Welcome to the new directory. If you find a bug, please report it on our Issue Tracker.

Arrow up
Arrow down

Joomla! Extensions Directory


This plugin provides means to avert Brute-Force-Attacks on your Joomla-Installation. For this purpose, the plugin stores information on failed login attempts, so that when reaching a configurable number of such failed login attempts the attacker's IP address can be blocked. Furthermore, you can configure notifications about failed logins and blocked IP addresses, as well as a configurable (optionally even adaptive) delay for a failed login attempt.

  • Get this

The component included in the package will allow you to view the blocked IP addresses and manage them, manage whitelists of IP addresses which will never be blocked, viewing failed log attempts and testing the notification.

New in Version 1.3.0:
- Allow showing IP address in blocked message
- Show hint to use reset password functionality
- small fixes

For a full list of changes in each version see the Changelog at https://github.com/codeling/bfstop/blob/master/CHANGELOG

- pt-PT/pt-BR translations and various fixes by solrac (comproperty247(at)gmail.com)
- ca-ES translations by nouespai
- fr-FR translations by Flying_Lolo
- nl-NL translations and various fixes by Rob van Baal (info(at)fischertechnikclub.nl/http://www.fischertechnikclub.nl)
- es-ES translations by Aimagen (info(at)aimagen.com)
- ru-RU translations by Raven (ravencrow(at)mail.ru)
- it-IT translations and various fixes by Stefano Buscaglia (info(at)binarioetico.org/http://www.binarioetico.org)
- old nl-NL translations by Agrusoft

Should be Joomla core

Posted on 14 October 2014

I'm not sure what the likelihood is of someone actually succeeding in logging in to a site, but the idea scared me when I saw the number of attempts to access my site's Apache server. After The first day after installing BFStop, I got so many notices of failed attempts that I set it to send me only 1 message a day and to block the IP permanently after 5 failed attempts. Pretty much all attempts are to the usernames 'admin', 'administrator', or a variation of the url, so I suggest eliminating those even if you don't install BFStop. This extension is easy to understand and implement, and worked without a glitch for me.

This should be Core!

Posted on 30 September 2014

I was unaware that these attacks were happening. When I checked my daughter's site, she had admin accounts that no one could explain. After installing Brute Force Stop, I have seen and blocked 4 attacks in about 2 weeks. The IP is blacklisted now automatically and I suspect the problem is solved. Of course a tight user name and password help tremendously, but Brute force stop bats clean-up. Great Job. This extension should be in the Joomla Core.

Good extension

Posted on 07 June 2014

I have used this extension for a while. It is great one, work as expected. It is also easy to set up. Now I used it on all of my sites. Thanks developer for your effort.

Brute Force Stop

Posted on 02 June 2014

All I can say is that this program works great. Has stopped many login attempts from the back end which were clearly attempted attacks. I can then block IP address's permanently so I don't have to worry about repeated attempts. Had a question for developer and got an instant response. Thanks for a great extension.

This is a great component addition to Joomla. There are others that I have reviewed but this is my favorite and I install it on all Joomla sites I create. The support is also "second to none". Bernard goes way out of the way to support this. To have the level of support he provides for a free product is just amazing. I am trying to find out how to make a donation today.

Thank you Bernard!


This extension is now part of my standard installations. Simple to use, simple to install. All good!

Very appreciative of this developer's work, creating a critically important element to safeguard sites built using Joomla CMS. Easy install, and does what it says it will do. I would suggest some slight modifications to the language, to make it easier for sitebuilders and marketers to understand how to use it (as opposed to developers, who appreciate the challenge of figuring out what all the toggles do). Great job, now on my list of "must-have" extensions.

Owner's reply: Thank you very much for your feedback! Suggestions for language changes are always welcome. Being a developer, it is hard for me to think as a sitebuilder and/or marketer. I would therefore be very glad to hear more about your suggestions! Please contact me via mail (bfstop@bfroehler.info) or report an issue (https://github.com/codeling/bfstop/issues) if you're interested in contributing!

Stops attempts cold

Posted on 02 December 2013

Simple and easy install. Had problems with constant attempts at back-end. Before was using .htaccess and manually adding. This is just what I need. One feature I think would be helpful would be a way to whitelist IPs.

Thanks again!

Owner's reply: Thanks for your favourable review! A whitelist (for single IP addresses) is now available with version 1.1.0!

Great Plugin

Posted on 07 November 2013

I have to say that I've tried other plugins and this is one of the best I've had. Great work doing this. The first day I got 20 people trying to log in...and what's great about this program it tells us who their trying to log in as. I would recommend this plugin to everyone. I've had no problems.

Thanks for this great plugin.

blocked myself out

Posted on 07 August 2013

This is a great plugin. However a couple of things needed: for example removing a blocked ip from the failed login section.

Also, somehow I ended up blocking myself from the frontend when I put in the settings frontend/backend. I did not have failed logins and am not sure how I got blocked. But regardless, I went into the database and deleted my ip entry and it is still blocking me.

Not sure what happened nor why it is not unblocking me.


Owner's reply: Thanks for taking the time to write a review!
Regarding your problems with my extension, I would ask you to file a bug report at https://github.com/codeling/bfstop/issues, or to contact me at bfstop@bfroehler.info so that we can discuss further steps to resolve these!
Furthermore I'm not sure I understand your comment about the removal of blocked IPs from the failed login section - the failed login list is supposed to be a log of all failed login attempts; one of its main purposes is to allow the administrator to see why an IP was blocked. If entries are removed from there once an IP is blocked, the administrator would have no opportunity to check these anymore! By the way there is a pending enhancement request to remove old entries (https://github.com/codeling/bfstop/issues/37). If this is not what you had in mind (and also for other enhancement you think necessary), please go ahead and file a feature request (as an issue, also at https://github.com/codeling/bfstop/issues)! I can't guarantee that they will be implemented, but such requests will definitely be considered for future versions!

Brute Force Stop

Bernhard Froehler
Date added:
Nov 19 2014
GPLv2 or later
Free download
Uses updater:
2.5 3
Download DemoNot available Support Documentation
  • Overall
  • Functionality

  • Ease of use

  • Documentation

  • Support