Launching a WordPress site is one of the easiest ways to start an online presence. However, you also have to protect the site to stay within the limits of your hosting plan and to offer a good user experience. Soon after you launch a WordPress site, you will start receiving hundreds of spam comments, and bots will hammer your login and other forms, auto-posting comments with URLs and guessing passwords. These problems only grow as the site gains size and popularity. In this article, we explain how to add CAPTCHA protection to WordPress forms to protect your site from spammers and bots.
WordPress Forms to Protect
The problem with WordPress is that anyone can try to log in to your admin panel, because the login URL (wp-login.php) is the same on every installation. WordPress ships with a few forms that you need to protect:
- Login form
- Registration form if you have enabled user registration
- Password reset form
In addition, you can create different forms using plugins.
- Contact form allowing users to contact you
- WooCommerce or any other online store login form (remember this is a customer login form which is different than default WordPress login form)
- Registration and posting forms on social or forum sites built with plugins like BuddyPress (community) or bbPress (forums)
- Premium membership login if you have custom plugin to manage subscription
So there are easily four to five forms on any WordPress site, and you may have more with additional plugins. We strongly recommend handling registration through a membership plugin and disabling the default WordPress registration function to avoid spam sign-ups.
Why You Should Protect WordPress Forms?
Akismet is a popular plugin that automatically filters spam and bot-submitted comments. There are also plugins like Jetpack and All In One WP Security & Firewall that detect brute force attacks and lock out suspicious users. However, all of these mechanisms act only after someone has already submitted the form. For example, Akismet does not stop spam comments from being submitted; it only saves your time by moving them to the spam and trash sections automatically, and each submission still costs your server a request and a database write.
A CAPTCHA, by contrast, works before the submission is accepted. Simple crawlers that blindly post to every form they find cannot read the image or answer the question, so their submissions are rejected at the form. Keep in mind that a CAPTCHA raises the cost of abuse rather than eliminating it: a determined attacker can still solve challenges by hand or through paid solving services, but the volume will be far lower than with fully automated submissions.
How to Add CAPTCHA Protection in WordPress Forms?
There are many types of CAPTCHA available to protect the form submissions.
- Honeypot protection
- Google reCAPTCHA protection
- Showing simple math question or an image with letters and numbers
We will explain all these options in detail. However, we recommend using a simple image CAPTCHA as it effectively works to protect your forms.
Honeypot Protection
This is a soft form of protection that does not disturb the experience of real users. A honeypot adds an extra field to your form that is hidden from human visitors by CSS but is still present in the page source, so bots that parse the HTML and fill every field will also fill this one. The plugin simply rejects any submission where the hidden field contains a value; if the field is empty, the plugin assumes a real person filled in the form.
Unfortunately, not many WordPress plugins offer honeypot protection. You can use the All In One WP Security & Firewall (AIOWPS) plugin to enable it under the “WP Security > Brute Force > Honeypot” section. When the hidden field is filled, this plugin redirects the bot to the localhost address http://127.0.0.1/. However, the option only applies to the login form to protect against brute force attacks, not to other forms like the comment form.
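The following is an added example of the honeypot technique described above, written against the standard WordPress hooks; it is not code from AIOWPS or any other plugin mentioned on this page. It protects both the comment form and the login form. The field name `example_hp_website` and the function names are assumptions chosen for illustration.

```php
<?php
/*
Plugin Name: Example Honeypot (illustrative, not a published plugin)
*/

// Print the decoy field. It is moved off-screen with CSS rather than display:none,
// because some bots skip fields they can see are display:none. Real users never see it.
function example_hp_field() {
    echo '<p style="position:absolute;left:-9999px;top:-9999px;" aria-hidden="true">'
       . '<label for="example_hp_website">Leave this field empty</label>'
       . '<input type="text" name="example_hp_website" id="example_hp_website" '
       . 'value="" tabindex="-1" autocomplete="off"></p>';
}

// Returns true when the decoy field arrived with content, i.e. a bot filled it.
function example_hp_triggered() {
    return isset($_POST['example_hp_website']) && '' !== trim((string) wp_unslash($_POST['example_hp_website']));
}

// Comment form: field for anonymous and logged-in variants, then the check before the
// comment is stored. preprocess_comment runs before wp_insert_comment, so spam never
// reaches the database.
add_action('comment_form_after_fields', 'example_hp_field');
add_action('comment_form_logged_in_after', 'example_hp_field');
add_filter('preprocess_comment', function ($commentdata) {
    if (example_hp_triggered()) {
        wp_die(__('Comment rejected.'), __('Spam detected'), array('response' => 403));
    }
    return $commentdata;
});

// Login form: add the field to wp-login.php and reject the login attempt when it is filled.
// Priority 30 runs after WordPress's own username/password check (priority 20), so the
// WP_Error returned here overrides a successful authentication result.
add_action('login_form', 'example_hp_field');
add_filter('authenticate', function ($user, $username, $password) {
    if (example_hp_triggered()) {
        return new WP_Error('example_honeypot', __('Login blocked.'));
    }
    return $user;
}, 30, 3);
```

The check deliberately happens server-side in `preprocess_comment` and `authenticate`; a honeypot enforced only in JavaScript is useless, since bots post directly to wp-comments-post.php and wp-login.php without running page scripts.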
Google reCAPTCHA Protection
This is the most popular way to add CAPTCHA protection to WordPress forms. You need to obtain a site key and a secret key from Google using your Google account and enter them in the plugin; the site key is embedded in the page, while the secret key must stay on the server and is used to verify each response with Google. You can use v3 or the v2 invisible mode without any user interaction. If you use the traditional “I’m not a robot” v2 checkbox, every user has to tick the box before submitting the form, and when Google considers the request suspicious the user must also identify the correct images to proceed. Remember the following when using Google reCAPTCHA on a site that receives global traffic:
- Some countries block Google services, including reCAPTCHA. When an ISP (Internet Service Provider) blocks the service, the widget never loads and users have no way to submit the form. For example, China blocks Google completely, so enabling reCAPTCHA there means losing those customers and users.
- Google can annoy users by showing challenge after challenge even when the user identified the images correctly, which happens more often on shared or VPN IP addresses.
Therefore, Google reCAPTCHA may not be a user-friendly option, especially for paying customers. You can still use it if you do not have much traffic from China and other countries that block Google services. You can use the same AIOWPS plugin for this purpose: go to the “WP Security > Brute Force” section, open the “Login Captcha” tab, and enable the “Use Google reCAPTCHA as default” option by providing your site key and secret key.
If you do not want to use a bigger plugin like AIOWPS for this purpose, there are dedicated plugins like reCAPTCHA by BestWebSoft. This plugin offers many settings to enable v2, v3 or invisible reCAPTCHA with a light or dark theme. In addition, you can enable reCAPTCHA on all default WordPress forms and on Contact Form 7 forms.
Below is how the reCAPTCHA protection will look like in WordPress comments form.
When the user is challenged, they will see a list of images for verification as shown below.
You can get the complete details of passed and failed requests in your Google reCAPTCHA account’s “Analytics” section.
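Whichever plugin you use, the part that actually stops bots is the server-side verification of the token the widget posts with the form. The following added example shows that verification for the comment form using the public siteverify endpoint; it is illustrative code written for this article, not code from AIOWPS or the BestWebSoft plugin. The option names `example_recaptcha_site_key` and `example_recaptcha_secret_key`, the function names, and the 0.5 score threshold are assumptions.

```php
<?php
// Illustrative reCAPTCHA integration for the WordPress comment form.
// Assumes the keys were saved with update_option() under the option names below.

// Load Google's script only where the comment form appears, and render a v2 checkbox widget.
add_action('wp_enqueue_scripts', function () {
    if (is_singular() && comments_open()) {
        wp_enqueue_script('google-recaptcha', 'https://www.google.com/recaptcha/api.js', array(), null, true);
    }
});
add_action('comment_form_after_fields', function () {
    $site_key = get_option('example_recaptcha_site_key', '');
    echo '<div class="g-recaptcha" data-sitekey="' . esc_attr($site_key) . '"></div>';
});

/**
 * Verify a posted reCAPTCHA token with Google.
 * Returns true only when Google reports success, the token was issued for this
 * site's hostname, and (for v3 tokens, which carry a score) the score is acceptable.
 */
function example_recaptcha_verify($token, $remote_ip, $min_score = 0.5) {
    if ('' === $token) {
        return false;
    }
    $response = wp_remote_post('https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 10,
        'body'    => array(
            'secret'   => get_option('example_recaptcha_secret_key', ''),
            'response' => $token,
            'remoteip' => $remote_ip,
        ),
    ));
    // Fail closed: an unreachable verification service must not let submissions through.
    if (is_wp_error($response) || 200 !== wp_remote_retrieve_response_code($response)) {
        return false;
    }
    $result = json_decode(wp_remote_retrieve_body($response), true);
    if (!is_array($result) || empty($result['success'])) {
        return false;
    }
    // Reject tokens solved on another domain and replayed against this site.
    $expected_host = wp_parse_url(home_url(), PHP_URL_HOST);
    if (isset($result['hostname']) && $result['hostname'] !== $expected_host) {
        return false;
    }
    // v2 responses have no score; v3 responses do (1.0 = very likely human).
    if (isset($result['score']) && (float) $result['score'] < $min_score) {
        return false;
    }
    return true;
}

// Block the comment before it is stored when verification fails.
add_filter('preprocess_comment', function ($commentdata) {
    if (is_user_logged_in()) {
        return $commentdata; // logged-in users are trusted, as the plugins above allow
    }
    $token = isset($_POST['g-recaptcha-response'])
        ? sanitize_text_field(wp_unslash($_POST['g-recaptcha-response'])) : '';
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    if (!example_recaptcha_verify($token, $ip)) {
        wp_die(__('reCAPTCHA verification failed. Please go back and try again.'),
               __('Comment blocked'), array('response' => 403, 'back_link' => true));
    }
    return $commentdata;
});
```

The fail-closed choice in `example_recaptcha_verify` is exactly what produces the regional problem described above: when the user's network cannot reach Google, the widget never produces a token and the form is rejected. If you cannot accept that, the alternative is not to fail open (which lets every bot through) but to use a CAPTCHA that does not depend on a third party.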
Adding Simple CAPTCHA
This is a lightweight option that does not depend on a third-party service and does not annoy users. You can use a plugin that adds a mathematical question or an image CAPTCHA to the forms.
Math Question CAPTCHA
There are many plugins available for adding this kind of equation CAPTCHA to comments and other forms. You can use the AIOWPS plugin for this purpose as well. After installing and activating the plugin, go to the “WP Security > SPAM Prevention” section. Enable the options under “Comment SPAM”, “BuddyPress” and “BBPress” to protect the corresponding forms. You can also enable comment spam IP monitoring to block the IP addresses from which spam comments are posted.
Similarly, you can enable the CAPTCHA on the login and password reset forms under the “WP Security > Brute Force” section.
The plugin adds a simple mathematical equation to protect your site from automated bots. The default login form then looks like the screenshot below:
The comment submission form with the mathematical equation looks like the screenshot below:
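To show what a math CAPTCHA has to get right on the server, here is an added example for the comment form; it is written for this article and is not AIOWPS code. The question is generated per page view, a random token is sent to the browser, and the expected answer is kept server-side in a transient keyed by that token, so the answer never travels to the client in any form. The function names, the `example_math_` transient prefix and the 10-minute lifetime are assumptions.

```php
<?php
// Illustrative math-question CAPTCHA for the WordPress comment form.

// Build a question such as "7 + 2 = ?" and remember its answer under a one-time token.
function example_math_challenge() {
    $a  = wp_rand(1, 9);
    $b  = wp_rand(1, 9);
    $op = wp_rand(0, 1) ? '+' : '-';
    if ('-' === $op && $b > $a) {
        list($a, $b) = array($b, $a); // keep answers non-negative for users
    }
    $answer = ('+' === $op) ? $a + $b : $a - $b;
    $token  = wp_generate_password(32, false, false); // alphanumeric only
    // Store a salted hash of the answer, never the answer itself; expires in 10 minutes.
    set_transient('example_math_' . $token, wp_hash((string) $answer), 10 * MINUTE_IN_SECONDS);
    return array('question' => "$a $op $b = ?", 'token' => $token);
}

// Render the question and the hidden token inside the comment form.
add_action('comment_form_after_fields', function () {
    $c = example_math_challenge();
    echo '<p><label for="example_math_answer">' . esc_html($c['question']) . '</label> '
       . '<input type="text" name="example_math_answer" id="example_math_answer" size="4" required> '
       . '<input type="hidden" name="example_math_token" value="' . esc_attr($c['token']) . '"></p>';
});

/**
 * Check a submitted answer against the stored one. The token is consumed on the first
 * attempt, right or wrong, so a bot cannot replay a solved token or brute force the
 * small answer space against the same challenge.
 */
function example_math_verify($token, $answer) {
    $answer = trim((string) $answer);
    if (!preg_match('/^[A-Za-z0-9]{32}$/', $token) || !ctype_digit($answer)) {
        return false;
    }
    $key      = 'example_math_' . $token;
    $expected = get_transient($key);
    delete_transient($key);
    if (false === $expected) {
        return false; // expired, never issued, or already used
    }
    // (int) normalises "07" to "7"; hash_equals avoids timing leaks on the comparison.
    return hash_equals($expected, wp_hash((string) (int) $answer));
}

add_filter('preprocess_comment', function ($commentdata) {
    if (is_user_logged_in()) {
        return $commentdata;
    }
    $token  = isset($_POST['example_math_token'])  ? (string) wp_unslash($_POST['example_math_token'])  : '';
    $answer = isset($_POST['example_math_answer']) ? (string) wp_unslash($_POST['example_math_answer']) : '';
    if (!example_math_verify($token, $answer)) {
        wp_die(__('Wrong answer to the math question. Please go back and try again.'),
               __('Comment blocked'), array('response' => 403, 'back_link' => true));
    }
    return $commentdata;
});
```

This design also makes the caching problem concrete: a page cache stores the rendered HTML, including one question and one token, and serves that same copy to every visitor. The first commenter consumes the token and everyone after them fails verification until the cache expires. The usual fixes are to exclude pages with comment forms from the page cache or to load the challenge over AJAX so it is generated per visitor.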
Image CAPTCHA with Alphanumeric Characters
This is one of the simplest ways to add CAPTCHA protection to WordPress forms. You can achieve it with simple plugins like Captcha Code. After installing and activating the Captcha Code plugin, go to the “Settings > Captcha Settings” section.
- Select capital or small or both letters to be shown in the CAPTCHA image.
- Choose the CAPTCHA type as alphanumeric, alphabets only or numbers only.
- The plugin allows you to show 3 to 6 characters in the CAPTCHA image.
- Enable or disable CAPTCHA protection for login, register, lost password and comments form.
- You also have an option to disable CAPTCHA for logged in users to offer good user experience for logged in users.
We recommend selecting capital letters, alphabets only and 3 characters. This keeps the CAPTCHA easy for users while still stopping blind form-posting bots. Be aware of the trade-off: a clean image with only three uppercase letters is also easy for OCR-based bots to read, so if you see spam getting through, increase the length or switch to alphanumeric characters. The CAPTCHA looks like the screenshot below on the forms:
Check out this article if you are not seeing the image captcha on forms.
As mentioned, the internet is full of automated bots and attackers, and the standard WordPress setup makes their work easier by letting them send automated requests to well-known forms. The good news is that there are plenty of simple plugins for adding CAPTCHA protection to WordPress forms, which stops the bots and saves your time. If you are the only user managing the site, changing the login URL adds a small extra hurdle, though it only hides the form and does not replace a CAPTCHA or rate limiting. Remember that image and math CAPTCHAs do not work with most page caching plugins like WP Rocket: the cache stores the page with one fixed challenge and serves it to every visitor, so the challenge no longer matches what the server expects. In that case, either exclude the affected pages from the cache or use Google reCAPTCHA, which verifies a token generated in the browser and therefore works with a cached page.