
Active library. Category: [Security](/categories/security)

gburtini/bfd
============

Brute force defense: rate limiting tools.

Latest release: 0.0.6 (10y ago). [1 open issue](https://github.com/gburtini/PHP-Brute-Force-Defense/issues). License: GPL. Language: PHP, requires PHP >=5.4.0.

Listed since Apr 4. Last pushed 6y ago. 3 watchers.

[Source](https://github.com/gburtini/PHP-Brute-Force-Defense) · [Packagist](https://packagist.org/packages/gburtini/bfd) · [Docs](http://github.com/gburtini/PHP-Brute-Force-Defense). Branch: master.


PHP Brute Force Defense Tools
=============================

**This hasn't been maintained in years. Use at your own risk and only with the expertise to build it yourself.**

*A lightweight framework for mitigating brute force attacks in an online architecture.*

Right now there is only one tool, a session-based rate limiter. It is general and powerful, but there is a lot of work left to do. Because the counter is tied to the visitor's PHP session, a client that discards its session cookie starts with a fresh counter; the throttle raises the cost of repeated guessing from one session but does not on its own stop an attacker who controls the client (see Future Work for the IP-based and device-cookie tools intended to cover that).

Installation
------------

Installation is available via composer.

```
composer require gburtini/bfd
```

Usage
-----

### SessionThrottle

- `__construct(string $name, int $safe, int $upper, float $rate, bool $sleep)` - the usage example below constructs a throttle with `$name` alone, so the remaining parameters have defaults (20 for `$upper` and 1.3 for `$rate`, as noted under their descriptions).
- `fail()`, `succeed()` - report the outcome of the protected action: a failure increments the counter, a success resets it. Aliased as `increment()` and `reset()` for cases where success/fail do not fit your use case.
- `test()` - returns true if the requested call should be allowed to proceed and false if it should be refused.

Constructing a SessionThrottle means setting the parameters.

- `$name` - a token identifying the element, function or method this SessionThrottle instance protects; it keys the counter, so different names give independent limits.
- `$safe` - the number of failures a user gets "free" before rate limiting starts; this can safely be set quite high for most login-related applications.
- `$upper` - the highest power of `$rate` that will be used. The default is 20 (with rate 1.3), so the longest timeout is 1.3^20 ≈ 190 seconds.
- `$rate` - the base of the exponent used to compute the timeout. Default 1.3. Too large and the throttler is too aggressive; too small and it is not aggressive enough.
- `$sleep` - true/false for whether `->test()` should ATTEMPT to always return true, by sleeping until the time limit has passed. Even with sleep true, the sleep may be interrupted, in which case `test()` returns false, and sleeping one request does nothing to stop parallel requests in most use cases. You must always check the return value of `test()`.

*Example use:*

```
use gburtini\bfd\SessionThrottle;

// The throttle is session-based, so a PHP session must be active before it is used.
session_start();

// One throttle per protected action. The name can be global ("login"),
// per-account ("login_%username%"), or attached to any expensive operation.
$login_limit = new SessionThrottle("login_bob");

if ($login_limit->test()) {
    if (!checkLogin($user, $pass)) {
        $login_limit->fail();    // or ->increment(): one more failure, longer wait
    } else {
        $login_limit->succeed(); // or ->reset(): clear the counter and the time limit
    }
} else {
    // test() returned false: refuse the attempt without calling checkLogin()
    showThrottleError();
}
```
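The parameter list and the usage sketch above, worked through on a simulated clock. This is an added example and not code from the library: a small `DemoSessionThrottle` that mirrors the documented constructor and `fail()`/`succeed()`/`test()` methods so the interaction of `$safe`, `$upper` and `$rate` can be seen. The README does not say how the failure count maps to the wait, so the block assumes the wait after the n-th failure beyond `$safe` is `$rate` to the power `min(n, $upper)` seconds, assumes a default of 3 for `$safe` (the README gives none), keeps its state in `$_SESSION` under the throttle name, and expects the caller to have started the session (the CLI demo substitutes an empty array). The injectable clock and the `delayFor()` helper are additions for the demonstration.

```php
<?php
// Added example, not the library's code. Assumptions not stated on the page:
// wait after the n-th failure beyond $safe = $rate ** min(n, $upper) seconds,
// default $safe = 3, state kept in $_SESSION[$name], session already started.
declare(strict_types=1);

final class DemoSessionThrottle
{
    private string $name;
    private int $safe;
    private int $upper;
    private float $rate;
    private bool $sleep;
    /** @var callable(): float  current time in seconds; injectable so the demo needs no real sleeps */
    private $clock;

    public function __construct(
        string $name,
        int $safe = 3,        // assumed default; the README gives none
        int $upper = 20,      // README default
        float $rate = 1.3,    // README default
        bool $sleep = false,
        ?callable $clock = null
    ) {
        if ($rate <= 1.0 || $upper < 1 || $safe < 0) {
            throw new InvalidArgumentException('rate must exceed 1.0, upper must be >= 1, safe must be >= 0');
        }
        $this->name  = 'bfd_' . $name;
        $this->safe  = $safe;
        $this->upper = $upper;
        $this->rate  = $rate;
        $this->sleep = $sleep;
        $this->clock = $clock ?? static function (): float { return microtime(true); };
        $_SESSION[$this->name] = $_SESSION[$this->name] ?? ['failures' => 0, 'until' => 0.0];
    }

    /** Seconds a client must wait once it has accumulated $failures failures. */
    public function delayFor(int $failures): float
    {
        $over = $failures - $this->safe;          // failures beyond the free allowance
        return $over <= 0 ? 0.0 : $this->rate ** min($over, $this->upper);
    }

    /** Report a failed attempt: count it and push the earliest allowed retry out. */
    public function fail(): void
    {
        $s = &$_SESSION[$this->name];
        $s['failures']++;
        $s['until'] = ($this->clock)() + $this->delayFor($s['failures']);
    }
    public function increment(): void { $this->fail(); }

    /** Report success: clear both the counter and any pending wait. */
    public function succeed(): void
    {
        $_SESSION[$this->name] = ['failures' => 0, 'until' => 0.0];
    }
    public function reset(): void { $this->succeed(); }

    /** True if the protected action may run now, false if the client is throttled. */
    public function test(): bool
    {
        $remaining = $_SESSION[$this->name]['until'] - ($this->clock)();
        if ($remaining <= 0) {
            return true;
        }
        if (!$this->sleep) {
            return false;
        }
        // Sleep mode: stall this request until the wait has elapsed, then re-check.
        // usleep() can return early, and sleeping one request does nothing about
        // parallel ones, so callers must still honour the boolean result.
        usleep((int) ceil($remaining * 1000000));
        return $_SESSION[$this->name]['until'] <= ($this->clock)();
    }
}

// --- demonstration on a simulated clock (constructed input, not real traffic) ---
$_SESSION = [];                       // stand-in for session_start() in this CLI run
$now = 0.0;
$t = new DemoSessionThrottle('login_bob', 3, 20, 1.3, false, function () use (&$now) { return $now; });

// A guesser retrying once per second: three failures are free, then the wait
// grows by a factor of 1.3 per failure and starts blocking attempts 5 and 7.
for ($attempt = 1; $attempt <= 8; $attempt++) {
    $allowed = $t->test();
    printf("t=%.0fs attempt %d: %s\n", $now, $attempt, $allowed ? 'allowed (password wrong)' : 'blocked');
    if ($allowed) {
        $t->fail();                   // the simulated checkLogin() failed
    }
    $now += 1.0;
}

// The $upper cap: past safe + upper failures the wait stops growing at 1.3^20.
foreach ([4, 5, 10, 23, 50] as $n) {
    printf("after %d failures the wait is %.2fs\n", $n, $t->delayFor($n));
}
```

Run it with PHP 7.4 or newer. With `safe=3` and `rate=1.3`, attempts 1 to 4 are allowed, attempt 5 lands inside the 1.3 s wait and is blocked, attempt 6 is allowed and earns a 1.69 s wait, attempt 7 is blocked, and attempt 8 is allowed. The second loop shows why `$upper` matters: from 23 failures (safe + upper) onward the wait is 1.3^20 ≈ 190 s and stays there, which is the figure quoted for `$upper` above. Pushing the clock in from outside keeps the demo deterministic; a real deployment uses the default `microtime(true)` clock.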

Future Work
-----------

The intent is to collect a whole set of tools for mitigating brute force attacks here. The `SessionThrottle` tool is just a start:

- Efficient IP-based blocking and throttling.
- Data-level blocking (non-session based limits on access to particular data)
- Global shutdown tools for mitigating large-scale brute-force attacks.
- Device-cookie tools

License
-------

*Copyright (C) 2015 Giuseppe Burtini*

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see <https://www.gnu.org/licenses/>.

### Health Score

26 (Low; better than 43% of packages)

- Maintenance: 16 (infrequent updates, may be unmaintained)
- Popularity: 15 (limited adoption so far)
- Community: 10 (small or concentrated contributor base)
- Maturity: 53 (maturing project, gaining track record)
- Bus factor: 1 (top contributor holds 100% of commits, a single point of failure)

How the score is calculated:

- **Maintenance (25%)**: last commit recency, latest release date, and issue-to-star ratio, using a 2-year decay window.
- **Popularity (30%)**: total and monthly downloads, GitHub stars, and forks, with logarithmic scaling to prevent top-heavy scores.
- **Community (15%)**: contributors, dependents, forks, watchers, and maintainers, measuring real ecosystem engagement.
- **Maturity (30%)**: project age, version count, PHP version support, and release stability.

### Release Activity

- Cadence: every ~44 days (recently every ~66 days)
- Total releases: 7
- Last release: 3796 days ago

### Community

- Maintainer: [gburtini](/maintainers/gburtini)
- Top contributor: [gburtini](https://github.com/gburtini) (9 commits)

Tags: login, rate limit, limit, throttle, throttling, rate limiting, brute force


### Alternatives

- [maba/gentle-force-bundle](/packages/maba-gentle-force-bundle): Symfony bundle that integrates the gentle-force library for limiting both brute-force attempts and ordinary requests, using a leaky/token bucket algorithm, based on Redis
- [davedevelopment/stiphle](/packages/davedevelopment-stiphle): Simple rate limiting/throttling for PHP
- [maba/gentle-force](/packages/maba-gentle-force): Library for limiting both brute-force attempts and ordinary requests, using a leaky/token bucket algorithm, based on Redis
- [bandwidth-throttle/token-bucket](/packages/bandwidth-throttle-token-bucket): Implementation of the Token Bucket algorithm
- [graham-campbell/throttle](/packages/graham-campbell-throttle): Throttle is a rate limiter for Laravel
- [websoftwares/throttle](/packages/websoftwares-throttle): Ban an identifier after a certain number of requests in a given timeframe

PHPackages © 2026

