How To Add CAPTCHA To WordPress: Stop Automated Spam And Hacking Attempts
Published on November 1, 2022 by Simon Wright
If you have any forms on your WordPress website, chances are you will sooner or later receive automated spam submissions or encounter robotic hackers trying to break into your site. Both can be incredibly infuriating, but there are ways of reducing them. So, this article will show you how to add CAPTCHA to WordPress login forms and contact forms to prevent non-human interactions with your site.
What Are CAPTCHA And reCAPTCHA?
The full title of CAPTCHA is somewhat of a tongue twister: “Completely Automated Public Turing test to tell Computers and Humans Apart.” It is a method of preventing automated spam and ro(bot) comments from attacking WordPress forms or trying to log into websites.
CAPTCHA uses a Turing test to help identify the ability of a computer to behave like a human. These tests are the brainchild of the man famously accredited with breaking the Enigma code during the Second World War, Alan Turing.
You will undoubtedly have been exposed to a CAPTCHA at some point when submitting an online form or trying to log into a website. They come in various formats, ranging from simple checkboxes through the infamous photo grids where the user must identify certain elements to those wobbly strings of text and numbers that you must correctly enter before you can submit the form.
Of course, hackers and spammers never give up, and resultingly, CAPTCHA technology continues to evolve to stay ahead (or at least keep abreast) of them. Therefore, basic checkbox-based verification has given way to more advanced methods that use picture, text, mathematical, and even sound-based challenges bots find difficult to solve.
Unfortunately, CAPTCHAs have one massive downside: they seriously diminish a site’s user experience. Many people find them super-annoying, and should a user not be successful on the first CAPTCHA submissions, they will probably leave the website and go elsewhere.
Although CAPTCHA is still extensively used, it has further evolved into what the owners, Google, call ‘reCAPTCHA.’
reCAPTCHA is considerably more sophisticated than CAPTCHA. It was designed to make the challenge process less onerous for users and overcome CAPTCHA’s limitations when used on mobile devices.
Invisible reCAPTCHAs are also now available. These cleverly monitor user activity – for example, mouse movements, typing patterns, and other behaviors – to determine if a user is human or a machine. Should the invisible CAPTCHA suspect a user is a machine, it can present additional tests before the user can proceed further. As a result, the need for challenges has been reduced to the point that, in most instances, users are often unaware that a reCAPTCHA is checking their validity.
Currently, three types of reCAPTCHA exist, namely
- v2 Checkbox reCAPTCHA
- v2 Invisible reCAPTCHA
- v3 reCAPTCHA
Let’s now take a closer look at these:
v2 Checkbox reCAPTCHA
This type of reCAPTCHA merely requires the user to check an “I’m not a robot” box to confirm that they are a real person.
v2 Invisible reCAPTCHA
For additional security (i.e., where the system has some doubt as to whether the user is human,) both versions of v2 may also ask the user to complete an image-based challenge before the form submit button unlocks. For example, the user may need to click on traffic lights, buses, boats, etc., in an image grid.
To users, v3 reCAPTCHA looks virtually identical to v2 Invisible reCAPTCHA. However, V3 reCAPTCHA does not subject users to occasional image-based challenges; instead, it monitors the user’s behavior, looking for any activity it deems to be unusual or suspicious. It then assigns the user a score and compares it to a minimum score you pre-configure – if the user’s score falls short of that, they cannot submit the form.
v3 reCAPTCHA has one major drawback compared to the v2 versions: it does not provide users with a further opportunity to prove they are people and not bots. Therefore, we suggest that for most applications, one of the v2 reCAPTCHA options would better suit most website owners as they won’t prevent legitimate users from submitting forms.
A Word About Hosting
Before we show you how to add CAPTCHA to protect your WordPress website from automated spammers and hackers, we want to quickly mention the importance of good hosting.
Many companies offer website hosting packages, ranging from just a few dollars per month upwards. However, unfortunately, not all solutions are made equal, and some provide better security features than others.
WP Bolt offers high-performance hosting that uses virtual private servers (VPS). You effectively get your own dedicated server space meaning there are none of the security issues that can plague shared hosting. You can read more about the differences between the different types of hosting here.
How To Add CAPTCHA to WordPress?
So, let’s now look at how you can add CAPTCHA protection to the forms on your WordPress website.
The simplest way is to use a plugin. There are plenty to choose from but listed below are some of the best currently available in 2022. The list includes free, premium, and paid options, so it should be possible to find the right one to suit your needs.
First on our list is CAPTCHA 4WP, a plugin that uses advanced technology to secure most form types on your WordPress website, protecting you from spam while continuing to offer your site visitors an excellent user experience.
One of the most attractive things about CAPTCHA 4WP is how easy it is to configure and use – no specialist knowledge is necessary. Furthermore, you can choose from v2 “I’m not a robot” checkbox, v2 invisible, or v3 invisible type CAPTCHAs, so your security checks can be as stealthy as you wish.
The free version of CAPTCHA 4WP includes the following features:
- Spam protection of WordPress login, comments, registration, and password reminder forms
- Ability to select from a variety of CAPTCHA types
- Configurable CAPTCHA pass mark score
- Selectable language
- Forum support
Two premium versions of Captcha 4WP are available. ‘Professional’ costs from $24.99 to $94.99 per year, depending on the number of domains you wish to cover. That plan includes the following:
- Add CAPTCHAs to any form, including PHP forms
- Protect WooCommerce from spam, fake orders, and bogus login attempts
- Single-click Contact Form 7, Gravity Forms, WPForms, and Mailchimp spam protection
- Third-party plugin support, e.g., BuddyPress, bbPress, etc.
- Single-click setup for CF7 and MC4WP
- No adverts
- Premium support
The other premium plan is ‘Business’ which costs $29.99 to $99.99 per year. It is identical to Professional but adds the ability to show CAPTCHA when failed login attempts are detected. You can also safe-list (allow) logged-in users, specific IP addresses, and URLs.
A free seven-day trial of the premium plans is available should you wish to test those out before committing to a full subscription.
Next in our list of plugins to add CAPTCHA to WordPress is reCAPTCHA. Like most of the other plugins we have listed, reCaptcha is compatible with most WordPress form types. Moreover, reCAPTCHA allows you to choose from reCAPTCHA v3, v2, or invisible to minimize inconvenience to real humans while keeping bots out.
Even in its free guise, the reCAPTCHA plugin has many great features included as standard, for example:
- Protect many form types, such as registration, login, password recovery, comments, contact, testimonials, etc., using v2, v3, or invisible reCAPTCHA
- Hide the reCAPTCHA for IP addresses on your safe list and in forms for specific user roles
- Ability to hide the reCAPTCHA badge (invisible and v3)
- Submit button can be disabled
- Admin panel key validity check
- Light and dark themes (v2 only)
- Compatible with the developer’s Limit Attempts plugin
- Multilingual and RTL ready
- Extensive user documentation and tutorial videos
That’s an excellent feature set for a freebie, making reCAPTCHA a superb option for beginners or website owners with a limited budget.
A Pro version of reCaptcha Pro is also available for $24 per year or $211 lifetime. Those prices are per domain, and add the following features over the free version:
- Compatible with many more form types, e.g., MailChimp, WooCommerce, Divi, WPForms, etc.
- Configurable size (normal or compact) for v2
- Manual reCAPTCHA language selection
- Ability to configure all sub-sites on your network
- Priority support
- Thirty-day money-back guarantee
The developer of reCaptcha, BestWebSoft, also sells a Captcha plugin. This offers similar functionality to reCaptcha but uses CAPTCHA instead of reCAPTCHA technology.
The hCaptcha plugin is unique in that it protects your website’s and users’ privacy while financially rewarding you for every CAPTCHA solved by a real person on the site.
The free version of hCaptcha is called ‘Publisher’ and includes the following:
- Financial rewards for each human CAPTCHA solved
- Compliant with global data protection rules, e.g., CCPA, GDPR, LGPD, etc.
- Supports most plugins and form types
- Works in every country worldwide
You’ll need to sign up for a free API Key at hCaptcha’s web site, similar to needing to do the same for reCAPTCHA on Google’s site.
Enterprise is the hCaptcha premium plan. That adds many more features over the free one, although it strangely doesn’t include the financial rewards. However, it does use more advanced methods for determining if interactions on your site are by humans or bots, thereby minimizing inconvenience to legitimate users.
Enterprise includes these features:
- Threat signatures
- Bot detection and risk scores
- Control challenges, types shown, and content used
- Fine-grained difficulty levels
- APT (advanced persistent threat) mitigation
- Flash sale protection
- Advanced reports
- Dashboards for multiple users
Unfortunately, the developer is rather vague about its pricing of Enterprise, so you will need to contact their sales team directly for further information.
Simple Login Captcha
Simple Login Captcha is a basic but free plugin that requires users to enter a randomly generated code into a ‘Security Code’ field before they can submit the login form.
Like Login No Captcha reCAPTCHA, Simple Login Captcha is only for preventing automated login attempts, nothing more and nothing less. As such, the feature set is scant but perfectly usable:
- Simple installation, setup, and operation
- Add a security code box to WordPress and WooCommerce login forms
- Randomized security code
- Compatible with most WordPress configurations
- Eight languages currently supported
Simple Login Captcha’s simplicity is what makes it so attractive.
Read more about Simple Login Captcha
Login No Captcha reCAPTCHA
If you are looking for a completely free option, despite its long-winded name, Login No Captcha reCAPTCHA could be right for you.
While basic, this plugin does what it says on the tin: protects your WordPress site or WooCommerce store’s login, forgot password, and user registration forms from automated hacking and spam attempts via a Google No Captcha ReCaptcha checkbox. That means bots will be refused access, whereas legitimate users only have a single check box to click.
Despite being free, Login No Captcha reCAPTCHA boasts the following features:
- Simple installation, setup, and operation
- Add a ReCAPTCHA checkbox to WordPress and WooCommerce login, forgot password, and user registration forms
- Compatible with most WordPress configurations
- Eleven languages currently supported
Please note that this plugin only protects the default login, forgot password, and user registration forms, not other form types such as comments or custom ones. Moreover, it doesn’t prevent brute force attack attempts, although it will stop them from succeeding.
Read more about Login No Captcha reCAPTCHA
Friendly Captcha is a freemium plugin that presents visitors to your site with a unique crypto puzzle. The puzzle is super easy for humans to solve, and the moment the user begins doing it, it starts getting solved. In most cases, it is completed long before the user is ready to submit the form, keeping inconvenience to a minimum.
Features of the free versions of Friendly Captcha include:
- Protection for one website with up to 1,000 requests per month
- Wide range of registration, login, and password reset form types supported (WordPress, WooCommerce, Gravity Forms, Elementor Pro Forms, etc.)
- Cryptographic bot protection
- Data protection compliance – no tracking or cookies
- More user-friendly than conventional CAPTCHA challenges
The two premium versions of Friendly Captcha, Starter and Growth, offer the same features set as the free one but add commercial usage also. Growth also increases the request limit to 5,000 per month. Starter costs €9 (not $) per month, and Growth is €39. Free thirty-day trials of both versions are available. Moreover, a demo form is available on the plugin website for you to try.
Read more about Friendly Captcha
Should You Add CAPTCHA to Your WordPress Website?
If your site has any user forms, whether for registration, login, commenting, contact, or any other purpose, the answer to that question is “yes.”
Without CAPTCHA protection, you will inevitably receive unwanted automated spam; worse still, automated bots will attempt to hack into your site and wreak havoc.
Thankfully, it is relatively cheap (free, even) and simple to add CAPTCHA to WordPress using one of the suggested plugins. We strongly recommend using hCaptcha, as it requires no specialist knowledge to set up, and you can customise the level of user that you wish to require to complete a Captcha to choose between minimizing user inconvenience or requiring everyone to complete a complex Captcha before gaining access.
I’m a former construction industry professional who came out of the writer’s closet and am now totally comfortable with my creative side. My pronouns are smart, creative, witty, and dependable. I have written content in a number of niches including WordPress, plus I’m a blogger and affiliate marketer. If you’d like to know more about how I can help you, please head over to my website.
Want to speed up your web site?
WP Bolt makes it easy and affordable to have a High Performance WordPress VPS server.