
ChurchInfo

Tracker: Feature Requests

5 Human Verification at Login - ID: 1686483
Last Update: Comment added ( mikewiltwork )

To improve the security of the system, add human verification to the login
screen to make sure no one can try to hack the site using machine generated
username & password.


Scott Knaub ( superdataman ) - 2007-03-23 03:13

5

Open

None

Michael Wilt

Interface Improvements

None

Public


Comments ( 3 )




Date: 2007-05-08 23:00
Sender: mikewiltwork (Project Admin)


Adding an optional human verification step is easy enough to do. I did
this to protect the guest book on www.koober.org and it has been perfectly
effective. I would hope that most of our installations are hidden well
enough that robot searches would not find them. I encourage people to
avoid posting links to their churchinfo installation on publicly indexed
web pages. It is easy enough to distribute the link to the people who need
it, and encourage them to bookmark it in their browsers.

Mike



Date: 2007-05-08 22:52
Sender: jsu9728


Regarding the malicious robot attack that locks all accounts by
intentionally entering incorrect passwords, here is a possible solution.

* After 10 incorrect login attempts the account is locked for 4 hours.
Come back 4 hours later and the account has been automatically unlocked.

This allows the account to automatically recover 4 hours after the end of
the robot attack. The advantage is that no intervention from an
administrator is required to re-enable the account. The robot only gets to
try 10 passwords every 4 hours so any reasonably secure password is not
likely to ever be guessed in this scenario.

-Ed


Date: 2007-05-08 20:52
Sender: jsu9728


There are already protections against this type of thing. An account can
be locked if there are too many failed login attempts.

Admin -> Edit General Settings

Look for iMaxFailedLogins

The default value is 50 (probably too high) and may be changed to any
number you like.

I suppose it is possible that a malicious person/robot could lock all of
the accounts and cause a "denial of service" attack. Is this a concern?

-Ed
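The two comments above describe two lockout behaviours: a permanent lock once iMaxFailedLogins failures are reached (which a robot can turn into a denial of service until an administrator intervenes), and Ed's proposal of a lock that expires on its own after 4 hours. The following is an added example written for this page in Python, not ChurchInfo's own PHP code; it models both policies on a single account so the difference can be checked. The usernames, timestamps and the robot's 15 guesses are constructed sample input, and the class and method names are assumptions of this example.

```python
"""Model of a failed-login lockout, in two variants (added example, not ChurchInfo code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class AccountState:
    failed: int = 0                           # consecutive failed attempts
    locked_until: Optional[datetime] = None   # None = not locked; datetime.max = until admin resets


@dataclass
class LoginGuard:
    max_failed: int = 10                      # like iMaxFailedLogins, but with a lower threshold
    lock_hours: Optional[int] = 4             # None = permanent lock (administrator must unlock)
    accounts: Dict[str, AccountState] = field(default_factory=dict)

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: datetime) -> bool:
        st = self._state(user)
        if st.locked_until is None:
            return False
        if now >= st.locked_until:
            # Timed lock has expired: the account recovers without admin help
            st.locked_until = None
            st.failed = 0
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: datetime) -> str:
        """Record one login attempt and return 'ok', 'bad_password' or 'locked'."""
        if self.is_locked(user, now):
            return "locked"            # password is not even checked while locked
        st = self._state(user)
        if password_ok:
            st.failed = 0
            return "ok"
        st.failed += 1
        if st.failed >= self.max_failed:
            # Lock expires after lock_hours, or never if lock_hours is None
            st.locked_until = (datetime.max if self.lock_hours is None
                               else now + timedelta(hours=self.lock_hours))
        return "bad_password"

    def admin_unlock(self, user: str) -> None:
        """Manual reset, the only way out of a permanent lock."""
        self.accounts[user] = AccountState()


def simulate(lock_hours: Optional[int]) -> Dict[str, object]:
    """A robot fires 15 wrong passwords at 'alice' within 15 seconds; alice
    then logs in correctly 1 hour and 5 hours later (constructed scenario)."""
    guard = LoginGuard(max_failed=10, lock_hours=lock_hours)
    t0 = datetime(2007, 5, 8, 20, 0)
    robot: List[str] = [guard.attempt("alice", False, t0 + timedelta(seconds=i))
                        for i in range(15)]
    after_1h = guard.attempt("alice", True, t0 + timedelta(hours=1))
    after_5h = guard.attempt("alice", True, t0 + timedelta(hours=5))
    guard.admin_unlock("alice")
    after_admin = guard.attempt("alice", True, t0 + timedelta(hours=5))
    return {
        "passwords_actually_checked": robot.count("bad_password"),
        "robot_attempts_refused": robot.count("locked"),
        "after_1h": after_1h,
        "after_5h": after_5h,
        "after_admin_unlock": after_admin,
    }


if __name__ == "__main__":
    print("timed 4h lock:   ", simulate(4))
    print("permanent lock:  ", simulate(None))
```

With the timed policy the robot gets exactly 10 guesses evaluated per 4-hour window and the legitimate user is locked out only until the window passes; with the permanent policy the same 15 guesses keep the account unusable until someone runs the equivalent of `admin_unlock`. The legitimate user's own failed guesses count toward the same threshold, so the value chosen for `max_failed` should leave room for ordinary typos.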



Attached File

No Files Currently Attached

Change

No changes have been made to this artifact.