Brute force detection and auto-block
An attacker can try a lot of passwords in a minute. That is why ePulz.io combines two protections: a login attempt limit that temporarily rejects further attempts, and an alert for the administrator when a suspiciously high number of failed attempts comes from a single IP address. Both protections are enabled automatically for every account, you do not have to set up anything.
Login attempt limit
The login form is protected by two independent limits. Once they are exceeded, the server returns an HTTP 429 response and temporarily rejects further attempts:
- By IP address: at most 20 login attempts per 15 minutes from a single IP. Once exceeded, further attempts from this address are temporarily rejected.
- By account (e-mail): at most 10 attempts per 30 minutes for the same e-mail, even when the attack comes from several IP addresses. This limit prevents a distributed attack on one specific account.
After a successful login, the counter for that e-mail is reset.
Alert for the administrator
Independently of the limits: if 10 or more failed attempts within 15 minutes come from a single IP address, the administrator receives an alert via Telegram (repeated at most once per hour for the same IP). This helps catch a targeted attack early.
What the user sees when the limit is exceeded
Once the limit is exceeded, a notice appears stating that there were too many attempts and that you need to wait a given number of minutes. The "Forgot password" link stays available, so a legitimate user always has a way back to their account - password recovery via e-mail works even during the temporary restriction.
Login overview (login audit)
A detailed overview of login attempts is available only to the administrator in the admin panel (Admin -> Logins, /admin/login-audit). It shows at most 500 most recent attempts, both successful and failed. For each record you can see:
- time, e-mail, IP address with a country flag and browser information,
- status (OK / FAIL) and reason: ok, bad password (invalid_credentials), limit exceeded (rate_limited, rate_limited_email), unverified e-mail (unverified),
- a separate section with the top IP addresses from which the most failed attempts come.
Clicking an IP in the list filters out all attempts from the same address.
What you can do for account security
The protection runs automatically, you do not have to set it up or respond to it. For extra peace of mind we recommend enabling two-factor authentication (2FA) and occasionally checking trusted devices in the Settings -> Account section.
If you locked yourself out by mistake
- The simplest option is to wait the stated time - the restriction lifts on its own once the window passes.
- If you need access immediately, use Forgot password. Password recovery via e-mail works even during the temporary restriction.
- If the problem persists, contact us via support - we will help after verifying your identity.