If reCAPTCHA doesn’t appear on your comment forms after enabling Brute Force Protection, the comment form may not be using WordPress’s standard comment hooks, or the settings aren’t fully configured.

Verify both settings are enabled
Go to WP Ghost > Brute Force > Settings and confirm that both Use Brute Force Protection (the main toggle) and Comment Form Protection are switched on. If you’re using Google reCAPTCHA (V2, V3, or Enterprise), verify the Site Key and Secret Key are entered and correct. Use the reCaptcha Test button to confirm the keys work.

Clear all caches
Cached pages still serve the old comment form without reCAPTCHA. Clear your WordPress cache plugin, CDN cache, and browser cache. Check the comment form in an incognito window to confirm reCAPTCHA appears.

Custom comment forms or themes
WP Ghost injects reCAPTCHA into WordPress’s standard comment form using the comment_form hook. Themes or plugins that use custom comment forms (like wpDiscuz, Thrive Comments, or custom-built forms) may bypass this hook entirely. If your comment form is custom, add the WP Ghost brute force shortcode directly into the form template:
Place this shortcode inside the comment form HTML, before the submit button. This forces WP Ghost to render the reCAPTCHA on that specific form regardless of which hooks the form uses.

JavaScript conflicts
reCAPTCHA requires JavaScript to render. If another plugin or optimization tool defers, delays, or blocks JavaScript loading, reCAPTCHA may not appear. Check your browser’s developer console (F12 > Console tab) for JavaScript errors. If you use a script optimization plugin (Autoptimize, WP Rocket JS delay, Perfmatters, etc.), exclude the Google reCAPTCHA script from optimization.
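
An added example (not WP Ghost code) that checks a saved copy of the comment page's HTML for the two failure modes described above: no reCAPTCHA script tag at all (stale cache or a custom form), or a tag that an optimizer has rewritten so the browser never executes it. It assumes the script loads from Google's standard google.com/recaptcha or recaptcha.net URLs; the sample pages and the `data-src` / `text/plain` rewrite are constructed for illustration.

```javascript
// Classify reCAPTCHA script tags in a page's HTML source (added example).
// Assumption: the script loads from Google's standard hosts and paths.
const RECAPTCHA_URL = /^(?:https?:)?\/\/(?:www\.)?(?:google\.com|recaptcha\.net)\/recaptcha\/(?:api|enterprise)\.js/i;
const JS_TYPES = new Set(["", "text/javascript", "application/javascript", "module"]);

// Parse the attribute string of one tag into a lowercase-keyed object.
function parseAttrs(raw) {
  const attrs = {};
  const re = /([^\s=<>\/"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  for (const m of raw.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

function diagnoseRecaptcha(html) {
  const findings = [];
  for (const [, raw] of html.matchAll(/<script\b([^>]*)>/gi)) {
    const attrs = parseAttrs(raw);
    // Look in every attribute: optimizers often move the URL out of src.
    const hit = Object.entries(attrs).find(([, v]) => RECAPTCHA_URL.test(v));
    if (!hit) continue;
    const [attrName, url] = hit;
    const type = (attrs.type || "").trim().toLowerCase();
    if (attrName !== "src") {
      findings.push({ status: "delayed", reason: `URL moved to ${attrName}`, url });
    } else if (!JS_TYPES.has(type)) {
      findings.push({ status: "delayed", reason: `non-JavaScript type "${type}"`, url });
    } else {
      findings.push({ status: "ok", reason: "browser will load it", url });
    }
  }
  if (findings.length === 0) {
    findings.push({ status: "missing", reason: "no reCAPTCHA script tag in page", url: null });
  }
  return findings;
}

// Constructed sample pages (not captured from a real site).
const SAMPLES = {
  normal: '<form id="commentform"><script src="https://www.google.com/recaptcha/api.js" async defer></script></form>',
  delayed: '<script type="text/plain" data-src="https://www.google.com/recaptcha/api.js?render=explicit"></script>',
  cached: '<form id="commentform"><input type="submit"></form>',
};

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, diagnoseRecaptcha(html));
}
```

A "missing" result points back to the cache and custom-form sections; a "delayed" result means the reCAPTCHA script needs to be excluded in the optimization plugin.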
If you’ve lost access to the admin dashboard, see the emergency disable guide.