Captcha on login

Enable captcha on sign-in. Always show, or only after failed attempts (see Captcha attempts per hour).

Settinglogin_captcha_enabled

Captcha on login

Enables captcha on the password sign-in form.

Where to find it

Admin → Settings → Settings (first tab) → Captcha & abuse → Captcha on forms → Login

Setting key: login_captcha_enabled

How it works

Login captcha Captcha attempts per hour Behavior
Off (ignored) No login captcha
On Empty Captcha on every sign-in
On Number (e.g. 3) Captcha after that many failed logins for that user in one hour

Failed attempts are tracked in memory per user id (rolling hour). Unknown usernames do not build a user failure count the same way — bots spraying random emails may not trigger delayed captcha until they hit a real account.

This is not an IP ban — see Max login attempts per hour for that.

Common problems

Captcha never appears after failures

Login toggle is off, or you expected delay but the attempts field is empty (empty = always show when Login is on).

Form starts without captcha then asks for it

Delayed mode: first failures return needsCaptcha; the UI then shows the challenge.

Related