One of the most common threats to website security is the theft of user accounts. To compromise an account, attackers use a simple method: they try to guess the account's password, either by combining different characters or by selecting passwords from a dictionary. This threat can be easily eliminated by introducing a limit on invalid logon attempts, which means the account is locked after an incorrect password has been entered the specified number of times. Users cannot log in to a locked account.
You can limit the number of allowed invalid logon attempts in Settings -> Security & Membership -> Protection, in the Invalid logon attempts group, which contains the following settings:
• Maximum invalid logon attempts - specifies the number of logon attempts the user can make before the system locks their account and denies access. If set to zero, account locking is disabled.
• Send unlock account e‑mail - indicates whether an e‑mail should be sent to the user if their account gets locked.
• Unlock user account path - allows selecting the path (or typing in the URL) of a custom page on which the user can unlock their account.
When you edit a user in Site Manager -> Administration -> Users, you can view the number of invalid logon attempts the user made in the Invalid logon attempts field. To reset the number back to zero and unlock (enable) the user's account in case the user has reached the limit, click the Reset button.
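The locking behaviour described above, modelled as an added example (this is not the product's own code): the class and function names are hypothetical, the events are constructed, and clearing the counter on a successful logon is an assumption the page does not state.

```python
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    """Model of the 'Maximum invalid logon attempts' setting; 0 disables locking."""
    max_invalid_attempts: int
    invalid_attempts: dict = field(default_factory=dict)  # user -> failed count
    locked: set = field(default_factory=set)

    def logon(self, user: str, password_ok: bool) -> str:
        # A locked account is refused even when the password is correct.
        if user in self.locked:
            return "locked"
        if password_ok:
            # Assumption: a successful logon clears the counter.
            self.invalid_attempts.pop(user, None)
            return "ok"
        count = self.invalid_attempts.get(user, 0) + 1
        self.invalid_attempts[user] = count
        # Zero means account locking is disabled, so failures are only counted.
        if self.max_invalid_attempts > 0 and count >= self.max_invalid_attempts:
            self.locked.add(user)
            return "locked"
        return "denied"

    def reset(self, user: str) -> None:
        """Equivalent of the Reset button: counter back to zero, account unlocked."""
        self.invalid_attempts.pop(user, None)
        self.locked.discard(user)


def replay(policy, events):
    """Run (user, password_ok) events through the policy and return each outcome."""
    return [policy.logon(user, ok) for user, ok in events]


# Constructed sample: three wrong guesses against "alice", then the right password.
SAMPLE_EVENTS = [("alice", False), ("alice", False), ("alice", False),
                 ("alice", True), ("bob", True)]

if __name__ == "__main__":
    policy = LockoutPolicy(max_invalid_attempts=3)
    print(replay(policy, SAMPLE_EVENTS))
    policy.reset("alice")
    print(policy.logon("alice", True))
```

With the limit set to 3, the third wrong guess locks the account and the correct password is then refused until the account is reset; with the limit set to 0, guessing is never interrupted.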