Hi, I have a question and suggestion about how the reCAPTCHA works in WP Cerber.

I have had lots of attempts and lockouts for the past few days, all from different IPs (I counted 200+ in last 24 hours). To reduce the load on my web server, I’ve started trying other things. I added reCAPTCHA to the login screen. I see in the Activity tab that all of the login attempts are failing the reCAPTCHA with “reCAPTCHA verification failed” – very good. But on each attempt there is also an entry for “Attempt to log in with non-existent username” because I have the setting enabled to “immediately block IP when attempting to login with a non-existent username”.

This is working, but I realize it must check the database to know if the username is non-existent. I would like to prevent my web server from doing that work. With a reCAPTCHA failure, it should not have to check the database at all.

Also, I wonder if I disable the option for “immediately block IP when attempting to login with a non-existent username”, does that mean it won’t check the database for failed reCAPTCHA logins?

I would suggest that when reCAPTCHA is enabled, WP Cerber should require successful reCAPTCHA before there is a query to the database about username (or password). This will prevent needless server work. That’s especially helpful in times when there are many login attempts.

PS. I still have growing lockouts and email notifications so I decided to change the login page URL, and that seems to have stopped all the login attempt activity 🙂