What is reCAPTCHA, and how does it work?

Many WordPress website owners use CAPTCHA and reCAPTCHA plugins to add an additional layer of protection around their websites against spam and certain types of automated attacks. A CAPTCHA accomplishes this by asking visitors to fill out obscured text, identify specific objects in an image, transcribe audio, assess their behavior, and other kinds of tests.

ReCAPTCHA is simply a type of CAPTCHA. Google acquired reCAPTCHA in 2009 and then developed it further to make it better.

In this post, we will discuss important aspects related to reCAPTCHA. This will help us gain a better insight into how different versions of reCAPTCHA work.

A brief history of reCAPTCHA

Humans are exceptionally good at identifying patterns when compared to computers. This is why a lot of CAPTCHAs in the past relied on text or image recognition to distinguish bots from humans.

Luis von Ahn, the founder of reCAPTCHA, realized that we could use this pattern recognition ability of humans to help digitize public domain material.
He reasoned that humans should identify scanned text that returns two different results when processed through two different OCRs.

The first version of reCAPTCHA usually did this by presenting two words to users. One was the control word that the system already knew. The second was the suspicious word that people had to identify for the OCRs.
If two or more users provide the same guess for the control word, then the program assumes it to be the actual value of the word. The program considers a word unreadable if six users in a row can’t form a consensus about the word.

So, filling out the control word correctly helped the website separate bots from humans, while filling out the second word helped with OCR.
The first version of Google reCAPTCHA was updated in 2012 when Google started asking people to identify images of street lights, crosswalks, etc.

In its first version of reCAPTCHA, Google showed visitors two types of CAPTCHAs. One was based on distorted text, and the other was based on identifying images. For better accessibility, visually impaired visitors also had the option to complete a challenge by passing the audio CAPTCHA tests. The first version of Google reCAPTCHA was named reCAPTCHA v1, and it was shut down in March 2018.

Currently, Google has three active versions of reCAPTCHA. These are:

  • reCAPTCHA v2 checkbox or No CAPTCHA reCAPTCHA
  • reCAPTCHA v2 invisible CAPTCHA
  • reCAPTCHA v3

You can easily add any active version of reCAPTCHA and other types of CAPTCHA to your WordPress website using the CAPTCHA 4WP plugin. Besides including all active versions of reCAPTCHA, this plugin also supports other popular CAPTCHA services, such as hCaptcha and Cloudflare Turnstile.

What is reCAPTCHA v2, and how does it work?

By mid-2012, some researchers were able to crack around 82% of reCAPTCHA images and, in some cases, solve 99% of reCAPTCHA texts by taking advantage of artificial intelligence based on machine learning. Google was releasing regular updates to its CAPTCHA systems to keep them one step ahead of spam bots.

However, it got to the point where human users also started having a difficult time figuring out the correct answer to CAPTCHAs.

Text-based CAPTCHA puzzles, for example, were successfully solved by bots.
An updated version of reCAPTCHA called reCAPTCHA v2 was released to overcome this challenge. There are two different ways of using reCAPTCHA v2. You can either use No CAPTCHA reCAPTCHA or the Invisible CAPTCHA.

How reCAPTCHA v2 improves upon reCAPTCHA v1

Learning how Google determines whether a visitor is a human in reCAPTCHA v2 can help us understand how v2 is better than reCAPTCHA v1.

According to Google, the trick here is to perform an advanced risk analysis in the background. The algorithm actively observes the visitor’s behavior before, during, and after they engage with the CAPTCHA.

This allows Google to rely on visitors’ behavior instead of asking them to type text and label images. Text typing and image labeling were getting increasingly difficult for humans, while bots relying on machine learning kept getting better at solving and identifying text.

The risk analysis that Google performs lets it divide website visitors into categories. Keep in mind that Google does not explicitly state how it performs this risk analysis. Releasing the details of the risk analysis algorithm to the public can compromise its effectiveness by allowing advanced bots to take some countermeasures.

However, Google has dropped hints that let us examine their thought process while designing reCAPTCHA v2.

Let’s see how Google does it with the No CAPTCHA reCAPTCHA (also called reCAPTCHA v2 checkbox).

No CAPTCHA reCAPTCHA

The reCAPTCHA v2 version, where visitors have to click on a checkbox that says “I am not a robot,” is called No CAPTCHA reCAPTCHA. This is because there is no CAPTCHA involved at the beginning.

As we just mentioned, visitors simply click a checkbox that asks them to confirm that they are not a robot. Google is keeping track of the visitor’s behavior at this point.

Some people speculate that Google tracks how the visitor’s cursor is moving before they click the checkbox to determine if the visitor is a human or a bot. However, other reports indicate that Google reCAPTCHA v2 does not track mouse movements.

The consensus is that Google relies on the browsing history of visitors and tracking cookies to determine if they are human. It also takes into account the browser environment and user-agent.

Google’s analysis has two outcomes:

  1. Google concludes that a visitor poses no risk and is most probably a human. Those visitors will be let through with just the checkbox click.
  2. Google concludes that the visitor behavior is suspicious and resembles that of a bot. The visitor will have to pass additional tests. The CAPTCHA difficulty level for a visitor depends on how risky the algorithm considers them.

Visitors who are assigned a low probability of being bots by the risk-analysis algorithm get easy-to-solve CAPTCHAs. However, visitors who are highly likely to be bots get very hard CAPTCHA challenges.

Initially, the CAPTCHAs that Google presented to visitors were a mix of text CAPTCHAs and image CAPTCHAs. However, Google almost exclusively sends image CAPTCHAs now. Their analysis showed that image CAPTCHAs are still easier for humans to solve compared to bots. On the other hand, bots have gotten better at solving text CAPTCHAs than humans.

Google has tried to limit the number of times a visitor has to solve a CAPTCHA challenge. Using visitor behavior instead of their ability to solve a CAPTCHA while determining if they are humans has given rise to the concept of no CAPTCHA reCAPTCHA.

Invisible reCAPTCHA

Some websites that don’t have a visible reCAPTCHA v2 checkbox can still be under its protection. This is possible due to the invisible reCAPTCHA.
In this case, website owners bind the invisible reCAPTCHA to a button on their website. They can also just invoke the CAPTCHA programmatically to render a challenge if necessary.

CAPTCHA 4WP gives you the option to display a badge on the webpages protected by invisible reCAPTCHA. This lets the visitors know that reCAPTCHA is active on the page.

You would generally add the reCAPTCHA v2 check at the end of the forms that you want visitors to submit. This can include contact forms, comment forms, or registration forms.

What is reCAPTCHA v3, and how does it work?

Google has been moving away from showing visitors any challenges. Its focus has now shifted to tracking visitor behavior to determine if they are human or a bot.

This approach solves two problems. First, people don’t like it when the tasks they want to complete on a website get interrupted due to CAPTCHAs. Second, bots have been getting better and better at solving CAPTCHAs. They are likely to pass these CAPTCHA tests anyway.

reCAPTCHA v3 works without direct user interaction

The reCAPTCHA v3 update takes the philosophy of not showing CAPTCHAs to the visitors to the next level by keeping track of visitor behavior in a site-wide manner. It makes sense because the behavior of a bot will likely differ from that of a human visitor. Some advanced bots might still be able to fool the system.

It is also important to understand that the behavior of visitors themselves is likely to change from one website to the next. On one website, you may find yourself browsing the content. On another website, you might be actively liking or disliking content.

Google solves this problem by allowing website owners to set their own threshold for what is considered human and what is considered bot behavior. The scores range from 0.0 to 1.0. A score of 1.0 means that the interacting visitor is almost definitely a human. A score of 0.0 means that the interacting visitor is almost definitely a bot. For general websites, Google recommends that you use a threshold of 0.5.

You have the option to only add reCAPTCHA v3 to the form pages on your website. However, this latest version of reCAPTCHA works best when it gets a chance to analyze your website traffic across multiple web pages. This allows it to properly assign scores that can help you separate genuine human visitors from bots.

The risk analysis engine is also likely to give you different scores on the production website compared to a website in the testing phase. This is because the behavior of your actual website visitors will probably differ from the behavior of people who test the website.

Making sense of reCAPTCHA v3 scores

The reCAPTCHA v3 API has built-in functionality that puts a lot of information at your disposal. This helps you decide when and how to proceed with visitor verification.

The admin console provides a detailed breakdown of stats on visitor behavior for each website that implements reCAPTCHA. You can tag specific actions on your website with names before executing reCAPTCHA. This will help identify those actions inside the console.

The behavior of malicious bots can vary depending on the task that they are trying to accomplish. For example, a bot that is trying to post a comment will behave differently than a bot trying to scrape content or log in. Tagging different actions with names allows you to perform adaptive risk analysis based on the context in which a visitor acted.

With some help from reCAPTCHA v3, your website visitors won’t have to solve any reCAPTCHA tests. This creates an improved user experience. The fact that they are human is determined by their interactions with the website.

reCAPTCHA v3 failover

Older reCAPTCHA implementations asked visitors to solve challenges either upfront or if the visitors seemed suspicious. However, reCAPTCHA v3 leaves the implementation of visitor authentication or visitor verification up to you.

If you decide that you want to take some additional action, such as asking visitors to solve a CAPTCHA puzzle or redirect them to a different URL, you can do so based on scores returned by reCAPTCHA v3 API in its JSON response.

The CAPTCHA 4WP plugin has this feature already built into it. This means that visitors who fail the automated reCAPTCHA v3 test can still get a chance to prove they are humans.

Google reCAPTCHA relies on a site key and secret key for proper verification and functioning of its CAPTCHA system. Knowing how to get Google reCAPTCHA keys for your website will help you quickly add reCAPTCHA to your website.

Google recommends that you verify the visitor’s response to a reCAPTCHA challenge in the backend. This prevents any chances of manipulation of the response by bad actors. It also helps avoid the exposure of your keys. As a WordPress user, you don’t have to worry about any of it. The CAPTCHA 4WP plugin will automatically take care of things for you once you supply the keys.
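
The backend check described above, combining the score threshold, action tags and failover, as an added example (not code from Google or the CAPTCHA 4WP plugin). The hostname example.com, the action name login and the allow/challenge/reject labels are assumptions; the response fields read are success, score, action and hostname.

```python
import json
import urllib.parse
import urllib.request

# Google's verification endpoint. The article notes that recaptcha.net can
# replace google.com in regions where Google is blocked.
VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def fetch_assessment(secret_key, token, timeout=5):
    """POST the visitor's token and the secret key from the server side."""
    body = urllib.parse.urlencode({"secret": secret_key, "response": token})
    with urllib.request.urlopen(VERIFY_URL, data=body.encode(), timeout=timeout) as resp:
        return json.load(resp)


def decide(assessment, expected_action, expected_hostname, threshold=0.5):
    """Map one siteverify JSON response to 'allow', 'challenge' or 'reject'."""
    if not isinstance(assessment, dict) or assessment.get("success") is not True:
        return "reject"      # invalid, expired or already-used token
    if assessment.get("hostname") != expected_hostname:
        return "reject"      # token was issued on a different site
    if assessment.get("action") != expected_action:
        return "reject"      # token was issued for a different tagged action
    score = assessment.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return "challenge"   # no usable score: fall back to a visible test
    return "allow" if score >= threshold else "challenge"


def verify(secret_key, token, expected_action, expected_hostname, threshold=0.5):
    """Full check; an unreachable or garbled API never fails open."""
    try:
        assessment = fetch_assessment(secret_key, token)
    except (OSError, ValueError):
        return "challenge"
    return decide(assessment, expected_action, expected_hostname, threshold)


# Constructed sample responses (illustrative values, not captured traffic).
SAMPLES = {
    "human_login": {"success": True, "score": 0.9, "action": "login",
                    "hostname": "example.com"},
    "low_score": {"success": True, "score": 0.3, "action": "login",
                  "hostname": "example.com"},
    "wrong_action": {"success": True, "score": 0.9, "action": "comment",
                     "hostname": "example.com"},
    "bad_token": {"success": False, "error-codes": ["invalid-input-response"]},
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, "->", decide(sample, "login", "example.com"))
```

Call verify() with the secret key held on the server and the token the form submitted; a "challenge" result is the point at which a failover CAPTCHA would be shown.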

Pros and cons of using reCAPTCHA

There are some pros and cons associated with the usage of reCAPTCHA on your website. Let’s go over them briefly. We will begin with the advantages.

  • You can get rid of a lot of spam that automated bots post through different forms on your website. Asking for a CAPTCHA also slows down, and to some extent prevents, attack bots trying to log in to your website. You should still have other security measures, such as WordPress two-factor authentication, put in place for improved security.
  • Using the reCAPTCHA service on your website doesn’t cost anything as long as you are doing up to 1 million assessments per month. This means that you won’t have to pay anything unless your website gets a significant amount of traffic.
  • A wide variety of tools, libraries, and platforms support reCAPTCHA out of the box. This means that you won’t find it too difficult to integrate it into your website. For instance, the CAPTCHA 4WP plugin allows you to easily integrate any active version of reCAPTCHA on your website.

There are also some disadvantages to using reCAPTCHA. They are mostly centered around GDPR compliance and user privacy.

  • You have the option to add the reCAPTCHA v3 script only on form pages that you want to protect against bots. However, it works best when you add it to all pages of your website. This means that your website visitors are bound to lose some privacy as reCAPTCHA v3 tries to analyze their behavior by capturing data.
  • Research suggests that Google also relies on some cookies to determine if a visitor is legitimate, and people who are browsing a website in a browser connected to their Google account will generally receive a higher score compared to others. You will have to include a cookie banner on your website to inform visitors about your privacy policy and cookie policy concerning Google reCAPTCHA. Alternatively, you might want to consider Cloudflare Turnstile or hCaptcha. Both solutions are solid alternatives that can easily be implemented on WordPress websites with CAPTCHA 4WP.
  • As you know, Google is blocked in certain regions around the world. This means that reCAPTCHA won’t work on any websites within that region if it is loaded through the Google domain. Google provides an alternate domain called recaptcha.net that you can use to replace google.com to get around this limitation. With CAPTCHA 4WP, you can simply select this recaptcha.net domain from the dropdown in the configuration options.

Overall, the benefits of installing reCAPTCHA on your website outweigh the disadvantages. Both you and your website visitors will have to deal with much less spam with Google reCAPTCHA in place. However, you might still want to take a look at some of the reCAPTCHA alternatives before making a final decision.

If you are doing things from scratch, installing reCAPTCHA requires you to load a JavaScript file and add appropriate code to your website. However, WordPress administrators can install CAPTCHA 4WP to easily integrate Google reCAPTCHA into a WordPress website. The CAPTCHA 4WP plugin allows you to integrate not only Google reCAPTCHA but also the CAPTCHA services of other providers.

Installing reCAPTCHA on your WordPress website is easy and safe with so many reputable plugins available. Reducing spam with the help of reCAPTCHA is one of the many steps you can take to make WordPress websites more secure for you and your users.

How to get the most out of reCAPTCHA

The CAPTCHA 4WP plugin offers a range of features to help you fully utilize the capabilities of reCAPTCHA.

Use reCAPTCHA on multiple forms

The CAPTCHA 4WP plugin allows you to select all the WordPress and WooCommerce forms where you want to add reCAPTCHA. This includes the login form, registration form, comments form, WooCommerce checkout, WooCommerce login, and more.

You can also add reCAPTCHA to any contact forms created through popular plugins such as Contact Form 7, Gravity Forms, WP Forms, and more.

Display a badge on your website

The CAPTCHA 4WP plugin also has an option that allows you to display a badge to visitors on different pages of your site. This badge is available for the invisible reCAPTCHA v3, which works behind the scenes without any user interactions.

Displaying a badge lets the users know that your website is protected by reCAPTCHA v3.

Set a CAPTCHA language for better accessibility

One general criticism of different CAPTCHAs has been that the usage of the English language in the challenges can make it difficult for non-native speakers to solve them.

CAPTCHA 4WP gives you the option of selecting the language of the text used in the CAPTCHA. You can also let it automatically detect and match the CAPTCHA text language to that of the visitor’s language settings.

Frequently Asked Questions

What is a “bot” and how do they work?

In the web development context, the term “bot” refers to scripts that automate tasks such as scraping a website, filling out forms, etc. These bots can be benign or malicious. They work by following a specific set of instructions embedded into their programming.

What is the goal of CAPTCHA?

The goal of CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is to help website owners distinguish human visitors of their websites from bots using automated tests. It helps prevent the spread of spam on their website by bots.

How does reCAPTCHA work?

Earlier versions of reCAPTCHA worked by asking visitors to type distorted letters or identify images. New versions work by observing visitor behavior on the website.

What is the difference between reCAPTCHA and CAPTCHA?

CAPTCHA refers to a general term for different tests that websites and services can use to distinguish bots from humans. The term reCAPTCHA refers to the Google-specific implementation of CAPTCHA.

Nitish Kumar

Nitish is a freelance web developer and technical writer with experience in various web development technologies, including WordPress. He specializes in developing eCommerce websites and likes to spend his free time working on personal projects or going out with friends.

