As of LiteSpeed Web Server 5.4, reCAPTCHA is available as a method of defense against DDoS attack.
reCAPTCHA may also be used as a method of WordPress Brute Force Attack Protection. Please see the WP-Protect Guide for more information about that.
Enable Globally at the Server Level¶
Access the WebAdmin console via
Navigate to Configuration > Server > Security > reCAPTCHA Protection
Set Enable reCAPTCHA to
Yes. This is the master switch and it is required for both a control panel environment and an LSWS native environment. It will enable the reCAPTCHA feature for all control panel Apache virtual hosts as well as LSWS native virtual hosts globally. It may be overridden at the virtual host level.
For other options, hover over the
? symbol to view detailed information about that option.
For demonstration purposes, we will set Trigger Sensitivity to maximum (
100), and reCAPTCHA Type to
Checkbox. You may adjust these values according to your needs. Save and restart LSWS. This sensitivity setting will be inherited by all control panel Apache virtual hosts and LSWS native virtual hosts unless overridden at the virtual host level.
When a visitor accesses the website, they will need to go though reCAPTCHA validation. This validation protects the server against HTTP Flood and other DDoS attacks.
After passing the reCAPTCHA validation, the visitor is temporarily whitelisted as long as they continue to browse the site. This makes for a better user experience. Once the visitor has been inactive for more than 20 minutes, reCAPTCHA is once again enabled for that visitor's next request.
You can also enable reCAPTCHA on an individual virtual host that is under attack, while leaving other websites disabled.
Override/Disable at the Virtual Host Level¶
Assuming you have enabled reCAPTCHA at the server level globally, you can override the settings at a virtual host level, but how you do so depends on which environment you are using.
Override/Disable for Apache Virtual Hosts¶
As of LSWS v5.4RC4, you can configure vhost-level reCAPTCHA via the
LsRecaptcha directive in the virtual host include configuration, like so:
<IfModule LiteSpeed> LsRecaptcha (0-100) </IfModule>
0-100 value defines or overrides Trigger Sensitivity for the virtual host. When
LsRecaptcha is set to
0, it means the reCAPTCHA feature has been disabled for that virtual host.
LsRecaptcha directive cannot be used in .htaccess files.
Override for LiteSpeed Native Virtual Hosts¶
Use the LSWS WebAdmin console to override reCAPTCHA in LSWS native mode.
Navigate to Configuration > Virtual Hosts > Security > reCAPTCHA Protection
Set Trigger Sensitivity¶
Trigger Sensitivity refers to the automatic reCAPTCHA sensitivity. The higher the value, the more likely reCAPTCHA Protection will be used. A value of
0 is equivalent to “Off” while a value of
100 is equivalent to “Always On”.
Virtual Host level: inherits server-level setting.
Syntax: Integer value between
LiteSpeed calculates Trigger Sensitivity as the percentage of your server capacity used, based on the number of active connections. reCAPTCHA is activated when this formula is true:
Active connections * 100 / Max Connections > (100 - Trigger Sensitivity)
If Max Connections =
1000, Trigger Sensitivity =
20, and you currently have 900 connections, the formula would be evaluated like so:
900 * 100 / 1000 > 100 - 20
90 > 80
The result is true, so the incoming connection will be given a reCAPTCHA test.
Calculating backwards, you can see that when the number of connections drops to less than 800, reCAPTCHA will not be invoked.