Captcha on login
Enable captcha on sign-in. Always show, or only after failed attempts (see Captcha attempts per hour).
Captcha on login
Enables captcha on the password sign-in form.
Where to find it
Admin → Settings → Settings (first tab) → Captcha & abuse → Captcha on forms → Login
Setting key: login_captcha_enabled
How it works
| Login captcha | Captcha attempts per hour | Behavior |
|---|---|---|
| Off | (ignored) | No login captcha |
| On | Empty | Captcha on every sign-in |
| On | Number (e.g. 3) |
Captcha after that many failed logins for that user in one hour |
Failed attempts are tracked in memory per user id (rolling hour). Unknown usernames do not build a user failure count the same way — bots spraying random emails may not trigger delayed captcha until they hit a real account.
This is not an IP ban — see Max login attempts per hour for that.
Common problems
Captcha never appears after failures
Login toggle is off, or you expected delay but the attempts field is empty (empty = always show when Login is on).
Form starts without captcha then asks for it
Delayed mode: first failures return needsCaptcha; the UI then shows the challenge.