How to Add Invisible reCAPTCHA to WordPress & Protect Your Site

Jamie Juviler



While web trends are always changing, one thing is for sure: There will always be spam. Security experts over the years have researched a variety of ways to control and outwit spammers, most notably CAPTCHA.


A CAPTCHA is a program designed to distinguish between humans and bots — CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart.” By detecting bot traffic, these programs prevent malicious attacks and keep your customers’ information safe.

In this post, we’ll discuss why you should consider using Google Invisible reCAPTCHA to secure your WordPress website, and how to integrate it with your pages.


To understand what sets Invisible reCAPTCHA apart, let’s look back at what led up to this technology.

The first CAPTCHAs were introduced in 1997. However, early iterations of CAPTCHA failed to keep up with the evolution of modern technology. They also had a usability problem. As bots learned to bypass CAPTCHAs more often than not, the tests grew more complex to keep them from infecting websites and crashing servers. That complexity made it difficult for actual humans to pass tests like these:

captcha verification example


Can you read that word? I’m not sure I can.

After several iterations of its own CAPTCHAs (called “reCAPTCHAs”), Google introduced Invisible reCAPTCHA. Why? The first iteration of Google reCAPTCHA required visitors to identify certain images and interpret distorted text, like in the example above. However, this version of reCAPTCHA has been phased out by Google.

Invisible reCAPTCHA automatically snuffs out spam and allows visitors to enjoy an uninterrupted browsing experience without the irritating tests. Google then created the reCAPTCHA v2, which includes the “I’m not a robot” task — website visitors simply check a box to proceed, and the CAPTCHA detects bots by tracking mouse movement toward the box. Humans tend to move the mouse in curved, irregular patterns, while bots move the cursor in straight lines.

example of the google recaptcha click task


While v2 was pretty effective, Google continued to develop a more robust way of curbing spam. Enter Invisible reCAPTCHA (or reCAPTCHA v3), which uses an internal scoring system to detect abusive traffic and requires no additional user input.

Since then, Google also introduced reCAPTCHA Enterprise. This program emphasizes “frictionless security” to help protect websites from fraudulent activity, spam, and abuse. Its added features include password leak detection and multi-factor authentication.

Why use Google Invisible reCAPTCHA in WordPress?

With the rapid growth of the WordPress community, WordPress websites have become one of the most attractive targets for cybercriminals and spam. WordPress website owners face many security threats, including spam comments, fake registrations, and brute-force login attempts. 

Google reported that 84% of companies saw an increase in bot attacks this past year. This research also showed that 71% of organizations saw an increase in successful attacks, while 65% experienced more frequent attacks and a greater loss in revenue.

WordPress websites are so frequently targeted because security vulnerabilities are made public after they’re patched, which leaves outdated WordPress software susceptible. Also, hackers assume that many WordPress users are inexperienced and don’t take the necessary precautions.

WordPress is only secure when admins take the proper steps. With reCAPTCHA, you can add one more layer of security to your website with minimal work — it will save you potentially hours of sifting through spam traffic, or worse, cleaning up after a successful break-in.

Plus, there’s another important factor to consider here — the user experience. The less users must do to prove they’re human, the better. Even ticking a box can negatively impact the user experience.

Invisible reCAPTCHA doesn’t interrupt visitors with security questions, fuzzy words, or checkboxes. Visitors browse your site as normal, and Google handles the bot detection behind the scenes. It’s the best of both worlds, and it’s completely free to use.

In addition to installing reCAPTCHA, there are other things you can and should do to harden your WordPress site. For example, admins should regularly update their WordPress installation as security fixes are patched, and you might also consider a WordPress security plugin for extra protection.

See our WordPress security checklist for a comprehensive look at what the safest WordPress sites do.

How to Add Google reCAPTCHA to WordPress

Adding Invisible reCAPTCHA to your WordPress site is a fairly simple process — you just need a Google account and a WordPress reCAPTCHA plugin. For this tutorial, we’ll use the reCaptcha by BestWebSoft plugin, the most popular plugin for this purpose.

product page for the google invisible recaptcha wordpress plugin recaptcha by bestwebsoft

Other popular reCAPTCHA plugin options include Advanced noCaptcha & invisible Captcha and Simple Google reCAPTCHA. Setup is similar for all of these plugins, and all have similar abilities. All are free, so you can sample different options to see which you prefer.

To get started with the reCaptcha by BestWebSoft plugin:

1. Log in to your WordPress dashboard.

2. Under Plugins > Add New, install and activate the reCaptcha by BestWebSoft plugin. This will add a new reCaptcha option to your admin panel.

installation page for the google recaptcha plugin

3. Once you’ve activated the plugin, log in to your Google Account and open the Google reCAPTCHA registration page.

4. On the registration page, complete the required fields. Here you can choose between reCAPTCHA v2 or reCAPTCHA v3. For Invisible reCAPTCHA, select reCAPTCHA v3. When finished, click Submit.

registration page for google recaptcha

5. After registering, you’ll get your site key and your secret key. Keep this window open, as you’ll need these codes shortly. Keep these keys hidden from everyone besides your site administrators.

registration keys for google recaptcha

6. Return to your WordPress dashboard and choose reCaptcha > Settings. Under Authentication, paste your site key and secret key into the corresponding fields.

placing keys in the google recaptcha wordpress plugin

7. Under General, choose your reCAPTCHA Version based on what you selected while registering for your keys. For an Invisible reCAPTCHA, choose Invisible.

selecting recaptcha version in the wordpress recaptcha plugin

8. Select where on your site you want to place your reCAPTCHA. In the free version of this plugin, you can place reCAPTCHA on your login form, registration form, reset password form, and/or comments form.

enabling recaptcha on different pages in the recaptcha wordpress plugin

The paid version of the plugin also lets you place reCAPTCHA on forms provided by additional plugins, like WooCommerce.

You may also hide the reCAPTCHA by WordPress user role and hide the reCAPTCHA badge on active pages. Check the corresponding boxes if this applies to you.

9. At the bottom of the screen, click Save Changes.

10. You now have reCAPTCHA enabled on your selected pages. If you haven’t chosen to hide the badge, you should see the reCAPTCHA logo in the bottom right corner of these pages:

the wordpress login page with google recaptcha enabled
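
The score-based detection described earlier and the secret key from step 5 meet on the server: the token generated in the visitor's browser is posted together with the secret key to Google's `https://www.google.com/recaptcha/api/siteverify` endpoint, and the JSON that comes back has to be checked before the form submission is accepted. The Python sketch below is an added example, not code from the plugin or from Google; the 0.5 threshold, the `login` action name, the `example.com` hostname, and the sample responses are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumed policy values for this example; tune them per form.
MIN_SCORE = 0.5                        # 1.0 = very likely human, 0.0 = very likely bot
MAX_TOKEN_AGE = timedelta(minutes=2)   # reCAPTCHA tokens expire after two minutes


def evaluate_siteverify(raw_json, expected_action, expected_hostname, now):
    """Return (allowed, reason) for one siteverify response body."""
    try:
        body = json.loads(raw_json)
    except json.JSONDecodeError:
        return False, "malformed response"
    if not isinstance(body, dict):
        return False, "malformed response"
    if body.get("success") is not True:
        codes = ",".join(map(str, body.get("error-codes") or [])) or "unknown"
        return False, "verification failed: " + codes
    # A valid token minted on another site or for another form must not pass.
    if body.get("hostname") != expected_hostname:
        return False, "hostname mismatch"
    if body.get("action") != expected_action:
        return False, "action mismatch"
    try:
        issued = datetime.fromisoformat(body["challenge_ts"].replace("Z", "+00:00"))
    except (KeyError, AttributeError, ValueError):
        return False, "bad timestamp"
    if issued.tzinfo is None:
        issued = issued.replace(tzinfo=timezone.utc)
    if now - issued > MAX_TOKEN_AGE:
        return False, "token too old"
    score = body.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)) or score < MIN_SCORE:
        return False, "low score"
    return True, "ok"


# Constructed sample responses (not captured from a real site).
NOW = datetime(2024, 5, 1, 12, 1, 0, tzinfo=timezone.utc)
BASE = '"action": "%s", "challenge_ts": "%s", "hostname": "example.com"'
SAMPLES = {
    "human": '{"success": true, "score": 0.9, ' + BASE % ("login", "2024-05-01T12:00:30Z") + "}",
    "bot": '{"success": true, "score": 0.1, ' + BASE % ("login", "2024-05-01T12:00:30Z") + "}",
    "wrong_form": '{"success": true, "score": 0.9, ' + BASE % ("comment", "2024-05-01T12:00:30Z") + "}",
    "stale": '{"success": true, "score": 0.9, ' + BASE % ("login", "2024-05-01T11:50:00Z") + "}",
    "replayed": '{"success": false, "error-codes": ["timeout-or-duplicate"]}',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, evaluate_siteverify(raw, "login", "example.com", NOW))
```

Only the secret key is used in this server-side exchange, so it should never appear in page source or client-side scripts.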

Protect Your WordPress Website from Spam

With Google Invisible reCAPTCHA, you can detect harmful traffic on your website with little to no impact on the visitor experience. Without verification measures, you open your site to all sorts of risks, so it’s important to add this extra protection. A safer website improves the user experience, protects you from malicious attacks, and ultimately helps you grow better.

Editor's note: This post was originally published in July 2019 and has been updated for comprehensiveness.
