
WordPress fix Reply To: Do you think login captchas stops brute force attacks?

Discussion in 'Misc WordPress Requests' started by Jan Dembowski, Mar 10, 2018.

  1. Jan Dembowski


    Reply To: Do you think login captchas stops brute force attacks?, by Jan Dembowski

    No, they don’t. Captchas do nothing to mitigate brute force login attacks. There are literally farms of people whose only task is to solve those captchas. Also, captchas are notorious for not being accessibility friendly.

    *Drinks coffee*

    There are two problems with brute force attacks. The first one is that someone is trying to get into your installation. Generally, that can be mitigated by using strong passwords via a password manager such as LastPass or 1Password. That way you can easily use passwords like this one.


    I used my password manager to generate that.

    Without a password manager that would be tedious to remember. Most password managers support your passwords being encrypted on their cloud-based servers and can be installed on your Mac, PC and smartphone at the same time. You still need a password to unlock it (thus why 1Password is named that way) but it’s not too difficult to remember one strong password.

    You can see how good that password is via a site like this one.


    If that is not an appealing option then there are two-factor authentication plugins that you can add.


    This way, you put in your password and your installation asks for a code from your app or keyfob to prove you are you. The one factor is your password, or what you know. The second factor is your token or what you have.

    The other problem with brute force attacks is resource depletion, meaning your web site slows down when getting hammered. For that issue the best would be to use a host-based solution or a plugin that qualifies attackers early on and blocks them before your site wastes resources on those requests.

    Jetpack offers that for free. You do need a WordPress.COM account for that plugin but you activate the Protect module and you’re done.


    You can see the features of Jetpack on that site or via the plugin page.
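Added example, not part of the original post and not code from Jetpack or any plugin: a sliding-window check over web server access logs that flags clients hammering `/wp-login.php`, the kind of early qualification the post describes. It assumes combined log format and that a failed WordPress login returns 200 while a successful one redirects with 302; the function name, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-log-format prefix: client IP, timestamp, method, path, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def flag_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: time it first reached `threshold` failed logins within `window`}."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent failed login POSTs
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not in the expected format, ignore
        ip, ts, method, path, status = m.groups()
        # Assumption: failed login = POST answered with 200 (form shown again).
        if method != "POST" or path.split("?")[0] != "/wp-login.php" or status != "200":
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = when
    return flagged

def _line(ip, sec, method, path, status):
    return (f'{ip} - - [10/Mar/2018:09:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512')

# Constructed sample (documentation IP ranges), grouped per client for brevity:
# one client fails six logins in ten seconds, another mistypes once and gets in.
SAMPLE = (
    [_line("203.0.113.7", s, "POST", "/wp-login.php", 200) for s in range(0, 12, 2)]
    + [_line("198.51.100.20", 3, "GET", "/wp-login.php", 200),
       _line("198.51.100.20", 5, "POST", "/wp-login.php", 200),
       _line("198.51.100.20", 9, "POST", "/wp-login.php", 302)]
)

if __name__ == "__main__":
    for ip, when in flag_bruteforce(SAMPLE).items():
        print(f"{ip} reached the threshold at {when.isoformat()}")
```

Flagged addresses can be handed to a host firewall or rate limiter so the requests are dropped before PHP and the database do any work.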

