While web trends are always changing, one thing is for sure: There will always be spam. Security experts over the years have researched a variety of ways to control and outwit spammers, most notably CAPTCHA.
A CAPTCHA is a program designed to distinguish between humans and bots — CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart.” By detecting bot traffic, these programs prevent malicious attacks and keep your customers’ information safe.
In this post, we’ll discuss why you should consider using Google Invisible reCAPTCHA to secure your WordPress website, and how to integrate it with your pages.
What is Google Invisible reCAPTCHA?
Invisible reCAPTCHA is a Google CAPTCHA service that identifies spam traffic without additional input from visitors. This technology uses machine learning and risk analysis techniques to analyze web browsing behavior. Because of this, visitors will only need to solve a CAPTCHA problem if their browsing patterns appear suspicious.
To understand what sets Invisible reCAPTCHA apart, let’s look back at what led up to this technology.
The first CAPTCHAs were introduced in 1997. However, early iterations of CAPTCHA failed to keep up with the evolution of modern technology. They also had a usability problem. As bots learned to bypass CAPTCHAs more often than not, the tests grew more complex to keep bots from infecting websites and crashing servers. That complexity made it difficult for actual humans to pass tests like these:
Can you read that word? I’m not sure I can.
After several iterations of its own CAPTCHAs (called “reCAPTCHAs”), Google introduced Invisible reCAPTCHA, which automatically snuffs out spam and allows visitors to enjoy an uninterrupted browsing experience without the irritating tests. Why the change? The first iteration of Google reCAPTCHA required visitors to identify certain images and interpret distorted text, like in the example above. Google has since phased out this version of reCAPTCHA.
Google then created reCAPTCHA v2, which includes the “I’m not a robot” task: website visitors simply check a box to proceed, and the CAPTCHA detects bots by tracking mouse movement toward the box. Humans tend to move the mouse in curved, irregular patterns, while bots move the cursor in straight lines.
While v2 was pretty effective, Google continued to develop a more robust way of curbing spam. Enter Invisible reCAPTCHA (or reCAPTCHA v3), which uses an internal scoring system to detect abusive traffic and requires no additional user input.
Since then, Google also introduced reCAPTCHA Enterprise. This program emphasizes “frictionless security” to help protect websites from fraudulent activity, spam, and abuse. Its added features include password leak detection and multi-factor authentication.
Why use Google Invisible reCAPTCHA in WordPress?
With the rapid growth of the WordPress community, WordPress websites have become one of the most attractive targets for cybercriminals and spam. WordPress website owners face many security threats, including spam comments, fake registrations, and brute-force login attempts.
Google reported that 84% of companies saw an increase in bot attacks this past year. This research also showed that 71% of organizations saw an increase in successful attacks, while 65% experienced more frequent attacks and a greater loss in revenue.
WordPress websites are so frequently targeted because security vulnerabilities are made public after they’re patched, which leaves outdated WordPress software susceptible. Also, hackers assume that many WordPress users are inexperienced and don’t take the necessary precautions.
WordPress is only secure when admins take the proper steps. With reCAPTCHA, you can add one more layer of security to your website with minimal work — it will save you potentially hours of sifting through spam traffic, or worse, cleaning up after a successful break-in.
Plus, there’s another important factor to consider here — the user experience. The less users must do to prove they’re human, the better. Even ticking a box can negatively impact the user experience.
Invisible reCAPTCHA doesn’t interrupt visitors with security questions, fuzzy words, or checkboxes. Visitors browse your site as normal, and Google handles the bot detection behind the scenes. It’s the best of both worlds, and it’s completely free to use.
In addition to installing reCAPTCHA, there are other things you can and should do to harden your WordPress site. For example, admins should regularly update their WordPress installation as security fixes are released, and you might also consider a WordPress security plugin for extra protection.
See our WordPress security checklist for a comprehensive look at what the safest WordPress sites do.
How to Add Google reCAPTCHA to WordPress
Adding Invisible reCAPTCHA to your WordPress site is a fairly simple process — you just need a Google account and a WordPress reCAPTCHA plugin. For this tutorial, we’ll use the reCaptcha by BestWebSoft plugin, the most popular plugin for this purpose.
Other popular reCAPTCHA plugin options include Advanced noCaptcha & invisible Captcha and Simple Google reCAPTCHA. Setup is similar for all of these plugins, and all have similar abilities. All are free, so you can sample different options to see which you prefer.
To get started with the reCaptcha by BestWebSoft plugin:
1. Log into your WordPress dashboard.
2. Under Plugins > Add New, install and activate the reCaptcha by BestWebSoft plugin. This will add a new reCaptcha option to your admin panel.
3. Once you’ve activated the plugin, log into your Google Account and open the Google reCAPTCHA registration page.
4. On the registration page, complete the required fields. Here you can choose between reCAPTCHA v2 or reCAPTCHA v3. For Invisible reCAPTCHA, select reCAPTCHA v3. When finished, click Submit.
5. After registering, you’ll get your site key and your secret key. Keep this window open, as you’ll need these codes shortly. Keep these keys hidden from everyone besides your site administrators.
6. Return to your WordPress dashboard and choose reCaptcha > Settings. Under Authentication, paste in your site key and secret key in the corresponding fields.
7. Under General, choose your reCAPTCHA Version based on what you selected while registering for your keys. For an Invisible reCAPTCHA, choose Invisible.
8. Select where on your site you want to place your reCAPTCHA. In the free version of this plugin, you can place reCAPTCHA on your login form, registration form, reset password form, and/or comments form.
The paid version of the plugin also lets you place reCAPTCHA on forms provided by additional plugins, like WooCommerce.
You may also hide the reCAPTCHA by WordPress user role and hide the reCAPTCHA badge on active pages. Check the corresponding boxes if this applies to you.
9. At the bottom of the screen, click Save Changes.
10. You now have reCAPTCHA enabled on your selected pages. If you haven’t chosen to hide the badge, you should see the reCAPTCHA logo in the bottom right corner of these pages.
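To show what the secret key from step 5 and the scoring system are used for, here is an added example (not code from this post or from the reCaptcha by BestWebSoft plugin): the server sends the visitor's token and the secret key to Google's siteverify endpoint, and a function like the one below applies an accept/reject policy to the JSON that comes back. The function name, the `login` action, the `example.com` hostname, and the 0.5 threshold are assumptions for illustration.

```php
<?php
// Added illustration, not code from the reCaptcha by BestWebSoft plugin.
// Policy check over the decoded JSON returned by
// https://www.google.com/recaptcha/api/siteverify for a reCAPTCHA v3 token.
// The secret key is used only in that server-side request.

/**
 * @param array  $resp           Decoded siteverify JSON.
 * @param string $expectedAction Action name the form used (assumed: "login").
 * @param string $expectedHost   Hostname the site key was registered for.
 * @param float  $minScore       Threshold; 0.5 is Google's suggested default.
 * @return array [bool accept, string reason]
 */
function recaptcha_decide(array $resp, string $expectedAction, string $expectedHost, float $minScore = 0.5): array
{
    // Fail closed: a missing or false "success" means the token was not verified.
    if (empty($resp['success'])) {
        $codes = implode(',', $resp['error-codes'] ?? ['unknown']);
        return [false, "verification failed: $codes"];
    }
    // A token issued on another site or for another form must not be accepted here.
    if (($resp['hostname'] ?? '') !== $expectedHost) {
        return [false, 'hostname mismatch'];
    }
    if (($resp['action'] ?? '') !== $expectedAction) {
        return [false, 'action mismatch'];
    }
    // Score runs from 0.0 (likely bot) to 1.0 (likely human).
    $score = $resp['score'] ?? null;
    if (!is_float($score) && !is_int($score)) {
        return [false, 'missing score'];
    }
    if ($score < $minScore) {
        return [false, sprintf('score %.1f below threshold %.1f', $score, $minScore)];
    }
    return [true, 'ok'];
}

// Constructed sample responses (not captured from a real site).
$samples = [
    'human login'  => '{"success":true,"score":0.9,"action":"login","hostname":"example.com"}',
    'likely bot'   => '{"success":true,"score":0.1,"action":"login","hostname":"example.com"}',
    'wrong action' => '{"success":true,"score":0.9,"action":"comment","hostname":"example.com"}',
    'stale token'  => '{"success":false,"error-codes":["timeout-or-duplicate"]}',
];
foreach ($samples as $label => $json) {
    [$ok, $why] = recaptcha_decide(json_decode($json, true), 'login', 'example.com');
    printf("%-12s -> %s (%s)\n", $label, $ok ? 'accept' : 'reject', $why);
}
```

Run with `php` on the command line, it prints one accept and three rejects, each with the reason the policy gave.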
Protect Your WordPress Website from Spam
With Google Invisible reCAPTCHA, you can detect harmful traffic on your website with little to no impact on the visitor experience. Without verification measures, you open your site to all sorts of risks, so it’s important to add this extra protection. A safer website improves the user experience, protects you from malicious attacks, and ultimately helps you grow better.
Editor's note: This post was originally published in July 2019 and has been updated for comprehensiveness.