How to set up reCAPTCHA
How to set up reCAPTCHA for WordPress and WooCommerce registration, reset password and login forms with WP Cerber
What is reCAPTCHA and how does it work?
reCAPTCHA is a human verification mechanism created and maintained by Google as a free web service.
Every time a user submits a form protected by reCAPTCHA, the WP Cerber plugin makes an HTTP request to the Google server to make sure that the form has been submitted by a human, not a bot. If the Google server replies negatively (“No, it’s a bot”), further processing of the form is interrupted and the user sees the message: ERROR: Human verification failed. Please click the square box in the reCAPTCHA block below.
By the way: Why reCAPTCHA does not protect WordPress from brute-force attack.
Let’s set up reCAPTCHA for WordPress forms
You can easily set up reCAPTCHA on a website that has the WP Cerber plugin installed. But before you can start using reCAPTCHA on any website, you have to obtain a Site key and a Secret key on the Google website. To get the keys, you need a Google account.
- Register your website and obtain both keys here: https://www.google.com/recaptcha/admin
- After the keys have been created for you, go to the reCAPTCHA settings page of the WP Cerber plugin.
- Copy the keys to the appropriate fields in the reCAPTCHA settings.
- Check the checkboxes for all forms you want to be verified with reCAPTCHA.
- Make sure that the reCAPTCHA widget is displayed correctly.
reCAPTCHA for WooCommerce
Important note for WooCommerce users: you cannot enable and use two reCAPTCHA widgets (for two forms) on the same page. Only one widget per page is allowed. So, if you have two forms on the same page, choose only one of them, the more important form. This is a limitation of the Google service, not of the plugin.
First of all, inspect the Activity tab.
If you see the message “reCAPTCHA settings are incorrect”, it means that your key and secret are not correct and have not been recognized by the Google server.
If you see the message “Request to the Google reCAPTCHA service failed”, it means that your web server is unable to connect to external servers. Ask your hosting provider about this issue. Sometimes hosting providers block outgoing HTTP requests from websites.
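The server-side check described at the top of this page, and the two failure cases above, can be sketched as follows. This is an added example in Python, not WP Cerber's own code: the `transport` parameter, the mapping of Google's replies to the three messages, and the choice to block the form whenever verification cannot be completed are assumptions of the example.

```python
import json
import urllib.parse
import urllib.request

VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
# siteverify error codes that blame the site's Secret key, not the visitor.
KEY_ERRORS = {"missing-input-secret", "invalid-input-secret"}
MSG_BOT = "Human verification failed"
MSG_KEYS = "reCAPTCHA settings are incorrect"
MSG_NET = "Request to the Google reCAPTCHA service failed"


def post_to_google(fields, timeout=5):
    """Default transport: POST form fields to siteverify, return the body."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(VERIFY_URL, data=data, timeout=timeout) as r:
        return r.read().decode("utf-8")


def verify_submission(secret, token, transport=post_to_google):
    """Return (allowed, reason); anything except success=true blocks the form."""
    if not token:  # empty g-recaptcha-response field: widget was never solved
        return False, MSG_BOT
    try:
        reply = json.loads(transport({"secret": secret, "response": token}))
    except (OSError, ValueError):  # blocked outgoing HTTP, timeout, non-JSON
        return False, MSG_NET
    if not isinstance(reply, dict):
        return False, MSG_NET
    if reply.get("success") is True:
        return True, "ok"
    if KEY_ERRORS & set(reply.get("error-codes") or []):
        return False, MSG_KEYS
    return False, MSG_BOT  # e.g. invalid-input-response, timeout-or-duplicate


if __name__ == "__main__":
    # Constructed replies standing in for Google's server (no network needed).
    samples = {
        "human": '{"success": true, "hostname": "example.test"}',
        "bot": '{"success": false, "error-codes": ["invalid-input-response"]}',
        "bad key": '{"success": false, "error-codes": ["invalid-input-secret"]}',
    }
    for name, body in samples.items():
        print(name, verify_submission("secret", "token", lambda f, b=body: b))
```

The Secret key is sent only from the web server to Google and never appears in the page; only the Site key is embedded in the form.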
Although Google offers this service for free, it’s not completely free, because Google is a huge business and does not give things away for nothing. You pay something in return: in this case you share some details, unknown to us, about your browser and your website.
The following explanation is taken from the Google website; you can check it when you register your website on the reCAPTCHA service page.
You acknowledge and understand that the reCAPTCHA API works by collecting hardware and software information, such as device and application data and the results of integrity checks, and sending that data to Google for analysis. Pursuant to Section 3(d) of the Google APIs Terms of Service, you agree that if you use the APIs that it is your responsibility to provide any necessary notices or consents for the collection and sharing of this data with Google. For users in the European Union, you and your API Client(s) must comply with the EU User Consent Policy currently located at
What does reCAPTCHA look like?
Sometimes you might see a somewhat more complicated graphical reCAPTCHA with a set of images.