
ali1/cakephp-bruteforce
=======================

CakePHP Plugin for Brute Force Protection

Version 6.0.1 · License: MIT · PHP ^8.2 · [Source](https://github.com/Ali1/cakephp-bruteforce) · [Packagist](https://packagist.org/packages/ali1/cakephp-bruteforce)

CakePHP Brute Force Plugin
==========================


A CakePHP plugin for easy drop-in Brute Force Protection for your controller methods.

Component Wrapper for [Ali1/BruteForceShield](https://github.com/Ali1/BruteForceShield)

### Features

- IP address-based protection
- Uses the Cache class to store attempts so no database installation necessary
- Logs blocked attempts (uses CakePHP Logs)
- Does not count re-attempts with same challenge details (e.g. if a user tries the same username/password combination a few times)
- Can block multiple attempts at the same username earlier than the normal limit (to give users a chance to enter the correct username if they have been trying with the wrong one)
- Can be applied in AppController::initialize for simpler set up when authentication plugins are used
- Throws an exception that can optionally be caught

### Requirements

- Composer
- CakePHP 4.0+
- PHP 7.2+

### Installation

In your CakePHP root directory, run the following command:

```
composer require ali1/cakephp-bruteforce
```

Then add the following snippet to Application.php in your project root:

```
// In project_root/Application.php:
$this->addPlugin('Bruteforce');
```

Alternatively, use the following shell command to enable the plugin in your bootstrap.php automatically:

```
bin/cake plugin load Bruteforce
```

### Basic Use

Load the component:

```
// in AppController.php or any controller

    public function initialize(): void
    {
        parent::initialize();
        $this->loadComponent('Bruteforce.Bruteforce');
    }
```

Apply protection (`$this->Bruteforce->validate` must be called before the user-submitted data is actually verified or acted on):

```
    public function login(): void
    {
        $config = new \Ali1\BruteForceShield\Configuration(); // see possible options below

        /**
         * Arguments of validate():
         *
         * @param string $name A unique string to store the data under (use a different $name for each
         *                     use of Brute Force Protection within the same application).
         * @param array $data An array of data; can use $this->request->getData().
         * @param \Ali1\BruteForceShield\Configuration|null $config Options.
         * @param string $cache Cache to use (default: 'default'). Make sure to use one with a duration
         *                      longer than your time window, otherwise you will not be protected.
         * @return void
         */
        $this->Bruteforce->validate(
            'login',
            ['username' => $this->request->getData('username'), 'password' => $this->request->getData('password')],
            $config,
            'default'
        );

        // The user never gets here if the request fails Brute Force Protection;
        // a TooManyAttemptsException is thrown instead.
        // Usual login code here.
    }
```
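The caveat on the `$cache` argument above, as an added example (not from the plugin's README): a dedicated CakePHP cache configuration whose duration outlives the time window, beside a too-short one. The config names `bruteforce` and `bruteforce_short`, the prefixes and both durations are assumptions.

```php
<?php
// config/bootstrap.php, after the application's existing Cache setup.
use Cake\Cache\Cache;

// Weak (constructed, shown for contrast only): entries expire after one minute,
// so with a longer time window the recorded attempts are forgotten early and
// the limits are never reached.
Cache::setConfig('bruteforce_short', [
    'className' => 'File',
    'path' => CACHE . 'bruteforce' . DS,
    'prefix' => 'bf_short_',
    'duration' => '+1 minute',
]);

// Corrected (constructed): the duration is comfortably longer than the time
// window, so every attempt inside the window is still stored when it is counted.
Cache::setConfig('bruteforce', [
    'className' => 'File',
    'path' => CACHE . 'bruteforce' . DS,
    'prefix' => 'bf_',
    'duration' => '+1 hour',
]);

// In the controller action, pass the config name as the fourth argument,
// before verifying credentials:
// $this->Bruteforce->validate('login', $challenge, $config, 'bruteforce');
```

A File cache is local to one host, so on a multi-server deployment each node would keep its own counters; a shared cache engine avoids that. Clearing the cache also resets the recorded attempts.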

### Configuration Options

The third argument for `validate` is the `\Ali1\BruteForceShield\Configuration` object.

Instructions on configuring Brute Force Protection can be found [here](https://github.com/Ali1/BruteForceShield#configuration).

### Usage

#### For a method for username / password BruteForce

```
// UsersController.php
    public $components = ['Bruteforce.Bruteforce'];

    // ...

    public function login()
    {
        // prior to actually verifying data
        $bruteConfig = new \Ali1\BruteForceShield\Configuration();
        $bruteConfig->setTotalAttemptsLimit(5);
        // Setting a limit of 5 above, then a different limit here, means the user has 3 chances to get
        // the password right, but then an additional 2 chances if they try a different username.
        $bruteConfig->setStricterLimitOnKey('username', 3);
        // Adding this means you can see which usernames are being attacked in your log files.
        $bruteConfig->addUnencryptedKey('username');

        $this->Bruteforce->validate(
            'login', // unique name for this BruteForce action
            ['username' => $this->request->getData('username'), 'password' => $this->request->getData('password')],
            $bruteConfig
        );
        // rest of the login code to authorize the attempt
    }
```
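How the two limits and the "same challenge is not counted again" rule interact, as an added example: a simplified in-memory model of the behaviour this README describes, not BruteForceShield's own code. The class `AttemptModel`, the sample attempts, the absence of a time window and the choice to record blocked attempts are all assumptions.

```php
<?php
declare(strict_types=1);

// Simplified model of the documented counting rules for ONE client IP.
// Not the library's implementation: no Cache, no time window (assumptions).
final class AttemptModel
{
    /** @var array<string, string> challenge fingerprint => username */
    private array $seen = [];

    public function __construct(private int $totalLimit, private int $perUsernameLimit)
    {
    }

    /** Returns true if the attempt may proceed to credential verification. */
    public function allow(string $username, string $password): bool
    {
        // An identical username/password pair maps to the same key,
        // so repeating it does not consume another attempt.
        $fingerprint = hash('sha256', $username . "\0" . $password);
        $this->seen[$fingerprint] = $username;

        $total = count($this->seen);
        $sameUser = count(array_keys($this->seen, $username, true));

        return $total <= $this->totalLimit && $sameUser <= $this->perUsernameLimit;
    }
}

// Same limits as the login() example: 5 in total, 3 per username.
$model = new AttemptModel(totalLimit: 5, perUsernameLimit: 3);

// Constructed sample attempts, all from the same IP address.
$attempts = [
    ['alice', 'pw1'], ['alice', 'pw1'],   // repeat of the same pair: counted once
    ['alice', 'pw2'], ['alice', 'pw3'],   // third distinct guess for alice: still allowed
    ['alicia', 'pw1'], ['alicia', 'pw2'], // different username: two more chances
    ['alicia', 'pw3'],                    // sixth distinct challenge: total limit exceeded
    ['alice', 'pw1'],                     // blocked too, even though it is a repeat
];

foreach ($attempts as [$user, $pass]) {
    printf("%-7s %-4s %s\n", $user, $pass, $model->allow($user, $pass) ? 'allowed' : 'blocked');
}
```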

#### Prevent URL based brute force

Non-form data, such as a value passed in the URL, can also be brute forced:

```
    /**
     * @param string $hashedid
     *
     * @return \Cake\Http\Response|null
     */
    public function publicAuthUrl(string $hashedid): ?\Cake\Http\Response
    {
        try {
            $bruteConfig = new \Ali1\BruteForceShield\Configuration();
            $bruteConfig->addUnencryptedKey('hashedid');
            $this->Bruteforce->validate(
                'publicHash',
                ['hashedid' => $hashedid],
                $bruteConfig
            );
        } catch (\Bruteforce\Exception\TooManyAttemptsException $e) {
            $this->Flash->error('Too many requests attempted. Please try again in a few minutes');

            // A void method cannot return the redirect response, hence the nullable return type.
            return $this->redirect('/');
        }

        // then check if URL is actually valid

        return null;
    }
```

#### With user plugins (e.g. CakeDC/Users)

Although not ideal, when using plugins that you do not wish to extend or modify, you can safely place the `validate` call in the `initialize` method of AppController.php, since this will run prior to user verification within the plugin.

```
// AppController.php::initialize()

        $this->loadComponent('Bruteforce.Bruteforce'); // Keep above any authentication components if running on initialize (default)
        $this->Bruteforce->validate(
            'login', // unique name for this BruteForce action
            ['username' => $this->request->getData('username'), 'password' => $this->request->getData('password')] // user entered data
        );
        // this will not affect any other action except ones containing POSTed usernames and passwords (empty challenges never get counted or blocked)
```

