Simple Captcha Feature on WP Login Form

I have written a number of posts on WordPress on this site and I expect to write a whole lot more. Regardless of WP’s growing popularity, security remains one of the most important topics to talk about. The security of the WP login form can be increased using a simple Captcha method. In this post I will show you how to add a simple Captcha to your WP login form.

The method is pretty simple. We will generate a random number every time the login form is rendered. Users must type in the number that was generated in order to log in to the admin panel. Wrong input will stop users from logging in to the system regardless of their username and password.

For this solution I relied on PHP sessions, so we need to start a session. This is a bit tricky for many reasons, so I followed what Peter Wooster suggested. We should start the session and destroy it as soon as the verification process is complete or user .

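<?php
// Start a PHP session early on every request so the captcha value can be stored.
function start_login_session() {
   if (!session_id()) {
      session_start();
   }
}
add_action('init', 'start_login_session', 1);

// Destroy the session once the user has logged in or logged out.
function destroy_login_session() {
   if (session_id()) {
      session_destroy();
   }
}
add_action('wp_logout', 'destroy_login_session');
add_action('wp_login', 'destroy_login_session');
?>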

Once you are done, copy the following snippet anywhere into your current theme’s functions.php file.

<?php
// Render the captcha field on the login form.
function add_captcha_field() {
   // Generate a new four-digit number each time the form is rendered.
   $cap = rand(1000, 9999);
   $_SESSION['captcha'] = $cap;
   echo '<p><label for="user_catpcha">Captcha: ' . $_SESSION['captcha'];
   echo '<br><input type="text" id="user_catpcha" name="user_catpcha">';
   echo '</label></p>';
}
add_action('login_form', 'add_captcha_field');
?>

In this function we create the captcha input field. Before anything else, though, we need to generate a random number and display it to the user for verification. This is the crucial point, because if any bot is trying to log into your system it won’t be able to understand our random number (it’s going to be different every time the form loads).

It is also pretty effective against brute-force attacks. WP has pretty good documentation on this, so feel free to read it as well.

Now we will focus on authenticating the user’s input. This process covers not only the username and password but also the Captcha input. If the input field is empty or does not match the random number saved in our session, an error message should appear to notify the user.

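<?php
// Check the captcha before WordPress checks the username and password.
function user_captcha_authenticate($user, $username, $password) {
   $submission = isset($_POST['user_catpcha']) ? $_POST['user_catpcha'] : '';
   $random = isset($_SESSION['captcha']) ? $_SESSION['captcha'] : '';
   // Clear the stored number before any return so it cannot be reused.
   unset($_SESSION['captcha']);
   $user = get_user_by('login', $username);
   if (!$user || empty($submission) || (string) $submission !== (string) $random) {
      // Skip the password check and report the error.
      remove_action('authenticate', 'wp_authenticate_username_password', 20);
      return new WP_Error('die', '<strong>ERROR</strong>: Wrong Captcha!');
   }
   // Return nothing so the standard username/password check still runs.
   return;
}
add_filter('authenticate', 'user_captcha_authenticate', 10, 3);
?>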

Simply copy and paste this snippet on your functions.php page. That’s it, you are good to go. Now taking questions.

Note: This is not the best captcha solution in the world for WP; however, it’s good enough to keep many unwanted people or bots from accessing your site. I also wrote another post on Captcha which uses the web server time to generate unique numbers; you may find that post easier than this one.
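
The verification step only limits repeated guessing if each generated number is accepted at most once. The script below is an added example, not code from the original post: it models the session as a plain array so it runs from the PHP CLI without WordPress, and the helper names `issue_captcha` and `verify_captcha` are hypothetical.

```php
<?php
// Added example: single-use captcha check. The session is modelled by a plain
// array (an assumption) so the script runs without WordPress.

// Hypothetical helper: create a fresh challenge and store it in the session.
function issue_captcha(array &$session): string {
    $session['captcha'] = (string) random_int(1000, 9999);
    return $session['captcha'];
}

// Hypothetical helper: check one submission and consume the challenge.
function verify_captcha(array &$session, $submission): bool {
    $expected = $session['captcha'] ?? null;
    // Consume the value before any return, so success and failure alike
    // leave nothing behind for a second request to match.
    unset($session['captcha']);
    if (!is_string($expected) || !is_string($submission) || $submission === '') {
        return false;
    }
    // Strict, constant-time string comparison instead of a loose !=.
    return hash_equals($expected, $submission);
}

// Constructed walk-through: several requests sharing one session.
$session = [];
$shown   = issue_captcha($session);           // login form rendered once
$first   = verify_captcha($session, $shown);  // genuine submission
$replay  = verify_captcha($session, $shown);  // same POST sent again, form not reloaded

$shown2  = issue_captcha($session);           // form rendered again
$wrong   = verify_captcha($session, '0000');  // wrong guess ('0000' is never issued)
$retry   = verify_captcha($session, $shown2); // right number, but the challenge is spent

var_dump($first, $replay, $wrong, $retry);
```

Only the first submission is accepted; the replayed request and the retry after a wrong guess are rejected because the stored number was already consumed.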
