More Security: Login Rate Limiting

Belt, meet suspenders.

Over the past few development cycles, we have been introducing more layers of security to the LexBlog platform.  Within the next couple of weeks, we’ll be adding another:  Login Rate Limiting.

Login Rate Limiting means users will only be able to perform any of the following actions five times in total, per five minutes:

  • Attempt to log in
  • Request a password reset link
  • Attempt to use a password reset link

If a user exceeds this limit, they will be blocked for 15 minutes and they’ll see the following screen:


These parameters (five attempts, five minutes, fifteen minutes) are more restrictive than we would prefer, however we are moving forward with this configuration because Cloudflare, our partner for security and performance, offers it as a very deployable and scalable solution.  The security and safety of our platform—your sites and your content—are a top priority, and in this case the downsides are out-weighed.

This will make the LexBlog platform safer, and more performant, because we’ll have fewer PHP workers tied up evaluating bogus password attempts.

Is this going to be annoying?

If you can’t remember your login credentials, then this new login constraint could be frustrating.  If you need assistance logging in, our Customer Success team is readily available to assist you.

That said, blogs on our Enterprise Platform will be free to decline this feature.  LexBlog’s Enterprise Platform features more nimble security measures such as 2-factor authentication and IP whitelisting. If you would like to know more about our Enterprise Platform service please reach out to Dan Mintz.

But really, there’s a more important point here: There should be no such thing as forgetting a password, because there should be no such thing as remembering a password! Ideally your LexBlog account password is too quirky and long to remember because it’s auto-generated by password management service like 1Password or LastPass.

We strongly encourage the use of these password management services for all of our clients, even those on our Enterprise Platform. If you need another reason to consider, go visit to check if your email address or telephone number have ever been compromised.

To this day, knock-on-wood, we have never had a blog defaced due to compromised login credentials. And moving forward we will continue our work to research and implement security features like Login Rate Limiting to prevent security violations from happening. Considering the alternatives, we think you’ll be firmly in favor of this new security measure and others like it.

Scott Fennell
About the Author

Scott is a WordPress theme and plugin developer with a penchant for connecting the dots between services like MailChimp, Cloudflare, and GoDaddy. He has been published in A List Apart and CSS-Tricks.

Subscribe to 99 Park Row via Email or RSS
Please enter a valid email address and click the button.
Recent Posts
More content can be found in the Search section.