Django-ratelimit-backend is an app that allows rate-limiting of login attempts at the authentication backend level. Login attempts are stored in the cache so you need a properly configured cache setup.
By default, it blocks any IP that has more than 30 failed login attempts in the past 5 minutes. The IP can still browse your site; only login attempts are blocked.
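The default policy described above, modelled as an added example (this is not django-ratelimit-backend's own code): failed attempts are counted per IP in per-minute cache buckets and summed over the 5-minute window. The class, method and cache key names are hypothetical, and a plain dict stands in for the configured cache.

```python
import time

WINDOW_MINUTES = 5   # "the past 5 minutes" (default stated on this page)
MAX_FAILURES = 30    # blocked once there are more than 30 failures


class FailedLoginLimiter:
    """Hypothetical per-IP failed-login limiter with one counter per minute."""

    def __init__(self, cache=None, clock=time.time):
        # A dict stands in for the cache; with a real cache each counter
        # would be stored with a timeout so old buckets expire by themselves.
        self.cache = {} if cache is None else cache
        self.clock = clock

    def _keys(self, ip):
        # One key per minute of the window, newest first (key format is made up).
        minute = int(self.clock() // 60)
        return [f"faillogin-{ip}-{minute - i}" for i in range(WINDOW_MINUTES)]

    def record_failure(self, ip):
        key = self._keys(ip)[0]
        self.cache[key] = self.cache.get(key, 0) + 1

    def failures(self, ip):
        # Buckets older than the window are simply never read.
        return sum(self.cache.get(key, 0) for key in self._keys(ip))

    def is_blocked(self, ip):
        return self.failures(ip) > MAX_FAILURES

    def authenticate(self, ip, username, password, check_credentials):
        """Return the user on success, None on failure or while blocked."""
        if self.is_blocked(ip):
            # Credentials are not even checked: a correct password is
            # refused too, which is what stops online guessing.
            return None
        user = check_credentials(username, password)
        if user is None:
            self.record_failure(ip)
        return user
```

Only failed attempts are counted, so a successful login does not reset or consume the budget, and counters are keyed by IP alone, so other clients are unaffected.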
If you use a custom authentication backend, there is an additional configuration step. Check the custom backends section.
Get involved, submit issues and pull requests on the code repository!
- Only set the redirect field to the value of request.get_full_path() if the field does not already have a value. Patch by Michael Blatherwick.
- Add RatelimitMixin.get_ip.
- Django 1.7 support. Patch by Mathieu Agopian.
- Removed calls to deprecated check_test_cookie().
- The RatelimitBackend now allows arbitrary kwargs for authentication, not just username and password. Patch by Trey Hunner.
- Python 3 compatibility.
- The backend now issues a warning (warnings.warn()) instead of a logging call when no request is passed to the backend. This is because such cases are developer errors so a warning is more appropriate.
- Automatically re-register models which have been registered in Django’s default admin site instance. There is no need to register 3rd-party models anymore.
- Fixed a couple of deprecation warnings.
- Removed the part where the admin login form looked up a User object when an email was used to log in. This brings support for Django 1.5’s swappable user models.
- Added a logging call when a user reaches their rate limit.
- Initial version.