PeepSo can be configured to use invisible ReCaptcha as protection against bots.
IMPORTANT: This configuration applies Invisible Captcha only to the PeepSo registration form. It will not be applied to any other form if you decide to use third-party or WordPress registration forms.
Note: This article shows the configuration from the Google ReCaptcha site as of mid 2019. We are not responsible if images become obsolete, but we urge you to let us know so we can update them.
To configure Invisible ReCaptcha, you will need a valid site key and secret key provided by Google.
Make sure you are logged in with your Google account and go to this page.
The admin dashboard will show up.
Fill in the form as follows:
- Label – Enter any label you want. This will be shown only in the ReCaptcha admin console and will not show anywhere on your site.
- ReCAPTCHA Type – Select reCAPTCHA v2 and immediately choose
- Domains – Add domain(s) where you want reCAPTCHA to be available. You must enter the domain name without http:// or https://. For example: domain.com
- Owners – If you wish, you can add more email addresses if you have a need for other people to manage your reCAPTCHA settings.
Accept the reCAPTCHA Terms of Service and, if you wish, tick the box to send notifications to owners in case of misconfiguration or suspicious traffic, then press the “Submit” button. The keys will be generated.
Navigate to WP Admin -> PeepSo -> Configuration -> Accounts and Security and find the “Security” panel.
Enable ReCaptcha for Login or Register and enter the Site key and Secret key provided by Google.
During registration, ReCaptcha will show in the lower right corner but users trying to register won’t have to interact with it.
Find these options in WP Admin -> PeepSo -> Configuration -> Accounts and Security under the “Registration” panel.
They are disabled by default. Enable each option respectively and fill the designated textarea to show them during registration or use your custom page in each setting by selecting the page.
If you wish to redirect users after login or logout, you can do this in WP Admin -> PeepSo -> Configuration -> Navigation under “Login and Logout” panel.
Security settings can be found in WP Admin -> PeepSo -> Configuration -> Accounts and Security
- ReCaptcha during registration
Add invisible ReCaptcha to registration process
- ReCaptcha during login
Add invisible ReCaptcha to login process
- Site key
Google invisible ReCaptcha site key
- Secret key
Google invisible ReCaptcha secret key
- Use ReCaptcha Globally
Enable: will use “www.recaptcha.net” in circumstances when “www.google.com” is not accessible.
- Minimum password length
Applies only to new passwords. This was introduced as a setting after a user pointed out that our registration required only a simple 6-character password. We made this configurable, with a new default minimum of at least 10 characters per password. The minimum password length is a new feature and is not directly related to the brute force settings, although it is related to login security. The setting is self-contained: it applies whether or not brute force protection is enabled.
- Password reset delay
Since 18.104.22.168, admins can define a custom delay between password reset requests (brute force protection).
- Check “remember me” by default
Enable: “Remember me” checkbox on the login form will be checked by default
- Require e-mail to login
Since 22.214.171.124: improves security by preventing username sign-in; an email address is required to log in. Intended to apply to all login attempts: PeepSo, WordPress, and third party (if proper filters are implemented). “Administrators” are any users who have the manage_options capability and/or the PeepSo Administrator role.
- No – Use username/e-mail for login
- Administrators – Use e-mail login for Administrators only
- Everyone – Use e-mail login for everyone
- Enable Login brute force protection
Enable Login brute force protection settings
- Block login after
Maximum failed attempts allowed.
- Block for
hours: minutes – how long to block login attempts after the above limit is reached.
- Email Notification
Send an e-mail notification to the user, warning them about failed login attempts.
- Enable additional block after
Additional security when users block themselves repeatedly.
- Additional block length
How long to block login attempts when additional security is triggered.
- Reset retries after
How long it takes for the system to “forget” about a failed login attempt.
- IP whitelist
List of IP addresses whitelisted from brute-force protection, one IP per line.
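How the brute force settings above can interact, as an added model that is not PeepSo's own code. The class and function names are hypothetical, the values are constructed, and it assumes that failed attempts and past blocks both expire after “Reset retries after”.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address

@dataclass
class Policy:  # hypothetical names; the values are constructed, not PeepSo defaults
    max_failures: int = 3                           # "Block login after"
    block_for: timedelta = timedelta(minutes=15)    # "Block for"
    extra_after: int = 2                            # "Enable additional block after"
    extra_block: timedelta = timedelta(hours=24)    # "Additional block length"
    forget_after: timedelta = timedelta(hours=12)   # "Reset retries after"
    whitelist: frozenset = frozenset({ip_address("203.0.113.10")})  # "IP whitelist"

@dataclass
class State:  # per-client counters
    failures: list = field(default_factory=list)    # times of counted failures
    lockouts: list = field(default_factory=list)    # times a block was imposed
    blocked_until: datetime = datetime.min

def failed_login(policy, state, ip, now):
    """Record one failed login; return when the block ends, or None if not blocked."""
    if ip_address(ip) in policy.whitelist:
        return None                                 # exempt: never counted
    if now < state.blocked_until:
        return state.blocked_until                  # still inside a block
    cutoff = now - policy.forget_after              # assumed: old events expire
    state.failures = [t for t in state.failures if t > cutoff] + [now]
    state.lockouts = [t for t in state.lockouts if t > cutoff]
    if len(state.failures) < policy.max_failures:
        return None
    state.failures.clear()
    state.lockouts.append(now)
    repeated = len(state.lockouts) >= policy.extra_after
    state.blocked_until = now + (policy.extra_block if repeated else policy.block_for)
    return state.blocked_until

def simulate(minutes=(0, 1, 2, 3, 20, 21, 22), ip="198.51.100.7"):
    """Constructed timeline: one client failing at the given minutes after 09:00."""
    policy, state, start = Policy(), State(), datetime(2024, 1, 1, 9, 0)
    return [failed_login(policy, state, ip, start + timedelta(minutes=m)) for m in minutes]
```

In the default timeline the third failure triggers the short block, and the second block inside the retention window is escalated to the additional block length.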
Security & caching
- Login nonce check
Disable security nonce check during PeepSo login. This prevents the PeepSo “login failed” error on highly cached systems, where third-party caching plugins like WP Rocket, W3 Total Cache, Litespeed, or other similar plugins cause a login failed error during login, because PeepSo will stop validating the (potentially over-cached) security login nonce. Using this setting is generally not recommended, as it lowers the system’s resilience against brute force attacks, but it will be reasonably safe in a properly configured and secure environment with brute force protection enabled.
- Registration nonce check
Disable security nonce check during PeepSo registration.
- Password reset nonce check
Disable security nonce check during PeepSo password reset.
- Password preview
Enable: will display a button to toggle password preview in all PeepSo login forms and the registration form.
Note: All these settings will only work on PeepSo forms and PeepSo widgets. These settings will not take effect if you decide to use third-party login forms or widgets.
Access settings for registration and login by going to WP Admin -> PeepSo -> Configuration -> Accounts and Security
- Disable registration – Enabled: registration through PeepSo becomes impossible and is not shown anywhere in the front-end. Use only if your site is a closed community or registrations are coming in through another plugin.
- Redirect WordPress registration – Enabled: wp-login.php?action=registration will redirect to the PeepSo registration page.
- Repeat e-mail field – Enabled: users need to type their e-mail twice, which improves the chance of it being valid and the verification e-mail reaching them.
- Admin account verification – Enabled: users register, confirm their e-mail (optional) and must be accepted by an Admin. Users are notified by email when they’re approved.
Disabled: users register, confirm their email address and can immediately participate in your community.
- Force SSL on registration page – Requires a valid SSL certificate. Enabling this option without a valid certificate might break your site.
Activation & Redirect
- Skip e-mail verification – Enabled: users don’t need to confirm their e-mail. It is not recommended unless your registrations are coming in via another plugin (WooCommerce, EDD etc).
WordPress is a very big world full of various plugins and ways to register users. Some of them require users to confirm their email address, some don’t. Skipping verification is a rather advanced feature that comes with a bit of a burden. It was added in PeepSo 1.11.1. With email confirmation disabled, people can use the site right away. The burden is that it opens your site up to possible abuse, and that’s something you must be aware of: pretty much anyone can register with a bunch of other people’s email addresses just to sign them up, whether as a prank, in good faith, or as straight-up malicious behavior.
- Activation redirect – A URL to redirect users to after account activation.
- First known visit (first page when user visited the site)
- Home page
Terms & Conditions
- Enable Terms & Condition – Enabled: Add your own ToS in a popup that will show during registration
- Page – Custom Terms & Conditions page
- Terms & Condition – text content for the terms & condition
- Automatically resend activation – PeepSo will resend the activation e-mail a defined amount of times to any users who did not activate their account.
- Every – how often the automatic activation resend is retried
- Maximum – maximum number of activation resend attempts
Allow Or Disallow Registration From Certain Domains
Block selected domains
To prevent certain email domains from being used during registration, enable Block selected domains and add the domain names in the Blocked domains field.
In the example above, whenever someone tries to register using gmail.com, yahoo.com, microsoft.com or apple.com, PeepSo registration will not validate the email and will ask the user to choose a different one.
Contrary to the blocked domains, you can enable Allow only selected domains and add a list of domains. In this scenario, only the listed domains can be used for registration. This is particularly useful if you have a closed community or intranet site where you want users to register only with their company email, or a similar case.
Please note, the Blocked and Allow settings can’t and won’t work if you use third-party registration forms. They only work with the PeepSo registration form.
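The two domain modes as an added example, not PeepSo's code, useful as a set of test cases to try against your own registration form. The function names are hypothetical, and whether PeepSo matches subdomains or normalises case is an assumption you should verify.

```python
def normalise_domain(domain):
    """Lower-case, drop a trailing dot, convert Unicode labels to punycode."""
    domain = domain.strip().rstrip(".").lower()
    return domain.encode("idna").decode("ascii")

def email_domain(email):
    """Return the normalised domain part, or raise ValueError if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address")
    return normalise_domain(domain)

def matches(domain, listed, include_subdomains):
    """Exact match, or a match on a label boundary when subdomains are included."""
    listed = normalise_domain(listed)
    return domain == listed or (include_subdomains and domain.endswith("." + listed))

def registration_allowed(email, mode, domains, include_subdomains=True):
    """mode 'block' = Block selected domains; 'allow' = Allow only selected domains."""
    try:
        domain = email_domain(email)
    except ValueError:          # also covers UnicodeError from invalid labels
        return False
    hit = any(matches(domain, d, include_subdomains) for d in domains if d.strip())
    return hit if mode == "allow" else not hit

# The blocked list from the article's example; the allow list is constructed.
BLOCKED = ["gmail.com", "yahoo.com", "microsoft.com", "apple.com"]
ALLOWED = ["example.com"]
```

Matching on the label boundary (".gmail.com") is what keeps notgmail.com from being blocked and example.com.evil.test from being allowed.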