Site Security

This plugin provides means to avert Brute-Force-Attacks on your Joomla-Installation. For this purpose, the plugin stores information on failed login attempts, so that when reaching a configurable number of such failed login attempts the attacker's IP address can be blocked. Furthermore, you can configure notifications about failed logins and blocked IP addresses, as well as a configurable (optionally even adaptive) delay for a failed login attempt.

  • Favourite
  • Report

The component included in the package will allow you to view the blocked IP addresses and manage them, manage whitelists of IP addresses which will never be blocked, viewing failed log attempts and testing the notification.

New in version 1.4.1:
- minor release fixing JED checker errors
New in version 1.4.0:
- Blocking via .htaccess
- New method for determining client IP to support load balancers / proxies
- IPv6 fixes (IPv6 subnet masks not yet supported)
- mysql compatibility
- php 7 compatibility
For a detailed list of changes in each version see the commit history at

- pt-PT/pt-BR translations and various fixes by solrac (comproperty247(at)
- ca-ES translations by nouespai
- fr-FR translations by Flying_Lolo
- nl-NL translations and various fixes by Rob van Baal (info(at)
- es-ES translations by Aimagen (info(at)
- ru-RU translations by Raven (ravencrow(at)
- it-IT translations and various fixes by Stefano Buscaglia (info(at)
- old nl-NL translations by Agrusoft

This extension is now part of my standard installations. Simple to use, simple to install. All good!

Very appreciative of this developer's work, creating a critically important element to safeguard sites built using Joomla CMS. Easy install, and does what it says it will do. I would suggest some slight modifications to the language, to make it easier for sitebuilders and marketers to understand how to use it (as opposed to developers, who appreciate the challenge of figuring out what all the toggles do). Great job, now on my list of "must-have" extensions.

Owner's reply: Thank you very much for your feedback! Suggestions for language changes are always welcome. Being a developer, it is hard for me to think as a sitebuilder and/or marketer. I would therefore be very glad to hear more about your suggestions! Please contact me via mail ( or report an issue ( if you're interested in contributing!

Stops attempts cold

Posted on 02 December 2013

Simple and easy install. Had problems with constant attempts at back-end. Before was using .htaccess and manually adding. This is just what I need. One feature I think would be helpful would be a way to whitelist IPs.

Thanks again!

Owner's reply: Thanks for your favourable review! A whitelist (for single IP addresses) is now available with version 1.1.0!

Great Plugin

Posted on 07 November 2013

I have to say that I've tried other plugins and this is one of the best I've had. Great work doing this. The first day I got 20 people trying to log in...and what's great about this program it tells us who their trying to log in as. I would recommend this plugin to everyone. I've had no problems.

Thanks for this great plugin.


blocked myself out

Posted on 07 August 2013

This is a great plugin. However a couple of things needed: for example removing a blocked ip from the failed login section.

Also, somehow I ended up blocking myself from the frontend when I put in the settings frontend/backend. I did not have failed logins and am not sure how I got blocked. But regardless, I went into the database and deleted my ip entry and it is still blocking me.

Not sure what happened nor why it is not unblocking me.


Owner's reply: Thanks for taking the time to write a review!
Regarding your problems with my extension, I would ask you to file a bug report at, or to contact me at so that we can discuss further steps to resolve these!
Furthermore I'm not sure I understand your comment about the removal of blocked IPs from the failed login section - the failed login list is supposed to be a log of all failed login attempts; one of its main purposes is to allow the administrator to see why an IP was blocked. If entries are removed from there once an IP is blocked, the administrator would have no opportunity to check these anymore! By the way there is a pending enhancement request to remove old entries ( If this is not what you had in mind (and also for other enhancement you think necessary), please go ahead and file a feature request (as an issue, also at! I can't guarantee that they will be implemented, but such requests will definitely be considered for future versions!

I agree with other reviewers; this is really good; does exactly what it says and yes, it should be part of Joomla! core.

Having said that, I can confirm the issue with Joomla 3.1.4 - uninstall it before upgrading Joomla. Hoping an update to BFStop isn't long in the pipeline. i will certainly installing it :-)

Other extensions typically just change the URL, which is fine but not enough for me.

I like bfstop for my sites where I didn't want to change URL because re-training users wasn't worth the pain.

The ability to tune the notification frequency and when an IP is blocked is great.

I like that he warns you also if you have your super admin set to "admin" and the newer additions of the administration component to view which IPs are block and the usernames they tried.

For straight up brute force protection, this is best extension out there.

Excellent, this will save me a lot of time. I have been blocking IP's using blacklists that I manually update, either using .htaccess or in firewall rules.

Works instantly in real time on 2.5 sites using the standard Joomla login, on Community Builder sites I'm using the CB Antispam plugin instead.




Posted on 19 July 2013

I think this should be integrated into the Joomla! core. It works exactly as advertised, is very configurable, and solves a very serious problem facing Joomla administrators.


Thumbs up

Posted on 26 June 2013

Easy to install, easy to configure (if you read the instructions) and worked within 5 minutes. Highly recommend.

Brute Force Stop

Bernhard Froehler
Last updated:
Feb 01 2017
Date added:
Nov 19 2014
GPLv2 or later
Free download
c p

Uses Joomla! Update System


Write a review