Lesson 2 – How to Activate Brute Force Protection

In the previous lesson, you learned how to customize the common WordPress paths.

Now it’s time to learn how to protect the custom wp-login path from Brute Force attacks if you make it public for subscribers.

Note! You are not limited to a single login path. If your theme has a login path for subscribers, you can activate the theme’s security for that URL and have your own secret login path in Hide My WP Ghost.

Good, now that you have set a login path in Hide My WP Ghost, it’s time to activate the Brute Force attack protection for it.

Step 1. Activate Brute Force Protection

Go to “Hide My WP Ghost > Brute Force” and switch on the feature. You will notice that the options “Math Captcha” and “Google reCaptcha” appear. In the free version, you can only select the Math Captcha, so let’s select it.

Step 2. Set the Math Captcha

Enter the number of failed attempts a user can have before the block message appears. The math fail attempts are not counted by the math captcha.

After every failed attempt, the user will see how many attempts remain before the lockout occurs. If the user reaches the maximum number of failed attempts you have set, they will not be able to access the login page for 3600 seconds (1 hour), or for the number of seconds you have set in the “Ban duration” field.

You can also set the “Lockout Message” to show a custom lockout message on the login page.

Step 3. Whitelist and Blacklist

This step is important when you have a static IP address and you want to prevent your IP from being banned in case you forget the password. You can also whitelist a range of IPs (192.168.0.* or 192.168.*.*) to cover a subclass of IPs.

It’s also important to be able to ban an IP address or a range of IPs known to be harmful or used by spammers. You can add a range (e.g. 192.168.0.* or 192.168.*.*) to cover a subclass of IPs.
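The lockout rules from Steps 2 and 3, modeled as an added example (this is not Hide My WP Ghost's own code). The class and function names, whitelist taking priority over blacklist, and the counter reset after a ban are assumptions made for illustration; the sample IPs are constructed.

```python
import ipaddress

def ip_matches(ip, pattern):
    """Octet-wise wildcard match: '192.168.1.*' must not match 192.168.10.7."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises on malformed input
    parts = pattern.split(".")
    return len(parts) == 4 and all(p in ("*", o) for p, o in zip(parts, octets))

class LoginGuard:
    """Model of the settings in Steps 2 and 3; not the plugin's code."""

    def __init__(self, max_fails, ban_seconds=3600, whitelist=(), blacklist=()):
        self.max_fails = max_fails        # failed attempts allowed before lockout
        self.ban_seconds = ban_seconds    # "Ban duration", 3600 s unless changed
        self.whitelist, self.blacklist = list(whitelist), list(blacklist)
        self.fails = {}                   # ip -> failed attempts so far
        self.banned_until = {}            # ip -> time (seconds) the ban ends

    def _listed(self, ip, patterns):
        return any(ip_matches(ip, p) for p in patterns)

    def status(self, ip, now):
        """'allowed' or 'blocked' for a request to the login page at time now."""
        if self._listed(ip, self.whitelist):   # assumption: whitelist wins
            return "allowed"
        if self._listed(ip, self.blacklist) or self.banned_until.get(ip, 0) > now:
            return "blocked"
        return "allowed"

    def record_failure(self, ip, now):
        """Count a failed login; return the attempts left before lockout."""
        if self._listed(ip, self.whitelist):
            return self.max_fails              # whitelisted IPs are never banned
        self.fails[ip] = self.fails.get(ip, 0) + 1
        remaining = self.max_fails - self.fails[ip]
        if remaining <= 0:
            self.banned_until[ip] = now + self.ban_seconds
            self.fails[ip] = 0                 # assumption: fresh counter after ban
            return 0
        return remaining

def demo():
    # Constructed sample values: three failures at t = 0, 10 and 20 seconds
    guard = LoginGuard(max_fails=3, whitelist=["192.168.0.*"], blacklist=["203.0.113.*"])
    left = [guard.record_failure("198.51.100.7", now=t) for t in (0, 10, 20)]
    return left, guard.status("198.51.100.7", 21), guard.status("198.51.100.7", 3620)

if __name__ == "__main__":
    print(demo())
```

Matching octet by octet matters when ranges are written as patterns: a plain string-prefix comparison would let a rule meant for 192.168.1.* also cover 192.168.10.* and beyond.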

Step 4. Google reCaptcha

If you have purchased the Hide My WP Ghost version of Hide My WordPress Plugin, you can select Google reCaptcha to protect the login process.

To set up Google reCaptcha, you need to follow the link https://www.google.com/recaptcha/admin#list and create a V2 reCaptcha. Add a unique Label, select the V2 Checkbox, and add your domain to the Domains list.

Once you register the new reCaptcha domain you will be redirected to a new page where you have access to the Site Key and the Secret Key.

Copy and paste the Site and Secret keys into Hide My WP Ghost and click “Save settings”. Now you can click on the reCaptcha test button to make sure it’s working properly and you will not be locked out from your website.


If you followed all the above steps, you are protected from Brute Force attacks on your login page.

Note! To increase the security, make sure you avoid setting the username to “admin” and passwords such as “123456”, which are the first credentials a hacker bot tries – it will not need a second chance to get into your website’s admin area.

Feel free to contact us with feedback and suggestions here

In the next lesson you will learn how to protect your WordPress common paths and to be sure your website is hidden from theme detectors.