Google Launches Invisible reCAPTCHA

Three years ago Google introduced its new reCAPTCHA v2 API, replacing distorted text challenges with a simple “I’m not a robot” checkbox for validating users. This was a welcome improvement over the fuzzy text in a box that frustrated and infuriated real humans.

reCAPTCHA v1
reCAPTCHA v2 photo credit: Google Online Security Blog

reCAPTCHA v1 is no longer supported as of May 2016 and most sites have moved on to use v2. WordPress.org was one of the early adopters of reCAPTCHA v2 and still uses it to validate users on its registration form.

The evolution of reCAPTCHA technology continues, as Google opened up registration for its new Invisible reCAPTCHA today. With the exception of the “Protected by reCAPTCHA” badge on forms, the newest implementation is invisible. It doesn’t require the user to click anything. Invisible reCAPTCHA validates users in the background and is invoked when the user clicks on an existing button on the site. It can also be invoked by a JavaScript API call. If it deems the traffic to be suspicious, it will require the user to solve a captcha.

Invisible reCaptcha for WordPress

Invisible reCaptcha for WordPress is the first plugin to implement the new API. It was launched in December 2016, shortly after Invisible reCAPTCHA went into beta. The settings page lets users paste in the site key and secret key Google issues after registering on the reCAPTCHA site.

Invisible reCaptcha for WordPress has options to enable protection on the WordPress login, registration, comments, and forgot password forms. It is compatible with WooCommerce for protecting the login, registration, product review, lost password, and reset password forms. The plugin also works with Contact Form 7 to protect form submission.

On the frontend users will see the “Protected by reCAPTCHA” badge. I’m not fond of the sticky badge on the right side of the viewport that slides out on hover, as it seems too obtrusive. It looks better in the context of the form, and the plugin offers an option to display it inline and add custom CSS.

After testing the plugin and seeing Invisible reCAPTCHA in action, I was impressed with how easy it was to set up. It took less than a minute to get my site added at Google and the plugin configured. However, I was disappointed that the captcha is not truly invisible. Google’s overt branding on what is meant to be an invisible product makes it only a slight improvement over the v2 checkbox implementation in terms of what the user sees when interacting with the form. It is possible to hide the badge using CSS but this may violate reCAPTCHA’s policies, as the badge links to Google’s terms and privacy documents.

Invisible reCaptcha for WordPress is free on WordPress.org and should greatly reduce the spam coming through WordPress forms. The plugin is compatible with Multisite and can be activated network-wide or on a single site. Detailed instructions for extending it to protect any plugin or custom form are available on WordPress.org.

There are 16 comments

Comments are closed.