Protecting WordPress Forms With hCaptcha


In just 10 minutes, you can dramatically improve the defense of your WordPress website by adding hCaptcha to protect your website’s forms. Owners of WordPress websites are all too familiar with the ongoing battle against malicious bots and website attackers.

I recently talked, in a post on enforcing strong passwords in WordPress, about the maximum length of time it takes a password cracker to work out your password. Anything you can do to slow down how quickly an attacker can attempt to log in increases that amount of time exponentially.

Another common attack: bots are often deployed to look for website contact forms and use them to send phishing emails to the website operators, hoping to get access to whatever they can through the attempt.

Do you run an Ecommerce site using WordPress and WooCommerce? Adding hCaptcha to verify submissions to your store can help keep your site from potential scam purchases.

These are only a handful of examples of ways applying a captcha can be beneficial to your website. I’m sure you can think of others on your own.

This article is part of a series on WordPress security. Be sure to check out additional articles in the series for additional valuable information.

Why hCaptcha Instead Of Google’s reCaptcha?

If you’re asking, “Why use hCaptcha instead of reCaptcha?” … that’s an excellent question! Two reasons.

1 – hCaptcha is easier to sign up for and implement. Seriously … try looking at Google’s documentation on anything sometime.

2 – hCaptcha is more privacy respecting than reCaptcha. Whereas Google collects data absolutely everywhere they can about anyone, hCaptcha only cares “whether a visit is good or bad” and complies with GDPR, CCPA, and all other major privacy regulations.

Creating Your hCaptcha Account

The first thing you’ll need is an account on hCaptcha’s website (affiliate). On the front page of the website, click either of the blue Sign Up buttons to begin.

hCaptcha Signup Process – Front Page

Next, you’re asked to choose what kind of account you’re looking to create. We’re going to choose Add hCaptcha for Publishers to my website or app.

hCaptcha Signup Process – Choose hCaptcha for Publishers

Next you’re asked to provide your email address, country, and to complete a captcha verifying that you are indeed a human.

hCaptcha Signup Process – Email & Country

And that’s all it takes to get signed up. A new Sitekey is automatically generated for you as part of the account creation process. You’ll need the Sitekey and Secret key displayed on this screen when you go to configure the hCaptcha WordPress plugin.

hCaptcha Signup Process – Welcome Message

If you think you might have need for multiple keys, it’s a good idea to go into the settings for your Sitekey and include additional information such as the Name and what domain(s) the key would be used on. After making changes, be sure to click Save.

hCaptcha Sitekey Settings

Locating Your Secret Key

If you happen to have already misplaced your account’s Secret Key, it can be found by clicking on the profile picture icon in the top right corner of the screen and choosing Settings from the menu.

Locate hCaptcha Secret Key

Additional Sitekeys

Creating additional Sitekeys can be done easily by going to the Sites page and clicking the blue New Site button. The interface for creating a new key is nearly identical to the Settings page we went over earlier.

New hCaptcha Sitekey

NOTE – while you’re able to create multiple Sitekeys with your account, you only have a single Secret key for the account.

hCaptcha WordPress Plugin

Now that you’ve got an hCaptcha account and have obtained your Sitekey and Secret Key, we next need to install the hCaptcha WordPress plugin. Once the plugin is installed and activated, go to the Settings menu and select hCaptcha.

Paste in your Sitekey and Secret key where indicated and select any forms that you need hCaptcha to protect. At minimum, any WordPress site can protect the login form, registration form, lost password form, and comment forms – and I recommend doing so.

hCaptcha WordPress Plugin Settings

In addition to the standard WordPress forms, hCaptcha is designed to integrate easily with a number of 3rd party forms from bbPress, BuddyPress, Contact Form 7, Divi, Elementor, Gravity Forms, Ninja forms, WooCommerce, and others. Go through the list on the SETTINGS page to identify which of the forms your website uses it can protect, and select them. Once you’ve made all of your selections, click the blue Save hCaptcha Settings button.

Check That It Works

Once you’ve configured hCaptcha for the various forms you need it to protect, check them out to be sure everything is working properly. NOTE – if you selected “turn off when logged in” you’ll need to either log out or open your website in an incognito / private browser.

I’ve provided a couple examples of what this might look like – one on a WordPress login screen …

Testing hCaptcha – WordPress Login

… and the other on a WordPress comment form.

Testing hCaptcha – WordPress Comment Form
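
A scripted version of this check, as an added example that is not part of the original article or the plugin's code: it parses a page's HTML, reports for each form whether it contains an hCaptcha widget carrying your Sitekey, and confirms the Secret key never appears in the markup. The sample page, key values and function names are constructed placeholders, and it assumes the widget is rendered as an element with class `h-captcha` and a `data-sitekey` attribute.

```python
from html.parser import HTMLParser

SITEKEY = "00000000-0000-0000-0000-000000000000"  # constructed placeholder
SECRET = "0xPLACEHOLDER_SECRET"                   # constructed placeholder

# Constructed sample page: a protected login form and an unprotected comment form.
SAMPLE = """
<form id="loginform" action="/wp-login.php" method="post">
  <input name="log"><input name="pwd" type="password">
  <div class="h-captcha" data-sitekey="00000000-0000-0000-0000-000000000000"></div>
</form>
<form id="commentform" action="/wp-comments-post.php" method="post">
  <textarea name="comment"></textarea>
</form>
"""

class FormCaptchaAudit(HTMLParser):
    """Record, for each <form>, the sitekeys of hCaptcha widgets inside it."""
    def __init__(self):
        super().__init__()
        self.forms = []        # list of (form name, [sitekeys found])
        self._current = None   # form being parsed, or None outside a form

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = (a.get("id") or a.get("action") or "?", [])
            self.forms.append(self._current)
        elif self._current is not None:
            classes = (a.get("class") or "").split()
            if "h-captcha" in classes and a.get("data-sitekey"):
                self._current[1].append(a["data-sitekey"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit(html, expected_sitekey, secret_key):
    """Return ({form: status}, secret_leaked) for one page of HTML."""
    parser = FormCaptchaAudit()
    parser.feed(html)
    report = {}
    for name, keys in parser.forms:
        if not keys:
            report[name] = "unprotected"
        else:
            report[name] = "protected" if expected_sitekey in keys else "wrong-sitekey"
    return report, secret_key in html  # the Secret key must stay server-side

if __name__ == "__main__":
    print(audit(SAMPLE, SITEKEY, SECRET))
```

Feed it the HTML of each page as served to a logged-out visitor, for the same reason given in the note above.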

Conclusion

A few minutes is all that’s required to add additional protection against bots to your website and act as a form of brute-force prevention against password hackers by deploying hCaptcha. Consider checking out my recent posts on Enforcing Strong Passwords In WordPress and Setup Two-Factor Authentication On WordPress for additional easy-to-implement yet effective security measures for WordPress. Pairing hCaptcha with two-factor authentication makes for an amazingly effective defense against potential intruders.

If you found this article helpful or have any questions, I encourage you to please share this article with others and/or leave a comment below. Thanks for reading and I hope you visit again soon!
