One of the plugins available in the Kadence Full and Lifetime Bundles is Kadence reCAPTCHA, a simple and lightweight plugin that helps site owners add reCAPTCHA to contact forms, login forms, testimonial submission forms, and even WooCommerce review forms. Kadence reCAPTCHA adds GDPR support for privacy consent so no information will pass to Google reCAPTCHA without first getting user consent.
The Kadence reCAPTCHA plugin was recently updated to version 1.2.0, adding some new features and functionality including an option to hide the reCAPTCHA v3 badge, an option to change the reCAPTCHA v3 threshold score, an option to place a notice on forms, and a new settings panel.
Today, we’re reviewing how to use these features in Kadence reCAPTCHA, as well as looking at what reCAPTCHA is and why you might need it on your WordPress website.
What is reCAPTCHA?
reCAPTCHA is a free service offered by Google that any site owner can use. A “CAPTCHA” is a Turing test designed to distinguish human activity from bot activity. These protections are easy for humans to solve, but difficult for bots. There are two versions of reCAPTCHA that are currently available, v2 and v3. Both can be used by sites using Kadence reCAPTCHA.
ReCAPTCHA v2 asks the site visitor to solve a puzzle, such as identifying all of the pictures of traffic signals, boats, bridges, and motorcycles. This implementation of reCAPTCHA can feel clumsy and undesirable to site visitors, adding friction to the experience of submitting forms. reCAPTCHA v2 has improved its functionality in recent years, offering more user-friendly options that provide protection while at the same time offering a seamless experience for the end user.
There are now 2 different versions of Google’s reCAPTCHA v2 that you can use, the “I’m not a robot” checkbox and an invisible badge. The invisible badge is triggered when the site visitor completing your form clicks submit. Any visit to your site that looks like a bot will be prompted to solve a captcha.
ReCAPTCHA v3 detects abusive traffic on your website without interaction from site visitors. Instead of showing a CAPTCHA puzzle to complete, reCAPTCHA v3 returns a score so that the site owner can choose the most appropriate action. These scores allow a site owner to perform risk analysis for various use cases. The site owner has full control over what to do with the results of that analysis. This may require some tuning, and there is no option for an end user to override a false positive. Instead, a user may be presented with an error message fully interrupting their form submission or purchase. As such, reCAPTCHA v3 should be tested thoroughly before implementation in a full production environment.
Google also offers reCAPTCHA Enterprise. The enterprise solution is built on the same API as reCAPTCHA but offers enhanced detection as a part of their Google Cloud product. There is a charge for this service from Google, but it comes with advanced reporting. If you have already used reCAPTCHA, there are steps to migrate your existing reCAPTCHA site credentials to Google reCAPTCHA Enterprise. If not, you will still need to start with either reCAPTCHA v2 or reCAPTCHA v3.
Why sites should use reCAPTCHA
Malicious form submission activity is a fact of life for site owners, and reCAPTCHA protects against these types of automated attacks, either from spam bots or brute force login attacks. A closer look at these types of attacks makes it apparent why site owners should consider using reCAPTCHA.
Brute Force Login Attacks
Brute force attacks, often called credential-stuffing attacks, happen when a malicious attacker attempts to use lists of passwords to log in. These lists are found in a breach from another compromised system or sometimes they are a dictionary file. Attackers use these collections of possible passwords to attempt entry to a website or other systems.
For WordPress sites, attackers attempt to use these stolen credentials to access the wp-admin portion of your site to take over the site for malicious purposes. These attackers may try to infect WordPress pages with malware, redirecting site visitors to malicious websites. Or, they may try to use a compromised site to host phishing pages to collect passwords for bank accounts, or even email accounts.
These attacks are always automated, so foiling them is fairly simple with some layered approaches to security, including the use of reCAPTCHA. Using reCAPTCHA on your login forms, whether for administrators, customers, students or other user types, makes it more difficult for attackers to use automated attacks on your site.
Spam Form Submissions
While spam form submissions to contact forms, comment forms, review forms and others are less dangerous than a brute force login attack looking to take over a WordPress site, they still can be annoying and take time for site owners to clean out. As well, spam form submissions use a site’s resources and computing power, resources that are better used by serving useful content to authentic site visitors interested in your business. As with most malicious attacks, our goal is to make it troublesome for malicious attackers so that they take their merry band of bots elsewhere.
Which version of reCAPTCHA should you use?
Determining which version of reCAPTCHA is best for your site is dependent upon your site’s individual needs. No matter which version you choose, monitor and test your forms and their submissions to ensure that your site visitors are not negatively impacted by reCAPTCHA. If you choose to use Google’s reCAPTCHA v3, you may need to tune the implementation to ensure that site submissions are not blocked by reCAPTCHA v3 false positives identifying valid human traffic as bot traffic.
Getting started with Kadence reCAPTCHA
Getting reCAPTCHA set up might seem daunting at first, but we’ve made these steps easy to follow here. Both Kadence reCAPTCHA and Google have provided easy-to-use tools to integrate this capability into your forms.
Step 1. Turn site caching off
If you’re using any kind of caching on your site, whether through a CDN, page caching, or a caching plugin, ensure that your site is in development mode prior to adding reCAPTCHA to your forms. Whenever we are adding additional functionality to our site, any caching of forms and their supporting scripts may cause issues as we add reCAPTCHA. If you’re unsure of whether or not your site is using caching, you might want to check with your hosting provider to find out if there are any settings you should be aware of.
Step 2. Set up an account and your site with Google reCAPTCHA
First, you’ll need to set up an account and obtain site keys. Head over to Google’s reCAPTCHA admin pages and set up a site. You’ll have to enter a few details about your site and tell reCAPTCHA which service you’d like to use for your website. Use the primary domain, as all subdomains will work with the primary domain. (For example, if you’re using davessupercooldiner.com as your primary domain, vegas.davessupercooldiner.com for the Las Vegas location would work with the same setup. And if you’re Dave and you have a diner, let us know, we’d love to visit!)
If you’re setting up the site reCAPTCHA for a client, you can add the client’s email address and let reCAPTCHA know that both you and your client would like notifications about configuration issues or increases in suspicious submissions.
Step 3. Obtain your reCAPTCHA site key and secret key
Once you’ve agreed to Google reCAPTCHA’s terms of service, click the gear icon to obtain your reCAPTCHA keys. There will be two keys that you’ll use, one called the site key, another called the secret key. You’ll need both, so keep this window open. In the example below, we’re setting up a v2 invisible reCAPTCHA, but the site key and secret key work the same for v3.
Step 4. Enter your reCAPTCHA keys into Kadence reCAPTCHA
Make sure you have Kadence reCAPTCHA installed and activated on your site. Then, in your WordPress Administration dashboard, head to Settings > ReCAPTCHA Settings. On that page, you’ll see a form where you can first select which version of reCAPTCHA you are using, then paste your reCAPTCHA site key and secret key. These values will be used by any form you create on your site with Kadence. In the example below, we’re setting up a reCAPTCHA v3.
We need to also tell the plugin which reCAPTCHA score threshold we’d like to use. This will be something you may need to tune for your specific site. You’ll be able to monitor your scores within your Google reCAPTCHA admin console. Most site owners start with 0.5 and tune the threshold up or down depending on the results they see.
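To make the threshold decision concrete, here is an added Python example (not Kadence reCAPTCHA's code) that applies a threshold to a decoded reCAPTCHA v3 verification response and counts what each candidate threshold would have blocked. The field names success, score, action, hostname and error-codes are those of Google's siteverify response; the function names, the "contact" action, the example.com host and the labelled sample scores are assumptions constructed for illustration.

```python
# Added example: sample data is constructed, names are hypothetical.

def evaluate(resp, threshold=0.5, expected_action="contact",
             expected_host="example.com"):
    """Return (allowed, reason) for one decoded siteverify response."""
    if not resp.get("success"):
        # Token was rejected outright (expired, reused, wrong secret key...).
        return False, "verification failed: " + ",".join(resp.get("error-codes", []))
    if resp.get("hostname") != expected_host:
        # Token was solved on a different site than the one submitting it.
        return False, "hostname mismatch"
    if resp.get("action") != expected_action:
        # Token was issued for another form, e.g. reused from a comment form.
        return False, "action mismatch"
    score = resp.get("score")
    if not isinstance(score, (int, float)):
        return False, "missing score"
    # v3 scores run from 0.0 (very likely a bot) to 1.0 (very likely human).
    if score < threshold:
        return False, "score below threshold"
    return True, "ok"


def sweep(samples, thresholds):
    """For each threshold: humans blocked (false positives) and bots allowed."""
    rows = []
    for t in thresholds:
        blocked_humans = sum(1 for s, human in samples if human and s < t)
        allowed_bots = sum(1 for s, human in samples if not human and s >= t)
        rows.append((t, blocked_humans, allowed_bots))
    return rows


# Constructed (score, is_human) pairs, as if labelled by reviewing submissions.
SAMPLES = [(0.9, True), (0.7, True), (0.9, True), (0.4, True), (0.3, True),
           (0.1, False), (0.3, False), (0.1, False), (0.6, False), (0.2, False)]

if __name__ == "__main__":
    for t, fp, fn in sweep(SAMPLES, [0.3, 0.5, 0.7]):
        print(f"threshold {t}: {fp} humans blocked, {fn} bots allowed")
```

Running the sweep against your own reviewed submissions shows the trade-off directly: raising the threshold lets fewer bots through but blocks more legitimate visitors, who have no way to override the decision.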
Step 5. Set up form settings in Kadence reCAPTCHA
Next, tell Kadence reCAPTCHA where you’d like to use reCAPTCHA on your site. There are a number of places where you can enable reCAPTCHA, and Kadence reCAPTCHA allows you to configure reCAPTCHA anywhere on your site. Enable for post and page comments, lost password forms, registration, WooCommerce checkout, WooCommerce reviews, and use it to lessen the impact of brute force login attacks on your login forms.
Step 6. Set up design settings for your forms
On the Kadence reCAPTCHA design settings, you’ll see different options depending on whether or not you’re using Google’s reCAPTCHA v2 or v3. As v2 can have a visual component to it, you’ll need to instruct how Kadence reCAPTCHA should appear to your users. As well, for GDPR consent, you’ll want to enter what consent messages you would like Kadence reCAPTCHA to display to your site visitors.
If you’re using reCAPTCHA v3, which does not have a visual component, you’ll need to determine whether or not you’re hiding the badge, which will require an update to your privacy and terms of service.
Step 7. Test your forms!
Step 8. Monitor your forms
If submission frequency changes, double check your site’s reCAPTCHA data in Google’s reporting. In the same area where you created your site keys, reCAPTCHA will provide you with analytics to show you how reCAPTCHA is working for you.
How to get Kadence reCAPTCHA
Kadence reCAPTCHA is only available with our Full or Lifetime Bundles. At the time of this blog post, these bundles are available at 40% off as a part of our Black Friday sale.
The Kadence team is dedicated to providing easy to use, simple set up plugins like Kadence reCAPTCHA to help site owners create useful, fast, and effective sites. If you’re a customer using the Full or Lifetime Bundle, you’ll get access to any new products like Kadence reCAPTCHA that our team develops.