Do CAPTCHA and reCAPTCHA Protect WordPress Sites from Bots?

If you’ve used the internet anytime in the last decade, chances are you’ve had to pass a CAPTCHA or reCAPTCHA test. You may have done so many of these little quizzes that you groan just seeing one on a form.

There are quite a few different versions, but they all can help protect your WordPress website from spambots and make your life simpler.

In this post, we’ll cover the evolution of CAPTCHA and reCAPTCHA. We’ll also go over the different versions and the pros and cons of each one. Then, we’ll show you how to enable reCAPTCHA on WordPress and explore additional security measures you should implement.

What are CAPTCHA and reCAPTCHA?

CAPTCHA and reCAPTCHA serve the same purpose: protecting your website against bots and other security threats. They’re typically found on contact, comment, login, and password reset forms. But there are some key differences between the two safety checks. Let’s take a look at each one in detail. 

What is CAPTCHA?

The acronym CAPTCHA stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart. It’s a mouthful, but the name says it all — it can decipher the difference between a human and a computer operator. Still, the specifics are important.

In the early 2000s, when it was created, CAPTCHA used a distorted text (letters and numbers) test to prevent bots from compromising websites.

When faced with a CAPTCHA, users needed to decipher broken text correctly to prove that they were, in fact, human. If they couldn’t identify the letters and numbers, the test wouldn’t submit their requests. 

This was revolutionary because most humans could pass it easily, but computers couldn’t solve it themselves. 

What is reCAPTCHA?

reCAPTCHA follows a similar principle, but instead of just utilizing meaningless text to see if the user is a real human, it was designed to help computers digitize old books and newspapers. The test was essentially split into two parts shown side-by-side — one traditional CAPTCHA to determine the humanity of the user, and a second image of letters from a piece of text the computer was trying to digitize. If the human could pass the first part, it would accept the user’s input for the second part as an accurate translation. 

reCAPTCHA in practice
Photo from http://www.captcha.net/

The point is that reCAPTCHA added a second part to the test to put millions of human users to work — a few seconds at a time — to digitize historical text for ongoing record keeping. Now sites were protected from bots and users weren’t totally wasting their time. 

Google purchased the technology in 2009 and improved upon it over the years. You see, artificial intelligence (AI) eventually became sophisticated enough to read and decipher even the most challenging text with 99.8 percent accuracy. By doing so, they could pass the test and trick it into thinking bots were humans. 

To deal with this new issue, reCAPTCHA made things even more challenging, introducing new options like the famous “I’m not a robot” check box. 

I'm not a robot checkbox

Today, reCAPTCHA is a widely-used security measure that protects websites from various spambots and cybercriminals by helping to ensure that comments on blog posts or in forums, and submissions on forms come from real people. 

What are the different versions of reCAPTCHA?

There are technically four different types of active reCAPTCHAs. Instead of text, some tests may use images, audio, or even math equations. They also utilize some variation of  “No CAPTCHA reCAPTCHA”, which determines whether a user is suspicious simply based on their behavior on a site.

If you’re setting up WordPress website security, you may have the option to choose between different reCAPTCHA types. For example, you can select a checkbox or background verification:

options for type of reCAPTCHA

Here are the different types of reCAPTCHA:

  • ReCAPTCHA v2 (“I’m not a robot” checkbox): This is the simplest and easiest test to add with limited coding knowledge. Sometimes it passes or approves users right away and prompts them to check a box. Other times, it asks them to verify that they’re human with a puzzle challenge.
  • ReCAPTCHA v2 (Invisible reCAPTCHA badge): For this version, there’s usually no checkbox. It simply uses an existing button on your site or a JavaScript API call for verification. You’ll see a badge that says Protected by reCAPTCHA. Essentially, verification happens in the background. Only the strangest behavior will prompt a test.
  • ReCAPTCHA v2 (Android): This version utilizes a reCAPTCHA Android library that’s part of Google Play’s SafetyNet APIs. This validates requests from within an Android app, so it’s not the right choice to use for a WordPress site. 
  • ReCAPTCHA v3: This is the most advanced and discreet of all the versions. Visitors won’t even know it’s happening. It uses a JavaScript API and automatically assigns a score to each user to approve or deny them. This version also gives more advanced developers extended flexibility for integrations with other security measures to dictate the level of site security. 
  • ReCAPTCHA Enterprise: Like v3, this runs in the background. It gives each site visitor a score based on their behavior. If a visitor is deemed suspicious, it may require them to verify their identity through custom options determined by each site — two-factor authentication or email verification. As its name implies, this is typically for enterprise-level sites and requires advanced customization.

What should I consider when choosing a reCAPTCHA version?

Since reCAPTCHA Enterprise is reserved for larger companies, it’s safe to say that most websites will need either reCAPTCHA v2 or reCAPTCHA v3. Still, it’s important to know what you’re getting into with each one. 

What are the pros and cons of reCAPTCHA v2? 

The most significant advantage of reCAPTCHA v2 is that, whether you choose to include the “I’m not a robot” checkbox or leave it discreetly running in the background, it protects you from spam while offering humans the opportunity to prove that they’re real. 

With the invisible version, if it detects suspicious behavior, it will require a test. If it doesn’t, the user can proceed none the wiser. 

However, any reCAPTCHA v2 test can seriously hurt the user experience for site visitors. To combat increasingly smart AI technology, tests have become so tricky that many real humans have trouble passing.

The test’s difficulty may leave users frustrated, wondering why they fail when they are actual humans. In fact, the situation has become so bad that popular tech magazines give people tips on passing these tests.

Plus, it’s also important to consider the accessibility of reCAPTCHAs. A graphical puzzle, for example, would be inaccessible for people who have vision impairments. So, if you do decide to use reCAPTCHA v2, it’s important to present other options, like audio or text-based tests.

What are the pros and cons of reCAPTCHA v3?

reCAPTCHA v3 was specifically designed to improve the user experience. With no verification tests to complete, it’s seamless. Website visitors are happily unaware of the entire process. 

It also gives administrators much more control. With reCAPTCHA v3, you have advanced options to customize your interaction with Google’s API to adjust scoring thresholds and define what is considered suspicious behavior. 

Some may consider this added control a good thing, while others may find it a weighty and cumbersome responsibility. Additionally, some critics believe that reCAPTCHA v3 may pose a privacy risk because it provides Google with too much data. 

In addition, reCAPTCHA v3 can deter good bots from doing important work. People tend to remember the villains like spambots, but forget about their positive counterparts. Good bots deal with things like SEO and performance monitoring. If you get in their way, your overall website success could suffer. 

A final downside is that, since spam scoring happens in the background, there’s no alternative test provided to suspicious users (like with the invisible reCAPTCHA v2 badge). Visitors who are wrongly flagged as bots don’t have an opportunity to prove their legitimacy. This means that you could turn away real customers, clients, and followers.

Can bots bypass reCAPTCHA?

This is the big question. Unfortunately, the answer may not be straightforward or definitive.

The many versions of reCAPTCHA are evidence that malicious spambots evolve quickly.

They’re constantly adapting to outsmart reCAPTCHA. When the original CAPTCHA was introduced, it was revolutionary in its ability to decipher between real users and bots. But it didn’t take long before the bots caught on. People have even started using human labor to get past tests manually. 

Computer scientists are regularly working to increase the effectiveness of reCAPTCHA, however. Some have proposed new challenges, like puzzles that require a user to maneuver pieces or nursery rhyme completion games based on the location of site visitors.

That’s one major reason tests have become so frustrating for real users — difficulty has had to increase to stay ahead of computer learning. Unfortunately, it seems we’re at a point where to continue to outsmart computers, we have to make tests that are sometimes too difficult for real users to solve — a major problem. 

It’s gotten so bad that Amazon now owns a patent for a new kind of CAPTCHA-esque test that is so difficult to solve that only a computer can do it. Meaning… if you pass, you’ve actually failed because you’ve proven that you can’t possibly be human. 

So can reCAPTCHA stop bots? 

Yes, it can stop many of them. But it can’t stop them all. And the percentage of bots that make it through is increasing by the day. This means you can’t simply rely on reCAPTCHA to prevent spam submissions. You’d be signing up for a highly imperfect, temporary system that’s only going to get less effective. 

So what should you do? 

Other security measures to protect your website from spambots

1. Lock down your comment forms

The best place to start is by configuring your WordPress comments in a way that protects your site against bots. Navigate to Settings → Discussion in your site dashboard and and consider requiring:

  • Comment authors to submit a name and email
  • Users to be registered and logged in to comment
  • Comments to be manually approved before publication
  • Authors to have a previously approved comment to submit a new one

In the Comment Moderation box, you can also flag a comment that contains a certain number of links — lots of links is a common indication of spam. Or, if you’re getting a lot of spam that contains certain words, email addresses, IP addresses, and other characteristics, you can ban them entirely.

2. Protect your login forms

To lock down your login forms without using a CAPTCHA, you can implement two-factor authentication. This requires a user to have both login details and a physical device to access your site. When someone logs in, they’ll have to enter a username and password as well as a one-time code that’s sent to the mobile device on file. This is virtually impossible for bots to get past.

3. Use honeypot

Honeypots are an option for protecting contact forms. Think of them as a mouse trap for bots. They essentially create a hidden field in your forms that isn’t visible to site visitors but that can be seen by spambots. If the field is filled out, the bot is stopped in its tracks.

Many contact form plugins allow you to implement this feature in their default settings.

4. Protect your comment and contact forms with Akismet

Akismet is hands-down the best way to eliminate the headaches of bots (or even real humans) spamming your comments or sending unwanted messages through forms on your site. 

With millions of users, Akismet has blocked over 500,000,000,000 spam submissions at the time of writing this article. With each one, it learns a bit more. So while bots might have AI to get past reCAPTCHAs, Akismet’s AI is working to protect your site in an entirely different way. 

Akismet can accurately identify spammy behavior and keeps a blocklist of words, IP addresses, names, and emails to prevent pests. Plus, it gives you control to provide feedback about any spam it misses or real comments that it accidentally flagged. Then, it customizes its spam-fighting solution just for your site. Amazing. 

Akismet homepage with description of features

You can get a free version of Akismet for your personal blog. In addition, there are three paid plans for commercial sites starting at just $10 per month. 

Win the fight against spam bots

Spam bots and less-than-ethical cyber actors are always trying to take advantage of visitors and the sites they love (like yours!). They can cause annoyance or even do real-world damage.

CAPTCHA and reCAPTCHA have evolved many times over the years and continue to be one trusted way to prevent bots from flooding sites. But these solutions aren’t perfect, and sites need other measures to prevent spam from causing trouble. Consider protecting login forms with two-factor authentication, deploying WordPress best-practices, and using Akismet to filter comment and contact form submissions automatically.