codeling / bfstop

Brute Force Stop Plugin (for Joomla!)
https://bfstop.bfroehler.info
GNU General Public License v3.0

Handling for blank username #184

Closed nluk100 closed 3 years ago

nluk100 commented 3 years ago

I just blocked myself by visiting the front-end login page too many times - I was testing the front-end login page layout/pre-login text and reloaded the page a few times and then BANG, got the blocked IP message.

The key thing here was that it blocked me and logged a blank username. These should be ignored, right? I mean how can you even log in with a blank username?

codeling commented 3 years ago

If you just reload the login page without sending a POST request, then this does of course not count as a login and is not counted. I have tried this on several browsers, and with just reloading the login page, I could not reproduce your issue.

What seems to have happened in your case is that the form was actually submitted multiple times; browsers do this under certain circumstances if you have pressed login before and then reload, but typically they warn you that this means the form will be submitted again. You should see whether Joomla considered it a login attempt by a feedback message shown next to the login form ("password may not be empty" or "invalid username and password" or some such).

As you write, you encountered this situation on your own site, and to me it seems not very likely to happen to "normal" users. Of course one could include special handling for empty username / empty password - but (1) for normal reloading of the login page this isn't necessary, as described above, and (2) any such special handling has the potential of including subtle bugs that reduce security.

So unless you have some very good arguments for why such special handling would be crucial, I'll not change anything about bfstop for this.
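The distinction drawn in this thread (a GET reload of the login page is never an attempt, a resubmitted POST with a blank username still is, and "special handling" for blank usernames changes what gets counted) can be made concrete with a small per-IP failure counter. The following is an added illustrative example written for this page in Python; it is not bfstop's code (bfstop is a PHP Joomla plugin) and does not reproduce its thresholds or storage. The block size, window, IP addresses, credential check and request stream are all constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed example, not bfstop's code: a minimal per-IP failed-login
# counter that mirrors the distinction drawn in the issue thread.


@dataclass
class Request:
    ip: str
    method: str                 # "GET" (page reload) or "POST" (submitted form)
    username: str = ""
    password: str = ""
    time: float = 0.0           # seconds; constructed timestamps


@dataclass
class LoginCounter:
    max_failures: int = 5       # hypothetical threshold, not bfstop's default
    window: float = 600.0       # hypothetical window in seconds
    ignore_blank_username: bool = False
    failures: dict = field(default_factory=lambda: defaultdict(deque))
    blocked: set = field(default_factory=set)

    def is_login_attempt(self, req):
        """A reload of the login page is a GET and never counts; only a
        submitted login form (POST) can be a login attempt."""
        return req.method.upper() == "POST"

    def record(self, req, valid_credentials):
        """Feed one request; return True if the IP is blocked afterwards."""
        if req.ip in self.blocked:
            return True
        if not self.is_login_attempt(req) or valid_credentials(req):
            return False
        if self.ignore_blank_username and req.username.strip() == "":
            # The "special handling" discussed in the thread: a failed POST
            # with an empty username is simply not counted at all.
            return False
        q = self.failures[req.ip]
        q.append(req.time)
        while q and req.time - q[0] > self.window:   # drop failures outside window
            q.popleft()
        if len(q) >= self.max_failures:
            self.blocked.add(req.ip)
            return True
        return False


def valid_credentials(req):
    """Constructed stand-in for the real authentication check."""
    return (req.username, req.password) == ("alice", "s3cret")


def simulate(ignore_blank_username):
    """Replay the reporter's scenario: ten plain reloads of the login page,
    then five browser resubmissions of a blank form from the same address.
    Returns (blocked_after_reloads, blocked_after_resubmits)."""
    c = LoginCounter(max_failures=5, window=600.0,
                     ignore_blank_username=ignore_blank_username)
    ip = "203.0.113.7"                              # constructed address
    after_reloads = any(c.record(Request(ip, "GET", time=t), valid_credentials)
                        for t in range(0, 10))
    after_resubmits = any(c.record(Request(ip, "POST", "", "", time=t),
                                   valid_credentials)
                          for t in range(10, 15))
    return after_reloads, after_resubmits


if __name__ == "__main__":
    print("count blank usernames:", simulate(False))   # (False, True)
    print("ignore blank usernames:", simulate(True))   # (False, False)
```

Running it shows that reloads alone never trigger a block under either policy, which matches what the maintainer describes; only the resubmitted POSTs do. With `ignore_blank_username=True` the same five blank resubmissions are never counted, so whether that exemption is acceptable is exactly the judgment call made in the thread.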