Configuring Captcha for Failed Logins

If you have confluence administrator permissions, you can configure Confluence to impose a maximum number of repeated login attempts. After a given number of failed login attempts (the default is three) Confluence will display a Captcha form asking the user to enter a given word when attempting to log in again. This will prevent brute force attacks on the Confluence login screen.

Similarly, after three failed login attempts via the XML-RPC or SOAP API, an error message will be returned instructing the user to log in via the web interface. Captcha will automatically be activated when they attempt this login.

On this page:

'Captcha' is a test that can distinguish a human being from an automated agent such as a web spider or robot. When Captcha is activated, users will need to recognise a distorted picture of a word, and must type the word into a text field. This is easy for humans to do, but very difficult for computers.

Screenshot: example of a Captcha test

  

Enabling, Disabling and Configuring Captcha for Failed Logins

By default, Captcha for failed logins is enabled and the number of failed login attempts is set to three.

To enable, disable and configure Captcha for failed logins:

  1. Choose the cog icon , then choose General Configuration under Confluence Administration
  2. Choose 'Security Configuration' from the left menu.
  3. Choose 'Edit'.
  4. To enable Captcha:
    • Select the 'Enable' checkbox next to 'CAPTCHA on login'.
    • Set the maximum number of failed logins next to 'Maximum Authentication Attempts Allowed'. You must enter a number greater than zero.
  5. To disable Captcha, deselect the 'Enable' checkbox.
  6. Choose 'Save'.

Screenshot: Configuring Captcha for failed logins

 

Notes

  • Disabling all password confirmation requests, including Captcha on login. Confluence installations that use a custom authentication mechanism may run into problems with the Confluence security measure that requires password confirmation. If necessary, you can set the password.confirmation.disabled system property to disable the password confirmation functionality on administrative actions, change of email address and Captcha for failed logins. See Recognised System Properties.

Was this helpful?

Thanks for your feedback!

2 Archived comments

  1. User avatar

    Anonymous

    After logging in successfully, is the login attempt count reset to zero?

    22 May 2012
    1. User avatar

      Deividi Luvison [Atlassian]

      Yes (smile).

      22 Dec 2014
Powered by Confluence and Scroll Viewport