There’s never been more content on the web and there’s never been more need for security. We’re constantly being bombarded with news that this company got hacked, or that social media platform lost millions of users’ private data. This is, after all, the information age, and knowledge is power.
Everybody with a stake in the game has got to find a way to upgrade their protections and leave no chance for security leaks. One of the main things that can easily lock out the most basic of attacks is securing the login process. Integrating a reCAPTCHA into the login attempt will ensure only humans will get access to your site. Just the simple action of deterring bots has a huge impact on the overall security of your site.
There are many ways to integrate reCAPTCHA. However, if you’re using WordPress, a plugin is the way to go, as is usually the case with the platform. More specifically, the WP Captcha plugin.
What is WP Captcha?
WP Captcha is a security plugin for WordPress that integrates reCAPTCHA, hCaptcha, or Cloudflare Turnstile into your site. While there is the basic option of simply adding a Captcha to the login attempt, there are many other features centered around it and logins in general. Creating blacklists and whitelists, granting temporary access, managing a firewall, enabling two-factor authentication, etc. are all various ways to enhance the security of your site.
The plugin isn’t solely intended for security, but also for data collection. You’ll have numerous analytical data sets regarding visitors and login attempts that you can then use to further increase your security with the aforementioned features.
WP Captcha Key Features
When you dig deeper into all WP Captcha has to offer, you may feel befuddled by the number of things going on. To get your bearings and prepare for what to expect, it’s worth highlighting a few key features that you’ll probably end up using the most.
- Create temporary access links – when you need to give someone one-time access.
- Lockdown monitor – detailed stats regarding lockdown events.
- Failed logins monitor – detailed stats regarding failed login attempts.
- Firewall – easily configure the firewall settings.
- Two-factor authentication – set up 2FA for added security.
- Cloud protection – use blacklists and whitelists for cloud protection.
- Country blocking – block IPs from selected countries.
How WP Captcha Enhances WordPress Functionality
Before we go into all the functions and features, let’s just take a quick look at what different versions of Captcha there are, along with their security and GDPR levels.
Note that this list is straight from the documentation pages, and the devs certainly know what they’re doing/saying:
- Captcha Disabled: No Additional Security
- Built-in Captcha: Medium Security, No API keys, GDPR Compatible
- Icon Captcha: Medium Security, No API keys, GDPR Compatible
- reCaptcha v2: High Security, Requires API Keys, Not GDPR Compatible
- reCaptcha v3: High Security, Requires API Keys, Not GDPR Compatible
- hCaptcha: High Security, Requires API Keys, GDPR Compatible (Best Choice)
- Cloudflare Turnstile: High Security, Requires API Keys, Not explicitly GDPR Compatible (Best Choice)
As you can see there are a number of ways to go, plus the devs give some advice about which are probably better than others.
Where to Show
Once you’ve figured out what Captcha you want to use, it’s time to choose where you want it to show, depending on how high you want your level of security to be. You can go the minimalistic route and require the Captcha to be used only upon accessing your site, after which everything else gets a free pass. Alternatively, you can require it every time a manual input from a user is required in a form.
While security is very important and it is your responsibility to maintain it on your site, it’s wise not to go overboard. It isn’t very convenient to have the “Are you human” prompt pop up every few minutes when a user does something. Identify what’s most sensitive and fortify it, leaving the rest more casual.
Activity
The activity section is broken down into two parts – Lockdowns and Failed Logins. Both represent the analytical parts of WP Captcha where you can review comprehensive data the plugin has collected.
Lockdowns
If any lockdowns occur, you’ll have them displayed in this section. You’ll get to see the top countries accessing your site, along with the type of device and browser preferences. You’ll also get data that distinguishes between human and bot attempts, which can be a great insight into the quality of your traffic numbers.
The log shows every lockdown event with a few basic pieces of information such as date and time, reason, location/IP, and user agent. If there comes a time when you see an increase in lockdowns, you’ll probably want to research links leading to your site and maybe additionally increase security measures.
Failed Logins
Very similar to Lockdowns, the Failed Logins tab shows all relevant information about failed login attempts made to access your site. The only difference is the added info about username and password, which comes as no surprise since it is a tab about – failed logins.
Note that both tabs serve to inform. You won’t be able to fix anything from here. Instead, you’ll be able to use this information to implement other security measures.
Login Protection
The Login Protection tab has three subtabs – Basic, Advanced, and Tools. Here you’ll find all the various settings you can apply to your Captcha, which will be enforced for your users on the frontend. They vary from the truly rudimentary ones, like the number of attempts, to more robust options like the password check.
Basic Login Protection
The very basic things you can do to protect login to your site can be found here. Things like the number of login attempts, length of time blocked if the login failed, block message, etc.
Once you open this section, you’ll see there are some default values already set. You could leave those as they are, but we do recommend customizing them, since it’s really easy and consists only of ticking and unticking boxes.
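To make the interplay of these settings concrete, here is a small model of attempt counting and timed lockouts, with each lockdown recorded using the fields the Lockdowns log shows. It is an added example, not WP Captcha’s code; the class name, the counting window and the default values are assumptions.

```python
import time
from collections import defaultdict


class LoginGuard:
    """Model of 'max attempts' plus 'lockout length' (all values assumed)."""

    def __init__(self, max_attempts=3, window=300, lockout=900, clock=time.time):
        self.max_attempts = max_attempts  # failures allowed before a lockdown
        self.window = window              # seconds in which failures are counted
        self.lockout = lockout            # seconds an IP stays blocked
        self._clock = clock
        self._failures = defaultdict(list)  # ip -> timestamps of recent failures
        self._locked_until = {}             # ip -> time the block ends
        self.lockdown_log = []              # one entry per lockdown event

    def is_locked(self, ip):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if self._clock() >= until:
            del self._locked_until[ip]  # the block has expired
            return False
        return True

    def record_failure(self, ip, user_agent):
        """Register a failed login; return True if it triggered a lockdown."""
        now = self._clock()
        recent = [t for t in self._failures[ip] if now - t < self.window]
        recent.append(now)
        self._failures[ip] = recent
        if len(recent) < self.max_attempts:
            return False
        self._locked_until[ip] = now + self.lockout
        self._failures[ip] = []
        # Log only what an operator needs; the submitted password is not kept.
        self.lockdown_log.append({
            "time": now,
            "reason": "too many failed logins",
            "ip": ip,
            "user_agent": user_agent,
        })
        return True

    def record_success(self, ip):
        self._failures.pop(ip, None)  # a good login resets the counter
```

Check `is_locked()` before evaluating credentials, so a blocked address cannot keep guessing while the block is active.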
Advanced Login Protection
While we recommend that everyone fiddle with the basic settings, the advanced section can be left alone if you’re unsure of what you’re doing. These are all features that enhance your protection capabilities but aren’t necessary to get the core job done.
Within the advanced features, you’ll get to block bots, implement an activity logger, set the cookie lifetime, and much more. As we’ve already said, none of these features are required for the site to have top-notch security the plugin provides, but they do offer a decent number of additional features that could be useful.
Tools
Just as the name suggests, these utility tools can be used to make your life easier in specific situations and include an email test, recovery URL, and an import/export feature.
Whether you’re moving your settings to a new site or bringing ones from a different one; making failsafe solutions; or testing if your email works, you probably won’t be using these every day. However, when you get in a situation that requires tools like these, you’ll be glad to have them.
Country Blocking
Country Blocking works in a pretty straightforward way. You can disable blocking fully, allowing access to everyone; use the whitelist mode, which blocks everyone except selected countries; or use the blacklist mode, which gives access to everyone, blocking only selected countries.
Within the tab, you’ll get to see a statistical breakdown of where your visitors come from, and you can combine it with the data from the Activity sections for a more comprehensive data set.
To block countries simply choose the blocking method, input the names in the appropriate fields, and set a block message if you want to. Blocking countries shouldn’t be the go-to practice, however, since it can alienate regular visitors, potentially lowering healthy traffic.
Temp Access
Creating temporary access links is a very convenient way of giving limited access to users who have something specific to do on your site, like maintenance from an outside contractor.
Unlike regular login, here you aren’t giving your full credentials, and are therefore limiting the user for a timed duration, or through a number of uses. Once those are spent, access is automatically revoked.
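The sketch below models the two limits described above, a time limit and a use limit, with automatic revocation once either is spent. It is an added example and not WP Captcha’s implementation; the class, method names and in-memory store are assumptions.

```python
import hashlib
import secrets
import time


class TempAccessLinks:
    """Expiring, use-limited access tokens (illustrative model)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        # Only a digest of each token is stored, so a leaked store does not
        # hand out working links.
        self._links = {}  # sha256(token) -> {"expires": float, "uses_left": int}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, ttl_seconds, max_uses):
        """Create a token to embed in the link sent to the contractor."""
        token = secrets.token_urlsafe(32)  # 256 random bits, URL-safe
        self._links[self._digest(token)] = {
            "expires": self._clock() + ttl_seconds,
            "uses_left": max_uses,
        }
        return token

    def redeem(self, token):
        """Return True if the token is still valid, consuming one use."""
        key = self._digest(token)
        link = self._links.get(key)
        if link is None:
            return False  # unknown or already revoked
        if self._clock() >= link["expires"]:
            del self._links[key]  # time limit reached: revoke
            return False
        link["uses_left"] -= 1
        if link["uses_left"] <= 0:
            del self._links[key]  # last permitted use: revoke
        return True
```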
Effects of WP Captcha on Performance and Usage Rate
Every security plugin out there must work all the time to fulfill its purpose, so there isn’t any way around this. Once installed and activated, WP Captcha will always be running in the background, securing your site through login security and firewalls (more on that in a bit), along with collecting data. Thus, resources are most definitely used. However, we haven’t encountered any significant changes in site speed and/or responsiveness before and after the plugin was used, but we did feel safer knowing it was there.
User Interface and User Experience
The user interface of WP Captcha is, unlike the security features, at an entry-level. All the features are neatly divided into tabs and their respective subsections. Making changes to security options and various settings is extremely easy because most of them come with either an on/off switch or a box to tick. Some require manual input into designated fields or selection from a dropdown menu, but that’s about it. If you’re an experienced user, you will find sections that can be enhanced through pure code, but if you never touch those, you’ll still be just fine.
Dashboard and Navigation
Using the WP Captcha dashboard, you’ll be able to manage your licenses, download the plugin, track purchases, contact support, etc. This is especially handy if you’re running WP Captcha on multiple sites. Because everything is in the same place, it’s very easy to keep an eye on every status and intervene where it’s necessary without having to jump from one site to another.
Intuitiveness and User-friendliness
As we’ve already noted, WP Captcha is a very user-friendly plugin that brings an advanced security feature to all users, even beginners. The actions required from the user are very simple to understand and usually consist of just a few clicks to get the job done. It’s also great that, while catering to beginners, the plugin also comes with a plethora of advanced features that can, but don’t have to, be used for the core security functions to take effect.
Customization Options
WP Captcha provides you with five template styles you can choose from. Through the Design section, after choosing the starting template, the fun begins. You’ll be able to fully customize the login page so that it fits perfectly with your theme and color schemes. If you disable the customizer, it will use the default WordPress style, or you can change it with a different plugin. It would be a shame, though, because of all the customizable details.
Every aspect of the login can be altered. This includes the logo, form, fields, button, and background. Change the padding, size, color, font, or anything else with just a few clicks, and if that’s not enough, there’s always the custom CSS section for even further customization.
WP Captcha Compatibility and Integration
As the Captcha “Are you human” login confirmation is such a widely accepted security measure, there isn’t much room for conflicts with other apps, extensions, or plugins. We used it on a number of sites, with plenty of other plugins, and haven’t encountered any problems. We could possibly see conflicts with security plugins that do the same thing, but why would you even want two separate Captcha plugins?
Compatibility with Different WordPress Versions
WP Captcha works with all stable versions of WordPress. However, because it’s a security plugin it is always advised to keep both it and WordPress updated to the latest versions – because of…well…security.
Integration with Cloudways Platform
Every hosting service will welcome any kind of added security measure to a site, and Cloudways is no different. Having a reliable hosting service will ensure your site is fast and always online, while a security plugin like WP Captcha will ensure it will stay secure while online.
Security and Support
The whole premise behind the WP Captcha plugin is security. And we’ve been over all of those aspects if you’ve been paying attention. Now, when talking about support there are two ways to go about it. You could find the answer yourself in the comprehensive documentation section, or you could contact the devs directly.
Within the documentation, you can find a step-by-step tutorial about everything, so chances are, you’ll find what you’re looking for. Finding the answer by yourself is also faster because no matter how quick the support team is, they’ll always have a backlog waiting to get through.
Security Features and Measures – Firewall
WP Captcha doesn’t only enhance your login security; you’ll also be able to configure a firewall that enhances your overall security. You’ll find three distinct security measures within the firewall protection – general, two-factor authentication, and cloud protection.
General
The general section is pretty straightforward firewall stuff like blocking bad bots, singling out and blocking malicious code, protection against user manipulation, etc. Within the section, there are descriptions about each security feature, so you won’t be just clicking blindly.
Two-factor Authentication
WP Captcha has an email 2FA feature that you can activate. You’ll need to input the subject and message text. The subject is simply the title of the email users will receive and is usually a fixed value. The content of the email has variable elements, like username and confirmation link, as they tend to change every time 2FA is used. There’s a quick guide on how to do everything you need, so while it might look a bit complicated, it really isn’t.
Cloud Protection
Protecting data on the cloud has probably never been more important, because we store so much data on the cloud. WP Captcha allows you to use private blacklists and whitelists you’ve created based on monitoring security data, either from this or some other plugin.
Furthermore, you can use the global cloud blacklist – connected to the public, global database, it’s maintained daily, and new malicious IPs are added, so it should provide the latest up-to-date security.
Finally, you can also block access to the entire site, or to the login page specifically, and set up the “block message” that’s received after a failed login attempt.
Comparison with Competitors
| FEATURE | WP CAPTCHA | hCAPTCHA | reCAPTCHA BY BESTWEBSOFT |
| --- | --- | --- | --- |
| Support for all Captcha formats | YES | NO | YES |
| Temporary access links | YES | NO | NO |
| Login activity monitor | YES | YES | YES |
| Firewall | YES | NO | NO |
| 2FA | YES | NO | NO |
| Cloud protection | YES | NO | NO |
| Country blocking | YES | NO | NO |
Pros and Cons
Pros
- Supports all relevant Captcha formats.
- Provides added security features like a firewall and 2FA.
- Advanced login activity monitors.
- Country blocking.
Cons
- If you’re using just the default settings, a lot of the features go unused.
User Reviews and Testimonials
Straight from those who have first-hand experience with the plugin, we can see the vast majority of reactions are positive.
Pricing and Licensing Options
Conclusion
WP Captcha is one of those premier plugins every site should have. It enhances such a core element of a site (security) and does so in numerous ways. You can customize it to the point where it’s miles away from the default version you started with; use it as a data collector; and improve security for other parts of your site, aside from the login page. WP Captcha has our highest recommendation, and we believe it should be part of every site’s security set.