WordPress Security Explained

Why does reCAPTCHA not protect WordPress against bots and brute-force attacks

Using reCAPTCHA on the WordPress login form is bad practice and does not protect WordPress from being hacked by bots and hackers.

What is reCAPTCHA, anyway?

reCAPTCHA is a human verification mechanism created and maintained by Google as a free web service. WP Cerber supports reCAPTCHA for WooCommerce and WordPress forms as an antispam feature.

Why does reCAPTCHA not protect WordPress from bots and brute-force attacks?

Because WordPress has three authorization methods that are enabled by default. That means hackers have access to three entrances on any WordPress-powered website. The first one is used when you log in through the ordinary WordPress login form. The other two are invisible to you but well known to hackers and to the specialized software they use. Hackers use them to probe a website, to obtain a valid user password, or to gain access to the WordPress Dashboard with admin privileges.

Any captcha-based mechanism, including reCAPTCHA, can protect WordPress against brute-force attacks on the ordinary login form only. The other two WordPress authentication methods remain unprotected. Moreover, reCAPTCHA is designed to protect websites from robots, because it is a human verification mechanism. Robots, not hackers.

You must not use any plugin that adds reCAPTCHA to the WordPress login form as protection from brute-force attacks

I see plenty of plugins that offer reCAPTCHA to protect the login form. I have a question for you: do those plugins protect your website completely, including the following two methods? The WP Cerber plugin does.

  1. Cookie-based authorization
  2. XML-RPC authorization
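As an added defender-side example (not WP Cerber's code and not from the original post), the following must-use plugin counts failed authentication attempts over all three entry points and rejects an IP once a threshold is reached; the threshold, the lockout window and the hypothetical `aal_` names are assumptions. It relies on the fact that both the login form and XML-RPC pass through wp_authenticate(), while cookie validation reports failures through its own auth_cookie_* actions and never reaches the 'authenticate' filter.

```php
<?php
/**
 * Plugin Name: Auth Attempt Limiter (illustrative example, not WP Cerber code)
 * Place in wp-content/mu-plugins/. Counts failed authentication attempts per client IP
 * over all three WordPress entry points and rejects that IP once a threshold is reached.
 */
const AAL_MAX_FAILURES = 5;                      // assumed threshold
const AAL_WINDOW       = 15 * MINUTE_IN_SECONDS; // assumed lockout window

function aal_client_ip() {
    // REMOTE_ADDR only: trusting X-Forwarded-For lets a client choose its own address.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}
function aal_key() {
    return 'aal_fail_' . md5( aal_client_ip() );
}
function aal_record_failure( $source ) {
    $count = (int) get_transient( aal_key() ) + 1;
    set_transient( aal_key(), $count, AAL_WINDOW );
    error_log( sprintf( 'auth failure via %s from %s (%d in window)', $source, aal_client_ip(), $count ) );
}
function aal_is_locked() {
    return (int) get_transient( aal_key() ) >= AAL_MAX_FAILURES;
}

// Entry points 1 (login form) and 2 (XML-RPC, e.g. wp.getUsersBlogs) both end up in
// wp_authenticate(), which runs the 'authenticate' filter. Hook late (priority 100):
// the core password check at priority 20 returns a WP_User even when an earlier filter
// returned a WP_Error, so an early rejection would be silently overridden.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( aal_is_locked() ) {
        return new WP_Error( 'aal_locked', 'Too many failed attempts. Try again later.' );
    }
    return $user;
}, 100, 3 );

// wp_authenticate() fires this for every failed attempt from either entry point.
add_action( 'wp_login_failed', function ( $username, $error = null ) {
    if ( $error instanceof WP_Error && 'aal_locked' === $error->get_error_code() ) {
        return; // already locked: do not extend the window on each rejected retry
    }
    aal_record_failure( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ? 'xmlrpc' : 'login-form' );
}, 10, 2 );

// Entry point 3 (cookie-based authorization) never reaches the 'authenticate' filter.
// A forged or tampered wordpress_logged_in cookie fires one of these actions instead.
foreach ( array( 'auth_cookie_malformed', 'auth_cookie_bad_username', 'auth_cookie_bad_hash' ) as $hook ) {
    add_action( $hook, function () { aal_record_failure( 'cookie' ); } );
}
```

Behind a reverse proxy, REMOTE_ADDR is the proxy's address, so the real client IP has to be taken from a header that the proxy is known to set and the web server has been configured to trust.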

Does it mean reCAPTCHA is useless?

Nope. reCAPTCHA can be used successfully as a spam prevention mechanism for registration forms and password reset forms. Vital parts of WordPress must be protected with specialized security solutions only. Just install WP Cerber Security.

How do I protect my website from spam?

To protect WooCommerce and WordPress forms, Cerber Security offers two options:

  1. The Cerber antispam and bot detection engine; follow the instructions in Antispam protection for WordPress forms.
  2. reCAPTCHA; follow the instructions in How to setup reCAPTCHA.

How to bypass reCAPTCHA

Is it possible for bots to solve reCAPTCHA without a human? It sounds unbelievable, but in some way they can. The method is based on the voice captcha called Audio Challenge and one of the online speech recognition services, such as the Google Speech Recognition API. A hacker takes the audio file with the voice captcha generated by reCAPTCHA and then recognizes it with a speech recognition service. Isn't it brilliant?

This method was discovered back in 2012. Fortunately, it is not exploitable in real circumstances: when the Google service identifies multiple attempts to solve the captcha from the same IP address, the voice captcha is changed to a more complex one, which cannot be identified with this approach. So, to use this method successfully, hackers have to use a lot of IP addresses. To achieve that, hackers can infect a significant number of mobile devices with malicious software. But there is a question: is the ability to post spam comments or register with a fake name on a website worth it? It is easier to hire guys from some poor country to do that manually in bulk.

Want to know more? Subscribe to Cerber’s newsletter.


I'm a team lead at Cerber Tech. I'm a software & database architect and a WordPress, PHP, SQL and JavaScript developer. I started coding in 1993 on an IBM System/370 (yeah, those were amazing days) and today software engineering at Cerber Tech is how I make my living. I was taught to have high standards for myself as well as to apply them in developing software solutions.
