Google ReCaptcha For Secure WordPress Login and To Block Comment SPAM

Published 29th February 2016 (revised September 7th, 2017). Filed under: WordPress News and Updates, WordPress Security

Google ReCaptcha is both powerful and elegant – it should be on all WordPress sites.

The Shield team is always on the lookout for great ways to improve security. Simple, yet powerful techniques to thwart hackers is the name of the game.

With v5.0 of Shield you now have access to Google ReCaptcha for both the WordPress login form and the comments form. It blocks automated comment spam and bot-driven brute-force login attempts (it is a bot filter, not a substitute for strong passwords or rate limiting).

Find out what ReCaptcha is and how to get it on your site

What is Google ReCaptcha?

Image: the old Google reCAPTCHA challenge

You’ll remember the old Google reCaptcha system: distorted text that the visitor had to type back. It was frankly very frustrating for users and we never liked it.

As you can see in the example above, it was effective in the wrong way: not only did bots struggle with it, humans did too.

It probably did stop a lot of bots, but the cost in abandoned logins and comments was high.

What’s different with the new Google ReCaptcha?

You’ll have probably started to see this popping up more and more lately… we certainly have.

Image: the new Google reCaptcha checkbox on a WordPress form, and the challenge shown when Google isn’t sure

So we thought we’d investigate and we liked what we saw.

The new system works by offering a checkbox that the visitor needs to click. The widget sends various signals about the visitor and their browser to Google, which responds with a pass or a fail; that response is then verified by your server, using your secret key, before the form submission is accepted.

In the event that Google is “not sure”, a popup window asks the visitor to complete a simple image challenge (see screenshot).

Once the challenge is answered, the visitor is verified and can submit the form as normal.

It’s elegant. And now you can add it to your WordPress sites!

More info from Google’s blog can be found here.

How To: Google ReCaptcha v2 for WordPress

We’ve provided 2 main uses for ReCaptcha – WordPress login and WordPress comments.

You are free to turn it on for 1 or the other, or both.

The feature is available from v5.0 of Shield, and there are a few steps to complete before you can make full use of it.

1) Create your own ReCaptcha Keys

Image: registering your domains for ReCaptcha keys

  1. Go here
  2. Enter a label for these keys – something that you will recognise
  3. Enter all your WordPress domains in the large text area – 1 per line
  4. Click Register
  5. You’ll then be presented with a screen displaying your Recaptcha Site Key and Recaptcha Secret Key. The Site Key is embedded in your pages and is public by design; the Secret Key is used only server-side to verify responses with Google, so never put it in front-end code or a public repository, and generate a new key pair if it leaks.

2) Enter your new keys in the Shield plugin options

  1. Within the WordPress admin area click on Dashboard under the Shield security menu.
  2. Then open the tab ‘Third Party Services’
  3. You’ll see 2 options: ‘Recaptcha Secret Key’ and ‘Recaptcha Site Key’
  4. Supply the keys that were created in the previous section and save.
Image: the ReCaptcha key options in Shield Security

3) Turn on Recaptcha for Login / Comments

Now that your own Google ReCaptcha keys are in place, you can turn the feature on across your site.

For comment SPAM, look under the ‘Comments SPAM’ section, the ‘Bot SPAM’ tab, and you’ll see the option to enable ReCaptcha For Comments.

The same goes for Login: Login Protection > Brute Force > Enable Google ReCaptcha

Easy, right?!
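Shield’s own PHP implementation isn’t shown on this page, so here is an added example (not plugin code) of the server-side half of the flow described above: the browser widget posts a token in the `g-recaptcha-response` form field, the server forwards that token together with the Secret Key to Google’s siteverify endpoint, and only Google’s answer decides whether the login proceeds. It also shows why the captcha must be checked before the password, the ordering issue raised in the comments below. The endpoint URL and JSON field names (`success`, `hostname`, `error-codes`) are Google’s real ones; `fake_siteverify`, the tokens, the user table and the hostname `example.com` are constructed stand-ins so the example runs offline.

```python
"""Server-side reCAPTCHA v2 verification plus a leaky and a hardened login
flow.  Added example, not Shield plugin code.  The HTTP transport is
injectable so the whole thing runs offline against a constructed stand-in.
"""
import hashlib
import hmac
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"  # real endpoint
SECRET_KEY = "constructed-secret-key"   # the Secret Key from step 1 (fake here)
OUR_HOSTNAME = "example.com"            # a domain registered in step 1 (fake here)
GENERIC_ERROR = "Login failed."


def _https_post(url, body):
    """Default transport: a real HTTPS POST (never used in the offline run)."""
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def verify_recaptcha(token, remote_ip=None, post=_https_post):
    """True only if Google confirms the token AND it was solved on our hostname.

    Fails closed: a missing token, a transport error, malformed JSON,
    success=false, or a hostname mismatch (a token harvested on another
    site) all return False.
    """
    if not token:
        return False
    fields = {"secret": SECRET_KEY, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    try:
        raw = post(SITEVERIFY_URL, urllib.parse.urlencode(fields).encode())
        reply = json.loads(raw)
    except (OSError, ValueError):
        return False
    return reply.get("success") is True and reply.get("hostname") == OUR_HOSTNAME


# ---- constructed stand-in for Google's endpoint, so this runs offline ------
VALID_TOKEN = "tok-solved-on-example-com"
FOREIGN_TOKEN = "tok-solved-on-another-site"


def fake_siteverify(url, body):
    """Mimics the siteverify JSON shape for three constructed token values."""
    token = urllib.parse.parse_qs(body.decode()).get("response", [""])[0]
    if token == VALID_TOKEN:
        return json.dumps({"success": True, "hostname": OUR_HOSTNAME}).encode()
    if token == FOREIGN_TOKEN:
        return json.dumps({"success": True, "hostname": "attacker.invalid"}).encode()
    return json.dumps({"success": False,
                       "error-codes": ["invalid-input-response"]}).encode()


# ---- login flows -----------------------------------------------------------
# Constructed user table; plain SHA-256 stands in for a proper password hash
# (use bcrypt or argon2 in real code).
USERS = {"alice": hashlib.sha256(b"correct horse battery").hexdigest()}


def _password_ok(username, password):
    stored = USERS.get(username)
    given = hashlib.sha256(password.encode()).hexdigest()
    return stored is not None and hmac.compare_digest(stored, given)


def login_leaky(username, password, token, post=fake_siteverify):
    """The ordering reported in the comments: credentials first, captcha second.

    An attacker who never solves the captcha still learns which password is
    right, because the two failure messages differ.
    """
    if not _password_ok(username, password):
        return False, "The password you entered for the username %s is incorrect." % username
    if not verify_recaptcha(token, post=post):
        return False, "Whoops. Google reCAPTCHA was not submitted."
    return True, "ok"


def login_hardened(username, password, token, post=fake_siteverify):
    """Captcha gate first, credentials only afterwards, one message for every failure."""
    if not verify_recaptcha(token, post=post):
        return False, GENERIC_ERROR
    if not _password_ok(username, password):
        return False, GENERIC_ERROR
    return True, "ok"


if __name__ == "__main__":
    print(login_leaky("alice", "wrong", ""))
    print(login_leaky("alice", "correct horse battery", ""))      # different text: an oracle
    print(login_hardened("alice", "correct horse battery", ""))   # generic, no captcha solved
    print(login_hardened("alice", "correct horse battery", VALID_TOKEN))
```

Two practical notes. A siteverify token is short-lived and accepted once, so verify it exactly once per submission and never cache the result. And a response with `success: true` but a different `hostname` means the challenge was solved on someone else’s page with your public Site Key, which is why the hostname check above is not optional.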

Get Google ReCaptcha For WordPress Today

Google ReCaptcha is now very easy to use, and if you’re already running the Shield Security plugin you don’t need another plugin to get it.

Get your domains registered and start today!

Feedback, suggestions, questions or comments? Please comment below, thank you! 🙂


  • CssMfc says:

    About activating this security layer… On reCaptcha page there is step 2 and step 3
    Adding the code to the and the code for the form (where rC should be displayed). It may be a stupid question but I have to ask:
    I must add those codes too or just those 2 keys on my website > Shield settings ?

    PS: I might have posted twice, sorry if that happened.

  • Daniel Howard says:

    I think there’s an important bug with the implementation of recaptcha on logins (in version 5.1.0).

    If you submit the wrong password and ignore the recaptcha, the error message returned is ‘The password you entered for the username X is incorrect. ‘
    If you submit the right password and ignore the recaptcha, the error message returned is ‘Whoops. Google reCAPTCHA was not submitted.’

    This means the recaptcha is completely useless. An attacker can ignore the recaptcha while brute forcing, and detect they have discovered the right password from the error message.

    The recaptcha value must be checked before the password is considered for this to be any use.

    • Paul G. says:

      Hi Daniel,

      Thanks for pointing this out. It’s highlighted some improvements for the logic of this code, and other code, and the next release will see significant improvements in this area.

      Thanks again!

      • Daniel Howard says:

        Thanks for the reply Paul. I would suggest that the error message is changed to say the same thing in all cases. ‘Login failed’ or something equally generic. Then the attacker doesn’t know if the captcha was wrong, the username was wrong or the password was wrong.

        • Paul G. says:

          I may consider this as an option for future releases, but that sort of change would throw the world of WordPress logins into complete confusion as people wouldn’t know what they’re doing wrong. 🙂

  • Lindsay says:

    I tried to enable the reCaptcha for login and comments, but it messed up the reCaptcha that I already had enabled on my Forms. I’m using Gravity Forms and when the reCaptcha is enabled within the Shield plugin, it stops displaying on the front-end display of the forms. So, the user can’t submit, because the reCaptcha has disappeared. Do you have any familiarity with this issue?

    • Paul G. says:

      Hi Lindsay,

      I don’t unfortunately have any familiarity with this… I’d suggest you choose 1 or the other. Having two plugins both providing the ReCaptcha isn’t a good idea. Remove one of the implementations and you should be fine.

  • Help says:

    If anyone needs to know the place to enter the keys has changed to:
    Shield > Dashboard > Google

