Xtreme Turnstile Configuration

Protecting WordPress Login & Registration

Why Protect Login Forms?

WordPress login pages (wp-login.php) are one of the most targeted endpoints on the internet. Bots run brute-force attacks around the clock, trying common username and password combinations. Adding Turnstile blocks automated login attempts without slowing down real users.

Enable on Login

  1. Go to Settings > Xtreme Turnstile.
  2. Under WordPress Core Forms, toggle Login Form to On.
  3. Click Save Changes.

The Turnstile widget now appears on the login page, directly above the Log In button. Users see a brief verification (or nothing at all in invisible mode) before they can submit their credentials.

Enable on Registration

If your site allows open registration (Settings > General > Anyone can register), toggle Registration Form to On in the Turnstile settings. This prevents bots from creating fake accounts.

Enable on Password Reset

Toggle Password Reset Form to On to prevent bots from flooding the password reset endpoint. This stops spam reset emails from being sent to your users.

Custom Login Pages

If your theme or a plugin replaces the default wp-login.php with a custom login page, Xtreme Turnstile may not inject automatically. In that case:

  1. Add the Turnstile shortcode to your custom login form template:

```php

```

  2. Or use the PHP function directly in your template:

```php

```

Testing

  1. Open a private/incognito browser window.
  2. Navigate to yoursite.com/wp-login.php.
  3. Confirm the Turnstile widget is visible (unless using invisible mode).
  4. Log in normally to verify that valid credentials still work.
  5. Try submitting the form without completing Turnstile (e.g., by disabling JavaScript) to confirm the error message appears.
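
Step 5 exercises the browser path; a stricter check is whether wp-login.php refuses a POST that carries no Turnstile token at all, even with valid credentials. The script below is an added example, not part of the plugin or its documentation, that classifies the response to such a POST made with a dedicated test account. It assumes Cloudflare's default token field name (cf-turnstile-response) and relies on the wordpress_logged_in_ cookie from WordPress core, because this page does not give the plugin's error text.

```python
import urllib.error
import urllib.parse
import urllib.request

# WordPress core names its login cookie with this prefix; the value is
# "user|expiration|token|hmac", so a real session cookie has three "|".
AUTH_COOKIE_PREFIX = "wordpress_logged_in_"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Keep the post-login 302 unfollowed so its Set-Cookie headers are visible.
    def redirect_request(self, *args, **kwargs):
        return None

def session_issued(set_cookie_headers):
    """True if any Set-Cookie header carries a populated WordPress login cookie."""
    for header in set_cookie_headers:
        name, _, rest = header.partition("=")
        value = urllib.parse.unquote(rest.split(";", 1)[0])
        if name.strip().startswith(AUTH_COOKIE_PREFIX) and value.count("|") >= 3:
            return True
    return False

def verdict(status, set_cookie_headers):
    """Classify the response to a login POST that carried no Turnstile token."""
    if session_issued(set_cookie_headers):
        return "not enforced"   # valid credentials alone were enough
    if status >= 500:
        return "inconclusive"   # server error, repeat the check
    return "enforced"

def login_without_token(login_url, username, password, timeout=10):
    """POST a test account's valid credentials, omitting cf-turnstile-response."""
    form = urllib.parse.urlencode(
        {"log": username, "pwd": password, "wp-submit": "Log In"}).encode()
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(urllib.request.Request(login_url, data=form), timeout=timeout)
    except urllib.error.HTTPError as err:   # unfollowed 302 and 4xx/5xx land here
        resp = err
    return resp.code, resp.headers.get_all("Set-Cookie") or []

if __name__ == "__main__":
    # Constructed responses (not captured from a real site), so this runs offline.
    blocked = (200, ["wordpress_test_cookie=WP%20Cookie%20check; path=/"])
    bypassed = (302, ["wordpress_logged_in_0123abcd=tester%7C1700000000%7Ctok%7Cmac; path=/; HttpOnly"])
    print(verdict(*blocked), "/", verdict(*bypassed))
    # Against your own site: verdict(*login_without_token(URL, USER, PASSWORD))
```

A result of "not enforced" means the widget is only decorating the form and the server is not validating the token, which is the case to look for on custom login pages.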