Hello!
I tried using this plugin for my website, tested it on the login page, and I found out that the reCaptcha validation occurs after the username validation. This way anyone (even bots) can try guessing usernames without having to deal with the captcha – and if it hits a reCaptcha error, it means that it just found a valid username. I think it would make a site more secure to validate the captcha before all the user-related validations. Maybe try using the “authenticate” filter instead of “wp_authenticate_user”.
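
Added example, not part of the original post and not the plugin's own code: one way to check the captcha on the `authenticate` filter before WordPress core looks up the username, so a failed captcha gives the same response for existing and non-existing accounts. The `mysite_` function names and the `MYSITE_RECAPTCHA_SECRET` constant are hypothetical, and the code assumes the standard wp-login.php form (`log` field) with the reCAPTCHA widget's `g-recaptcha-response` field.

```php
<?php
/**
 * Ask the reCAPTCHA siteverify endpoint whether the submitted token is valid.
 * Fails closed: a missing token, missing secret, transport error or
 * unparseable reply all count as a failed captcha.
 */
function mysite_recaptcha_ok( $token ) {
	// MYSITE_RECAPTCHA_SECRET is a hypothetical constant (e.g. set in wp-config.php).
	if ( '' === $token || ! defined( 'MYSITE_RECAPTCHA_SECRET' ) ) {
		return false;
	}
	$response = wp_remote_post(
		'https://www.google.com/recaptcha/api/siteverify',
		array(
			'timeout' => 5,
			'body'    => array(
				'secret'   => MYSITE_RECAPTCHA_SECRET,
				'response' => $token,
			),
		)
	);
	if ( is_wp_error( $response ) ) {
		return false;
	}
	$data = json_decode( wp_remote_retrieve_body( $response ), true );
	return is_array( $data ) && ! empty( $data['success'] );
}

/**
 * Runs at priority 1, ahead of core's username and e-mail lookups (priority 20).
 */
function mysite_captcha_first( $user, $username, $password ) {
	// Only guard login-form posts; wp-login.php also runs this filter on plain page loads.
	if ( ! isset( $_POST['log'] ) ) {
		return $user;
	}
	$token = isset( $_POST['g-recaptcha-response'] )
		? sanitize_text_field( wp_unslash( $_POST['g-recaptcha-response'] ) )
		: '';
	if ( mysite_recaptcha_ok( $token ) ) {
		return $user; // Captcha passed: let the normal credential checks run.
	}
	// Captcha failed: skip the core lookups so the error does not depend
	// on whether the submitted username exists.
	remove_filter( 'authenticate', 'wp_authenticate_username_password', 20 );
	remove_filter( 'authenticate', 'wp_authenticate_email_password', 20 );
	return new WP_Error( 'captcha_failed', 'Captcha verification failed.' );
}
add_filter( 'authenticate', 'mysite_captcha_first', 1, 3 );
```

Login paths that do not post a `log` field, such as XML-RPC, pass through this filter unchanged and need their own control.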
