WHMCS allows you to ban IP addresses and email domains. You can also configure automatic bans for users who exceed the maximum number of failed login attempts.

Banned IPs and Email Domains

You can view and manage the list of banned IP addresses at Configuration () > System Settings > Banned IPs.

You can view and manage the list of banned email domains at Configuration () > System Settings > Banned Emails.

Auto Ban Control

By default, WHMCS blocks any user IP addresses that attempt to log in to the admin area with a valid username and incorrect password three or more times. The length of this ban, by default, is 15 minutes. This helps to prevent hackers from endlessly trying different password combinations in order to gain access to your admin area. You can alter the length of this ban by going to Configuration () > System Settings > General Settings > Security tab > Failed Admin Login Ban Time.

To disable IP banning for failed admin logins, set this value to 0. The system will never attempt to ban IP addresses and the user will be able to continue to attempt to log in endlessly. For this reason, we recommend a minimum value of at least 1.