Secure > Enhance site security
Set up an account lockout policy
The Account Lockout Policy page of the Administration Console allows you to set up an account lockout policy for different user roles within WebSphere Commerce. This page lists all existing account lockout policies including any predefined ones supplied with WebSphere Commerce by default. An account lockout policy disables a user account if malicious actions are launched against that account in order to reduce the chances that the actions compromise the account.
An account lockout policy enforces the following items:
- The account lockout threshold. This is the number of invalid logon attempts before the account is disabled.
- Consecutive unsuccessful login delay. This is the time period for which the user is not allowed to login, after two failed attempts to login. The delay gets incremented by the configured time delay value (for example, 10 seconds) with every consecutive login failure.
Procedure
- Open the Administration Console and select Site on the Administration Console Site/Store Selection page.
- Click Security > Account Lockout Policy.
- The Account Lockout Policy page lists all existing account lockout policies. On this page:
- You can create a new policy by clicking New.
- Enter a name for the account lockout policy in the Name field (for example, my_policy).
- Enter an account lockout threshold in the Account lockout threshold field. For example, enter 6 (for six attempts)
- Enter the consecutive unsuccessful login delay in seconds in the Wait time field. For enter 10 (for ten seconds).
- Click OK.
- You can change the characteristics an existing policy by selecting the policy in the list and clicking Change.
- You can delete an existing policy by selecting the policy in the list and clicking Delete.
- You cannot delete an account lockout policy if it is in use (that is, a user is assigned to the account lockout policy).
- Account lockout policies are enforced only if users are authenticated against the WebSphere Commerce database.