WordPress Brute Force Protection with WP Ghost – reCAPTCHA and Login Limits
This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.
Protect WordPress login, registration, password reset, and comment forms from automated brute force attacks with WP Ghost. Add reCAPTCHA (Math, Google V2, V3, or Enterprise), set attempt limits, and configure lockout durations. Protection extends to WooCommerce login forms. This is a free feature.
Enable Brute Force Protection
Go to WP Ghost > Brute Force > Settings. Switch on Use Brute Force Protection. Select a reCAPTCHA type (Math, Google V2, V3, or Enterprise). Click Save.
Protected Forms
| Form | Setting location |
|---|---|
| Login Form | Enabled by default when Brute Force is active |
| Lost Password Form | Brute Force > Settings > Lost Password Form Protection |
| Sign Up Form | Brute Force > Settings > Sign Up Form Protection |
| Comment Form | Brute Force > Settings > Comment Form Protection |
| WooCommerce Login | Brute Force > WooCommerce > WooCommerce Support |
reCAPTCHA Options
Math reCAPTCHA — displays a simple math problem. No API keys, no Google dependency. Just activate and save.
Google reCAPTCHA V2 — the “I’m not a robot” checkbox. Requires a Google reCAPTCHA V2 Site Key and Secret Key from the Google reCAPTCHA admin.
Google reCAPTCHA V3 — invisible to users. Scores each request based on behavior. Requires V3 API keys.
Shared Settings
All reCAPTCHA types share lockout configuration: Max Failed Attempts (default: 5), Ban Duration (default: 1 hour), and Lockout Message (customizable). These apply regardless of which reCAPTCHA type you use.
Wrong Username Protection blocks IPs that submit login attempts with non-existent usernames, preventing username enumeration. It is not recommended for membership sites, where users may forget their exact username.
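The sketch below models how the shared lockout settings and Wrong Username Protection interact. It is an added example, not WP Ghost's code: the class, method names, and lockout message are hypothetical, and it assumes the attempt that reaches the limit triggers the ban and that an unknown username bans the IP on the first try.

```python
from dataclasses import dataclass, field

@dataclass
class LockoutPolicy:
    """Hypothetical model of the shared lockout settings (not plugin code)."""
    max_failed_attempts: int = 5            # page default
    ban_seconds: int = 3600                 # page default: 1 hour
    wrong_username_protection: bool = False
    lockout_message: str = "Too many failed attempts."  # constructed text
    known_users: set = field(default_factory=set)
    failures: dict = field(default_factory=dict, init=False)      # ip -> count
    banned_until: dict = field(default_factory=dict, init=False)  # ip -> epoch

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # Ban expired: forget the IP so it starts with a clean counter.
            del self.banned_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip, username, password_ok, now):
        """Return 'ok', 'failed' or 'locked' for one login attempt."""
        if self.is_banned(ip, now):
            return "locked"
        user_exists = username in self.known_users
        if self.wrong_username_protection and not user_exists:
            # Assumed behaviour: ban on the first non-existent username.
            self.banned_until[ip] = now + self.ban_seconds
            return "locked"
        if user_exists and password_ok:
            self.failures.pop(ip, None)     # success resets the counter
            return "ok"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.max_failed_attempts:
            self.banned_until[ip] = now + self.ban_seconds
            return "locked"
        return "failed"

if __name__ == "__main__":
    # Constructed scenario: a typo in the username locks out a real member,
    # which is why the option is discouraged on membership sites.
    policy = LockoutPolicy(known_users={"alice"}, wrong_username_protection=True)
    print(policy.attempt("198.51.100.9", "alise", False, now=0))   # locked
    print(policy.attempt("198.51.100.9", "alice", True, now=10))   # locked
```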
Frequently Asked Questions
Which reCAPTCHA type should I choose?
Math reCAPTCHA is simplest (no API keys). Google V3 is best for user experience (invisible). Google V2 is best for certainty (visible checkbox). Choose based on your priority.
Is this a free feature?
Yes. All brute force protection features including all reCAPTCHA types, attempt limits, lockout configuration, and WooCommerce support are free.
Does WP Ghost modify WordPress core files?
No. Brute force protection uses WordPress hooks. No core files are modified. Disabling it restores default login behavior.