Wordpress security

The Best reCAPTCHA For WordPress

November 21, 2019 by Agnes Talalaev

In this article, we will go over how to install reCAPTCHA for WordPress, what a CAPTCHA is in general, what types of CAPTCHAs exist and how the options you see around the web differ from each other.

What is CAPTCHA?

You may have seen some “tests” around the web when trying to create an account or log in somewhere: before finishing the registration you have to decipher a distorted cursive text crossed out with lines and curves.

Or you may have had to complete a task by picking a specific element out of a set of pictures, like the crosswalk example below.

[Image: Confident CAPTCHA example]

These “tests” are scattered around the web when trying to make an account, post a comment, reply or log in to an account to differentiate whether the user is human or not.

And these things are called CAPTCHAs.

CAPTCHA stands for:

COMPLETELY
AUTOMATED
PUBLIC
TURING TEST
to tell COMPUTERS
and HUMANS APART

What a great acronym, right?

CAPTCHA history goes back to the late 1990s, when the search engine AltaVista tried to prevent bots from adding malicious or spam URLs to AltaVista's database.

They wanted to make sure spam links wouldn't end up in the search engine and thought about a task that both computers and humans are good at: optical character recognition.

[Image from Forbes: The future of OCR is machine learning]

Taking optical character recognition to the next level, they made the characters hard for computers to recognize while keeping them recognizable for humans.

In addition to recognizing text, there are other types of CAPTCHAs too; let's take a look.

Different Types Of CAPTCHAs

There are different types of CAPTCHAs that you can use on your website. It is important to understand the specific need for your website, so you can make an informed decision based on the problem you are solving.

Here are some of the various types of CAPTCHAs you may have come into contact with. Of course, each has its pros and cons.

Word Problems, Math Problems, And Audio

A word problem CAPTCHA is one where the user has to answer a simple question; for example, a word or a few words that the user has to retype.

In some cases there may be further instructions, such as to write only one word, the last word, or the word shown in a different color.

[Image: reCAPTCHA V1 example from support.google.com]

The word-solving CAPTCHA has a downside: bots are becoming more and more intelligent and may be able to solve the problem just as a human would, so it might not be the most secure option out there.

Another one is a math problem, for example a simple 2+2 that needs an answer. According to the author, these problems are usually harder for bots to guess, so this is a bit more secure than a word problem CAPTCHA.

And lastly the audio CAPTCHA, which, as you can see above, is mostly added alongside the word and math problems to help those who are visually impaired.

reCAPTCHA

reCAPTCHA is a free service from Google that currently has three versions: V1, V2 and V3. reCAPTCHA V1 has many forms, such as word solving, audio and math problems, as mentioned above.

reCAPTCHA V2 has been made very easy for the user: the task is simply to click a checkbox labelled “I am not a robot”.

reCAPTCHA V2 also tracks finger (on a phone) or mouse movement and checks whether the box was clicked exactly in the middle. If it was, that is an indication that it might be a robot.

Here is a reCAPTCHA V2 example:

[Image: animated checkbox widget, reCAPTCHA V2 example from support.google.com]

Other types of CAPTCHAs worth mentioning are:

  • Social media sign-in, which lets a user sign up or sign in using their Facebook, Instagram, Snapchat, Google or other social media account.
  • Time-based CAPTCHA, which measures how long it takes to fill in the form; a form that is filled in instantly may indicate a bot.
  • Honeypot CAPTCHA, which tricks bots with fields that are hidden from humans; a bot fills them in, and that action then gets the bot banned.
  • and more.
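To make the last two items concrete, here is an added example (not code from the article or from WebARX) of a comment form that combines a honeypot field with a time-based check. It goes slightly beyond the bullet points: the timestamp embedded in the form is signed with an HMAC so that a client cannot backdate it and fake a slow fill. The field name `website_url`, the 3-second minimum, the 24-hour token lifetime and the server secret are all assumptions chosen for the example.

```python
import hashlib
import hmac
import time

# Constructed server-side secret (assumption: in a real deployment this is a random
# value kept outside the web root and never sent to the browser).
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
HONEYPOT_FIELD = "website_url"   # hypothetical name, chosen to look like a real field to a bot
MIN_FILL_SECONDS = 3             # assumption: a human needs at least this long to fill the form
MAX_TOKEN_AGE = 24 * 3600        # assumption: discard form tokens older than a day


def _sign(ts: str) -> str:
    return hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()


def issue_form_token(now=None):
    """Timestamp plus HMAC to embed as hidden fields when the form is rendered.
    Signing stops a client from backdating the timestamp to fake a slow fill."""
    ts = str(int(time.time() if now is None else now))
    return ts, _sign(ts)


def render_form(now=None):
    """Form markup with the honeypot.  The trap input is hidden with CSS rather than
    type="hidden", because bots often skip hidden inputs but fill text inputs."""
    ts, sig = issue_form_token(now)
    return (
        '<form method="post">\n'
        '  <textarea name="comment"></textarea>\n'
        '  <div style="display:none" aria-hidden="true">\n'
        f'    <input type="text" name="{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">\n'
        '  </div>\n'
        f'  <input type="hidden" name="form_ts" value="{ts}">\n'
        f'  <input type="hidden" name="form_sig" value="{sig}">\n'
        '  <button type="submit">Post comment</button>\n'
        '</form>'
    )


def check_submission(fields, now=None):
    """Honeypot and time-based checks over the POSTed fields (a dict of strings).
    Returns (accepted, reason)."""
    now = time.time() if now is None else now

    # Honeypot: humans never see the field, so any value means software filled it.
    if fields.get(HONEYPOT_FIELD, "") != "":
        return False, "honeypot filled"

    # Time-based: the timestamp must carry a valid signature before it is trusted.
    ts = fields.get("form_ts", "")
    sig = fields.get("form_sig", "")
    if not ts.isdigit() or not hmac.compare_digest(sig.encode(), _sign(ts).encode()):
        return False, "timestamp missing or tampered"

    elapsed = now - int(ts)
    if elapsed < MIN_FILL_SECONDS:
        return False, f"filled too fast ({elapsed:.0f}s)"
    if elapsed > MAX_TOKEN_AGE:
        return False, "form token expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed submissions: a human taking 20 seconds, and a bot that filled the trap.
    t0 = 1_700_000_000
    ts, sig = issue_form_token(t0)
    human = {"comment": "nice post", HONEYPOT_FIELD: "", "form_ts": ts, "form_sig": sig}
    bot = dict(human, **{HONEYPOT_FIELD: "http://spam.example"})
    print(check_submission(human, now=t0 + 20))
    print(check_submission(bot, now=t0 + 20))
    print(check_submission(human, now=t0 + 1))
```

Both checks are invisible to a human visitor, which is why they are often layered under a reCAPTCHA rather than used instead of it: they cost nothing in usability, but a bot that renders CSS and waits a few seconds passes them.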

Can reCAPTCHA be bypassed?

There have been fixes to Google reCAPTCHA. For example, in May 2018 Google pushed a fix for a security flaw that allowed attackers to circumvent the reCAPTCHA bot protection system.

ReCAPTCHA is not foolproof and in some cases, it can be bypassed. However, according to security researcher Andres Riancho, a vulnerability existed which allowed the protections to be circumvented every time.

– ZDNet, May 2018

As Riancho’s findings were based on an exploit that could bypass reCAPTCHA mechanisms every time, the researcher asked Google to re-read the vulnerability report.

By 31 January, Google had requested additional information, and only 24 hours later confirmed the bug.

“Google decided to fix this issue in their REST API, and I believe it was a wise move, their fix is simple:

If the HTTP request to /recaptcha/api/siteverify contains two parameters with the same name, then [it] return[s] an error. Fixing it this way they are protecting the applications which are vulnerable to the HTTP Parameter Pollution and the reCAPTCHA bypass, without requiring them to apply any patches.”

– ZDNet, May 2018

You can read more about the issue on Riancho's blog or at ZDNet.

As we have mentioned in earlier articles, nothing can be truly 100% secure; there may always be a way to bypass a protection, even one built by very experienced developers. Security needs constant work, and therefore we should never stop improving.
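The fix quoted above is easier to appreciate with the two sides written out. The following is an added example, not Riancho's or Google's code: it contrasts a verification request that splices the user-supplied token into the body as-is (the HTTP Parameter Pollution case the quote refers to) with one that URL-encodes it, applies a duplicate-parameter check of the kind Google added to `/recaptcha/api/siteverify`, and validates the JSON reply. The endpoint URL comes from the article; the token and key values are constructed placeholders, and no network request is made.

```python
import json
from urllib.parse import parse_qsl, urlencode

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"  # endpoint named in the article


def build_siteverify_body_unsafe(secret, response_token):
    """The fragile pattern: the user-supplied token is spliced into the body as-is.
    Any '&' or '=' inside the token becomes extra parameters (HTTP Parameter
    Pollution).  Kept only to contrast with the hardened builder below."""
    return f"secret={secret}&response={response_token}"


def build_siteverify_body(secret, response_token, remote_ip=None):
    """Hardened: urlencode() escapes '&' and '=' inside the token, so the token is
    always delivered as the value of exactly one 'response' parameter."""
    params = {"secret": secret, "response": response_token}
    if remote_ip:
        params["remoteip"] = remote_ip
    return urlencode(params)


def reject_duplicate_params(body):
    """Check in the spirit of the server-side fix quoted in the article: parse the
    body and refuse it when any parameter name appears more than once.
    Returns (accepted, params)."""
    params = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name in params:
            return False, {}
        params[name] = value
    return True, params


def interpret_siteverify_response(body_json, expected_hostname):
    """Validate the JSON siteverify returns.  'success' alone is not enough: the
    'hostname' field must be your own site, otherwise a token solved on some other
    page would be accepted.  Returns (accepted, reason)."""
    data = json.loads(body_json)
    if data.get("success") is not True:
        return False, "challenge failed: " + ",".join(data.get("error-codes", []))
    if data.get("hostname") != expected_hostname:
        return False, "hostname mismatch"
    return True, "ok"


if __name__ == "__main__":
    token = "x&response=y"   # constructed token containing reserved characters
    print(reject_duplicate_params(build_siteverify_body_unsafe("placeholder-secret", token)))
    print(reject_duplicate_params(build_siteverify_body("placeholder-secret", token)))
    print(interpret_siteverify_response('{"success": true, "hostname": "example.com"}', "example.com"))
```

Two points to keep in mind when wiring this into a site: the secret key belongs only in this server-side request (the site key is the one embedded in the page and is public), and the verification call must be made by the server, never trusted from a `success` flag the browser reports.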

How to add reCAPTCHA to a WordPress site with WebARX?

Firstly, if you don't have a WebARX account yet, you can register here and add the WebARX WordPress security plugin to your site. Learn how to do that here.

It's easy and won't take you more than 3 minutes. In addition to reCAPTCHA for WordPress, you will have access to many other important security features, such as a managed web application firewall, 2-factor authentication, firewall logs & analytics, software vulnerability monitoring, brute-force/XML-RPC protection and more.

With WebARX you have the option to enable reCAPTCHA for:

  • post comments;
  • login form;
  • registration form;
  • password reset form.

You can choose between invisible and normal reCAPTCHA V2. reCAPTCHA V3 will be available to WebARX users in 2020.

Installing reCAPTCHA for WordPress

  1. Log into your WordPress Dashboard.
  2. On your left side menu click Settings -> Security.
  3. Stay on the Hardening tab and scroll a bit down to reCAPTCHA.

You will see different options where to enable reCAPTCHA for WordPress. Check the boxes you want and choose your preferred version.

[Screenshot of the WebARX WordPress plugin]

After that, you will need a site and secret key for the reCAPTCHA feature.

How to get the site and secret key for the reCAPTCHA for WordPress?

You have to enter your own reCAPTCHA keys in order to use the reCAPTCHA feature; here is how.

  1. Log in to your Google account at https://www.google.com
  2. Go here: https://www.google.com/recaptcha/admin 
  3. Scroll down to the “Register a new site” section.
  4. In the label, enter your site name.
  5. Check “reCAPTCHA v2” OR “Invisible reCAPTCHA” depending on which reCAPTCHA version you want to use. (The “Invisible reCAPTCHA” feature is only available in our plugin version 1.3 and up.)
  6. In the domains field, enter your domain(s).
  7. Check the checkbox to agree to the terms.
  8. Click on “Register”.
  9. You will now see the “Site key” and “Secret key” which you will need to copy over to our plugin.
[Image: reCAPTCHA secret key and site key in WebARX]

After you have copied the site key and secret key and set your preferred options, click “Save settings” in the WebARX plugin.

Conclusion

CAPTCHAs play an important role in keeping the internet spam-free and making everyone’s experience a little bit better.

Always keep your site secure and add the important security features to your site. WordPress security is mostly affected by plugins and themes. In fact, 98% of WordPress vulnerabilities are related to plugins that extend the functionality and features of a website or a blog.

Therefore, keep the number of plugins on your WordPress site low, make sure you trust the source and developer and keep your software updated.

Links:

Learn more about reCAPTCHA V1 and V2: https://support.google.com/recaptcha/?hl=en

WebARX support article on how to get the site and secret key for the reCAPTCHA feature: https://support.webarxsecurity.com/en/articles/2165240-how-to-get-the-site-and-secret-key-for-the-recaptcha-feature
