How to Add CAPTCHA to WordPress Login Form for Better Security

One of the most common targets for hackers is the WordPress login page. Attackers often use brute force techniques to try thousands of username and password combinations until they gain access. If your site does not have additional protection, this can put your entire website at risk. A simple and effective way to block these automated attacks is by adding a CAPTCHA to your WordPress login form.
In this guide, I will explain why CAPTCHA is important and how you can add it to your WordPress login page using both plugins and custom code.
Why Add CAPTCHA to WordPress Login Form?
- Protect against brute force attacks – Bots cannot easily bypass CAPTCHA challenges.
- Reduce spam login attempts – Automated scripts will fail when CAPTCHA is enabled.
- Improve website security – CAPTCHA adds an extra layer of protection along with strong passwords and two-factor authentication.
Method 1: Add CAPTCHA Using a Plugin
The easiest way to add CAPTCHA to your WordPress login form is by using a plugin.
Recommended Plugins
To add reCaptcha by BestWebSoft, first create a site key and a secret key on the Google reCAPTCHA website. If you decide to use reCaptcha by BestWebSoft, you will need these values.
Go to reCaptcha in the sidebar and enter your Google reCAPTCHA site key and secret key. Then enable CAPTCHA for each form where you want it displayed (login, registration, password reset).

Now, when you visit your login page (yoursite.com/wp-login.php), you will see a Google reCAPTCHA checkbox or challenge before logging in.
Method 2: Add CAPTCHA with Custom Code
If you prefer not to use plugins, you can integrate Google reCAPTCHA manually by editing your theme’s functions.php. This requires adding both the reCAPTCHA script and validation code.
Here’s an example for reCAPTCHA v2 (I’ll keep it simplified):
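// Display reCAPTCHA on login form
function add_recaptcha_to_login() {
    echo '<div class="g-recaptcha" data-sitekey="YOUR_SITE_KEY"></div>';
    echo '<script src="https://www.google.com/recaptcha/api.js" async defer></script>';
}
add_action('login_form', 'add_recaptcha_to_login');

// Verify reCAPTCHA on login
function verify_recaptcha_on_login($user, $username, $password) {
    // Nothing submitted yet (first load of wp-login.php): show the plain form
    if (empty($username) && empty($password)) {
        return $user;
    }
    if (empty($_POST['g-recaptcha-response'])) {
        return new WP_Error('captcha_error', __("<strong>ERROR</strong>: CAPTCHA is required."));
    }
    // Send the token in a POST body so the secret key never appears in a URL
    $response = wp_remote_post('https://www.google.com/recaptcha/api/siteverify', array(
        'body' => array(
            'secret'   => 'YOUR_SECRET_KEY',
            'response' => sanitize_text_field(wp_unslash($_POST['g-recaptcha-response'])),
        ),
    ));
    // If the verification request itself fails, reject the login (fail closed)
    if (is_wp_error($response)) {
        return new WP_Error('captcha_error', __("<strong>ERROR</strong>: Could not verify the CAPTCHA. Please try again."));
    }
    $result = json_decode(wp_remote_retrieve_body($response), true);
    if (empty($result['success'])) {
        return new WP_Error('captcha_error', __("<strong>ERROR</strong>: Please complete the CAPTCHA."));
    }
    return $user;
}
add_filter('authenticate', 'verify_recaptcha_on_login', 30, 3);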
Replace YOUR_SITE_KEY and YOUR_SECRET_KEY with your actual keys.
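The verification step above trusts whatever the siteverify call returns, so it helps to see how each kind of reply should be treated. The following is an added example, not code from the original article: it goes one step further than the simplified snippet by also checking the `hostname` field of the reply, and the function name `check_siteverify_reply()` and the host `example.com` are assumptions chosen for illustration.

```php
<?php
// Added example: decide whether a siteverify reply may let a login continue.
// Every doubtful case is treated as a failed CAPTCHA (fail closed).
// check_siteverify_reply() and 'example.com' are hypothetical names.
function check_siteverify_reply(?string $raw_body, string $expected_host): array {
    // Transport failure or empty body: never treat as success
    if ($raw_body === null || $raw_body === '') {
        return [false, 'no reply from verification service'];
    }
    $data = json_decode($raw_body, true);
    if (!is_array($data)) {
        return [false, 'reply is not a JSON object'];
    }
    // Strict comparison: only a JSON boolean true counts, not "true" or 1
    if (($data['success'] ?? null) !== true) {
        $codes = $data['error-codes'] ?? [];
        $codes = is_array($codes) ? implode(',', array_filter($codes, 'is_string')) : '';
        return [false, 'challenge not passed: ' . ($codes !== '' ? $codes : 'unknown')];
    }
    // The token must have been solved on this site, not on another page
    $host = $data['hostname'] ?? '';
    if (!is_string($host) || strcasecmp($host, $expected_host) !== 0) {
        return [false, 'hostname mismatch'];
    }
    return [true, 'ok'];
}

// Constructed sample replies (not captured from a real site)
$samples = [
    'valid'          => '{"success": true, "hostname": "example.com"}',
    'failed'         => '{"success": false, "error-codes": ["invalid-input-response"]}',
    'string success' => '{"success": "false", "hostname": "example.com"}',
    'other site'     => '{"success": true, "hostname": "other.example"}',
    'not json'       => '<html>502 Bad Gateway</html>',
    'request failed' => null,
];
foreach ($samples as $label => $body) {
    [$ok, $why] = check_siteverify_reply($body, 'example.com');
    printf("%-15s %s (%s)\n", $label, $ok ? 'ALLOW' : 'DENY', $why);
}
```

Only the first sample is allowed through. Inside functions.php you would pass the body from `wp_remote_retrieve_body()`, or `null` when the request returned a `WP_Error`.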
Which Method Should You Choose?
- If you are not comfortable editing code, use a plugin. It is quick, reliable, and maintained.
- If you want to keep your site lightweight and avoid too many plugins, the custom code method works well.
Wrap Up
Adding a CAPTCHA to your WordPress login form is a simple but effective way to block bots and strengthen your site’s security. You can either use a plugin like “Login No Captcha reCAPTCHA” or integrate Google reCAPTCHA manually with custom code. Whichever method you choose, it will significantly reduce unauthorized login attempts and keep your site safe.