No rate limiting on the login form

There is no limit (no flooding protection on the form) on the login or contact form. You can brute force any form on the website.

  1. First of all, intercept the request sent by the login form using a web proxy such as Burp Suite.
  2. Then, using the same tool, you can resend the same request with different passwords.

How to?
Design throttling mechanisms into the system architecture. The best protection is to limit the number of resources that an unauthorized user can cause to be expended.

Any idea?

The default number of trials for the login form is 10 (by IP or email): auth | Kirby CMS

Kirby doesn’t come with a default contact form.

Thank you for the login form information. Do you recommend any solution for the contact form?
doc: Email contact form | Kirby CMS

The frontend code is up to yourself. In our example, we use a simple honeypot. But of course, you could add some other type of guard, like a math guard or Google captcha or whatever you see fit for your use case.

The popular Uniform plugin comes with some guards already implemented (see the docs).

There’s also a plugin for the Uniform plugin, that implements Turnstile protection: Turnstile for Uniform | Kirby CMS
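As an added illustration of the two guards discussed in this thread (a honeypot field plus a per-client throttle for a contact form), here is a small, self-contained PHP example. It is not Kirby's code nor part of the Uniform plugin; it assumes plain PHP 8, a hidden form field named `website` that humans leave empty, and a writable directory for the attempt counters.

```php
<?php
// Added example (not Kirby's or Uniform's own code): a file-backed per-IP
// attempt throttle combined with a honeypot field for a contact form.
// Assumptions: PHP 8, hidden field "website" stays empty for real users,
// and $storageDir is writable by the web server user.
declare(strict_types=1);

final class FormThrottle
{
    public function __construct(
        private string $storageDir,
        private int $maxAttempts = 5,     // submissions allowed per window
        private int $windowSeconds = 600  // 10-minute sliding window
    ) {}

    // Records one attempt and returns true while the client is still allowed.
    public function allow(string $clientIp): bool
    {
        $file   = $this->storageDir . '/' . hash('sha256', $clientIp) . '.json';
        $now    = time();
        $stamps = is_file($file)
            ? (json_decode((string) file_get_contents($file), true) ?: [])
            : [];
        // Drop timestamps that fell out of the current window.
        $stamps = array_values(array_filter(
            $stamps, fn(int $t) => $t > $now - $this->windowSeconds
        ));
        if (count($stamps) >= $this->maxAttempts) {
            return false;
        }
        $stamps[] = $now;
        file_put_contents($file, json_encode($stamps), LOCK_EX);
        return true;
    }
}

// Honeypot check: automated submitters tend to fill every field they find.
function honeypotTripped(array $post, string $field = 'website'): bool
{
    return isset($post[$field]) && trim((string) $post[$field]) !== '';
}

// --- usage in a form controller ---
$dir = sys_get_temp_dir() . '/form-throttle';
@mkdir($dir, 0700, true);
$throttle = new FormThrottle($dir);
$ip = $_SERVER['REMOTE_ADDR'] ?? '127.0.0.1';

if (honeypotTripped($_POST)) {
    exit('Thanks, your message was sent.'); // pretend success, send nothing
}
if (!$throttle->allow($ip)) {
    http_response_code(429);
    exit('Too many requests, please try again later.');
}
// ... validate the remaining fields and send the email here ...
```

Behind a reverse proxy, derive the client address from the proxy's trusted forwarding header instead of `REMOTE_ADDR`, and on multi-server setups move the counters to shared storage so the limit is enforced consistently.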