Google Launches Invisible reCAPTCHA

Three years ago Google introduced its new reCAPTCHA v2 API, replacing distorted text challenges with a simple “I’m not a robot” checkbox for validating users. This was a welcome improvement over the fuzzy text in a box that frustrated and infuriated real humans.

reCAPTCHA v1
reCAPTCHA v2 photo credit: Google Online Security Blog

reCAPTCHA v1 is no longer supported as of May 2016 and most sites have moved on to use v2. WordPress.org was one of the early adopters of reCAPTCHA v2 and still uses it to validate users on its registration form.

The evolution of reCAPTCHA technology continues, as Google opened up registration for its new Invisible reCAPTCHA today. With the exception of the “Protected by reCAPTCHA” badge on forms, the newest implementation is invisible. It doesn’t require the user to click anything. Invisible reCAPTCHA validates users in the background and is invoked when the user clicks on an existing button on the site. It can also be invoked by a JavaScript API call. If it deems the traffic to be suspicious, it will require the user to solve a captcha.

Invisible reCaptcha for WordPress

Invisible reCaptcha for WordPress is the first plugin to implement the new API. It was launched in December 2016, shortly after Invisible reCAPTCHA went into beta. The settings page lets users paste in the site key and secret key Google issues after registering on the reCAPTCHA site.

Invisible reCaptcha for WordPress has options to enable protection on the WordPress login, registration, comments, and forgot password forms. It is compatible with WooCommerce for protecting the login, registration, product review, lost password, and reset password forms. The plugin also works with Contact Form 7 to protect form submission.

On the frontend users will see the “Protected by reCAPTCHA” badge. I’m not fond of the sticky badge on the right side of the viewport that slides out on hover, as it seems too obtrusive. It looks better in the context of the form, and the plugin offers an option to display it inline and add custom CSS.

After testing the plugin and seeing Invisible reCAPTCHA in action, I was impressed with how easy it was to set up. It took less than a minute to get my site added at Google and the plugin configured. However, I was disappointed that the captcha is not truly invisible. Google’s overt branding on what is meant to be an invisible product makes it only a slight improvement over the v2 checkbox implementation in terms of what the user sees when interacting with the form. It is possible to hide the badge using CSS but this may violate reCAPTCHA’s policies, as the badge links to Google’s terms and privacy documents.

Invisible reCaptcha for WordPress is free on WordPress.org and should greatly reduce the spam coming through WordPress forms. The plugin is compatible with Multisite and can be activated network-wide or on a single site. Detailed instructions for extending it to protect any plugin or custom form are available on WordPress.org.

16 Comments


  1. Great News! Invisible reCaptcha for WordPress seems a very good plugin..Will install right away.

    Report


  2. we’ve come full circle. back in the day wp hashcash was used for similar anti-spam purposes. that plugin still works but some spammers can get past it simply by enabling javascript execution in their bots. maybe they use headless browsers automated with phantomjs or something.

    google obviously does more than ask for proof of work from browsers so hopefully it’ll be better than wp hash cash.

    Report


  3. Thank you Sarah for featuring my plugin here on WPTavern.

    ~Mihai

    Report


  4. I’ve always used the Anti-Spam plugin from Webvitaly, and this has been hugely effective (it’s also invisible like the Google one, except it doesn’t require you to tick anything).

    It’s only for blog comments, but a great little plugin.

    Report


    1. +1 on Anti-Spam by Webvitaly. I use it all the time. I don’t get automated form spam because I enable the anti-spam honeypot on Gravity Forms. (I do get occasional real humans offering me products and services I don’t need.) I hate CAPTCHA.

      Report


      1. Especially the CAPTCHA that seems like it’s stuck in 1999, with indecipherable text and strikethroughs…. guh.

        Report


      2. Yep, it goes on every WordPress site I launch, so easy to use and so effective. And damn these humans all the way to Hades! :)

        Report


      3. Ya Sallie, many people don’t utilize the Gravity Forms options enough :) I have never used a captcha ever on my contact forms and only get valid submissions. This is on high traffic sites. Besides the additional spam options, I think they handle their field requirement checking differently.

        Report


  5. That plugin is magic,

    An anti-spam solution should be an headache for spammers, not legitimate users.

    But then, the lock in front of your door, is your headache, not the thiefs’

    Report


  6. I switched the WordPress.org registration form over to using this new Invisible reCAPTCHA code today. It’s relatively straightforward to do if you already use the v2 API.

    Report


  7. The setup is so easy and there is no delay regarding page loading time. Google probably has a very good algorithm to fight the spams without ugly captchas. It’s great that we have finally a WordPress plugin that integrates Google spam detection into our websites. And it’s free!!! Many thanks to the developer !

    Report


  8. The new feature is awesome and it welcomes more genuine comments. Must replace the existing re-captcha plugin.

    Report


  9. Just started using it, for too long I’ve been getting spammed to death by fake users.

    I also noticed registration spam on a different website, not sure how they benefit from creating profiles on websites without actually ever commenting or having links on their profile pages.

    Report


  10. While this is a good thing for end users I wonder how exactly that words and characters that are indecipherably by machines will now be converted. An invisible captcha (or a simple checkbox like the new system) will no longer ask users to decipher those unreadable words so I expect the digitization project to be majorly slowed with this move.

    Report

Comments are closed.