silverstripe

How can I change the configuration for Failed Login Attempts for Member Authentication


If a member gets their login wrong a couple of times, they get logged out for 15 mins. Is this configurable? To say 6 times, locked for 30?


Solution

  • Yes, you can see the configuration properties on the Member class:

        /**
         * @config
         * @var Int Number of incorrect logins after which
         * the user is blocked from further attempts for the timespan
         * defined in {@link $lock_out_delay_mins}.
         */
        private static $lock_out_after_incorrect_logins = 10;
    
        /**
         * @config
         * @var integer Minutes of enforced lockout after incorrect password attempts.
         * Only applies if {@link $lock_out_after_incorrect_logins} greater than 0.
         */
        private static $lock_out_delay_mins = 15;
    

    Modify them in your project's configuration files:

    # File: app/_config/security.yml
    SilverStripe\Security\Member:
      lock_out_after_incorrect_logins: 6
      lock_out_delay_mins: 30
    

    Ensure you flush your cache after changing YAML configuration files.
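To confirm the new thresholds actually take effect (rather than trusting the YAML was picked up), a small SapphireTest can drive the lockout logic directly. This is an added example, not part of the original answer or of SilverStripe's own test suite. It assumes SilverStripe 4.x, where Member exposes registerFailedLogin(), registerSuccessfulLogin() and isLockedOut(), DBDatetime::set_mock_now() lets a test move the clock, and the lockout values are applied in memory with Config::modify() instead of the YAML file above. The email address and timestamps are constructed for the test.

```php
<?php
// Added example (assumes SilverStripe 4.x API; not the original answer's code).
namespace App\Tests;

use SilverStripe\Core\Config\Config;
use SilverStripe\Dev\SapphireTest;
use SilverStripe\ORM\FieldType\DBDatetime;
use SilverStripe\Security\Member;

class MemberLockoutTest extends SapphireTest
{
    // A real Member row is written, so a test database is needed.
    protected $usesDatabase = true;

    protected function setUp(): void
    {
        parent::setUp();
        // Same values as the YAML in the answer, applied in memory for this test only.
        Config::modify()->set(Member::class, 'lock_out_after_incorrect_logins', 6);
        Config::modify()->set(Member::class, 'lock_out_delay_mins', 30);
    }

    protected function tearDown(): void
    {
        DBDatetime::clear_mock_now();
        parent::tearDown();
    }

    public function testSixFailuresLockFor30Minutes()
    {
        DBDatetime::set_mock_now('2024-01-01 12:00:00'); // constructed timestamp
        $member = Member::create(['Email' => 'lockout-test@example.com']); // constructed address
        $member->write();

        // Five failures: still below the threshold, so no lockout yet.
        for ($i = 0; $i < 5; $i++) {
            $member->registerFailedLogin();
        }
        $this->assertFalse($member->isLockedOut());

        // The sixth failure reaches lock_out_after_incorrect_logins and sets LockedOutUntil.
        $member->registerFailedLogin();
        $this->assertTrue($member->isLockedOut());

        // 29 minutes later the lock still holds ...
        DBDatetime::set_mock_now('2024-01-01 12:29:00');
        $this->assertTrue($member->isLockedOut());

        // ... and is released once lock_out_delay_mins (30) has elapsed.
        DBDatetime::set_mock_now('2024-01-01 12:31:00');
        $this->assertFalse($member->isLockedOut());

        // A successful login clears the failure counter for the next cycle.
        $member->registerSuccessfulLogin();
        $this->assertEquals(0, $member->FailedLoginCount);
    }
}
```

Run it with `vendor/bin/phpunit app/tests/MemberLockoutTest.php` (path assumed). Because the counter and LockedOutUntil live on the Member record, a failing assertion here usually means the YAML was not read (cache not flushed) or a different class is being configured than the one the authenticator uses.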