reCAPTCHA: Easy for Humans and Hard for bots

Secure your website without causing user friction.

Captchas are used on many websites to protect user accounts from bots and other automated programs, preventing them from accessing the website.

According to Imperva's research, harmful bots generated 25.6% of all web traffic in 2020. They are used by spammers to send automated messages to users, and by hackers to attack websites with automated scripts that often wreak havoc on the site's performance.

Additionally, hackers may delete pages and posts, or steal important customer information from your website.

The most common methods of authentication are:

  • 2FA - 2-factor authentication
  • SSL certificate

To distinguish between real humans and bots, Luis von Ahn, David Abraham, Manuel Blum, Michael Crawford, Ben Maurer, Colin McMillen, and Edison Tan at Carnegie Mellon University's main Pittsburgh campus developed CAPTCHA, which was later acquired by Google.

In short, CAPTCHA stands for:

Completely Automated Public Turing Test to tell Computers and Humans Apart.

A CAPTCHA test can be easily beaten by robots or hackers, which prompted the development of reCAPTCHA.

Here we will dig deeper into what reCAPTCHA is and how it can be implemented on your website.

  1. What is reCAPTCHA?
  2. How does Google reCAPTCHA work?
  3. How to install reCAPTCHA on a website?

What is reCAPTCHA?

reCAPTCHA is a free service and an automated system that helps websites protect their users from spam and junk emails. It can be used to verify that users are human and not automated scripts.


The service was originally developed by Google primarily to protect Google's search as a way to prevent the creation of spam comments.

Use Cases

  1. Prevents fraudulent transactions such as purchasing goods with stolen credit cards.
  2. Prohibits the propagation of false information and malicious links.
  3. Puts an end to brute-force attacks, in which hackers repeatedly try to log in using hundreds of different passwords.
  4. Protects you from hackers who sign up from multiple email accounts and then use them for illegal purposes.
  5. Stops cybercriminals from posting dodgy comments and mentioning other websites on blogs or news websites.
  6. Increases the security of online shopping.

Is reCAPTCHA free?

There is no charge for the first million API calls per month. reCAPTCHA Enterprise plans are available to organizations that generate over 1 million API calls monthly.

Each API call up to 10 million in reCAPTCHA Enterprise costs $1, and custom pricing applies to calls above 10 million.

How does Google reCAPTCHA work?

First, a few websites, including IRCTC, use traditional CAPTCHA, which forces users to identify distorted letters and alphanumeric data.


To pass the test, form fields must be filled out with the correct text after humans interpret the distorted text. In this method, the letters are distorted in such a way that they cannot be identified by bots. It is recommended that users try again if the letters do not match.

Bots built using Artificial Intelligence and Machine Learning can now recognize distorted text and pass these tests with an accuracy of 99.8%. reCAPTCHA therefore took the place of these tests, in a form called "No CAPTCHA reCAPTCHA".

Some reCAPTCHAs still use the same method with a minor difference in the text. The texts are sourced from real-world images, pictures of street addresses, print books, old newspapers, and so on.

Over time, Google has upgraded the functionality of reCAPTCHA tests, which include:

  • Image recognition
  • Checkbox


The verification process of the Image reCAPTCHA test uses 9-16 real-life lower resolution images in the form of squares. The images could be identical or they could be different.

Users will be asked to choose an image, such as a zebra crossing, traffic lights, fire hydrant, etc. Following the selection of the boxes with appropriate images, users should submit the verification test. In Google's view, if a user's answer matches most other users' responses, then the answer is deemed correct.

This test presents images that we are likely to see daily and that humans can easily identify. Even the most intelligent AI bots will have difficulty selecting objects from low-resolution images.

Checkbox reCAPTCHA

reCAPTCHAs of this type do not require any tests or recognition of anything to pass them. The user has to select the checkbox with the text "I'm not a robot" to pass the test.

Since it is very easy for bots to click on the checkbox, you might wonder how it can be a way to detect spammers.

Google automatically captures the cursor movement of users who click on the checkbox. A bot cannot simulate this movement, since it moves to the checkbox in a straight line, so it fails the test.

The green check box icon will appear upon clicking the checkbox in response to the cursor movement made by the user. Furthermore, this test examines the user's browser's HTTP cookies and history.

For visually impaired users, this test is also available in an audio version. Users will hear distorted audio, prompting them to enter the correct answer in the respective field.

How to install reCAPTCHA on a website?

Installing reCAPTCHA can be done manually or using a WordPress plugin. You must select the type and location of the reCAPTCHA test you wish to use on your site.

Tests are available in four types; you can choose one among them based on the needs of your users and what kind would give them the best user experience.

The four types of reCAPTCHA are listed below:

  1. reCaptcha v3
  2. reCaptcha v2 - “I’m not a robot” Checkbox
  3. Invisible reCaptcha v2
  4. reCaptcha Android

Depending on your preferences, you can choose where to place the reCAPTCHA service on your website. This service is typically accessible through online forms such as sign up, contact, and others.

Before installing, get the API key from the reCAPTCHA admin panel.

Fill out the form to receive the reCAPTCHA API key.

  1. Specify the name of the label.
  2. Choose the type of reCAPTCHA you would like to use on your site.
  3. Fill in the domain. It is also possible to enter more than one domain.
  4. Under Owners, the email will be automatically assigned to your Gmail account since it is a Google tool. Alternatively, you can add one or more e-mail addresses.
  5. Submit the form by clicking on the "Accept reCAPTCHA Terms of Service" button.

Upon submitting the form, you will be provided with an API key (the site key) and a secret key. Use the API key in the HTML form and the secret key for communication between your site's server and reCAPTCHA.

Installing Manually

Install reCAPTCHA manually by adding it to the PHP or HTML file. Access the root folder of your site and add the following code to the header of the PHP forms you want to protect.

<script src="https://www.google.com/recaptcha/api.js" async defer></script>

Copy and paste the below code before the submit line.

<div class="g-recaptcha" data-sitekey="your_site_key"></div>
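
The two snippets above only render the widget in the browser; the check itself happens on your server, where the secret key is used to verify the token the widget adds to the form as `g-recaptcha-response`. As an added example (not part of the original article), the PHP below posts that token to Google's `siteverify` endpoint and fails closed unless the reply is successful, recent and issued for your hostname. The function names, `$secretKey`, `example.com` and the sample replies are constructed for illustration.

```php
<?php
// Added example: server-side check of the token the widget posts as "g-recaptcha-response".
const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

// Send token + secret key to Google; returns the decoded JSON reply, or null on failure.
function recaptcha_siteverify(string $secret, string $token, ?string $remoteIp = null): ?array
{
    $fields = ['secret' => $secret, 'response' => $token];
    if ($remoteIp !== null) {
        $fields['remoteip'] = $remoteIp;
    }
    $context = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query($fields),
        'timeout' => 5,
    ]]);
    $body = @file_get_contents(SITEVERIFY_URL, false, $context);
    $reply = ($body === false) ? null : json_decode($body, true);
    return is_array($reply) ? $reply : null;
}

// Decide whether to accept the form. Fails closed on any missing or unexpected field.
function recaptcha_accept(?array $reply, array $allowedHosts, int $maxAgeSeconds = 120, ?int $now = null): bool
{
    if ($reply === null || ($reply['success'] ?? false) !== true) {
        return false;                      // network error, invalid token, or reused token
    }
    if (!in_array($reply['hostname'] ?? '', $allowedHosts, true)) {
        return false;                      // token was solved on a different site
    }
    $solvedAt = strtotime($reply['challenge_ts'] ?? '');
    $now = $now ?? time();
    return $solvedAt !== false && ($now - $solvedAt) <= $maxAgeSeconds && $solvedAt <= $now + 30;
}

// In a form handler (hypothetical names):
//   recaptcha_accept(recaptcha_siteverify($secretKey, $_POST['g-recaptcha-response'] ?? ''), ['example.com'])
// Constructed sample replies (not real Google output) to exercise the decision offline.
$now = strtotime('2024-01-01T12:01:00Z');
$samples = [
    'valid'       => ['success' => true, 'challenge_ts' => '2024-01-01T12:00:30Z', 'hostname' => 'example.com'],
    'wrong host'  => ['success' => true, 'challenge_ts' => '2024-01-01T12:00:30Z', 'hostname' => 'other.example'],
    'stale'       => ['success' => true, 'challenge_ts' => '2024-01-01T11:00:00Z', 'hostname' => 'example.com'],
    'rejected'    => ['success' => false, 'error-codes' => ['timeout-or-duplicate']],
    'no response' => null,
];
foreach ($samples as $name => $reply) {
    printf("%-12s %s\n", $name, recaptcha_accept($reply, ['example.com'], 120, $now) ? 'accept' : 'reject');
}
```

Keep the secret key out of the HTML and out of version control; only the site key belongs in the page.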

Installing reCAPTCHA Using a WordPress Plugin

WordPress plugins make it easy to install reCAPTCHA. As a first step, you need to identify the reCAPTCHA WordPress plugin that you wish to install on your website. There are several remarkable plugins for reCAPTCHA installation on your site.

The following steps will guide you through finding WP plugins:

  1. Log in to your WordPress dashboard.
  2. Navigate to the Plugins section.
  3. Use the search bar to look for "reCAPTCHA".

The plugin will list out the various options available within WordPress, allowing you to choose the one that suits your preferences. Make sure the plugin is compatible with your WordPress version before installing.

To install the reCAPTCHA WordPress plugin:

  1. Click "Install Now" on the selected WordPress plugin.
  2. Click "Activate Plugin" to install and enable the WP reCAPTCHA plugin.

After you have installed the plugin, navigate to the location (Ex: Contact Form, Sign Up Form) where you will need to add the reCAPTCHA service in the Dashboard.

To set up the integration:

  1. Click on the "Setup integration" button under reCAPTCHA.
  2. Enter the generated API key and secret key, then click "Save Changes". To check that the keys have been added, click on the "Setup integration" button again.

WordPress will display the two keys after the integration process has been completed.

To add reCAPTCHA to a sign up form:

  1. Navigate to Dashboard --> Contact --> Add New.
  2. Add a title in the "Enter title here" section to each form in order to distinguish them if you are adding reCAPTCHA to many forms.
  3. Add reCAPTCHA before the [submit "Submit"] line in your code and click on the "SAVE" button.

It will generate a short code for you. Copy the code and paste it into the Gutenberg editor, and the form and reCAPTCHA test will be automatically integrated.


In conclusion, reCAPTCHA certainly presents a threat to benign bot traffic while also helping you eliminate malicious bot traffic from your website or app.

It uses an advanced risk analysis engine to determine the likelihood that a given user is actually a human. It's also fast, easy to integrate and works on all devices.

It improves the user experience for both website owners and end users. Therefore, if you have not yet considered using reCAPTCHA on your website, you should definitely do so.

Stay on top by protecting your site from malicious bots and delivering the best to your customers.



CMO at Atatus.
