Having said that, I can confirm the issue with Joomla 3.1.4 - uninstall it before upgrading Joomla. Hoping an update to BFStop isn't long in the pipeline. i will certainly installing it :-)
Reviews: 4
Other extensions typically just change the URL, which is fine but not enough for me.

I like bfstop for my sites where I didn't want to change URL because re-training users wasn't worth the pain.

The ability to tune the notification frequency and when an IP is blocked is great.

I like that he warns you also if you have your super admin set to "admin" and the newer additions of the administration component to view which IPs are block and the usernames they tried.

For straight up brute force protection, this is best extension out there.
Reviews: 5
Excellent, this will save me a lot of time. I have been blocking IP's using blacklists that I manually update, either using .htaccess or in firewall rules.

Works instantly in real time on 2.5 sites using the standard Joomla login, on Community Builder sites I'm using the CB Antispam plugin instead.

Reviews: 3
I think this should be integrated into the Joomla! core. It works exactly as advertised, is very configurable, and solves a very serious problem facing Joomla administrators.
Reviews: 2
Easy to install, easy to configure (if you read the instructions) and worked within 5 minutes. Highly recommend.
Reviews: 11
After some problems wirh Joomla 3 wich are corected in this version it works right away. After installing this version and setting the number of attempts the first block was a fact in a matter of seconds. Amazing how many people are hammering your website. Now they are all blocked automaticly.

Put it on your must-have list, because it is a must have once you see what's happening on your website's login.
Reviews: 9
This does exactly what it says, and has many options to do it even better. Thank you!
Reviews: 1
Great extension! It is easy to install an easy to use. With auto IP block i do not need to add custom htaccess lines anymore. Personal thanks to developers!
Reviews: 2
It is the best plugin. Fast, easy and secure ... congratulations!.
Reviews: 1
Thank you very much for this very useful plugin! Especially because there are a lot of Brute Force Attacks against Joomla websites at the moment.

Best regards!
Reviews: 8
I sought this out because I run a server that hosts a couple hundred websites with Joomla in place. After analyzing my apache logs I noticed that brute force attempts were very common.

While my company sticks to pretty strong security policies such as never having an "admin" account and a daily password change ( yes, daily.. automated password changes ) .. I still don't like the idea of someone sending hundreds of POST requests per hour trying to break into one of our sites.

I had written a script to analyze the apache logs for x number of POST requests in an hour to ban them from the server ENTIRELY but while that's been successful.. it's had one or two false positives and it still doesn't prevent someone from getting in a hundred or so tries before the script catches them.

In comes this plugin! I love it because it's more specific, it doesn't just count POSTs per hour it counts failed login attempts in a row and allows you to temp ban them as well as get notified.. I have it set up to ban after only 4 attempts for a period of an hour which I think is fair.. I get notified so if I see abuse I can permanently ban them myself.

Great job! I'm glad I found it so I didn't have to write it myself =)
Reviews: 1
Thank You for this plugin! IT is awsome and works! Great!
God bless You!
Owner's reply

Thank you for taking the time to write a review!
If you should have any questions, problems or enhancement requests, just go over to!