Securing forms in WordPress with Google reCAPTCHA

Form attacks come in a number of guises, most commonly:

  • Brute force attacks - where an attacker repeatedly submits different username and password combinations to your WordPress login, registration or password reset forms in an attempt to gain access.
  • Contact form spam - where an unprotected form on your site is repeatedly used to send you spam email.

A relatively simple way to stop both of these issues is by implementing Google reCAPTCHA.

For an explanation of what Google reCAPTCHA is and how to obtain the necessary 'keys' used in this guide please see our separate guide detailing how to sign-up for Google reCAPTCHA and obtain your keys. Please read and follow the instructions in that guide before continuing here.

Brute force attacks

We suggest using a plugin to enable Google reCAPTCHA on your site's various WordPress forms (login, registration, password reset, etc.).

We recommend Advanced noCaptcha & invisible Captcha (v2 & v3) (external link opens in a new window). There is a paid version of this plugin, but the free version will handle most requirements.

You'll need to be logged in to WordPress as an Administrator, or have sufficient privileges to be able to install a plugin.

  1. From the WordPress dashboard, select Plugins > Add New or from the Plugins screen click the Add New button.
  2. Start typing advanced nocaptcha into the search box and the correct plugin should show up in the results.
    Click the Install Now button.
  3. Once the plugin has installed click the Activate button.
  4. Access the settings for the plugin - either via the left hand menu or by clicking the Settings link underneath the plugin name.
  5. Within the plugin's settings start by selecting the version of reCAPTCHA that you have keys for.
    Then, copy and paste your Site and Secret keys into the appropriate boxes.
    Finally, select the WordPress forms you'd like to protect with reCAPTCHA.
  6. The Other Settings section changes slightly depending upon which version of captcha you select.
    The default settings here are usually fine.
    Click Save Changes to finish and the WordPress forms you selected will now be protected with reCAPTCHA.

Contact Form Spam

We suggest using a form plugin that supports reCAPTCHA, either built in or by leveraging another plugin - there are many to choose from.

We suggest Contact Forms by WPForms (external link opens in a new window), as the free version has captcha functionality built in and will work well as a basic contact form in most cases.

The process for enabling other plugins will likely be similar.

This guide only walks you through how to enable the reCAPTCHA function - you will need to consult the plugin's online documentation to actually build your form.

You'll need to be logged in to WordPress as an Administrator, or have sufficient privileges to be able to install a plugin.

  1. From the WordPress dashboard, select Plugins > Add New or from the Plugins screen click the Add New button.
  2. Start typing wpforms into the search box and the correct plugin should show up in the results.
    Click the Install Now button.
  3. Once the plugin has installed click the Activate button.
  4. From the left-hand menu select WPForms > Settings.
  5. Click the reCAPTCHA tab.
    Select the Type of reCAPTCHA you are using and enter your Site and Secret keys.
    Click Save Settings to complete the process.

Any forms you now create will be protected by Google reCAPTCHA.
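Both plugins above do the same thing behind the scenes: they place the reCAPTCHA widget on the form, then, when the form is submitted, send the token from the browser together with your Secret key to Google's siteverify endpoint and only let the submission through if Google confirms it. The following is an added illustration of that mechanism for both the login form (brute force section) and a contact form handler; it is not code from Krystal, WPForms or the Advanced noCaptcha plugin. The option names `example_recaptcha_site_key` / `example_recaptcha_secret`, the function names, and the `example_contact` form action are assumptions made for this example; the hooks (`login_form`, `wp_authenticate_user`, `admin_post_*`) and helpers (`wp_remote_post`, `wp_remote_retrieve_body`) are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: reCAPTCHA v2 verification example
 * Description: Added illustration of what a reCAPTCHA plugin does behind the
 *              scenes. Not code from Krystal, WPForms or Advanced noCaptcha.
 *
 * Drop into wp-content/mu-plugins/ to try it. Option and function names are
 * placeholders chosen for this example.
 */

// Site key (public, embedded in the page) and Secret key (server only) come
// from the Google reCAPTCHA admin console. Stored as WordPress options here.
function example_recaptcha_site_key() {
    return get_option( 'example_recaptcha_site_key', '' );
}

/**
 * Verify the token the browser posted in g-recaptcha-response against Google's
 * siteverify endpoint. Returns true only if Google reports success AND the
 * hostname in the reply matches this site, so a token solved on another
 * domain cannot be reused here. Any failure (network, non-200, bad JSON)
 * fails closed: the form is NOT let through.
 */
function example_recaptcha_verify( $token ) {
    if ( ! is_string( $token ) || '' === $token ) {
        return false;
    }

    $response = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 10,
        'body'    => array(
            'secret'   => get_option( 'example_recaptcha_secret', '' ),
            'response' => $token,
            'remoteip' => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        ),
    ) );

    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return false;
    }

    $result = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( empty( $result['success'] ) ) {
        return false;
    }

    // Google echoes the hostname the challenge was solved on; bind it to this site.
    $expected_host = wp_parse_url( home_url(), PHP_URL_HOST );
    if ( empty( $result['hostname'] ) || 0 !== strcasecmp( $result['hostname'], $expected_host ) ) {
        return false;
    }

    return true;
}

// 1. Render the v2 checkbox widget inside the WordPress login form.
add_action( 'login_enqueue_scripts', function () {
    wp_enqueue_script( 'example-recaptcha', 'https://www.google.com/recaptcha/api.js', array(), null, true );
} );

add_action( 'login_form', function () {
    printf( '<div class="g-recaptcha" data-sitekey="%s"></div>', esc_attr( example_recaptcha_site_key() ) );
} );

// 2. Reject the login attempt if the captcha token is missing or fails
//    verification. A brute-force script that cannot solve the challenge
//    never gets a password accepted, whatever it guesses.
add_filter( 'wp_authenticate_user', function ( $user ) {
    if ( is_wp_error( $user ) ) {
        return $user;
    }
    $token = isset( $_POST['g-recaptcha-response'] ) ? wp_unslash( $_POST['g-recaptcha-response'] ) : '';
    if ( ! example_recaptcha_verify( $token ) ) {
        return new WP_Error( 'recaptcha_failed', __( 'Please complete the reCAPTCHA check.' ) );
    }
    return $user;
}, 10, 1 );

// 3. The same helper protects a contact form. Here the form posts to
//    admin-post.php with action=example_contact (an assumed form name) and
//    carries the same g-recaptcha-response field rendered by the widget.
add_action( 'admin_post_nopriv_example_contact', 'example_handle_contact' );
add_action( 'admin_post_example_contact', 'example_handle_contact' );
function example_handle_contact() {
    $token = isset( $_POST['g-recaptcha-response'] ) ? wp_unslash( $_POST['g-recaptcha-response'] ) : '';
    if ( ! example_recaptcha_verify( $token ) ) {
        wp_die( esc_html__( 'reCAPTCHA verification failed.' ), '', array( 'response' => 403 ) );
    }
    // Captcha passed: send the message with wp_mail() here, then redirect.
    wp_safe_redirect( add_query_arg( 'sent', '1', wp_get_referer() ) );
    exit;
}
```

The important point for a site owner is where the check happens: the Secret key is never sent to the browser, and the decision is made on the server after asking Google, which is why the plugins above need both keys. The hostname comparison is the extra check worth having, because a token is only proof that a challenge was solved, not that it was solved on your site.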


© Krystal Hosting Ltd 2002–