Since XWiki 11.6 we have support to block users after too many attempts to log in withe the wrong password:
https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/11.6/#HAuthenticationSecurityModule
However I did not notice it and implemented something similar:
https://extensions.xwiki.org/xwiki/bin/view/Extension/Blocking%20Authenticator%20-%20UI/
If you run an older version of XWiki, you might find this interesting.
However if you run XWiki 11.6 or higher, I recommend you use the build in solution, which is easier to install (and probably better supported). If there is enough interest I might release a 2.0 version that fits into the new framework to handle authentication failures introduced with XWiki 11.6.
This extension differs from the XWiki platform solution in the following aspects:
- it implements its own authenticator and is thus somewhat more difficult to install (you need to configure the new authenticator in the xwiki.cfg and restart the wiki afterwards
- also it does not work with LDAP authentication for similar technical reasons
- blockages of users are only temporarily and go away after a (configurable) time without admin intervention
- there is not “Captcha” strategy - blocked means blocked
- also the information about which users are blocked are only hold in memory and not in persistent storage, so if you restart the wiki, this information goes away
- it also allows to block by IP - I do not think much about it, as password crackers seem to use botfarms with lots of different IPs, but the people who asked me to implement the extension wanted to give this feature a try
As I said, this is mostly interesting to use with older XWiki versions, but if there is enough interest I might update this to extend the new feature in XWiki 11.6 to supply an alternative strategy to handle login failures.