Add reCAPTCHA and login attempt limits to your custom login page in under 5 minutes. After customizing your WordPress paths, the next step is protecting the login page from brute force attacks. Even with a hidden login URL, you need attempt limits and CAPTCHA to block bots that find the path through other means. WP Ghost includes Math reCAPTCHA (no API keys needed), Google reCAPTCHA V2, V3, and Enterprise. This quick-start guide gets you protected fast. For detailed configuration of every option, see the full Brute Force Protection tutorial.
You’ve already changed and hidden your login path as part of your hack prevention strategy. That stops bots targeting the default /wp-login.php. But your custom login path still needs protection:
Your login path may be shared with users. If your site has subscribers, authors, or clients who need to log in, they know the custom URL. Brute force protection ensures that even if the path is known, automated password guessing is blocked.
Bots find login pages through other methods. Referrer logs, social engineering, and link scraping can reveal a custom login URL. Brute force protection is the second line of defense after path security.
You are not limited to a single login path. If your theme has its own subscriber login page, you can keep that running with its own security while your WP Ghost custom path stays secret for admin access only. WP Ghost protects whichever login path you configure.
After selecting a reCAPTCHA type, configure how the lockout works:
Max Failed Attempts – how many wrong passwords before the IP is blocked. Default: 5.
Ban Duration – how long the block lasts (in seconds). Default: 3600 (1 hour).
Lockout Message – the message shown to blocked users. Customize it or use the default.
On each failed attempt, the user sees the remaining attempts before lockout. When the limit is reached, the login form is replaced with the lockout message for the ban duration.
If you have a static IP address, whitelist it to prevent accidentally locking yourself out:
Go to WP Ghost > Firewall > Whitelist and add your IP. You can use wildcards for ranges: 192.168.0.* or 192.168.*.* to cover a subnet.
For detailed whitelist and blacklist configuration, see the Whitelist IPs and Paths and Blacklist tutorials.
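The lockout settings and wildcard whitelist described above, modelled in Python as an added illustration. This is not WP Ghost's code: the class and function names are hypothetical, and resetting the counter after a successful login or an expired ban is an assumption.

```python
def ip_matches(pattern, ip):
    """Octet-wise IPv4 match for patterns like 192.168.0.* or 192.168.*.*"""
    p, a = pattern.split("."), ip.split(".")
    return len(p) == len(a) == 4 and all(x in ("*", y) for x, y in zip(p, a))

class LoginLimiter:
    def __init__(self, max_attempts=5, ban_seconds=3600, whitelist=()):
        self.max_attempts = max_attempts  # "Max Failed Attempts" default
        self.ban_seconds = ban_seconds    # "Ban Duration" default (seconds)
        self.whitelist = list(whitelist)
        self.failures = {}                # ip -> failed logins so far
        self.banned_until = {}            # ip -> time the ban ends

    def ban_left(self, ip, now):
        """Seconds of ban remaining; an expired ban also clears the counter."""
        end = self.banned_until.get(ip)
        if end is not None and now >= end:
            del self.banned_until[ip]
            self.failures.pop(ip, None)
        return max(0, self.banned_until.get(ip, now) - now)

    def failed_login(self, ip, now):
        """Record a wrong password; return attempts left (0 = locked out)."""
        if any(ip_matches(p, ip) for p in self.whitelist):
            return self.max_attempts      # whitelisted IPs are never counted
        if self.ban_left(ip, now):
            return 0
        self.failures[ip] = self.failures.get(ip, 0) + 1
        left = max(0, self.max_attempts - self.failures[ip])
        if left == 0:
            self.banned_until[ip] = now + self.ban_seconds
        return left

def replay(limiter, events):
    out = []
    for now, ip, ok in events:
        if limiter.ban_left(ip, now):
            out.append("locked out")
        elif ok:
            limiter.failures.pop(ip, None)  # assumption: success resets count
            out.append("logged in")
        else:
            left = limiter.failed_login(ip, now)
            out.append(f"attempts left: {left}" if left else "locked out")
    return out

# Constructed sample events: (time in seconds, ip, password_ok)
SAMPLE = [(t, "203.0.113.7", False) for t in range(6)] + [
    (10, "192.168.0.15", False), (3604, "203.0.113.7", True)]
```

Replaying `SAMPLE` through `LoginLimiter(whitelist=["192.168.0.*"])` shows the fifth wrong password triggering the ban, the whitelisted address never being counted, and the banned address getting back in only once the 3600 seconds have passed.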
If you want Google’s reCAPTCHA instead of Math reCAPTCHA:
Important: Always test your reCAPTCHA configuration before logging out. If the keys are wrong, you could lock yourself out of the login page. Use the reCaptcha Test button, then test in an incognito browser.
Strengthen your credentials too. Avoid usernames like “admin” or “administrator” and passwords like “123456” – these are the first combinations bots try. With a strong password, brute force protection, and a hidden login path, your login is well protected.
Math reCAPTCHA for the fastest setup with zero external dependencies. Google V3 for invisible protection with no user friction. Google V2 for the familiar checkbox experience. Most sites should start with Math reCAPTCHA and switch to Google V3 later if desired. For enterprise-grade analysis, see Google reCAPTCHA Enterprise.
Wait for the ban duration to expire (default: 1 hour). If you can’t wait, use the Safe URL parameter to bypass WP Ghost, or follow the emergency disable guide. To prevent future lockouts, whitelist your IP.
Yes. You can extend brute force protection to the lost password form, registration form, comment form, and WooCommerce login form. See the full Brute Force Protection tutorial for all protected form options.
No. Brute Force Protection is added through WordPress hooks. No core files are modified. Disabling the feature removes all protections instantly.