Quote:
So IMO the ISP's actions are a bit rash, but understandable. Maybe we can build in an extra security (something like 3 password entries per minute, or something similar, making it less vulnerable to a brute force attack).
IMO, XOOPS could implement the following two solutions to better secure the system:
1. As Herko mentioned, the ability to disable user accounts after a certain number of failed logins should be seriously considered.
2. Move admin.php into a separate directory and password-protect it.
Meanwhile, anyone that has problems with admin.php could do two things:
1. Use a better admin password so it cannot be easily cracked. Mind you, any password could be cracked, just a matter of time.
2. Add extra protection to your system module directory - password-protect it. A better solution is to deny anyone other than yourself based on the IP number. So even if someone were to crack your admin, he/she could not do much harm to your system. This only applies to Apache.
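
The two login-side ideas in this thread (a cap of 3 password entries per minute, and disabling an account after a number of failed logins) can be combined as in the added example below, which is not part of the original post and is not XOOPS code. It is a stand-alone Python sketch; the class name, the lockout threshold of 5 and the sample credential are assumptions.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Per-account attempt cap plus lockout (names and limits are assumptions)."""

    def __init__(self, check_password, per_window=3, window=60.0, lock_after=5):
        self.check_password = check_password  # callable(user, password) -> bool
        self.per_window = per_window          # evaluated attempts allowed per window
        self.window = window                  # window length in seconds
        self.lock_after = lock_after          # consecutive failures before lockout
        self.recent = defaultdict(deque)      # user -> times of evaluated attempts
        self.failures = defaultdict(int)      # user -> consecutive failed logins
        self.locked = set()                   # accounts disabled until unlock()

    def attempt(self, user, password, now):
        if user in self.locked:
            return "locked"                   # password is never evaluated
        q = self.recent[user]
        while q and now - q[0] >= self.window:
            q.popleft()                       # forget attempts outside the window
        if len(q) >= self.per_window:
            return "throttled"                # rejected before any password check
        q.append(now)
        if self.check_password(user, password):
            self.failures[user] = 0           # a success resets the failure streak
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.lock_after:
            self.locked.add(user)
        return "denied"

    def unlock(self, user):
        """Administrator action: re-enable a disabled account."""
        self.locked.discard(user)
        self.failures[user] = 0
        self.recent[user].clear()

def simulate_guessing(guesses, interval=1.0):
    """Replay constructed wrong guesses at a fixed rate; return outcome counts
    and how many passwords were actually checked."""
    evaluated = []
    def check(user, pw):
        evaluated.append(pw)
        return pw == "correct horse"          # constructed sample credential
    throttle = LoginThrottle(check)
    outcomes = defaultdict(int)
    for i in range(guesses):
        outcomes[throttle.attempt("admin", f"guess{i}", i * interval)] += 1
    return dict(outcomes), len(evaluated)
```

With one guess per second for ten minutes, `simulate_guessing(600)` checks only 5 passwords: every other request is rejected as throttled or locked before the password is compared.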