In just 10 minutes, you can dramatically improve the defense of your WordPress website by adding hCaptcha to protect your website’s forms. Owners of WordPress websites are all too familiar with the ongoing battle against malicious bots and website attackers.
I recently talked in a post on enforcing strong passwords in WordPress about the maximum time it takes a password cracker to work out your password. Anything you can do that would slow down how quickly an attacker can attempt to log in increases that amount of time exponentially.
Another common attack: bots are often deployed to look for website contact forms and use them to send phishing emails to the website operators, hoping to get access to whatever they can through the attempt.
Do you run an Ecommerce site using WordPress and WooCommerce? Adding hCaptcha to verify submissions to your store can help keep your site from potential scam purchases.
These are only a handful of examples of ways applying a captcha can be beneficial to your website. I’m sure you can think of others on your own.
This article is part of a series on WordPress security. Be sure to check out additional articles in the series for additional valuable information.
Why hCaptcha Instead Of Google’s reCaptcha?
If you’re asking, “Why use hCaptcha instead of reCaptcha?” … that’s an excellent question! Two reasons.
1 – hCaptcha is easier to sign up for and implement. Seriously … try looking at Google’s documentation on anything sometime.
2 – hCaptcha is more privacy respecting than reCaptcha. Whereas Google collects data absolutely everywhere they can about anyone, hCaptcha only cares “whether a visit is good or bad” and complies with GDPR, CCPA, and all other major privacy regulations.
Creating Your hCaptcha Account
The first thing you’ll need is an account on hCaptcha’s website (affiliate). On the front page of the website, click either of the blue Sign Up buttons to begin.
Next, you’re asked to choose what kind of account you’re looking to create. We’re going to choose Add hCaptcha for Publishers to my website or app.
Next you’re asked to provide your email address, country, and to complete a captcha verifying that you are indeed a human.
And that’s all it takes to get signed up. A new Sitekey is automatically generated for you as part of the account creation process. You’ll need the Sitekey and Secret key displayed on this screen when you go to configure the hCaptcha WordPress plugin.
If you think you might have need for multiple keys, it’s a good idea to go into the settings for your Sitekey and include additional information such as the Name and what domain(s) the key would be used on. After making changes, be sure to click Save.
Locating Your Secret Key
If you happen to have already misplaced your account’s Secret Key, it can be found by clicking on the profile picture icon in the top right corner of the screen and choosing Settings from the menu.
Creating additional Sitekeys can be done easily from the Sites page and clicking the blue New Site button. The interface for creating a new key is nearly identical to the Settings page we went over earlier.
NOTE – while you’re able to create multiple Sitekeys with your account, you only have a single Secret key for the account.
hCaptcha WordPress Plugin
Now that you’ve got an hCaptcha account and have obtained your Sitekey and Secret Key, we next need to install the hCaptcha WordPress plugin. Once the plugin is installed and activated, go to the Settings menu and select hCaptcha.
Paste in your Sitekey and Secret key where indicated and select any forms that you need hCaptcha to protect. At minimum, any WordPress site can protect the login form, registration form, lost password form, and comment forms – and I recommend doing so.
In addition to the standard WordPress forms, hCaptcha is designed to integrate easily with a number of third-party forms from bbPress, BuddyPress, Contact Form 7, Divi, Elementor, Gravity Forms, Ninja forms, WooCommerce, and others. Go through the list on the SETTINGS page to identify which forms your website is using that it can protect, and select them. Once you’ve made all of your selections, click the blue Save hCaptcha Settings button.
Check That It Works
Once you’ve configured hCaptcha for the various forms you need it to protect, check them out to be sure everything is working properly. NOTE – if you selected “turn off when logged in” you’ll need to either log out or open your website in an incognito / private browser.
I’ve provided a couple examples of what this might look like – one on a WordPress login screen …
… and the other on a WordPress comment form.
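The visual check above can be backed up with a scripted one. The following is an added example, not code from this article or the hCaptcha plugin: it scans the saved page source of each protected form (captured while logged out) for an hCaptcha widget carrying your Sitekey, and flags any page where the Secret key appears. It assumes the widget is rendered as an element with the `h-captcha` class and a `data-sitekey` attribute; the keys and HTML below are constructed samples.

```python
from html.parser import HTMLParser

# Constructed placeholder values, not real keys.
SITEKEY = "00000000-0000-0000-0000-000000000000"
SECRET = "0xCONSTRUCTED_SECRET_PLACEHOLDER"


class WidgetFinder(HTMLParser):
    """Collects data-sitekey values from elements with the h-captcha class."""

    def __init__(self):
        super().__init__()
        self.sitekeys = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        classes = (attr.get("class") or "").split()
        if "h-captcha" in classes and attr.get("data-sitekey"):
            self.sitekeys.append(attr["data-sitekey"])


def check_form_page(html, expected_sitekey, secret_key):
    """Return a list of problems found in one rendered form page."""
    finder = WidgetFinder()
    finder.feed(html)
    problems = []
    if not finder.sitekeys:
        problems.append("no hCaptcha widget rendered")
    elif expected_sitekey not in finder.sitekeys:
        problems.append("widget uses an unexpected Sitekey")
    # The Secret key belongs only in the plugin settings, never in page output.
    if secret_key and secret_key in html:
        problems.append("Secret key is exposed in the page source")
    return problems


# Constructed page sources standing in for saved copies of your forms.
PAGES = {
    "login": f'<form id="loginform"><div class="h-captcha" data-sitekey="{SITEKEY}"></div></form>',
    "comment": '<form id="commentform"><textarea name="comment"></textarea></form>',
    "contact": f'<form><div class="h-captcha" data-sitekey="{SITEKEY}"></div><!-- {SECRET} --></form>',
}

if __name__ == "__main__":
    for name, html in PAGES.items():
        print(name, check_form_page(html, SITEKEY, SECRET) or "OK")
```
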
A few minutes is all that’s required to add additional protection against bots to your website and act as a form of brute-force prevention against password hackers by deploying hCaptcha. Consider checking out my recent posts on Enforcing Strong Passwords In WordPress and Setup Two-Factor Authentication On WordPress for additional easy-to-implement yet effective security measures for WordPress. Pairing hCaptcha with two-factor authentication makes for an amazingly effective defense against potential intruders.
If you found this tutorial helpful or have any questions, I encourage you to please share it with others and/or leave a comment below. Thanks for reading and I hope you visit again soon!