• Simple and clean install / config.

    Update: This plugin is now working as of version 1.1 even when javascript is disabled.

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author Robert Peake

    (@robertpeake)

    Thanks very much for pointing this out. The next release (1.1) contains this important security improvement.

    Thread Starter M.F. Jong

    (@mfjtf)

    Thanks for the quick update on this issue. Testing it right now.

    Plugin Author Robert Peake

    (@robertpeake)

    Excellent, thanks! I have to admit Google’s non-js implementation of captcha is really not user-friendly, but at least this stops the bots. If you’d like to contribute pull requests or patches for other captcha options offered by Google I’d welcome that. Let me know if so, and I’ll set this up on GitHub.

    Thread Starter M.F. Jong

    (@mfjtf)

    I have tested this script on 50+ sites but the bots still bypass the recaptcha method. Somehow it is not able to stop the botnets from bulk trying out username+passwords.

    Plugin Author Robert Peake

    (@robertpeake)

    Could you explain your methods so that I might reproduce them?

    Here is how I am testing:

    1) reset a browser completely, enable javascript, enter correct login/password and check reCaptcha box — login succeeds

    2) reset a browser completely, disable javascript, enter correct login/password but do not enter reCaptcha — login fails

    Based on this simple test, it would appear that the implementation Google recommends for non-javascript login forms does indeed block the login when javascript is disabled (#2).

    Thread Starter M.F. Jong

    (@mfjtf)

    I have done those tests myself also before (bulk) updating the sites. I also see a different reCaptcha when I disable javascript. So from a browser it seems to work fine. I had a hoorah moment.

    After bulk updating the sites and double-checking a few sites (non-js response) I awaited the usual notifications (we use the Sucuri plugin) and they still keep coming in.

    So I checked the server log to see what the botnets are trying to access, but it is simply the wp-login.php file.

    Plugin Author Robert Peake

    (@robertpeake)

    I see the confusion here. Bots (like legitimate users) will still be able to access the /wp-login.php URL, and will still show up in your log files as doing so. None of their attempts at brute-force login should actually be able to succeed now, though, because they can’t fulfil the reCaptcha requirement and so all of their brute-force attempts will fail.

    That is what this plugin is designed to do–prevent bots from making a successful login via brute-force, not prevent them from trying the brute-force in the first place. Based on my testing, it is working and doing that now, which is keeping your sites secure.

    If you want to stop bots completely from accessing /wp-login.php and making brute-force attempts in the first place, you can use something like the Limit Login Attempts plugin to blacklist them by IP after too many attempts. I use this myself as part of a “defence in depth” strategy, which is a good idea in general for security.

    I hope this helps.
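
    The distinction drawn in the reply above (attempts still appear in the log, but they fail) can be checked from the access log itself rather than by waiting for notifications. The script below is an added example, not part of this thread or of the plugin: it parses combined-format log lines (the sample lines are constructed for the demo), counts credential submissions per IP, separates failures from successes, and applies a per-IP lockout rule of the kind the Limit Login Attempts plugin enforces. It assumes default WordPress behaviour, where a failed login answers the POST with 200 (the form is re-rendered) and a successful one with a 302 redirect to wp-admin; the threshold and window are illustrative, and behind a reverse proxy the client IP has to be taken from the forwarded header instead of the first field.

```python
"""Classify wp-login.php traffic in an access log and apply a per-IP lockout rule.

Added example for this thread, not the plugin's code. Assumptions: Apache/nginx
"combined" log format, default WordPress responses (failed login -> 200 with the
form re-rendered, successful login -> 302 to wp-admin), client IP in field one.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one bot hammering the form, one real user who mistypes
# once then succeeds, and a lost-password request that must not count as a login.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "python-requests/2.5"
203.0.113.7 - - [10/Mar/2015:08:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "python-requests/2.5"
203.0.113.7 - - [10/Mar/2015:08:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "python-requests/2.5"
203.0.113.7 - - [10/Mar/2015:08:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "python-requests/2.5"
203.0.113.7 - - [10/Mar/2015:08:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "python-requests/2.5"
198.51.100.22 - - [10/Mar/2015:08:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2980 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2015:08:05:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2015:08:05:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2015:08:10:00 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 2900 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return one parsed log entry, or None when the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("path").partition("?")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": path,
        "query": query,
        "status": int(m.group("status")),
    }


def is_login_attempt(entry):
    """A credential submission is a POST to wp-login.php without an action=
    parameter (lostpassword, logout, register are not login attempts)."""
    return (entry["method"] == "POST"
            and entry["path"] == "/wp-login.php"
            and "action=" not in entry["query"])


def summarize(lines):
    """Per-IP counts of failed (200) and successful (302) login submissions,
    keeping the timestamps of failures for the lockout rule."""
    summary = defaultdict(lambda: {"failed": 0, "succeeded": 0, "failures": []})
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_login_attempt(entry):
            continue
        s = summary[entry["ip"]]
        if entry["status"] == 302:
            s["succeeded"] += 1
        else:
            s["failed"] += 1
            s["failures"].append(entry["ts"])
    return dict(summary)


def lockouts(summary, max_failures=4, window=timedelta(minutes=20)):
    """IPs that reached max_failures failed submissions inside any sliding
    window, i.e. the set an IP-based limiter would block. Threshold and
    window are illustrative assumptions, not the plugin's defaults."""
    blocked = set()
    for ip, s in summary.items():
        times = sorted(s["failures"])
        for i, t in enumerate(times):
            recent = [u for u in times[: i + 1] if u >= t - window]
            if len(recent) >= max_failures:
                blocked.add(ip)
                break
    return blocked


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for ip, s in stats.items():
        print(f"{ip:16} failed={s['failed']} succeeded={s['succeeded']}")
    print("would be blocked:", sorted(lockouts(stats)))
```

    The useful signal here is the `succeeded` column: a bot that never gets a 302 back from a POST is exactly the "logged but failing" case described above, and only a non-zero success count from an unfamiliar IP warrants alarm. The lockout set is what an IP-based limiter adds on top of the captcha.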

    Thread Starter M.F. Jong

    (@mfjtf)

    You are completely right. I manually tested in a browser without adding the captcha, and the attempt is still logged. Thanks for the work Robert.

    Plugin Author Robert Peake

    (@robertpeake)

    Great, glad that was useful, and thanks for pointing this out as it made the plugin better!

  • The topic ‘working perfect’ is closed to new replies.