
reCAPTCHA in Three Steps: A Guide for WordPress Users

Learn how to use Google's reCAPTCHA to protect WordPress.

SolidWP Editorial Team

If you’ve been a WordPress site owner for long, no doubt you already know the importance of WordPress security. WordPress sites comprise half the web, and that’s a big target. Fortunately, there’s a simple tool to keep cybercriminals, spammers, and their bots away. It’s the “Completely Automated Public Turing test to tell Computers and Humans Apart” (CAPTCHA). Let’s learn how to use reCAPTCHA to protect WordPress.

Since Solid Security Pro adopted reCAPTCHA support, it has added two more CAPTCHA / noCAPTCHA options: hCaptcha and Turnstile.

This guide will teach you about Google reCAPTCHA and its helpful role in securing WordPress websites. Cybercriminals, spammers, and other malicious threat actors can all be deterred by CAPTCHAs.

Let’s dig in.

What is CAPTCHA?

When you’re browsing various websites online, no doubt you’ve seen a lot of different CAPTCHAs. And they can come in a variety of forms.

A CAPTCHA you’ve probably encountered is a string of distorted text in an image. You are prompted to type that text into a form before logging into a website. Other types of CAPTCHAs require selecting specific images that meet a required specification from a grouping of several photos.

In every case where a CAPTCHA is implemented, the challenge presented to the user is simple enough. Most people will be able to figure it out and complete it. However, even the most advanced bots can’t pass a CAPTCHA test.

When a bot fails to complete the test, it’s blocked from accessing any area of your site that’s CAPTCHA-protected.

Why test for humans and block bots?

Blocking bots is a good security practice. Cybercriminals frequently use bots in many ways to compromise websites and web apps, steal data, and plant malicious code.

For example, a brute force attack is a common way to break into sites through vulnerable user accounts. In brute force attacks, bots repeatedly attempt to guess login credentials. They’re looking for access to the back end of your website. Weak, recycled, and stolen passwords are frequently tested rapidly in large numbers against login screens that don’t block bots. This can slow the targeted site down, overload its hosting resource, and take it offline.

Another typical cyberattack is called Cross-Site Scripting (XSS). In an XSS attack, an attacker will inject malicious code into a form on your site. Comments or login pages are common targets. A successful XSS attack could result in stolen information, a malware injection, or any other unfavorable situations.

Finally, spammers might use bots to fill your site’s comments section with spam links. Spam links harm your SEO and deter users from interacting with your site.

A poorly monitored site is vulnerable to all these — and more — security risks.

Any area of your site that asks for user input is a target that threat actors will exploit. Requiring CAPTCHA input from users before a form can be submitted helps prevent bots from gaining access and injecting code that will harm your site.

What is Google reCAPTCHA?

As you can see, employing CAPTCHA gives you the benefit of protecting your site from attack. However, it does have several drawbacks.

One drawback is that they foster a negative user experience (UX). A CAPTCHA slows down your users with tests to prove that they’re real, and this can get in the way of site visitors accomplishing their goals quickly and smoothly.

Another drawback is that users with a visual impairment may have difficulty completing a CAPTCHA. If you inadvertently keep human users from accessing your site, it won’t benefit them or you, even if bots are blocked.

In 2014, Google released something called “No CAPTCHA reCAPTCHA,” a successor to their image and word tests used since 2007. In the 2014 version, all a user must click on is a checkbox labeled “I’m not a robot” to confirm they’re a human user.

This process was much faster and more straightforward than the traditional CAPTCHAs. It was an accessibility improvement as well.

Then, in 2018, Google released what’s been called “invisible CAPTCHA.” This technology helps detect bots without requiring humans to take any specific action.

Today, minimal and sometimes invisible forms of CAPTCHA are generically called “noCAPTCHA” CAPTCHAs. In addition to Google’s reCAPTCHA, Solid Security Pro supports hCaptcha and Turnstile.

Set up reCAPTCHA for WordPress.

Your WordPress security strategy should include adding CAPTCHA to your site. This is one of the easiest ways to harden your site and make it difficult for threat actors and their bots to do any damage.

Fortunately, adding WordPress reCAPTCHA is incredibly simple and can be completed in only three easy steps.

1. Install and Activate a WordPress Plugin for reCAPTCHA.

There’s a reason why WordPress plugins are so popular. They are the quickest and easiest way to add almost any functionality to your site.

Adding reCAPTCHA functionality is no different.

There are a few different viable options in the plugin directory for WordPress, which means you shouldn’t need to break the bank when it’s time to boost your site security.

But before you choose which plugin to use, you’ll first want to know what key features to look for in a WordPress security plugin that allows reCAPTCHA implementation.

First, it’s essential to know the different types of CAPTCHA that the plugin you choose provides. As discussed, Google reCAPTCHA is far more friendly to your users than making them decode warped text or click on mystery images.

But beyond that, it’s crucial to ensure that the WordPress reCAPTCHA plugin can add CAPTCHAs to your website’s most sensitive and targeted areas.

Securing only the main login page isn’t enough. You’ll learn more about why in Step 3. But for now, remember that any areas of your site with a user input form will need CAPTCHA protection to deter bots from gaining site access.

Solid Security (Basic or Pro) is your best option — here’s why.

Solid Security Pro is the first WordPress reCAPTCHA plugin that you’ll want to look at.

It’s important to know that this plugin is a full-throated security plugin that goes far beyond CAPTCHA protection. And while you can use many of the powerful Solid Security tools without spending a dollar, you’ll need to upgrade to the highly affordable Pro plan to incorporate Google reCAPTCHA.

Once you do, you’ll be able to use either v2 or v3 of Google reCAPTCHA on your:

  • Login Forms
  • New User Registration Forms
  • Reset Password Forms
  • Comment Forms

Protecting all these forms will prevent spam and improve your overall site security.

[Figure: CAPTCHA settings in the onboarding wizard for Solid Security Pro 8.1.0.] CAPTCHA settings can be configured during the Solid Security Pro 8.1.0+ onboarding process.

After you add WordPress reCAPTCHA to your site, you can decide on the type of “human test” you want your site to use. Remember that when you implement Google reCAPTCHA v2 or v3, you’ll protect your site from bots while improving the user experience for visitors.

2. Create a Google reCAPTCHA, then add it to your WordPress site.

After you’re done installing and activating your plugin of choice, the next step is to create a Google reCAPTCHA (if, of course, your chosen plugin uses one).

To do this, navigate to Google’s reCAPTCHA admin console and fill in the registration form.

In this form, you can pick between the v2 or v3 version of reCAPTCHA and use an invisible test for your users or the standard “I am not a robot” checkbox.

The invisible test gives the best user experience as it won’t require your users to take any action. However, the checkbox in v2 is typically more reliable for keeping attackers from gaining unauthorized site access.

After completing all the fields, click the “submit” button. Google will give you a Site Key and a Secret Key on the following screen. Both must be entered into your plugin’s settings in your WordPress admin area.

The process of doing this will vary a bit, depending on the plugin you’ve chosen to use. But you should be able to easily find these settings in the dashboard sidebar of the plugin, then paste your Site Key and Secret Key into the specified fields.

Of course, make sure to save your changes.

It’s also a good idea to bookmark the admin console page for Google reCAPTCHA so that you can check it later. After live traffic begins to visit your website, you can view analytics related to how your reCAPTCHA is performing.

3. Configure the “Protected Actions” settings to secure critical areas of your site.

Earlier in this guide, we mentioned some specific areas on your site where incorporating CAPTCHA is essential for maintaining the security of your WordPress site.

After you’ve installed the plugin you want to use, you’ll want to configure the settings to ensure all vital areas of your site are CAPTCHA-protected.

Depending on the plugin you’re using, you should be able to find a list of checkboxes in the General Settings that allow you to choose where WordPress reCAPTCHA is used.

In most cases, you’ll want to employ CAPTCHA on all forms that are on your website, including vulnerable areas like:

  • Your admin login page
  • User registration forms
  • Contact forms
  • Password recovery forms
  • WooCommerce login page

Your site might include additional forms, such as surveys, email sign-ups, or user-generated content submissions.
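To make concrete what the Site Key and Secret Key from Step 2 actually do, and what “protecting” a form in Step 3 means on the server side, here is an added illustration written for this page in PHP. It is not Solid Security’s code and is not from the original article. It assumes a must-use plugin file, placeholder keys, the v2 checkbox widget, a v3 score threshold of 0.5, and hypothetical `example_recaptcha_*` function names; the hook names are WordPress core’s own. The public Site Key is embedded in the form, the Secret Key never leaves the server, and the token the browser submits is verified against Google’s siteverify endpoint (with the hostname pinned and, for v3 tokens, the score checked) before WordPress processes a login, registration, password reset request or comment, failing closed if the verifier cannot be reached.

```php
<?php
/**
 * Plugin Name: Example reCAPTCHA gate (added illustration, not Solid Security code)
 *
 * Copy into wp-content/mu-plugins/ to try it. The keys are placeholders: the Site Key is
 * public and goes into the HTML, the Secret Key stays on the server and is only ever sent
 * to Google's siteverify endpoint.
 */

const EXAMPLE_RECAPTCHA_SITE_KEY   = 'YOUR_SITE_KEY_HERE';   // placeholder
const EXAMPLE_RECAPTCHA_SECRET_KEY = 'YOUR_SECRET_KEY_HERE'; // placeholder, never expose
const EXAMPLE_RECAPTCHA_MIN_SCORE  = 0.5; // assumed v3 threshold; v2 returns no score

// Load Google's widget script on wp-login.php and on front-end pages (comment form).
$example_recaptcha_enqueue = function () {
    wp_enqueue_script( 'example-recaptcha', 'https://www.google.com/recaptcha/api.js', [], null, true );
};
add_action( 'login_enqueue_scripts', $example_recaptcha_enqueue );
add_action( 'wp_enqueue_scripts', $example_recaptcha_enqueue );

// Render the v2 "I'm not a robot" checkbox inside each protected form.
$example_recaptcha_widget = function () {
    printf( '<div class="g-recaptcha" data-sitekey="%s"></div>', esc_attr( EXAMPLE_RECAPTCHA_SITE_KEY ) );
};
add_action( 'login_form', $example_recaptcha_widget );                // login
add_action( 'register_form', $example_recaptcha_widget );             // new user registration
add_action( 'lostpassword_form', $example_recaptcha_widget );         // password reset request
add_action( 'comment_form_after_fields', $example_recaptcha_widget ); // comments (logged-out users)

/**
 * Decide on a decoded siteverify response. Separated from the HTTP call so the rules can
 * be exercised offline. Returns true or a WP_Error.
 */
function example_recaptcha_evaluate( $result, string $expected_host ) {
    if ( ! is_array( $result ) || empty( $result['success'] ) ) {
        return new WP_Error( 'recaptcha_failed', 'CAPTCHA verification failed. Please try again.' );
    }
    // Google reports the hostname the challenge was solved on. Pin it so a token solved
    // with your Site Key on another domain (possible when domain verification is switched
    // off in the admin console) is rejected.
    if ( ( $result['hostname'] ?? '' ) !== $expected_host ) {
        return new WP_Error( 'recaptcha_hostname', 'CAPTCHA token was not issued for this site.' );
    }
    // v3 returns a 0.0-1.0 score (1.0 = most likely human); v2 does not, so enforce only when present.
    if ( isset( $result['score'] ) && (float) $result['score'] < EXAMPLE_RECAPTCHA_MIN_SCORE ) {
        return new WP_Error( 'recaptcha_low_score', 'This request looks automated.' );
    }
    return true;
}

/** Send the submitted token to Google together with the Secret Key and evaluate the answer. */
function example_recaptcha_verify( string $token ) {
    if ( '' === $token ) {
        return new WP_Error( 'recaptcha_missing', 'Please complete the CAPTCHA.' );
    }
    $response = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', [
        'timeout' => 10,
        'body'    => [
            'secret'   => EXAMPLE_RECAPTCHA_SECRET_KEY,
            'response' => $token,
            'remoteip' => $_SERVER['REMOTE_ADDR'] ?? '',
        ],
    ] );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        // Fail closed: an outage of the verifier must not become a CAPTCHA bypass.
        return new WP_Error( 'recaptcha_unreachable', 'CAPTCHA service unavailable. Please try again.' );
    }
    $decoded = json_decode( wp_remote_retrieve_body( $response ), true );
    return example_recaptcha_evaluate( $decoded, (string) wp_parse_url( home_url(), PHP_URL_HOST ) );
}

/** Read the token the widget adds to the submitted form as a hidden field. */
function example_recaptcha_token() : string {
    return isset( $_POST['g-recaptcha-response'] ) ? (string) wp_unslash( $_POST['g-recaptcha-response'] ) : '';
}

// Protected action: login. Gate only the wp-login.php form (fields "log"/"pwd") so the
// cookie, XML-RPC and application-password authentication paths are left untouched.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( ! isset( $_POST['log'], $_POST['pwd'] ) || '' === $username ) {
        return $user;
    }
    $check = example_recaptcha_verify( example_recaptcha_token() );
    return true === $check ? $user : $check;
}, 30, 2 );

// Protected action: registration.
add_filter( 'registration_errors', function ( WP_Error $errors ) {
    $check = example_recaptcha_verify( example_recaptcha_token() );
    if ( is_wp_error( $check ) ) {
        $errors->add( $check->get_error_code(), $check->get_error_message() );
    }
    return $errors;
} );

// Protected action: password reset request.
add_action( 'lostpassword_post', function ( WP_Error $errors ) {
    $check = example_recaptcha_verify( example_recaptcha_token() );
    if ( is_wp_error( $check ) ) {
        $errors->add( $check->get_error_code(), $check->get_error_message() );
    }
} );

// Protected action: comments from logged-out visitors (the widget is only rendered for them).
add_filter( 'preprocess_comment', function ( array $commentdata ) {
    if ( is_user_logged_in() ) {
        return $commentdata;
    }
    $check = example_recaptcha_verify( example_recaptcha_token() );
    if ( is_wp_error( $check ) ) {
        wp_die( esc_html( $check->get_error_message() ), 'CAPTCHA required', [ 'response' => 403, 'back_link' => true ] );
    }
    return $commentdata;
} );
```

The point of the split between `example_recaptcha_verify` and `example_recaptcha_evaluate` is that the decision rules (success flag, hostname, score) can be reviewed and tested without network access, while the only place the Secret Key is used is the POST to Google. A real plugin such as Solid Security Pro also covers forms this sketch does not (for example the WooCommerce login form mentioned later in this guide) and exposes the threshold and the list of protected actions as settings rather than constants.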

Add reCAPTCHA to the WordPress login screen.

It’s important to understand that your WordPress login page is the number one target for cross-site scripting (XSS) and brute force attacks.

To include a CAPTCHA on your login page using the plugin you’ve chosen, all you need to do is navigate to:

Google CAPTCHA › Settings › General › Enable reCAPTCHA for WordPress

Then, select “Login Form,” located below “WordPress Default.”

At this point, your login page will now be fully protected with WordPress reCAPTCHA.

Add reCAPTCHA to the WordPress password reset screen.

When an attacker’s attempts to log into your website fail, they’ll probably get directed to a page where they’ll be asked to reset their password. To include a CAPTCHA to keep this page protected, you’ll want to navigate to Google CAPTCHA › Settings › General › Enable reCAPTCHA in your WordPress dashboard.

After you’re there, choose the Reset password form you’ll see in the WordPress Default list.

Add reCAPTCHA to the WooCommerce login screen.

If you’re running an eCommerce WordPress site, the login page for your WooCommerce plugin is just as susceptible to malicious login attempts as your core WordPress login page.

To keep your WooCommerce login page protected with reCAPTCHA, you’ll need to upgrade to a premium version of whatever plugin you’ve chosen to use. Then, when you’re ready to implement CAPTCHA on the WooCommerce login page, navigate to Google CAPTCHA › Settings › General › Enable reCAPTCHA in the WordPress dashboard.

From there, select the WooCommerce login form from the External Plugins list.

It’s time to protect WordPress with reCAPTCHA.

If it’s important to you to protect your users, content, and brand reputation, then it’s vital to keep malicious bots from infiltrating your site. One of the simplest ways to keep them out is by adding reCAPTCHA to your website’s forms.

Remember, you can add reCAPTCHA to your site in three quick steps:

  • Install and activate your chosen CAPTCHA plugin.
  • Create a Google reCAPTCHA and get it added to your website.
  • Configure the plugin settings to keep key areas of your site protected from bot attacks.

Also, remember that running a WordPress backup plugin, such as Solid Backups, is important when adding or activating new plugins on your site. If a new plugin causes a conflict with other plugins you’re already running, you could be in for a lot of debugging work. A backup plugin will allow you to immediately restore your site to a “last known good” state without downtime or time wasted trying to troubleshoot and fix the root problem. You can do that anytime on a local test or staging site.

Solid Security is part of Solid Suite — the best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!
