Login Security

The Login Security extension provides more logging and alerts about who is accessing your CiviCRM instance.

  • Keeps a history of recent devices that accessed CiviCRM (with their IP and browser fingerprint). It works for logged-in users, checksum access and API access. Note that it does not keep a full log of pages viewed, only a log of devices. The "last seen" is updated every 15 minutes.
  • Provides a global report for administrators.
  • Provides a CiviCRM Status Check if there are too many unsuccessful logins (currently supports only Drupal7 and Drupal8/9).
  • Can send an email notification to the user and/or to administrators when someone accesses your CiviCRM instance.

It aims to help improve the security of CiviCRM by adding more auditing features, but it is by no means a magic bullet for security.

Getting Started

Download and enable the extension as any other CiviCRM extension. For more information on installing extensions, see the CiviCRM System Administrator Guide.

Once installed, the extension can be configured from the Administration > System Settings > Login Security menu item.

  • User Notifications: If enabled, CiviCRM will send an email notification to users when they access CiviCRM.
  • Admin Notifications: If enabled, CiviCRM will send an email notification to administrators when any user accesses CiviCRM.
  • Admin Emails: If the previous option was enabled, the email addresses to notify administrators may be entered here. In other words, CiviCRM will not notify everyone with administrative permissions, only the emails in this setting.

As you may notice in the settings form, the notifications have two options:

  • Only for new devices or locations: Since IP addresses, location and browser fingerprint are recorded, the extension can notify only for new devices. This helps avoid having too many notifications for daily users.
  • For every new session: Notifications will always be sent.

Finally, the above checks are done for new sessions. A session starts when a user logs in and first accesses the CiviCRM instance. They may stay logged in for a few hours or for a few days, depending on the settings of the content management system, which handles logins.

Regular users may see their access history by going to their contact record, then accessing the "Access History" tab.

Viewing the Access History of a Contact

Administrators may see the access history of any contact. A contact may also view their own access history.

To view the access history of a specific contact, go to their CiviCRM contact record, then click on the Access History tab.

Screenshot of the Access History screen

Access History Report

A report of recent accesses is available and may be viewed by administrators. There is also a dashlet available that can be added to the CiviCRM dashboard.

Alerts for unsuccessful logins

If using CiviCRM on Drupal, this extension will automatically check for unsuccessful logins. If there are more than 10 unsuccessful logins in the past hour, a 'critical' alert will be displayed in the CiviCRM Status Check. This can help detect attempts to guess passwords.

The main reason this was implemented as a Status Check is so that hosting providers who monitor this check will automatically receive notifications for these alerts.

Screenshot of the Status Check screen

Running CiviCRM behind a proxy

If CiviCRM is hosted behind a proxy, such as CloudFlare or Varnish, this will have an impact on which IP address is logged. If this is the case, there is a setting that can be enabled under Administer > System Settings > Login Security. However, this must only be enabled if you are behind a proxy; otherwise it allows visitors to fake their IP address. Enabling this also assumes that the firewall is blocking all requests except those from the proxy.

Technically, a proxy typically sets the HTTP_X_FORWARDED_FOR server variable, and this is what Login Security will use if the setting is enabled. However, if CiviCRM is not accessed via the proxy, then the browser can set its own value in HTTP_X_FORWARDED_FOR, which would result in IP spoofing.
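The trust decision described above, as an added PHP example (not the extension's own code): the header is used only when the setting is on and the connection itself comes from a known proxy. The function names, the trusted-proxy list and the sample addresses are assumptions; checking REMOTE_ADDR against a proxy list is an extra safeguard on top of the firewall rule the extension relies on.

```php
<?php
// Added example: hypothetical helpers, not part of the Login Security extension.

/** True if $ip is inside $cidr (IPv4 or IPv6, e.g. "203.0.113.0/24"). */
function ip_in_cidr(string $ip, string $cidr): bool {
  [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
  $ipBin = @inet_pton($ip);
  $netBin = @inet_pton($net);
  if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
    return false; // invalid input, or IPv4 compared with IPv6
  }
  $max = strlen($ipBin) * 8;
  $bits = $bits === null ? $max : max(0, min($max, (int) $bits));
  $bytes = intdiv($bits, 8);
  if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) {
    return false;
  }
  if ($bits % 8 === 0) { return true; }
  $mask = (0xFF << (8 - $bits % 8)) & 0xFF; // compare the partial last byte
  return (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

/** Returns the address to log for this request. */
function resolve_client_ip(array $server, bool $behindProxy, array $trusted): string {
  $remote = $server['REMOTE_ADDR'] ?? '';
  $isTrusted = function (string $ip) use ($trusted): bool {
    foreach ($trusted as $cidr) {
      if (ip_in_cidr($ip, $cidr)) { return true; }
    }
    return false;
  };
  // Setting off, or the request did not arrive through the proxy: the header
  // is whatever the client chose to send, so ignore it.
  if (!$behindProxy || !$isTrusted($remote) || empty($server['HTTP_X_FORWARDED_FOR'])) {
    return $remote;
  }
  // Walk right to left: the rightmost entries were appended by our proxies,
  // anything further left may have been supplied by the client.
  foreach (array_reverse(explode(',', $server['HTTP_X_FORWARDED_FOR'])) as $hop) {
    $hop = trim($hop);
    if (filter_var($hop, FILTER_VALIDATE_IP) === false) { return $remote; }
    if (!$isTrusted($hop)) { return $hop; }
  }
  return $remote;
}

// Constructed sample requests using documentation address ranges.
$proxies = ['203.0.113.0/24'];
$viaProxy = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '10.9.9.9, 198.51.100.23'];
$direct = ['REMOTE_ADDR' => '192.0.2.50', 'HTTP_X_FORWARDED_FOR' => '10.9.9.9'];
echo resolve_client_ip($viaProxy, true, $proxies), "\n";
echo resolve_client_ip($direct, true, $proxies), "\n";
```

In the first request the client-supplied leftmost entry is skipped in favour of the address the proxy appended; in the second the header is ignored because the connection did not come from the proxy.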

If you are not sure, please contact your hosting provider.

Using MaxMind's GeoIP database

To display the country of origin of an IP address, the GeoIP GeoLite2 database by MaxMind must be downloaded. The free (no-cost) database includes the city and country. The paid service subscription provides more precise data.

To download, create an account with MaxMind (link below), then download the databases (for country, and optionally, city).

Then copy the files to loginsecurity/db/country.mmdb and loginsecurity/db/city.mmdb on the CiviCRM server.

For more information:
https://dev.maxmind.com/geoip/geolite2-free-geolocation-data?lang=en

This is completely optional. If the databases are not present, the extension will simply not display the 'Location' column.

Why a CiviCRM extension?

We wanted a solution that explicitly supported CiviCRM-specific features (API, checksum) and also tied into CiviCRM's reports and status check (for monitoring). Having details of access to the CMS only was not a concern, only access to CiviCRM.

Furthermore, Symbiotic supports Drupal7, Drupal8 and WordPress, so we wanted something that worked on all CMSes in the same way. Most of our clients barely use the CMS, and one day if CiviCRM Standalone is revived, this extension will already support it.

Support

Please post bug reports in the issue tracker of this project:
https://lab.civicrm.org/extensions/loginsecurity/issues

Paid support options are available from Coop SymbioTIC:
https://www.symbiotic.coop/en

Coop Symbiotic is a worker-owned co-operative based in Canada. We have strong experience working with non-profits and CiviCRM. We provide affordable, fast, turn-key hosting with regular upgrades and proactive monitoring, as well as custom development and training.