How to Enable Admin Captcha in Magento 2

Make your store’s backend more secure with Magento 2 admin CAPTCHA

To help ecommerce businesses in their endeavors, Magento developers took many business-critical things into account when developing the platform. Specifically, they took different measures to satisfy the security needs of its users. They implemented flexible filesystem ownership and permissions and safeguarded stores from clickjacking attacks, among other things.

When it comes to admin users, they are protected too. For instance, they can change their password, add a secret key to, set a specific admin session lifetime, and so on. CAPTCHA is another effective way to add a layer of security to Magento 2 admin accounts.

This visual check ensures that a human being rather than a bot is trying to log in to the Admin panel. In this article, we’re going to guide you through the process of enabling and configuring admin CAPTCHA in Magento 2.

How to Add Admin CAPTCHA

Log in to the store’s backend and tap ‘Stores’ on the Admin sidebar. Then go to Settings > Configuration. Set the Store View to ‘Default’. Proceed to the ‘Advanced’ section and select ‘Admin’.

Scroll down to the ‘Captcha’ subsection and expand it. Set the ‘Enable CAPTCHA in Admin’ field to ‘Yes’.

Configuring CAPTCHA in Magento 2

In the next field, choose the font you would like to assign to the CAPTCHA.

Enter the name of the font to be used for the CAPTCHA symbols; otherwise, LinLibertine will be used by default.

Select the Forms where the CAPTCHA will be used. You can choose both of them or just one.


Now you need to configure the displaying mode. If you want to display CAPTCHA each time an admin user logs in to the store’s backend, choose ‘Always’ in the dropdown list. To show CAPTCHA after some unsuccessful login attempts, select the second option.

Enter the number of attempts into the ‘Number of Unsuccessful Attempts to Login’ field. Please note that if ‘0’ is used, CAPTCHA will always be used.

It’s up to you to decide how long CAPTCHA will be displayed. Add the necessary number of minutes to the ‘CAPTCHA Timeout (minutes)’ field. To see a new CAPTCHA when the previous one expires, the admin will need to reload the page.

Enter the number of symbols to be used in the CAPTCHA. You may either set a range (e.g., 3-7) or the exact number of symbols. The maximum number is 8 here.

You can specify allowed symbols in the ‘Symbols Used in CAPTCHA’ field by using letters from A to Z and numbers from 0 to 9.

You may make CAPTCHA case sensitive, meaning that users must enter the characters exactly as shown.

Click the ‘Save Config’ button to activate CAPTCHA. Here is what the admin login window will look like.

To reload CAPTCHA, click the ‘Reload’ icon in the upper-right corner of the displayed image.
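
The same settings can be checked before they are applied from the command line. The script below is an added example, not part of the original article: it validates a set of values against the limits described above and prints (without running) the matching bin/magento commands. The admin/captcha/* config paths, the always/after_fail mode values and the function names are assumptions; confirm them with bin/magento config:show on your Magento version.

```shell
#!/usr/bin/env bash
# Added example: validate admin CAPTCHA values, then print (not run) the commands.
LC_ALL=C

# valid_length LEN: exact number or range N-M, 1 <= N <= M <= 8
valid_length() {
  case $1 in
    [1-8]) return 0 ;;
    [1-8]-[1-8]) [ "${1%-*}" -le "${1#*-}" ] ;;
    *) return 1 ;;
  esac
}

# valid_symbols SYMBOLS: non-empty, letters and digits only
valid_symbols() {
  case $1 in
    ''|*[!A-Za-z0-9]*) return 1 ;;
  esac
}

# effective_mode MODE ATTEMPTS: how the login form will actually behave
effective_mode() {
  case $2 in ''|*[!0-9]*) echo invalid; return 1 ;; esac
  case $1 in
    always) echo always ;;
    after_fail) if [ "$2" -eq 0 ]; then echo always; else echo "after $2 failed logins"; fi ;;
    *) echo invalid; return 1 ;;
  esac
}

# captcha_commands MODE ATTEMPTS LENGTH SYMBOLS CASE_SENSITIVE
captcha_commands() {
  effective_mode "$1" "$2" >/dev/null || { echo "bad mode or attempts" >&2; return 1; }
  valid_length "$3" || { echo "length: N or N-M, maximum 8" >&2; return 1; }
  valid_symbols "$4" || { echo "symbols: letters and digits only" >&2; return 1; }
  case $5 in 0|1) ;; *) echo "case_sensitive: 0 or 1" >&2; return 1 ;; esac
  p=admin/captcha  # assumed config path prefix for the Admin > Captcha group
  printf 'bin/magento config:set %s %s\n' \
    "$p/enable" 1 "$p/mode" "$1" "$p/failed_attempts_login" "$2" \
    "$p/length" "$3" "$p/symbols" "$4" "$p/case_sensitive" "$5"
}

# Constructed sample: CAPTCHA after 3 failed logins, 4-6 case-sensitive symbols
captcha_commands after_fail 3 4-6 ABCDEFGHJKMNPRSTUVWXYZ2345678 1
```

Run the printed commands from the Magento root and flush the config cache afterwards so the new values take effect.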

Summing Up

Magento 2 admin CAPTCHA is a great way to achieve higher security of your online store. Leverage it to protect the Admin panel from computer programs used by malicious individuals. Wish to make your admin panel even more secure? Try Two-Factor Authentication by Aitoc.


Aitoc Team