WordPress is vulnerable to Brute Force attacks, in which the attacker keeps guessing the password for a WordPress account while assuming that the username is already known. This can be done manually or with a script.
A would-be hacker, in most cases, simply needs to know the login URL, username and password in order to gain access to a given web site’s admin or Control Panel. While guessing all three accurately might seem impossible, in the majority of cases two of them are handed over on a silver platter.
A default installation of WordPress uses /wp-login.php as the login page. That’s one down. Next, most users will leave the default username of “admin” when setting up WordPress. That’s two down. Now a hacker just needs to guess the password.
During a Brute Force attack an automated tool tests combinations of letters (and sometimes numbers) to “guess” the password until it succeeds. There are several very simple things that can be done to defend against this practice.
A user may adopt one or more of the following practices to limit the chances of a hacker successfully gaining access via a Brute Force attack:
- use a username other than “admin” for the Administrator account
- limit login attempts
- use a strong password
- implement CAPTCHA on the WordPress login screen
- change the default login URL
Using CAPTCHA for WordPress Login
In this article I will explain how to implement CAPTCHA on the WordPress login page using the free All In One WP Security & Firewall plugin.
“Login CAPTCHA” is just one feature that this plugin utilizes as a “Brute Force” prevention technique.
Essentially, it presents a mathematical question that the user must answer before gaining access to the WordPress Dashboard. The CAPTCHA must be answered correctly, in addition to supplying the proper username and password, in order to gain access.
Therefore, even if the login URL is known, the “admin” username is in use, and a dictionary-based (i.e. weak) password is in effect, the odds of a successful Brute Force attack by a non-human diminish significantly.
Steps for Adding CAPTCHA to the WordPress Login Page
Update: The “Login Captcha” feature is under the “Brute Force” menu now.
Here are the steps to follow:
- Download, install and activate the All In One WP Security & Firewall plugin.
- In the WP Security menu choose Brute Force.
- From the tabs across the top, choose Login Captcha.
- Put a checkmark next to Enable Captcha On Login Page.
- Click the Save Settings button.
Now log out and log back in to test this security feature.
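As an added example from the defender’s side (not code from this article or from the plugin), here is the “limit login attempts” idea expressed as detection: the Python script below scans web-server access-log lines for repeated failed POSTs to /wp-login.php from one address. The log lines are constructed, and the threshold and time window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in combined log format; not real traffic.
# A default WordPress install re-renders /wp-login.php with HTTP 200 on a
# failed login and answers 302 (redirect to the dashboard) on success.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 4523 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4610 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4610 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4610 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 4610 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:43 +0000] "POST /wp-login.php HTTP/1.1" 200 4610 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:14:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4610 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:02:35 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def failed_logins(log_text):
    """Return {ip: [timestamps]} of POSTs to /wp-login.php that were not redirected."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of crashing on odd input
        if m["method"] != "POST" or m["path"].split("?")[0] != "/wp-login.php":
            continue
        if m["status"] != "200":
            continue  # 302 is a successful login; anything else is not a re-rendered form
        attempts[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    return attempts

def flag_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """IPs with at least `threshold` failed login POSTs inside any span of `window` length."""
    flagged = {}
    for ip, times in failed_logins(log_text).items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip] = len(times)  # total failed attempts seen from this address
                break
    return flagged

if __name__ == "__main__":
    for ip, n in flag_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed login attempts - candidate for lockout")
```

The same threshold-and-window rule is what a login-lockdown feature applies at request time; running it over the access log shows which addresses it would have stopped.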
@Bob, Look in the Bruteforce menu of the security plugin.
I am using Version v3.8.4 and there is no Captcha option at the top of the Login section. Only: Login Lockdown, Failed Login Records, Force Logout, Account Activity Logs and Logged In Users. The Captcha option used to be there, but I cannot find it anywhere now.
WordPress is truly a gift, I love creating content with it 🙂
@Andrew, It is under the “Brute Force” menu.
I am on Version v3.6 and there is no Captcha option at the top of the Login section. Only: Login Lockdown, Failed Login Records, Force Logout, Account Activity Logs and Logged In Users.
Was this feature retired or does it now reside somewhere else?
I am a user of several plugins, like emember and estore, which are fantastic working plugins, and your tips, like the captcha install for the login, are just awesome. Thanks for your great tools and getting us these tips and tricks on a regular basis. It is greatly appreciated.
Just saying thank you for all the nice WordPress tutorials you have shared!