In the previous lesson, you learned how to customize the common WordPress paths.

Now it’s time to learn how to protect the custom wp-login path from Brute Force attacks when you make it public for subscribers, and how to protect the comment forms from spammers.

Note! You are not limited to a single login path. If your theme has a login path for subscribers, you can activate the theme’s security for that URL and keep your own secret login path with WP Ghost.

Now that you have set a login path in WP Ghost, it’s time to activate the Brute Force attack protection for it.

Activate Brute Force Protection

Go to “WP Ghost > Brute Force” and switch on the feature. You will notice that the options “Math reCaptcha”, “Google reCaptcha V2” and “Google reCaptcha V3” appear.

Brute Force Options

Set the Math reCaptcha

Enter the number of failed attempts a user can have before the block message appears. Failed math answers are not counted by the Math reCaptcha.

After every failed attempt, the user will see the number of attempts remaining before the lockout occurs. If the user reaches the maximum number of failed attempts you have set, they will not be able to access the login page for 3600 seconds (1 hour), or the number of seconds you have set in the “Ban duration” field.

You can also set the “Lockout Message” to show a custom lockout message on the login page.

Whitelist and Blacklist

This step is important when you have a static IP address and you want to prevent your IP from being banned in case you forget the password. You can also set a range of IPs you want to whitelist (192.168.0.* or 192.168.*.*) to cover a subclass of IPs.

It’s also important to be able to ban an IP address or a range of IPs known to be harmful or to belong to spammers. You can add a range (e.g. 192.168.0.* or 192.168.*.*) to cover a subclass of IPs.
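The settings above (maximum failed attempts, ban duration, whitelist and blacklist ranges) can be modelled in a few lines to see how they interact and how many addresses a wildcard range really covers. This is an added example, not WP Ghost's own code: the names pattern_to_network and LoginGuard, the rule that the whitelist wins over the blacklist, and the sample IPs are assumptions.

```python
import ipaddress

def pattern_to_network(pattern):
    """Turn a trailing-wildcard pattern such as 192.168.0.* into a CIDR network."""
    octets = pattern.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {pattern!r}")
    fixed = []
    for octet in octets:
        if octet == "*":
            break
        fixed.append(octet)
    # Reject patterns like 192.*.0.1 (wildcard in the middle) or *.*.*.* (everything).
    if not fixed or any(o != "*" for o in octets[len(fixed):]):
        raise ValueError(f"wildcards must be trailing octets: {pattern!r}")
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{8 * len(fixed)}")

class LoginGuard:
    """Model of a per-IP lockout; ban_seconds defaults to the 3600 s named above."""

    def __init__(self, max_fails, ban_seconds=3600, whitelist=(), blacklist=()):
        self.max_fails = max_fails
        self.ban_seconds = ban_seconds
        self.whitelist = [pattern_to_network(p) for p in whitelist]
        self.blacklist = [pattern_to_network(p) for p in blacklist]
        self.fails = {}         # ip -> consecutive failed logins
        self.banned_until = {}  # ip -> timestamp when the ban expires

    def _listed(self, ip, networks):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in networks)

    def is_blocked(self, ip, now):
        if self._listed(ip, self.whitelist):  # assumption: whitelist takes precedence
            return False
        if self._listed(ip, self.blacklist):
            return True
        return now < self.banned_until.get(ip, 0)

    def record_failure(self, ip, now):
        """Count a failed login and return the attempts remaining (0 = locked out)."""
        if self._listed(ip, self.whitelist):
            return self.max_fails
        count = self.fails.get(ip, 0) + 1
        if count >= self.max_fails:
            self.banned_until[ip] = now + self.ban_seconds
            self.fails.pop(ip, None)
            return 0
        self.fails[ip] = count
        return self.max_fails - count
```

Note that 192.168.*.* covers 65,536 addresses while 192.168.0.* covers 256, so keep whitelist ranges as narrow as your static IP allows: every whitelisted address skips the lockout entirely.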

Google reCaptcha V2 & Google reCaptcha V3

Select Google reCaptcha V2 or Google reCaptcha V3 to protect the login process using Google security.

Google V2 reCaptcha

To set up Google reCaptcha, you need to follow the link and create a V2 or V3 reCaptcha. Add a unique Label, select the V2 or V3 Checkbox, and add your domain to the Domains list.

Once you register the new reCaptcha domain you will be redirected to a new page where you have access to the Site Key and the Secret Key.

Copy and paste the Site and Secret keys into WP Ghost and click “Save settings”. Now you can click on the reCaptcha Test button to make sure it’s working properly and that you will not be locked out of your website.


If you followed all the above steps, you are protected from Brute Force attacks on your login page.

Note! To increase security, make sure you avoid usernames like “administrator” or “admin” and passwords such as “123456”, which are the first credentials the hacker bots try. With credentials like these, they will not need a second chance to get into your website’s admin area.
