If your contact forms aren’t as secure as you’d like them to be and now your inbox is flooded with spam. Don’t worry, you can soon fix that problem by learning how to add CAPTCHA to WordPress contact forms.
Even if you’ve never heard the term ‘CAPTCHA’ before, you’ve undoubtedly come across it countless times in your day-to-day life.
They’re the verification tests that appear below contact forms and login screens, asking you to complete a task (such as checking a box or identifying images) to verify you’re human.
As annoying as these little tests can be sometimes, they’re an essential component of WordPress form security, preventing automated bots from deluging your site with spam and putting your site at risk of a malicious attack.
In this guide, we outline everything you need to know about CAPTCHA for WordPress and show you how to quickly and easily implement the free Google reCAPTCHA tool into your forms using popular plugins Contact Form 7 and WPForms.
What is CAPTCHA?
CAPTCHA stands for “Completely Automated Public Turing Test to tell Computers and Humans Apart.”
Interesting, right?
If you’re wondering what a Turing test is, it’s a type of intelligence test named after the computer scientist, Alan Turing.
An early pioneer in the fields of machine learning and Artificial Intelligence, Turing designed ‘The Imitation Game’ back in the 1950s as a way to test whether a machine could display human-like intelligence.
The game involved three participants; two humans and one computer.
One human would engage in separate text conversations with the other human and the computer. They were then tasked to see if they could determine which text came from a human and which came from a machine.
If the human couldn’t tell them apart, the machine was said to have passed the test.
Fast forward 70+ years later, and we have CAPTCHA, a mechanism that essentially flips Turing’s original idea on its head.
Instead of a human trying to figure out if something is a person or a computer, a CAPTCHA is a test for a computer to figure out if something is a computer or a person.
It presents a challenge that is easy for humans to complete, but incredibly difficult -if not impossible- for computers.
So, when you complete a CAPTCHA task successfully, it knows that you’re a real person rather than an automated bot and, thus, allows you to complete whatever action you originally wanted to take.
The Different Types of CAPTCHA Explained
The number of different CAPTCHA types available to you as a website owner has grown over the years as Internet security experts continue to fight the good fight against increasingly sophisticated spam bots.
Some of the more common ones you’re likely to use include:
Text-Based
First invented back in 1997, the original CAPTCHA format presents users with a word or series of characters in a way that is somehow distorted.
These characters are relatively easy for human beings to decipher and enter into a text field, but very hard for bots to interpret.
Image-based
Here’s another one you’ve no doubt encountered in the wild:
A grid containing six squares, each with a different image.
Your job as a user is to click on all the images in that grid that contain a specific object, such as a motorcycle or a bridge.
NoCAPTCHA reCAPTCHA
This is the basic checkbox that asks you to confirm that you’re not a robot.
Although it seems incredibly basic, there’s actually much more going on than meets the eye.
Although bots are certainly capable of clicking in checkboxes, it isn’t the action itself that’s being tested here, but rather the behavior and other factors resulting in that action.
reCAPTCHA looks at things like your IP address, time zone, the number of keystrokes you make, and the way you move your cursor on the screen.
These are things that a robot simply can’t emulate effectively enough to pass the test.
Honeypot
Here’s one that’s really clever, forcing automated spam programs to essentially out themselves.
Used in online forms, the Honeypot is basically an extra field that is hidden from genuine users but visible to bots.
A bot that is programmed to fill in a form would fill out all the fields in that form, so any input in the hidden field couldn’t possibly come from a human.
Benefits of Using CAPTCHA
If we had to give you just one reason to implement CAPTCHA in WordPress, it would be this:
It makes your website stronger, safer, and overall better.
Of course, we don’t have to just give you one reason, so here’s three more:
1. Preventing Spam
CAPTCHA is an effective form of WordPress spam protection that saves you from an inbox flooded with inane, automated form submissions.
Seriously, take a look at the image above. That’s just a fraction of the spam messages we received on our test site over the course of a few days.
Not only is this incredibly annoying, but it also means you run the risk of missing out on a genuine email from a legitimate user that was buried under a mountain of spam.
Can you imagine how devastating it would be to miss out on a game-changing opportunity to grow your business or a potential big-money order, all because an important message was lost in a sea of computer-generated ads for air conditioning units and shady adult websites?
It’s simply not a risk worth taking, especially when you could increase your WordPress form security in a matter of minutes by adding a CAPTCHA solution.
2. Strengthening Security
Spam is certainly frustrating, but, unless you engage with it, most of it is relatively harmless.
Most, but not all:
It’s not that uncommon for stealthy spam bots to submit malicious code disguised as legitimate form data.
This code can then be executed on your hosting server, infecting your site with malware.
What’s more, it’s important to note that CAPTCHA doesn’t just protect WordPress from spam contact form submissions.
It can also serve as a crucial line of defense against brute force attacks and other nefarious activities.
Hackers frequently use automated bots to pummel user login forms with scores of random usernames and passwords.
Eventually, the sheer luck of the draw will mean that these randomly generated characters will exactly match your legitimate credentials, giving attackers easy access to your website.
This is why it’s such a good idea to add CAPTCHA to WordPress admin login screens and membership sites, giving you extra protection against bad actors.
3. Improving User Experiences
With a secure WordPress contact form protected by CAPTCHA, you can be confident that form submissions are coming from real people. This opens the doors to more meaningful, helpful, and timely conversations with your customers, ultimately helping you to boost your conversions.
Choosing the Right CAPTCHA for WordPress Site
With several options at your disposal, the first step to installing CAPTCHA in WordPress is to determine exactly which type of CAPTCHA to use.
Types of CAPTCHA Available
1. Traditional CAPTCHAs
Traditional CAPTCHAs are the ones you’re probably most familiar with. They’re the ones where users have to decipher text or identify an image to prove they’re a real human.
As effective as they can be, they can also frustrate users and, as a consequence, harm your conversion rates.
The problem is that the better bots become at passing CAPTCHA tests, the harder those tests become for even real humans to complete.
The harder they are to crack, the more likely a user is going to give up and leave.
2. Google reCAPTCHA
Here, you can decide between two versions of Google’s reCAPTCHA for WordPress:
3. reCAPTCHA v2
This is the standard ‘I Am Not Robot’ checkbox. Here, user behavior and identifiable information is tracked to determine whether the box is being clicked by a human or a bot.
If the reCAPTCHA program isn’t certain one way or another, it can prevent users with a secondary challenge such as picking out images containing a certain object.
As with traditional CAPTCHAs, they can be a useful WordPress anti-spam measure, but they can also be a turn-off to legitimate users.
4. reCAPTCHA v3
reCAPTCHA v3 is the least likely to annoy visitors as they don’t have to complete any kind of challenge.
Instead, bot detection is done behind the scenes by tracking user data and converting that data into a score.
The interaction must reach a particular score or higher to be classed as coming from a real person.
One of the upsides here is that v3 lets you determine how high that score needs to be.
For example, you could decide that any interaction that doesn’t score at least a 0.5 is a bot and should therefore be blocked.
On the downside, however, this reliance on tracking users’ data does raise significant privacy concerns. Google uses this data not just for things like WordPress bot detection, but also for ad targeting.
5. hCAPTCHA
hCAPTCHA provides a more privacy-friendly alternative to Google reCAPTCHA.
It presents users with a grid of images and tasks them with identifying certain images. One upside is that website owners can control the level of complexity of these challenges, ranging from the old-fashioned “select all images containing boats” to the more challenging -but ultimately more effective “Click on the image of the largest animal in the world.”
However, as we’ve been discussing, the more challenging a CAPTCHA test is, the more off-putting it is for users and, thus, the more likely they are to abandon your site.
Comparing CAPTCHA Options
| CAPTCHA Type | Pros | Cons |
| Traditional CAPTCHAs | Simple to set upMost users are familiar with them | Can be difficult for users Bots are getting better at passing tests. |
| Google reCAPTCHA v2 | Easy to useProvides extra verification steps for maximum site security | Can be intrusive for usersPotential privacy concerns |
| Google reCAPTCHA v3 | Invisible to users, preventing the risk of site abandonment | More technical to set upReliance on user tracking raises privacy issues |
| hCaptcha | Privacy-focused alternative to Google | More challenging for users meaning an increased risk in site abandonment. |
With all that in mind, just one question remains:
What is the best CAPTCHA for WordPress websites like yours?
Ultimately, it all comes down to a matter of user experience versus user privacy.
While traditional CAPTCHa and hCAPTCHA are less intrusive on user privacy, they’re also more likely to harm the overall user experience you provide, causing potential issues such as higher bounce rates and lower conversions.
What’s more, they also pose challenges regarding accessibility.
Sure, most task-oriented CAPTCHAs come with an alternative audio CAPTCHA for visually impaired users, but that doesn’t help much if the user has other accessibility issues that prevent them from hearing it.
On the other side of the coin, the two versions of Google reCAPTCHA don’t have the same impact on user experience, but their reliance on tracking user data means that you’re essentially throwing users under the proverbial bus, sacrificing their privacy in exchange for better results from your site.
To make a decision, it pays to think about your website, the goals you have for it and, of course, your users.
For example, if you prioritize user privacy above all else, then you may want to avoid Google reCAPTCHA altogether and use either a traditional CAPTCHA or the privacy-oriented hCAPTCHA.
Alternatively, if you value flawless user experiences most of all, you may want to go with Google reCAPTCHA v3.
How to Add CAPTCHA to Your WordPress Contact Form
Although you could use a dedicated WordPress CAPTCHA plugin to tighten security around your contact forms, you may not need to.
Many of the top contact form tools for WordPress already come with CAPTCHA capabilities built-in.
Below, we provide step-by-step instructions on how to add reCAPTCHA in WordPress using two of the more popular form plugins, Contact Form 7 and WPForms.
How to Get Your Google reCAPTCHA Keys
Regardless of which plugin you use, your first step is to set up reCAPTCHA in Google.
First, point your browser to Google.com/recaptcha/admin/create and, if you’re not already logged into your Google account, enter your credentials.
Next:
A. Add a Label
Create a label that will make it easy to identify your site in the reCAPTCHA dashboard. Simply adding the name of your website is plenty sufficient.
B. Choose Your reCAPTCHA type
For the sake of this tutorial, we’re going to select the score-based reCAPTCHA version 3.
C. Add Your Domain and Project Name
Enter the domain name for your website, then create a Project Name so that the Google Cloud Platform can provide the necessary APIs for your reCAPTCHA solution to work.
When you’ve done all that, click Submit.
D. Copy Your keys
This process will generate a Site Key and a Secret Key.
Copy both and keep them safe as you’ll need to enter these into your WordPress contact form CAPTCHA settings.
How you do this will depend on which plugin you use.
How to Set Up Your Contact Form 7 CAPTCHA
To set up Contact Form 7’s CAPTCHA integration, first go to Contact – Integration – reCAPTCHA.
Then, click Setup Integration.
Next, paste your Site Key and Secret Key into the relevant boxes and hit Save.
You’ll know it worked when you see two notifications, the first confirming your settings have been saved, and the second confirming that reCAPTCHA is active on your site.
How to Use WPForms CAPTCHA Settings
First, go to WPForms – Settings – CAPTCHA
Then, select the type of CAPTCHA you want to use. Again, we’re going to stick with reCAPTCHA since we’ve already grabbed the necessary keys from Google.
On the reCAPTCHA settings page, select the reCAPTCHA version you want to use and enter your keys.
One of the advantages of using WPForms is that it lets you easily change the score threshold for reCAPTCHA v3.
By default, this is set to 0.4, but we’ve cranked it up one notch for extra security.
Here, you can also enable No-Conflict Mode if you find that your WPForms CAPTCHA settings interfere with other CAPTCHA types on your site.
Otherwise, simply click Save and you’re all done.
As with Contact Form 7, you’ll receive a notification that the CAPTCHA was correct, and you’re now ready to start enjoying the added security and spam-free inbox experience that WordPress CAPTCHA tools provide.
WordPress contact form CAPTCHA: Your Key Takeaways
We’ve provided you with a ton of information and practical instructions on how to choose and implement the best CAPTCHA solution for your WordPress website.
Since there’s so much to take in, let’s wrap things up by recounting the most important points we want you to take away from this guide.
- CAPTCHA is essential for WordPress anti-spam protection – Its purpose is to confirm that an action on your website (such as submitting a form) is being taken by a real person rather than a bot program, thus reducing spam and malicious activity.
- There are three main types of CAPTCHA: Traditional, Google reCAPTCHA, and hCAPTCHA – Although reCAPTCHA is least likely to annoy your visitors, it’s worth considering the impact on privacy before you use it.
- Top WordPress contact form plugins come with CAPTCHA capabilities – You’ll simply need to grab the relevant API keys for your preferred CAPTCHA type and enter them into your plugin’s settings.
If you’re looking for ongoing support to keep your WordPress site secure, check out our WordPress Care Plans. Our team can handle everything from CAPTCHA setup to complete site management, making sure your site stays safe and spam-free.