How to implement CAPTCHA on your WordPress Login Page

July 8, 2022

WordPress is vulnerable to Brute Force attacks. This is when the attacker will keep on trying to guess the password for a WordPress account, all the while assuming that they know the username. This can be done manually or with a script.

A would-be hacker, in most cases, simply needs to know the login URL, username and password in order to gain access to a given web site’s admin or Control Panel. While making a guess at all three things accurately might seem impossible, really the majority of time, 2 of them are presented on a silver platter.

A default installation of WordPress uses /wp-login.php as the login page. That’s one down. Next, most users will leave the default username of “admin” when setting up WordPress. That’s two down. Now a hacker just needs to guess the password.

During a Brute Force attack a system is in place to test various combinations of letters and sometimes numbers to “guess” at the password until successful. There are many very simple things that can be done to circumvent this practice.

“Login CAPTCHA” is just one feature that our WordPress security plugin utilizes as a “Brute Force” prevention technique.

Essentially what it does is presents a mathematical question that the user must answer before gaining access to the WordPress Dashboard. The CAPTCHA must be answered correctly along with the proper username and password in order to gain access.

Therefore, even if the login URL is known, the “admin” username is used, and a dictionary-based (i.e. weak) password is in effect, the odds of a successful Brute Force attack by a non-human diminish significantly.