WordPress reCAPTCHA

Learn more about Google reCAPTCHA and other CAPTCHA options in iThemes Security Pro version 7.3 and higher.

Google’s reCAPTCHA is a method of verifying that a login or form submission is being made by a human, not a bot. It has been a feature of the iThemes Security Pro plugin since version 1.13.3 in 2014. Much more recently, we added support for hCaptcha and Cloudflare Turnstile in iThemes Security Pro 7.3. This gives you a number of CAPTCHA options for your most attack-prone pages, including:

  • WordPress New User Registration Forms
  • WordPress User Login Forms
  • WordPress Comment Forms
  • WooCommerce Order Forms

Adding a CAPTCHA to these parts of WordPress/WooCommerce with iThemes Security Pro is easy and gives you essential protection against spam registration, password stuffing, carding, and brute-force login attempts.

Adding CAPTCHAs to WordPress with iThemes Security Pro

iThemes Security Pro integrates with Cloudflare’s intelligent “no CAPTCHA” Turnstile, Google’s reCAPTCHA, and Intuition Machines’ hCaptcha so you can protect your WordPress site with any of these services. Then your users won’t have to waste time trying to guess the answers to unclear CAPTCHA puzzles, and bots can’t use algorithms to guess phrases that aren’t shown on the screen.

To start using CAPTCHA with iThemes Security Pro from your WordPress dashboard, navigate to the iThemes Security › Settings › Features › Lockouts settings and enable the CAPTCHA feature.

iThemes Security › Settings › Features ›  Lockouts

After you enable the CAPTCHA feature, navigate to the iThemes Security › Settings › Configure › Lockouts › CAPTCHA settings.

Security › Settings › Configure › Lockouts › CAPTCHA

Here you’ll need to select one of the three providers.

Security › Settings › Configure › Lockouts › CAPTCHA

Getting Your CAPTCHA Keys

You will need to get (Public) Site and (Private) Secret Keys from the provider you select. For Google reCAPTCHA, you’ll need to select v2, v3, or Invisible reCAPTCHA. Following the onscreen instructions, click the blue link to obtain your keys.

You can generate keys with each service at any time in the account you establish with Google, Cloudflare, or hCaptcha. If you don’t have an account with them, you’ll need to create one and then follow the prompts for generating keys for each site where you intend to use them.

After you generate keys, you will see the Site and Secret Key codes. Copy and paste them into the corresponding Site and Secret Key fields in your iThemes Security Pro settings.
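How the two keys are used once they are saved, as an added example that is not iThemes Security's own code: the Site Key is embedded in the form, while the Secret Key is sent only in the server-to-server siteverify call, and the response to that call decides whether the submission proceeds. The function names, the shop.example hostname, the 0.5 score threshold and the sample responses are assumptions made for illustration.

```python
import json
import urllib.parse
import urllib.request

# Public siteverify endpoints published by each provider.
VERIFY_URLS = {
    "recaptcha": "https://www.google.com/recaptcha/api/siteverify",
    "hcaptcha": "https://api.hcaptcha.com/siteverify",
    "turnstile": "https://challenges.cloudflare.com/turnstile/v0/siteverify",
}

# Constructed sample responses (not captured from a real site).
SAMPLES = {
    "pass": {"success": True, "hostname": "shop.example"},
    "low_score": {"success": True, "hostname": "shop.example", "score": 0.1},
    "replayed": {"success": False, "error-codes": ["timeout-or-duplicate"]},
    "other_site": {"success": True, "hostname": "elsewhere.example"},
}

def build_verify_request(provider, secret_key, token, remote_ip=None):
    """Return (url, form_body). The Secret Key appears only here, never in HTML."""
    fields = {"secret": secret_key, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    return VERIFY_URLS[provider], urllib.parse.urlencode(fields).encode()

def evaluate(result, expected_hostname, min_score=0.5):
    """Decide whether a parsed siteverify response lets the form through."""
    if result.get("success") is not True:
        codes = result.get("error-codes") or ["unknown"]
        return False, "rejected: " + ",".join(codes)
    if result.get("hostname") != expected_hostname:
        return False, "token was issued for another hostname"
    # Only reCAPTCHA v3 returns a score; other responses carry none.
    if "score" in result and result["score"] < min_score:
        return False, "score below threshold"
    return True, "ok"

def verify(provider, secret_key, token, expected_hostname, timeout=5):
    """Live check (needs network). Transport or parse errors fail closed."""
    url, body = build_verify_request(provider, secret_key, token)
    req = urllib.request.Request(url, data=body)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return evaluate(json.load(resp), expected_hostname)
    except (OSError, ValueError):
        return False, "verification unavailable"
```

Because the Secret Key is what authorizes the siteverify call, it belongs only in server-side settings, never in templates or client-side scripts.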

After you’ve pasted in your Keys, you can edit the rest of your CAPTCHA settings to determine the pages where CAPTCHA will be enforced. You can also define how many failed attempts will trigger a lockout and how long iThemes Security needs to remember a failed attempt to count it toward a lockout. The appearance of the CAPTCHA when it needs to be displayed can also be set here.

Cloudflare Turnstile Settings

At a minimum, our recommendation is to enable CAPTCHA on your login and registration pages. This will greatly reduce, if not eliminate, registration spam and brute-force login attempts.

Click “Save All Changes” and you’re set. The next time users log in they will see the new CAPTCHA field — or perhaps nothing at all! Turnstile in particular is designed to generally require no deliberate action from the user. It invisibly assesses browser data and recognizes familiar patterns it associates with human activity.

iThemes Security protecting the WordPress login form with Google's reCAPTCHA.

The next time someone wants to leave a comment on your site, they may see this if you’re using reCAPTCHA:

reCAPTCHA comments via iThemes Security

Grant Users Temporary Privilege Escalation, Scheduled Malware Scans, Enforce Strong Passwords & More with iThemes Security Pro

iThemes Security Pro has many other great features designed to add extra layers of protection to your WordPress site:

  • Two-Factor Authentication — Once activated, users are required to enter both a password AND a time-sensitive code sent to a secondary device to log into your WordPress site. Two-factor authentication is one of the best ways to lock down your WordPress site.
  • Temporarily Give Users Admin or Editor Access — This feature is great for contractors or users who need special temporary escalated privileges for a short period of time. You can give them Admin or Editor access for 24 hours.
  • WordPress Core Online File Comparison — This feature allows iThemes Security to detect changes made to any WordPress core file on your site by comparing them all with the file manifest for the official distribution of WordPress. iThemes Security Pro will intelligently determine if any changed or added files are malware.
  • Enforce Strong Passwords and Password Expiration — These features make it easy to enforce strong passwords on your WordPress sites. In iThemes Security Pro settings you can enable the WP strong password evaluator and choose to set a date for passwords to expire, forcing users to create a new password.

If you’re not using iThemes Security Pro, now is a great time to start.
