CAPTCHAs provide a completely automated way of testing whether your website visitors are humans or bots. They prove very useful when you are trying to combat spam bots and certain types of automated attacks on your website. There are many types of CAPTCHA services that you can integrate with your website. Some of the most popular ones are reCAPTCHA, hCAPTCHA, Turnstile, and Friendly Captcha. All of them have their unique strategies to detect bots. This can make choosing between CAPTCHA vs ReCAPTCHA challenging.
This post will focus on reCAPTCHA (a service owned by Google) and how it differs from other CAPTCHA services in several key aspects. This should help you make an informed decision when it comes to integrating a CAPTCHA into your website.
Table of contents
- What is reCAPTCHA?
- Visitor Verification
- User Interaction and Experience
- Integration Process
- Should you use ReCAPTCHA or CAPTCHA?
- Frequently Asked Questions – FAQs
What is reCAPTCHA?
As mentioned earlier, reCAPTCHA is a variation or type of CAPTCHA. Google acquired it a while ago and has been releasing newer and improved versions of reCAPTCHA ever since.
The first version of reCAPTCHA, called reCAPTCHA v1, was shut down in March 2018. There are now three different active versions:
- Google ReCAPTCHA V2 “I’m not a robot”
- Google ReCAPTCHA V2 Invisible
- Google ReCAPTCHA V3
All reCAPTCHA versions employ different methodologies to detect bots. With each one having its own set of pros and cons, which one you choose will largely depend on your needs and requirements. All reCAPTCHA versions, as well as other types of CAPTCHAs, can be implemented on WordPress using a plugin.
All CAPTCHA services have the same goal of protecting your WordPress from malicious bots while letting in legitimate visitors. This includes reCAPTCHA as well as alternatives such as hCAPTCHA and Turnstile. However, they have some important differences that you should keep in mind when deciding which one to use on your site.
Google reCAPTCHA is currently the most popular CAPTCHA service out there. Therefore, this post will revolve around reCAPTCHA and how it compares with other CAPTCHA services. We will divide the discussion into several important topics, such as the visitor verification process, security, accessibility, privacy, etc.
Keep in mind that not all of these criteria will be equally important for everyone reading this article. You should give more weight to what’s important for your particular situation before choosing a CAPTCHA service to use on your website.
Visitor Verification
Visitors on a website can either be humans or bots. The bots can be good or bad. The bad ones will try to access secure parts of your website, post spam comments, create fake orders, etc.
Having a proper visitor verification mechanism in place will help you stop most of these bad bots.
Google reCAPTCHA v1 primarily used text identification and image classification to determine if the website visitors were humans or bots. It has been shut down since March 2018. One challenge that Google faced with reCAPTCHA v1 was that bots were getting better and better at solving CAPTCHAs.
For this reason, reCAPTCHA v2 reduced its reliance on traditional CAPTCHA challenges. It offers two different versions to verify that a visitor is human and not a bot, as explained below.
You can use the Google reCAPTCHA v2 “I’m not a robot” version, which explicitly asks visitors to click on a checkbox that says “I’m not a robot” as a test. At this point, Google is running its algorithm in the background to determine if the visitor’s behavior is similar to a human or a bot. If the visitor passes the test, they are let through. However, if they fail the test, they will be asked to solve a CAPTCHA challenge in order to proceed.
You can also use the Google reCAPTCHA v2 invisible version to verify that the visitors are humans. As the name suggests, there is no CAPTCHA visible to visitors in this case. You simply tie the reCAPTCHA verification to an existing button on your website, such as the form submission button. In its default configuration, this version only asks the most suspicious traffic to solve a CAPTCHA. However, you can update the security preferences for your website from the settings in the Google reCAPTCHA admin dashboard.
Google reCAPTCHA v3 relies solely on user interactions on web pages. It loads a script that determines how likely a particular visitor is to be a human or a bot. The script, which is often handled by a CAPTCHA plugin, needs to be loaded on form pages at a minimum. Loading it on all pages incurs a negligible performance hit but increases the accuracy of the test. The CAPTCHA 4WP plugin gives you the option to configure reCAPTCHA v3 to load only on form pages or on all pages.
Google reCAPTCHA v3 doesn’t ask visitors to solve any captcha challenge. It analyzes user behavior and returns a score. The lower the score, the more likely it is that the visitor is a bot. The higher the score, the more likely it is that the visitor is human.
Google reCAPTCHA v3 leaves the implementation of an additional test for visitors (who fail the automated reCAPTCHA v3 test) up to website owners. The CAPTCHA 4WP plugin provides a failover feature to help you here. You can configure the plugin so that it asks visitors to verify themselves using a reCAPTCHA v2 checkbox if they have failed the reCAPTCHA v3 test. Other configuration options include the ability to redirect visitors to a different URL or to do nothing.
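How a site owner might act on the v3 score on the server, as an added example (not code from CAPTCHA 4WP or Google): it validates a `siteverify` response and maps a low score to the failover options described above. The hostname, the 0.5 threshold, the decision names and the sample responses are assumptions constructed for illustration.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

# Assumed site policy; every value here is illustrative.
EXPECTED_HOSTNAME = "shop.example"
SCORE_THRESHOLD = 0.5
FAILOVER = "challenge_v2"  # alternatives: "redirect", "nothing"


def fetch_assessment(secret, token, timeout=5):
    """Send the token received from the browser to siteverify; return the JSON reply."""
    body = urllib.parse.urlencode({"secret": secret, "response": token}).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=timeout) as resp:
        return json.load(resp)


def decide(assessment, expected_action, threshold=SCORE_THRESHOLD, failover=FAILOVER):
    """Turn a siteverify response into (decision, reason).

    A token that is invalid, replayed, or minted for another site or another
    form is rejected outright; only a valid token with a low score reaches
    the configured failover.
    """
    if not assessment.get("success"):
        codes = ",".join(assessment.get("error-codes", [])) or "unknown"
        return "reject", "token not accepted: " + codes
    if assessment.get("hostname") != EXPECTED_HOSTNAME:
        return "reject", "token was issued for a different site"
    if assessment.get("action") != expected_action:
        return "reject", "token was issued for a different action"
    score = assessment.get("score")
    if not isinstance(score, (int, float)):
        return "reject", "response carries no score"
    if score >= threshold:
        return "allow", f"score {score} >= {threshold}"
    return failover, f"score {score} < {threshold}"


# Constructed sample responses in the shape siteverify returns for v3.
HUMAN = {"success": True, "score": 0.9, "action": "login",
         "hostname": "shop.example", "challenge_ts": "2024-01-01T00:00:00Z"}
BOT = dict(HUMAN, score=0.1)
REPLAYED = {"success": False, "error-codes": ["timeout-or-duplicate"]}

if __name__ == "__main__":
    for name, sample in [("human", HUMAN), ("bot", BOT), ("replayed", REPLAYED)]:
        print(name, decide(sample, "login"))
```

The hostname and action checks matter as much as the score: without them, a high-scoring token obtained on one form could be presented to another.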
Other CAPTCHA services
Usually, CAPTCHA challenges involve solving puzzles such as typing distorted text and image classification. Some of them might require solving a simple math problem.
Some of the newer CAPTCHA services, such as hCaptcha, sometimes ask visitors very simple questions, such as what their favorite fruit or vegetable is. Others, like Friendly Captcha, generate a crypto puzzle for the visitor’s device to solve. The visitors can just fill out their forms normally. The puzzle automatically starts getting solved when visitors start to fill out a form protected by the CAPTCHA.
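The idea of a puzzle solved by the visitor's device can be illustrated with a generic hash-based proof of work. This is an added sketch, not Friendly Captcha's actual algorithm or API: the challenge format, the 12-bit difficulty and the five-minute lifetime are assumptions.

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)   # per-deployment secret (assumption)
DIFFICULTY_BITS = 12          # required leading zero bits (assumption)
TTL_SECONDS = 300
_solved = set()               # challenges already redeemed, to stop replays


def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def _leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def _work(challenge, nonce):
    return hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()


def issue_challenge(now=None):
    """Server: hand out 'salt.expiry.bits.signature' so no state is kept per visitor."""
    now = int(time.time() if now is None else now)
    payload = f"{os.urandom(8).hex()}.{now + TTL_SECONDS}.{DIFFICULTY_BITS}"
    return f"{payload}.{_sign(payload)}"


def solve(challenge):
    """Client: search for the first nonce whose hash meets the difficulty."""
    bits = int(challenge.split(".")[2])
    nonce = 0
    while _leading_zero_bits(_work(challenge, nonce)) < bits:
        nonce += 1
    return nonce


def verify(challenge, nonce, now=None):
    """Server: check signature, expiry, single use, then the work itself."""
    now = int(time.time() if now is None else now)
    payload, _, sig = challenge.rpartition(".")
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return False              # forged or altered (e.g. lowered difficulty)
    _salt, expires, bits = payload.split(".")
    if now > int(expires) or challenge in _solved:
        return False              # stale or already redeemed
    if _leading_zero_bits(_work(challenge, nonce)) < int(bits):
        return False              # not enough work done
    _solved.add(challenge)
    return True


if __name__ == "__main__":
    c = issue_challenge()
    n = solve(c)
    print("nonce", n, "accepted", verify(c, n), "replay accepted", verify(c, n))
```

Verification costs the server one hash while solving costs the client thousands on average, which is what makes bulk form submissions expensive for a bot.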
Cloudflare Turnstile also avoids asking visitors questions or making them solve puzzles to determine if they are humans. It takes several other aspects into consideration, such as the reputation of the visiting IP, probing the user-agent, checking for support of web APIs, and human behavior patterns.
The CAPTCHA 4WP plugin also supports popular reCAPTCHA alternatives like hCaptcha and Cloudflare Turnstile.
User Interaction and Experience
A good CAPTCHA service will always try to determine if a visitor is a human or bot with as little direct interaction with the CAPTCHA as possible. In fact, a lot of new CAPTCHA providers rely on either the information gathered about the visitor’s device or their behavior across a website to determine if they are bots.
User experience is something that you should definitely consider when determining which CAPTCHA service to use on your website. A service that regularly asks visitors to solve CAPTCHA puzzles could result in you losing some business to your competitors due to a bad user experience.
Google reCAPTCHA has continuously made improvements in its bot detection algorithm to avoid showing visitors any puzzles. This means that you will get a high level of security on your website without compromising on the user experience.
With reCAPTCHA v2, Google started relying mostly on behavioral analysis to determine if a visitor is a bot. This implementation of reCAPTCHA v2 is also known as the No CAPTCHA reCAPTCHA.
Visitors can simply click a checkbox to verify that they are humans. This makes reCAPTCHA v2 much more user-friendly compared to its predecessor reCAPTCHA v1.
Google took it a step further with the invisible reCAPTCHA, where the verification occurs entirely in the background, and visitors don’t even see the checkbox. Only the most suspicious visitors are asked to solve CAPTCHA puzzles with reCAPTCHA v2.
Keep in mind that visitor behavior varies across websites. Therefore, Google suggests that you let the script run freely in the background for some time to collect enough data. Once you have the data, you will be able to make an informed decision about the threshold at which to take further action to verify the legitimacy of the visitors.
This reluctance to show visitors any actual CAPTCHA challenges to solve makes reCAPTCHA v3 the most user-friendly reCAPTCHA.
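One way to turn the observation period described above into a threshold, as an added example that is not Google's or CAPTCHA 4WP's method: it assumes you logged each v3 score without enforcing it and later labelled the submission yourself (for instance through comment moderation). The sample data and the 10% budget are constructed.

```python
# Constructed sample: (v3 score, label assigned later by the site's own review).
OBSERVED = [
    (0.9, "legit"), (0.9, "legit"), (0.7, "legit"), (0.9, "legit"), (0.8, "legit"),
    (0.7, "legit"), (0.9, "legit"), (0.6, "legit"), (0.9, "legit"), (0.3, "legit"),
    (0.1, "spam"), (0.1, "spam"), (0.3, "spam"), (0.2, "spam"), (0.1, "spam"),
    (0.6, "spam"),
]

CANDIDATES = [i / 10 for i in range(1, 10)]   # thresholds 0.1 .. 0.9


def rates_at(observations, threshold):
    """Return (share of legit visitors sent to failover, share of spam let through)."""
    legit = [s for s, label in observations if label == "legit"]
    spam = [s for s, label in observations if label == "spam"]
    if not legit or not spam:
        raise ValueError("need both legit and spam observations to calibrate")
    legit_challenged = sum(s < threshold for s in legit) / len(legit)
    spam_passed = sum(s >= threshold for s in spam) / len(spam)
    return legit_challenged, spam_passed


def tradeoff_table(observations):
    """One row per candidate threshold: (threshold, legit_challenged, spam_passed)."""
    return [(t, *rates_at(observations, t)) for t in CANDIDATES]


def pick_threshold(observations, max_legit_challenged=0.10):
    """Strictest threshold that keeps friction for real visitors within budget.

    Raising the threshold never lowers the share of legit visitors challenged,
    so the last candidate within budget is also the one that passes least spam.
    """
    chosen = None
    for threshold, legit_challenged, _ in tradeoff_table(observations):
        if legit_challenged <= max_legit_challenged:
            chosen = threshold
    return chosen   # None means even the loosest candidate exceeds the budget


if __name__ == "__main__":
    for t, lc, sp in tradeoff_table(OBSERVED):
        print(f"threshold {t:.1f}: legit challenged {lc:.0%}, spam passed {sp:.0%}")
    print("chosen:", pick_threshold(OBSERVED))
```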
In the spirit of improving user experience, the CAPTCHA 4WP plugin allows you to allowlist IP addresses and users that you trust. This means that those particular users will never have to deal with a CAPTCHA on your website. This arrangement strikes the perfect balance between a better user experience and security.
Other CAPTCHA services
Some basic CAPTCHA implementations require all their visitors to solve CAPTCHA challenges. One such example would be the Really Simple CAPTCHA WordPress plugin. Many of these services don’t take visitor behavior into account at all. They may also ask the same visitor to solve a new CAPTCHA every time they fill out a form. This isn’t very user-friendly and will likely annoy regular website visitors.
A few other CAPTCHA solutions, such as hCAPTCHA, try to avoid showing visitors any CAPTCHA in around 99.9% of cases. You also have complete control over the way CAPTCHAs are shown to visitors.
Others, such as Cloudflare Turnstile and Friendly Captcha, don’t show any puzzles to visitors at all. The CAPTCHA technology used in these services provides a comparatively better user experience than basic implementations.
You should aim to create a WordPress site that is accessible to everyone regardless of their visual or auditory capabilities. Accessibility best practices require that images have an alternate text to identify them. This goes directly against the basic principle of any CAPTCHA, which requires visitors to classify images. Providing descriptive text for images defeats the purpose of CAPTCHA.
One of the biggest criticisms of CAPTCHAs has been that they are not usually accessible to everyone. Historically, CAPTCHAs have been known to be inaccessible to people with visual or auditory impairments. For example, any CAPTCHA that asks visitors to classify images will keep your site out of reach for people with poor vision. Language barriers could be another reason that makes a CAPTCHA service inaccessible.
Google’s reCAPTCHA v2 has moved away from asking every visitor to label images to become more accessible. Most of the time, reCAPTCHA v2 only asks visitors to click a checkbox. If the website owners integrate the invisible CAPTCHA, visitors don’t even have to click the checkbox. Their verification continues in the background. Only rarely does it ask visitors to complete a CAPTCHA challenge.
With reCAPTCHA v3, Google completely stopped asking visitors to solve a CAPTCHA. It simply relies on data collected from your web traffic and gives visitors a score. The decision to handle what reCAPTCHA v3 considers bots is left up to site owners.
Relying on visitor behavior has made reCAPTCHA v2 and v3 more accessible compared to the now obsolete Google reCAPTCHA v1.
Other CAPTCHA services
People with visual or auditory impairments may not be the only ones who’ll have a tough time solving CAPTCHA challenges. Solving some of these puzzles can be problematic, even for non-native English speakers. They might not fully understand the task that they are supposed to perform in order to pass the test.
Any CAPTCHA service that uses these visual, auditory, or language-based tests faces the possibility of becoming inaccessible to visitors.
Some services, such as Cloudflare Turnstile and Friendly Captcha, have tried to get over this limitation. They analyze the visitor’s device and session data instead of relying on their ability to solve a CAPTCHA. This makes them much more accessibility friendly.
One more thing to keep in mind is that Google is blocked in some regions, such as China. This means that no version of reCAPTCHA can work there. Google does provide a solution by asking you to use a different domain to load the scripts. Alternatives like Turnstile, hCAPTCHA, and Friendly Captcha do not face this issue.
If you decide to use Google reCAPTCHA on your website, CAPTCHA 4WP makes it very easy for you to switch to a non-blocked domain provided by Google through a dropdown menu on the configuration page.
Integration Process
The integration process refers to the steps that you have to take from your end to use a CAPTCHA service on your website. Ideally, any CAPTCHA service that you use on your website should be easy to integrate.
Most of them usually just require adding a script to load the CAPTCHA functionality. You might also need to generate some keys for proper authentication of requests. All this becomes a lot easier with a dedicated CAPTCHA plugin such as CAPTCHA 4WP.
Integration becomes a lot easier if you have a WordPress site. You can simply install the CAPTCHA 4WP plugin, which has a user-friendly setup wizard that only asks you to supply your reCAPTCHA keys.
You might want to read our step-by-step guide on getting Google reCAPTCHA keys for your website to get up and running quickly.
Other CAPTCHA services
There are a few CAPTCHA solutions, such as the Really Simple CAPTCHA plugin that you can install on your WordPress site. You won’t need to add any script or get any keys for it to work. This is because it comes with its own basic CAPTCHA checks. However, the CAPTCHAs that the plugin generates aren’t very secure. The plugin itself clarifies this in its description.
More advanced CAPTCHA services, such as hCAPTCHA and Turnstile, require you to acquire some API keys and add some code to your website. The basic process will be similar to integrating Google reCAPTCHA. For example, if someone is using Google reCAPTCHA, they could switch to hCAPTCHA with just two lines of code as claimed on the website.
People who are using WordPress can install the CAPTCHA 4WP plugin and simply provide the keys for hCAPTCHA or Cloudflare Turnstile in the setup wizard.
CAPTCHA 4WP works well with multiple CAPTCHA service providers such as hCAPTCHA, Cloudflare Turnstile, and Google reCAPTCHA. This means that switching from one service provider to another won’t be a time-consuming process.
The primary reason people add CAPTCHA to their websites is to reduce spam and improve security. You should always make it a priority to improve your WordPress website security. It is a good idea to add multiple layers of protection to your website that keep it safe from malicious bots as well as malicious users.
The use of a good CAPTCHA solution on a website keeps it safe from most spam bots and stops many automated bot attacks. Its ability to secure your website by doing things like controlling spam user registrations or limiting brute-force login attacks depends on how the CAPTCHA works behind the scenes.
Advances in artificial intelligence technology, especially in the field of machine learning, mean that bots are going to get better and better at solving challenges, such as image classification tasks based on labeled data. The same is true for decoding distorted audio or typing distorted text.
For this reason, any CAPTCHA services that rely solely on the visitor’s ability to answer such questions correctly will be less effective with time.
Google’s analysis across multiple websites had shown that bots were getting better at solving CAPTCHA puzzles. Therefore, Google’s reCAPTCHA implementation was updated in later versions to provide better security to your website against spam. With v2 and v3, reCAPTCHA relies on visitor behavior to determine if they are bots.
When compared to basic CAPTCHA solutions, reCAPTCHA is a lot better at keeping your website safe and secure.
Other CAPTCHA services
Services such as hCaptcha take a different approach here. Instead of asking straightforward questions based on labeled data, they ask visitors questions based on the idiosyncrasy that is typical of humans. The service regularly includes new types of challenges in its test to keep itself one step ahead of some advanced bots.
Cloudflare Turnstile looks at the visitor’s session data, such as the headers, user agent, and browser support for APIs, to distinguish bots from humans. Discarding the use of images and distorted text in CAPTCHA puzzles makes it better in terms of security against advanced machine learning bots. On devices such as those from Apple, it also relies on private access tokens to let the vendor validate the device.
Securing all forms on a website against bots
A WordPress website can have multiple forms that you want to protect from spambots. Adding a CAPTCHA to all these forms is better for overall website security. Luckily, you can use the CAPTCHA 4WP plugin to add CAPTCHAs to login, comment, registration, or even custom forms.
What’s even better? CAPTCHA 4WP is compatible with all major third-party plugins that generate forms. A few examples of such plugins would be Gravity Forms, WP Forms, and Contact Form 7.
One big concern for people who want to integrate a CAPTCHA service into their website could be the privacy of their visitors. Ideally, you would like to minimize the amount of data that a CAPTCHA service collects to determine if a visitor is a bot or human.
As you might know, Google owns reCAPTCHA. It also has access to a lot of data about people through their use of different Google services. Whether a user is logged into their account or not is also a factor in determining how frequently you are asked to manually solve a CAPTCHA with Google reCAPTCHA v2.
reCAPTCHA v3 takes things one step further and asks website owners to add CAPTCHA script to multiple pages on their website to better track visitors and their behavior.
This means that you will have to compromise on your visitors’ privacy if you decide to use Google reCAPTCHA v2 or reCAPTCHA v3 on your website.
Other CAPTCHA Services
Privacy is one of the areas where many other CAPTCHA solutions shine. Popular services such as hCAPTCHA, Turnstile, and Friendly Captcha claim that they don’t track users.
For example, hCAPTCHA mentions that their service does not store any personally identifiable information. The same goes for Friendly CAPTCHA, which does not rely on cookies to determine if the visitor is a bot. It also does not store any personal data of users.
As we mentioned earlier, Cloudflare Turnstile relies on private access tokens to verify a visitor on modern Apple devices. The validation is then left up to the vendor. This means that Turnstile will not collect or store any data about you if you are using a newer Apple device.
The CAPTCHA 4WP plugin allows you to easily switch to hCAPTCHA or Cloudflare Turnstile if you decide to limit the amount of data tracked about your website’s visitors.
GDPR compliance of different CAPTCHA services
Both reCAPTCHA v2 and v3 rely on cookies to distinguish bots from humans. This means that your website will no longer be GDPR compliant if you integrate them without making any changes. You need to add cookie banners and consent buttons to your website for compliance.
Please keep in mind that not all CAPTCHA services will be GDPR-compliant out of the box. It is advisable that you thoroughly read about them before adding them to your website.
Bad actors will always try to circumvent or pass security measures, including CAPTCHAs. CAPTCHA service providers have to dedicate resources to actively implement solutions and perform calculations that keep sites safe from spam bots. Running CAPTCHA checks costs money, and as such, it is understandable that some services may require payment.
Any associated costs that you might have to pay can be an important factor when deciding which CAPTCHA service to use on your website.
Google reCAPTCHA v2 and v3 offer generous limits of up to one million free monthly assessments to help you fight spam.
You can move to their enterprise plan if you need to make more calls. Their enterprise users also get free assessments up to one million per month. After that, the price depends on the number of calls you make. From one million up to ten million assessment calls per month, it charges $1 per 1,000 calls.
Compared to non-enterprise customers, enterprise customers also get access to customization features, product support, and comprehensive coverage.
Other CAPTCHA services
The cost of integrating a CAPTCHA into your website will vary depending on the service you use. The price is usually determined by the volume and capability of the service to stop spam bots.
Some very basic CAPTCHA services might either be free or have a one-time fee.
Almost all premium CAPTCHA services also offer free plans that you can use on your sites. The free tier is generally limited in either the capabilities or the number of requests that you can make.
Consider hCAPTCHA, which offers up to 1 million free requests per month under its Publisher plan. One disadvantage of the Publisher plan is that it doesn’t offer the No CAPTCHA and 99.9% passive modes. Those are only available to the Pro and Enterprise plan customers.
Customers subscribed to the Enterprise plan also get other features such as bot categorization, control over the types of challenges shown, fine-grained difficulty levels, and much more.
Cloudflare Turnstile has no limit on assessments in either the free plan or the enterprise plan. However, the number of widgets is limited to 10 in the free plan.
Friendly Captcha does not offer any free plans. Their starter plan costs €9 per month and offers 1000 requests. However, it is free for use on non-commercial websites.
Should you use ReCAPTCHA or CAPTCHA?
We have covered the key differences between multiple CAPTCHA services in relation to reCAPTCHA. It is time to decide which one you should use.
We will first look at the alternative CAPTCHA services covered in this article, including hCAPTCHA, Turnstile, and Friendly Captcha.
These are all GDPR-compliant and respect user privacy. Friendly Captcha and Turnstile never show any CAPTCHA puzzles to visitors. This makes them much more accessible. While the hCAPTCHA service does show visitors puzzles in the free tier, it is fully compliant with Web Content Accessibility Guidelines (WCAG 2.1).
Google reCAPTCHA has also become more accessible in its latest v3 version. It no longer shows visitors challenges to solve. It does monitor their behavior across multiple pages of the website, raising concerns about privacy.
If you are concerned about user privacy and GDPR compliance, you may want to choose services that are compliant straight out of the box. Otherwise, you may need to update your consent notices and policies to make sure everything is covered and above board.
Don’t forget that you can easily integrate Google reCAPTCHA, hCAPTCHA, and Cloudflare Turnstile into your website with the help of our CAPTCHA 4WP plugin.
Frequently Asked Questions – FAQs
What is the difference between reCAPTCHA and CAPTCHA?
The term CAPTCHA refers to all the automated tests and services that you can use to prevent a bot from spamming your website. This includes hCAPTCHA, Friendly Captcha, Turnstile, etc. reCAPTCHA is also just a type of CAPTCHA that you can use to block spam. Google acquired reCAPTCHA a while back.
What is the difference between reCAPTCHA v2 and v3?
The primary difference between reCAPTCHA v2 and reCAPTCHA v3 is that the latter works entirely in the background. Google reCAPTCHA v2 might show you a checkbox and ask you to solve some puzzles every now and then. However, reCAPTCHA v3 only provides a score that specifies the probability of a visitor being a human.
Which CAPTCHA should I use?
It depends entirely on your goal and budget. You can consider using hCAPTCHA or Turnstile if user privacy and GDPR compliance are a concern. Otherwise, reCAPTCHA v2 and reCAPTCHA v3 also work fine.