WordPress is one of the most popular content management systems, and unfortunately, it attracts attention from hackers and automated bots seeking to gain unauthorized access. By implementing reCAPTCHA, you add an additional layer of protection that verifies the authenticity of users attempting to log in.
reCAPTCHA distinguishes between human users and bots by presenting a challenge, such as identifying specific objects in images or solving puzzles. This helps prevent brute-force attacks, where automated scripts repeatedly try to guess passwords, which can lead to compromised user accounts, unauthorized access to sensitive data, or even a complete website takeover.
This tutorial will show you how to add reCAPTCHA to your WordPress login form so that only genuine human users can log in to your website.
Adding reCAPTCHA to Login Form in WordPress
Step 1: Getting the Required Keys
The first step for adding reCAPTCHA to your website is to get the required keys. Start by visiting the Google reCAPTCHA site and then click on the V3 Admin Console (previously Admin Console). If you are logged in to your Google account, you will be taken directly to the reCAPTCHA registration page; otherwise you’ll be asked to log in first.
On the site registration page, fill out the Label and the Domains fields, select Challenge V2 because we want to add the “I’m not a robot” checkbox, and then tick the Google TOS agreement checkbox. Click on the Submit button to proceed.
Once you’ve clicked the submit button, you can copy the SITE KEY and the SECRET KEY for reCaptcha integration later.
Step 2: Integrate reCAPTCHA with WordPress Login Page
The next step is adding the code snippets that integrate Google reCAPTCHA on your site.
Before you start adding the snippets to your theme files, you might want to back up your site to avoid breaking your theme. Use a child theme or create a small plugin of your own for the snippets so that your changes are not lost when you update or switch themes.
Once you’re ready, navigate to Appearance → Theme File Editor, then click functions.php from the Theme Files. If you use a block theme, you can find Theme File Editor under the Tools menu. In the file editor, add the following snippet at the very bottom.
// Add the reCAPTCHA JavaScript to the login page only
function wpp_login_script() {
    wp_register_script( 'login-recaptcha', 'https://www.google.com/recaptcha/api.js', array(), null );
    wp_enqueue_script( 'login-recaptcha' );
}
add_action( 'login_enqueue_scripts', 'wpp_login_script' );

// Render the "I'm not a robot" checkbox inside the login form
function add_recaptcha_on_login_page() {
    echo '<div class="g-recaptcha" data-sitekey="your-site-key"></div>';
}
add_action( 'login_form', 'add_recaptcha_on_login_page' );

// Validate the reCAPTCHA token server-side before WordPress checks the password
function captcha_login_check( $user, $password ) {
    $error = new WP_Error( 'captcha_invalid', __( 'Captcha invalid! Please check the captcha.' ) );

    // No token submitted: the checkbox was skipped or the form was posted by a script
    if ( empty( $_POST['g-recaptcha-response'] ) ) {
        return $error;
    }

    // Send the token to Google over POST so the secret key never appears in a URL or access log
    $response = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 10,
        'body'    => array(
            'secret'   => 'your-secret-key',
            'response' => sanitize_text_field( wp_unslash( $_POST['g-recaptcha-response'] ) ),
            'remoteip' => $_SERVER['REMOTE_ADDR'],
        ),
    ) );

    // Network or HTTP failure: fail closed rather than let the login through unverified
    if ( is_wp_error( $response ) ) {
        return $error;
    }

    $valid = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( isset( $valid['success'] ) && true === $valid['success'] ) {
        return $user;
    }
    return $error;
}
// wp_authenticate_user is a filter: the callback must return $user or a WP_Error
add_filter( 'wp_authenticate_user', 'captcha_login_check', 10, 2 );
Replace 'your-site-key' with your reCAPTCHA site key and 'your-secret-key' with your reCAPTCHA secret key. Once you have done so, click the Update File button to save the changes made to the file.
Step 3: Try to Log In
Now, anyone trying to log in to your WordPress site needs to pass the “I’m not a robot” challenge first.
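The snippet above trusts the siteverify reply as soon as its success flag is true. As an added example, not code from the tutorial, here is a standalone PHP function that applies the further checks a practitioner would want on that reply: the error-codes field, the hostname the challenge was solved on, and the token's age. The function name, the example.com hostname and the sample responses are constructed for illustration; the function expects the JSON body that the login check above already receives from Google.

```php
<?php
// Added example (not part of the tutorial): interpret a reCAPTCHA v2 siteverify
// response body before trusting it. Assumes the caller already fetched the JSON
// from https://www.google.com/recaptcha/api/siteverify.
function wpp_interpret_siteverify( $json_body, $expected_hostname, $max_age_seconds = 120 ) {
    $data = json_decode( $json_body, true );
    if ( ! is_array( $data ) ) {
        return array( 'ok' => false, 'reason' => 'unparseable response' );
    }
    if ( empty( $data['success'] ) ) {
        // Google explains a rejected token in "error-codes"; keep it for your logs
        $codes = isset( $data['error-codes'] ) ? implode( ',', (array) $data['error-codes'] ) : 'none';
        return array( 'ok' => false, 'reason' => 'verification failed: ' . $codes );
    }
    // The token was solved, but on which site? A token solved on another domain that
    // shares the same key pair should not unlock this login form.
    if ( ! isset( $data['hostname'] ) || strcasecmp( $data['hostname'], $expected_hostname ) !== 0 ) {
        return array( 'ok' => false, 'reason' => 'hostname mismatch: ' . ( $data['hostname'] ?? '?' ) );
    }
    // Reject stale tokens: the widget's token is only valid for a short time, and
    // challenge_ts tells you when the checkbox was actually solved.
    if ( isset( $data['challenge_ts'] ) ) {
        $age = time() - strtotime( $data['challenge_ts'] );
        if ( $age > $max_age_seconds ) {
            return array( 'ok' => false, 'reason' => 'token too old (' . $age . 's)' );
        }
    }
    return array( 'ok' => true, 'reason' => '' );
}

// Constructed sample responses in the documented siteverify format
$now     = gmdate( 'Y-m-d\TH:i:s\Z' );
$samples = array(
    'good'      => '{"success":true,"challenge_ts":"' . $now . '","hostname":"example.com"}',
    'failed'    => '{"success":false,"error-codes":["timeout-or-duplicate"]}',
    'wronghost' => '{"success":true,"challenge_ts":"' . $now . '","hostname":"other.example"}',
    'stale'     => '{"success":true,"challenge_ts":"2020-01-01T00:00:00Z","hostname":"example.com"}',
    'garbage'   => 'not json',
);
foreach ( $samples as $name => $body ) {
    $r = wpp_interpret_siteverify( $body, 'example.com' );
    printf( "%-9s ok=%-3s %s\n", $name, $r['ok'] ? 'yes' : 'no', $r['reason'] );
}
```

Only the first sample is accepted; each of the others is rejected with a reason you can write to your login log, which is far more useful when investigating a burst of failed logins than the single generic error the tutorial snippet returns.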
The Bottom Line
The importance of adding reCAPTCHA to the WordPress login page cannot be overstated. It significantly enhances the security of your website, protects user accounts from unauthorized access, and helps prevent spam and malicious activity. By taking this simple step, you demonstrate your commitment to safeguarding user data and maintaining a trustworthy online presence.