WordPress security explained

Why reCAPTCHA does not protect WordPress from bots and brute-force attacks

Using reCAPTCHA on the WordPress login form is bad practice and does not protect WordPress from being hacked by bots and hackers


What is reCAPTCHA, anyway?

reCAPTCHA is a human verification mechanism created and maintained by Google as a free web service. WP Cerber supports reCAPTCHA for WooCommerce and WordPress forms as an antispam feature.

Why does reCAPTCHA not protect WordPress from bots and brute-force attacks?

Because WordPress has three authorization methods that are enabled by default. That means hackers have three entrances to any WordPress-powered website. The first, well-known method is used when you log in through the ordinary WordPress login form. The two other methods are invisible to you but known to hackers and to the specialized software and bots that hackers use. Hackers use them to probe a website and to obtain a correct user password or to get access to the WordPress Dashboard with admin privileges.

Any captcha mechanism, including reCAPTCHA, can protect WordPress from brute-force attacks on the login form only. The other two authorization methods remain unprotected. Moreover, reCAPTCHA is intended to protect websites from robots because it is a human verification mechanism. Robots, not hackers.

You must not use any plugin that adds reCAPTCHA to the WordPress login form to protect a website from brute-force attacks

I see plenty of plugins that offer reCAPTCHA to protect the login form. I have a question for you: do those plugins protect your website completely, including the following two methods? The WP Cerber plugin does.

  1. Cookie based authorization
  2. XML-RPC authorization
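
To see how much authentication traffic never touches a captcha on the login form, the added example below (not part of the original article and not WP Cerber code) counts POST requests per client IP to wp-login.php and xmlrpc.php in a web server access log. The log lines, the threshold and the function names are constructed for illustration; cookie-based attempts are left out because a standard access log does not record cookies.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in combined log format (IPs are documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:10:00:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
198.51.100.23 - - [10/Mar/2024:10:00:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
198.51.100.23 - - [10/Mar/2024:10:00:12 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 403 "-" "-"
198.51.100.23 - - [10/Mar/2024:10:00:13 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
192.0.2.50 - - [10/Mar/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Mar/2024:10:01:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/6.4"
192.0.2.50 - - [10/Mar/2024:10:01:07 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Script name -> entry point label. Only the login form can carry a captcha.
ENTRY_POINTS = {"wp-login.php": "login_form", "xmlrpc.php": "xmlrpc"}


def count_auth_posts(log_text):
    """Return {ip: Counter({entry_point: n})} for POSTs to the two scripts."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, target, _status = m.groups()
        # Drop the query string and match on the script name so that
        # WordPress installed in a subdirectory is counted too.
        script = target.split("?", 1)[0].rsplit("/", 1)[-1]
        entry = ENTRY_POINTS.get(script)
        if method == "POST" and entry:
            hits[ip][entry] += 1
    return hits


def xmlrpc_heavy_sources(hits, threshold=3):
    """IPs whose XML-RPC POST count reaches the threshold (a volume heuristic:
    legitimate pingbacks and clients also POST to xmlrpc.php)."""
    return sorted(ip for ip, c in hits.items() if c["xmlrpc"] >= threshold)


if __name__ == "__main__":
    hits = count_auth_posts(SAMPLE_LOG)
    for ip in sorted(hits):
        print(ip, dict(hits[ip]))
    print("review:", xmlrpc_heavy_sources(hits))
```

On the constructed sample, the source that only talks to xmlrpc.php is the one flagged for review, and none of its requests would have met a captcha placed on the login form.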

Do you want to say that reCAPTCHA is useless?

No. reCAPTCHA can be successfully used as a spam prevention mechanism for registration forms and password reset forms. Vital parts of WordPress must be protected with specialized security solutions only. Just install WP Cerber Security.

To enable reCAPTCHA for WooCommerce and WordPress forms, follow the instructions: How to set up reCAPTCHA.

How to bypass reCAPTCHA

Is it possible for bots to solve reCAPTCHA without a human? It sounds unbelievable, but in some way they can. The method is based on the voice captcha called Audio Challenge and one of the online speech recognition services such as the Google Speech Recognition API. A hacker takes an audio file with the voice captcha generated by reCAPTCHA and then recognizes it with a speech recognition service. Isn't it brilliant?

This method was discovered back in 2012. Fortunately, it is not exploitable in real circumstances: when the Google service identifies multiple attempts to solve the captcha from the same IP address, the voice captcha is changed to a more complex voice that cannot be identified with this approach. So, to use this method successfully, hackers have to use a lot of IP addresses. To achieve that, hackers can infect a significant number of mobile devices with malicious software. But there is a question: is the ability to post spam comments or register with a fake name on a website worth it? It’s easier to hire guys from some poor country to do that manually in bulk.

I’m a self-employed developer who has been building software products and services using WordPress for more than seven years. I enjoy partnering with others on interesting and challenging projects. If you’re interested, feel free to contact me.