Add Brute Force Protection to Elementor Login Forms

Add WP Ghost’s brute force reCAPTCHA protection to Elementor login forms using the shortcode. WP Ghost automatically protects the default WordPress login form, but custom login forms built with page builders like Elementor don’t load WP Ghost’s brute force protection automatically. The shortcode bridges this gap – add it to any Elementor form to enable the same reCAPTCHA and attempt-limiting protection that the default login page receives.

When You Need the Brute Force Shortcode

WP Ghost’s Brute Force Protection works automatically on the standard WordPress login page (wp-login.php). But if your site uses a custom login page built with Elementor, Divi, WPBakery, or another page builder, the brute force protection doesn’t load on those forms by default. The shortcode solves this by injecting the reCAPTCHA widget and attempt-limiting logic into any form where you place it.

Use this shortcode on any page builder login form, custom registration form, or any other form where you want brute force protection. This tutorial shows the Elementor workflow, but the shortcode works in any page builder that supports WordPress shortcodes.

How to Add Brute Force Protection to Elementor

Activate Brute Force Protection

The shortcode only works when Brute Force Protection is active. If you haven’t enabled it yet:

1. Go to WP Ghost > Brute Force > Settings.
2. Switch on Use Brute Force Protection.
3. Select your preferred reCAPTCHA type (Math, Google V2, V3, or Enterprise).
4. Click Save.

Add the Shortcode to Your Login Form

1. Open the page containing your login form in the Elementor editor.
2. If you haven’t created a login form yet, drag the Elementor Pro Login widget onto your page.
3. In the Login widget settings, go to the Form Fields section.
4. Add a Shortcode field and enter:
5. Save and publish the page.

The reCAPTCHA widget (Math, V2, V3, or Enterprise – whichever you configured) now appears on your Elementor login form. Failed login attempts are tracked and IPs are blocked according to your Brute Force settings.

The shortcode renders whichever reCAPTCHA type you selected in WP Ghost’s Brute Force settings. If you switch from Math to Google V3, the shortcode automatically renders the V3 widget – no need to change the shortcode itself.

Frequently Asked Questions

Does this work with Divi, WPBakery, or other page builders?

Yes. The shortcode works anywhere WordPress shortcodes are supported. In Divi, use a Code module. In WPBakery, use a Text Block or Raw HTML element. The shortcode renders the same reCAPTCHA widget regardless of which builder you use.

Do I need the shortcode on the default WordPress login page?

No. WP Ghost automatically adds brute force protection to the standard WordPress login page (wp-login.php). The shortcode is only needed for custom login forms built with page builders that don’t use the default WordPress login mechanism.

What about WooCommerce login forms?

WooCommerce login forms have their own toggle in Brute Force > WooCommerce > WooCommerce Support – you don’t need the shortcode for those. Use the shortcode only for custom-built login forms that WP Ghost can’t auto-detect.

Does WP Ghost modify WordPress core files?

No. The shortcode renders through WordPress’s standard shortcode API. No core files are modified. Removing the shortcode from your form removes the brute force widget instantly.

Related Tutorials

Complete your brute force and login security setup:

• Brute Force Protection – The complete guide covering all reCAPTCHA options, protected forms, and shared settings.
• Two-Factor Authentication – Add a second verification step after the password.
• Change and Hide the Login Path – Move your login page to a custom URL.
• Magic Link Login – Passwordless login via email link.