One of Drupal's strengths is its ability to create communities of users who contribute towards the content of the site. Whether you have an open forum, where users can create their own accounts, or a closed magazine site with just a few editors, you need to take the security of your users seriously.
Out of the box, Drupal has a number of account protection features that assist in making sure that users are authenticated correctly.
For example, the user login page is protected by a brute force system and will lock accounts after a number of incorrect password attempts in a short amount of time.
There are a few other things you can do to protect your site users that can be applied to any Drupal site. In this article we'll look through a number of different modules and techniques you can use to protect the user accounts on your site. We'll look at some of the pros and cons of each approach.
Flood Control
Drupal's login forms have built in brute force projection that will block any user account that fails to enter the correct password more than 5 times per IP address within an hour. This prevents automated bots from just guessing the password of a user account thousands of times until it hits the right combination.
The Flood Control module allows these settings to be tweaked to make them more (or less) restrictive.