User accounts and Mail setup?

For Issue #1 regarding changing the brute force protection settings

I found the following info.

Also, this is a link to the documentation, but it’s very sparse.

Looks like the file to edit is located in here: ghost/current/core/server/config/
It’s called defaults.json.
Look for the section that starts with “spam”: {
Any changes you make require a “ghost restart” from ghostcli to take effect.

As for actually unlocking a user when they trigger the spam prevention rules, I think I found the answer. Here are all the details I found along the way.

Looks like Ghost is using a brute-force protection middleware called express-brute. The data is stored in the MySQL database with brute-knex, in the “brute” table. There are 5 columns in the brute table: key, firstRequest, lastRequest, lifetime, count. Count is incremented by one every time you fail a login, but setting it to 0 doesn’t reset the “too many login attempts” message.

What worked for me was deleting the row in the DB where the count was increased. This unlocked the user. I’m a noob at this and this is most likely very unsafe; try it at your own risk.

1 Like
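The manual unlock described in the post above, written out as MySQL statements. This is an added example, not part of the original post and not Ghost's own tooling. It assumes the table and column names listed in the post; the key value is a constructed placeholder that you replace with the value from the first query.

```sql
-- Added example. Run the statements one at a time in the mysql client,
-- against the Ghost database, so you can check each result before going on.
-- `key` is a reserved word in MySQL, so it must be quoted with backticks.

-- 1. Look at the entries with the most failed attempts, newest first.
SELECT `key`, firstRequest, lastRequest, lifetime, `count`
FROM brute
ORDER BY `count` DESC, lastRequest DESC
LIMIT 10;

-- 2. Copy the exact key of the single row you intend to clear.
--    The value below is a placeholder, not a real key.
SET @locked_key = 'PLACEHOLDER_KEY_FROM_STEP_1';

-- 3. Delete only that row, inside a transaction so it can be undone.
START TRANSACTION;

DELETE FROM brute
WHERE `key` = @locked_key;

-- Must be read immediately after the DELETE. Expect exactly 1.
SELECT ROW_COUNT() AS rows_deleted;

-- 4. If rows_deleted is 1, keep the change:
COMMIT;
--    If it is anything else, run ROLLBACK; instead of COMMIT and
--    re-check the key you copied in step 2.
```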