I have a CMS coded in standard PHP. It has a login where my client can login to their admin to make changes to their website. The login is simply a PHP page that refers to the variables held in the mysql database and if login is successful then it logs them in. If they do not enter login details correctly, then it informs them the details are incorrect and allows them to try again any number of times (not good). There is already a "forgot password" function coded which works fine.
I require enhanced protection for this login such that:
1. To test the login for any vulnerability, i.e. SQL injection / XSS etc.
2. To implement an effective captcha (not just hard to read characters but something better for you to suggest that is easy for humans but very hard/impossible for computers).
3. If they fail to login, it will tell them they have x more attempts before they are locked out. If they get locked out, they can no longer login and I will automatically get an email notifying me of the website that has had x failed attempts with IP address, day and time stamp. I would like to be able to specify how many attempts are possible.
4. After my client has successfully logged in, my clients can see in the logged in page information of the last 20 successful or failed login attempts with IP addresses, and the day and time stamp of the login attempt.
If you are interested, please let me know if you have any ideas of how the captcha can be implemented with any examples...and if you understand the above requirements or have any questions. I would ideally like to see any login you have implemented and general comments of my requirements.
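As an added illustration of requirements 3 and 4 (this is example code written for this page, not the poster's CMS), the PHP below counts failed logins per account against a configurable threshold, locks the account when the threshold is reached, hands a notification message with IP, day and time to a caller-supplied callable, and returns the last 20 attempts for display. It assumes a SQLite in-memory database so it runs stand-alone; the table names, the `MAX_ATTEMPTS` value, the sample account and the site name are constructed for the example and would be replaced by the CMS's own MySQL tables and settings.

```php
<?php
// Added example, not the poster's code: failed-login counting with a configurable
// lockout threshold, an admin notification hook, and a "last 20 attempts" query.
// Uses SQLite via PDO so it runs stand-alone; a real CMS would point the DSN at MySQL.
declare(strict_types=1);

const MAX_ATTEMPTS = 5;   // attempts allowed before lockout (assumed value, change freely)

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL,
                    failed_count INTEGER NOT NULL DEFAULT 0, locked INTEGER NOT NULL DEFAULT 0)');
        $pdo->exec('CREATE TABLE login_attempts (id INTEGER PRIMARY KEY AUTOINCREMENT,
                    username TEXT NOT NULL, ip TEXT NOT NULL, success INTEGER NOT NULL,
                    attempted_at INTEGER NOT NULL)');
        // Constructed sample account; password_hash() stores a salted hash, never the password itself.
        $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
            ->execute(['admin', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    }
    return $pdo;
}

// Every attempt, successful or not, is written with IP and Unix timestamp (requirement 4).
function recordAttempt(string $username, string $ip, bool $success): void {
    db()->prepare('INSERT INTO login_attempts (username, ip, success, attempted_at) VALUES (?, ?, ?, ?)')
        ->execute([$username, $ip, $success ? 1 : 0, time()]);
}

// Text of the notification email (requirement 3). Sending is left to a callable so the
// example runs offline; in production pass a wrapper around mail() or a mail library.
function lockoutMessage(string $site, string $username, string $ip, int $failures): string {
    return sprintf("Site: %s\nAccount '%s' locked after %d failed logins.\nLast attempt from %s on %s\n",
        $site, $username, $failures, $ip, date('l, Y-m-d H:i:s T'));
}

function attemptLogin(string $username, string $password, string $ip, ?callable $notify = null): array {
    $pdo = db();
    // Prepared statements with bound parameters are what keeps this query free of SQL injection.
    $st = $pdo->prepare('SELECT password_hash, failed_count, locked FROM users WHERE username = ?');
    $st->execute([$username]);
    $user = $st->fetch(PDO::FETCH_ASSOC);

    if ($user !== false && (int) $user['locked'] === 1) {
        recordAttempt($username, $ip, false);   // a locked account is refused even with the right password
        return ['ok' => false, 'locked' => true, 'remaining' => 0];
    }
    $ok = $user !== false && password_verify($password, $user['password_hash']);
    recordAttempt($username, $ip, $ok);

    if ($ok) {
        $pdo->prepare('UPDATE users SET failed_count = 0 WHERE username = ?')->execute([$username]);
        return ['ok' => true, 'locked' => false, 'remaining' => MAX_ATTEMPTS];
    }
    if ($user === false) {
        // Unknown username: answer exactly like a first failure so the message
        // does not reveal which usernames exist.
        return ['ok' => false, 'locked' => false, 'remaining' => MAX_ATTEMPTS - 1];
    }
    $failed = (int) $user['failed_count'] + 1;
    $locked = $failed >= MAX_ATTEMPTS ? 1 : 0;
    $pdo->prepare('UPDATE users SET failed_count = ?, locked = ? WHERE username = ?')
        ->execute([$failed, $locked, $username]);
    if ($locked === 1 && $notify !== null) {
        $notify(lockoutMessage('example-client-site', $username, $ip, $failed));
    }
    return ['ok' => false, 'locked' => $locked === 1, 'remaining' => max(0, MAX_ATTEMPTS - $failed)];
}

// Requirement 4: the most recent attempts for display on the admin page after login.
function lastAttempts(string $username, int $limit = 20): array {
    $st = db()->prepare('SELECT ip, success, attempted_at FROM login_attempts
                          WHERE username = ? ORDER BY id DESC LIMIT ?');
    $st->bindValue(1, $username);
    $st->bindValue(2, $limit, PDO::PARAM_INT);
    $st->execute();
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// Demo with constructed values: four wrong passwords, then a fifth that triggers the lockout.
$notify = static function (string $body): void { echo "--- email to site owner ---\n$body"; };
for ($i = 1; $i <= MAX_ATTEMPTS; $i++) {
    $r = attemptLogin('admin', "wrong-password-$i", '203.0.113.7', $notify);
    echo $r['locked'] ? "Account locked.\n" : "Login failed, {$r['remaining']} attempt(s) remaining.\n";
}
$r = attemptLogin('admin', 'correct horse battery staple', '203.0.113.7', $notify);
echo $r['ok'] ? "Logged in\n" : "Still locked, correct password refused\n";
foreach (lastAttempts('admin') as $row) {
    printf("%s  %-7s  %s\n", date('D Y-m-d H:i:s', (int) $row['attempted_at']),
           $row['success'] ? 'success' : 'FAILED', $row['ip']);
}
```

Two points for whoever wires this into the CMS: take the IP from `$_SERVER['REMOTE_ADDR']` rather than from a client-supplied header such as `X-Forwarded-For`, unless the site sits behind a proxy you control, and run every logged value (IP included) through `htmlspecialchars()` before it is printed on the admin page, since the attempt log is attacker-controlled text and is otherwise an easy XSS vector. The unlock path is deliberately left to an admin action that sets `locked = 0` and `failed_count = 0`, matching the request that a locked-out account "can no longer login" until the owner intervenes.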