How to Improve WordPress Website’s Security With Google Invisible reCAPTCHA Plugin
While web trends are always changing, one thing is for sure: There will always be spam.
Security experts over the years have researched a variety of ways to control and outwit spammers, most notably CAPTCHA. A CAPTCHA is a program designed to distinguish between humans and bots — CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart.”
The first CAPTCHAs were introduced in 1997 and were effective for a while. However, early iterations of CAPTCHA failed to keep up with the evolution of modern technology. Bots learned to simply bypass CAPTCHA more often than not, infecting websites and crashing servers.
CAPTCHAs also had a usability problem. As they grew more complex to counter these evolving bots, actual humans found it difficult to pass tests like these:
Can you read the first word? I’m not sure I can.
Luckily, security experts have been working on better solutions. After several iterations of its own CAPTCHAs (called “reCAPTCHAs”), Google introduced Invisible reCAPTCHA. This free service automatically snuffs out spam and allows visitors to enjoy an uninterrupted browsing experience without the irritating tests.
In this post, we’ll discuss why you should consider using Google Invisible reCAPTCHA to secure your WordPress website, and how to integrate it with your pages.
Invisible reCAPTCHA is a Google CAPTCHA service that identifies spam traffic without additional input from visitors. This technology uses machine learning and risk analysis techniques to analyze web browsing behavior. Because of this, visitors will only need to solve a CAPTCHA problem if their browsing patterns appear suspicious.
To understand what sets Invisible reCAPTCHA apart, let’s look back at what led up to this technology. The first iteration of Google reCAPTCHA required visitors to identify certain images and interpret distorted text, like in the example above. As of 2018, this version of reCAPTCHA has been phased out by Google.
Google then created the reCAPTCHA v2, which includes the “I’m not a robot” task — website visitors simply check a box to proceed, and the CAPTCHA detects bots by tracking mouse movement toward the box. Humans tend to move the mouse in curved, irregular patterns, while bots move the cursor in straight lines.
While v2 was pretty effective, Google continued to develop a more robust way of curbing spam. Introduced in 2018, Invisible reCAPTCHA (or reCAPTCHA v3) uses an internal scoring system to detect abusive traffic and requires no additional user input.
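The scoring system only protects a form if the server checks the score itself. The block below is an added example, not code from the plugin or from Google: it shows how a backend could turn the JSON returned by Google's siteverify endpoint into an allow/block decision. The function name, the 0.5 threshold, the "login" action label and the example.com hostname are assumptions, and the sample responses are constructed.

```php
<?php
// Added example. The JSON evaluated here is what the siteverify endpoint
// returns after the server POSTs its secret key and the visitor's token;
// the secret key never leaves the server.
// Assumptions: function name, 0.5 threshold, "login" action, example.com.

function recaptcha_v3_decision(string $json, string $expectedAction,
                               string $expectedHost, float $minScore = 0.5): array
{
    $r = json_decode($json, true);

    // Fail closed: unparseable or unsuccessful responses are rejected.
    if (!is_array($r) || ($r['success'] ?? false) !== true) {
        $codes = is_array($r) ? ($r['error-codes'] ?? []) : [];
        return ['allow' => false,
                'reason' => 'verification failed: ' . implode(',', (array) $codes)];
    }
    // A token issued for another form or another site is not valid here.
    if (($r['action'] ?? '') !== $expectedAction) {
        return ['allow' => false, 'reason' => 'action mismatch'];
    }
    if (($r['hostname'] ?? '') !== $expectedHost) {
        return ['allow' => false, 'reason' => 'hostname mismatch'];
    }
    // Score runs from 0.0 (very likely automated) to 1.0 (very likely human).
    $score = $r['score'] ?? null;
    if (!is_float($score) && !is_int($score)) {
        return ['allow' => false, 'reason' => 'missing score'];
    }
    if ($score < $minScore) {
        return ['allow' => false,
                'reason' => sprintf('score %.1f below %.1f', $score, $minScore)];
    }
    return ['allow' => true, 'reason' => sprintf('score %.1f', $score)];
}

// Constructed sample responses (not captured from a real site).
$samples = [
    'human'        => '{"success":true,"score":0.9,"action":"login","hostname":"example.com"}',
    'likely bot'   => '{"success":true,"score":0.1,"action":"login","hostname":"example.com"}',
    'wrong action' => '{"success":true,"score":0.9,"action":"comment","hostname":"example.com"}',
    'bad token'    => '{"success":false,"error-codes":["invalid-input-response"]}',
    'garbage'      => 'not json',
];
foreach ($samples as $label => $json) {
    $d = recaptcha_v3_decision($json, 'login', 'example.com');
    printf("%-12s %s (%s)\n", $label, $d['allow'] ? 'ALLOW' : 'BLOCK', $d['reason']);
}
```

Only the first sample is allowed; a missing, malformed or failed verification is treated the same as a low score.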
Why use Google Invisible reCAPTCHA in WordPress?
With the rapid growth of the WordPress community, WordPress websites have become one of the most attractive targets for cybercriminals and spam. WordPress website owners face many security threats, including spam comments, fake registrations, and brute-force login attempts.
WordPress websites are so frequently targeted because security vulnerabilities are made public after they’re patched, which leaves outdated WordPress software susceptible. Also, hackers assume that many WordPress users are inexperienced and don’t take the necessary precautions.
With reCAPTCHA, you can add one more layer of security to your website with minimal work — it will save you potentially hours of sifting through spam traffic, or worse, cleaning up after a successful break-in.
Plus, there’s another important factor to consider here — the user experience. The less users must do to prove they’re human, the better. Even ticking a box can negatively impact the user experience.
Invisible reCAPTCHA doesn’t interrupt visitors with security questions, fuzzy words, or checkboxes. Visitors browse your site as normal, and Google handles the bot detection behind the scenes. It’s the best of both worlds, and it’s completely free to use.
How to Add Google reCAPTCHA to WordPress
Adding Invisible reCAPTCHA to your WordPress site is a fairly simple process — you just need a Google account and a WordPress reCAPTCHA plugin. For this tutorial, we’ll use the reCaptcha by BestWebSoft plugin, the most popular plugin for this purpose.
Other popular reCAPTCHA plugin options include Invisible reCaptcha for WordPress — which integrates with BuddyPress, Gravity Forms, and Contact Form 7 — and Simple Google reCAPTCHA. Setup is similar for all of these plugins, and all have similar abilities. All are free, so you can sample different options to see which you prefer.
To get started with the reCaptcha by BestWebSoft plugin:
1. Log into your WordPress dashboard.
2. Under Plugins > Add New, install and activate the reCaptcha by BestWebSoft plugin. This will add a new reCaptcha option to your admin panel.
4. On the registration page, complete the required fields. Here you can choose between reCAPTCHA v2 or reCAPTCHA v3. For Invisible reCAPTCHA, select reCAPTCHA v3. When finished, click Submit.
5. After registering, you’ll get your site key and your secret key. Keep this window open, as you’ll need these codes shortly. Keep these keys hidden from everyone besides your site administrators.
6. Return to your WordPress dashboard and choose reCaptcha > Settings. Under Authentication, paste in your site key and secret key in the corresponding fields.
7. Under General, choose your reCAPTCHA Version based on what you selected while registering for your keys. For an Invisible reCAPTCHA, choose Invisible.
8. Select where on your site you want to place your reCAPTCHA. In the free version of this plugin, you can place reCAPTCHA on your login form, registration form, reset password form, and/or comments form.
The paid version of the plugin also lets you place reCAPTCHA on forms provided by additional plugins, like WooCommerce.
You may also hide the reCAPTCHA by WordPress user role and hide the reCAPTCHA badge on active pages. Check the corresponding boxes if this applies to you.
9. At the bottom of the screen, click Save Changes.
10. You now have reCAPTCHA enabled on your selected pages. If you haven’t chosen to hide the badge, you should see the reCAPTCHA logo in the bottom right corner of these pages:
Protect Your WordPress Website from Spam
With Google Invisible reCAPTCHA, you can detect harmful traffic on your website with little to no impact on the visitor experience. Without verification measures, you open your site to all sorts of risks — there’s little excuse not to add this extra protection.
In addition to installing reCAPTCHA, there are other things you can and should do to harden your WordPress site. For example, admins should regularly update their WordPress installation as security fixes are patched, and you might also consider a WordPress security plugin for extra protection. WordPress is only secure when admins take the proper steps, so see our WordPress security checklist for a comprehensive look at what the safes