Not a developer? Go to


Account Lockout

This feature was introduced in Movable Type 5.13.

Account lockout is a feature to protect your Movable Type account from a password-guessing attack known as a brute force attack or a dictionary attack. Movable Type locks out accounts after defined number of incorrect password attempts.

Movable Type monitors the sign-in attempts on mt.cgi (admin script), mt-comment.cgi (comment script) and mt-cp.cgi (community script), but external authentications such as OpenID are not monitored.

Configure lockout policies

You can configure lockout policies at the system level. The default settings are:

  • A Movable Type user will be locked out if he or she submits an incorrect password 6 or more times within 1800 seconds.
  • An IP address will be locked out if 10 or more incorrect login attempts are made within 1800 seconds from the same IP address.

To change the settings:

  1. Select [System] under Navigation.
  2. Select [Settings] > [General] in the Side Menu.
  3. Change “Lockout Settings” and click [Save Changes] button.

Lockout Settings have following parameters.

  • Recipients for lockout notification
    The system administrators whom you wish to notify if a user or an IP address is locked out. If no administrators are selected, notifications will be sent to the ‘System Email’ address.
  • User lockout policy
    Specify a number of incorrect password attempts to lockout, and the duration.
  • IP address lockout policy
    Specify a number of incorrect password attempts from a single IP to lockout, and the duration. You can also specify a white list of IPs to exclude from the lockout.

Recover from the lockout

If a user or an IP address is locked out, Movable Type sends notification emails to the system administrator and the email of the locked-out account. You can recover from the lockout by either of by either of following methods.

  • Click URL in the notification email to unlock your account.
  • The user or IP lockout will be unlocked automatically after the configured duration ( the default is 1800 seconds ).
  • A system administrator can unlock any accounts with the following steps:
    1. Sign-in as a system administrator.
    2. Select [System] under Navigation.
    3. Select [Users] > [Manage] in the Side Menu.

    4. Select “Locked out Users” from the Filter.
    5. Select users from the list, and click [Unlock] button.

New configuration directives

The following configuration directives were added for the lockout function.

For developers

The following callbacks were introduced for developers.