Skip to contentSkip to main navigation Skip to footer

Lesson 2 – How to Activate Brute Force Protection

In the previous lesson, you learned how to customize the common WordPress paths.

Now it’s time to learn how to protect the custom wp-login path from Brute Force attacks if you make it public for subscribers.

Note! You need to be aware that you don’t need to have just one login path. If your theme has a login path for subscribers, you can activate the theme’s security for that URL and have your own secret login path withHide My WP Ghost.

Good, now that you have set a login path in Hide My WP Ghost, it’s time to activate the Brute Force attack protection for it.

Step 1. Activate Brute Force Protection

Go to “Hide My WP > Brute Force” and switch on the feature. You will notice that the options “Math reCaptcha“, “Google reCaptcha V2” and “Google reCaptcha V3” appear. In the free version, you can only use Math Captcha, so let’s select it.

Step 2. Set the Math reCaptcha

Enter the number of failed attempts a user can have before the block message appears. The math fail attempts are not counted by the Math reCaptcha.

On every fail, the user will see the remaining number of fail attempts before the lockout occurs. If the user reaches the maximum number of fails you have set, they will not be able to access the login page for 3600 seconds (1 hour), or the number of seconds you have set in the “Ban duration” field.

You can also set the Lockout Message” to show a custom lockout message on the login page.

Step 3. Whitelist and Blacklist

This step is important when you have a static IP address and you want to prevent your IP from being banned in case you forget the password. You can also set a range of IPs you what to whitelist (192.168.0.* or 192.168.*.*) – to cover a subclass of IPs.

Also, it’s important to be able to ban an IP address or a range of IPs known to be harmful or spammers. You can add a range (e.g. 192.168.0.* or 192.168.*.*) to cover a subclass of IPs.

Step 4. Google reCaptcha V2 & Google reCaptcha V3

If you have purchased the Hide My WP Ghost version of Hide My WordPress Plugin, you can select Google reCaptcha V2 or Google reCaptcha V3 and to protect the login process using Google security.

To setup Google reCaptcha, you need to follow the link and create a V2 or V3 reCaptcha. Add a unique Label, select the V2 or V3 Checkbox, and add your domain to the Domains list.

google recaptcha v2 setup

Once you register the new reCaptcha domain you will be redirected to a new page where you have access to the Site Key and the Secret Key.

site_key secret_key

Copy and paste the Site and Secret keys into Hide My WP Ghost and click “Save settings”. Now you can click on the reCaptcha Test button to make sure it’s working properly and you will not be locked out from your website.


If you followed all the above steps, you are protected from Brute Force attacks on your login page.

Note! To increase the security, make sure you avoid usernames like “administrator” or “admin” and passwords such as “123456”, which are the first credentials the hacker bots try – it will not need a second chance to get into your website’s admin area.

Feel free to contact us with feedback and suggestions here

In the next lesson you will learn how to protect your WordPress common paths and to make sure your website is hidden from Hacker Bots.