How To Use hCaptcha To Protect Against WordPress SPAM Bots

Update: Shield v20+ now comes with an advanced built-in bot detection feature, called the silentCAPTCHA, that removes the need to use any CAPTCHA on your WordPress login, contact and comment forms.

Google reCAPTCHA and hCAPTCHA are no longer available from the Shield v18.5 onward.

If you run a WordPress site that has interaction with visitors, such as comments, or user registrations, you’ll be familiar with CAPTCHA.

CAPTCHA is used in the global fight against SPAM. This can be spam in the form of WordPress comments, user registrations, or anything else that asks a visitor to complete a form on a webpage

CAPTCHA can also be used to mitigate login attacks by ensuring that the user logging into a site is actually a human being. It’s easy to create a script that will perform automated logins to a WordPress site, but far more difficult when there’s a mechanism within the form to detect automated submissions – mechanisms such as CAPTCHA.

Easily the most common type of CAPTCHA in common use throughout the web is Google’s reCAPTCHA. It works quite well in most scenarios, though it isn’t perfect.

ShieldPRO has supported Google reCAPTCHA v2 (+Invisible) for several years now. But Google reCAPTCHA isn’t the only solution. A new service has been made recently available which can be used to replace Google reCAPTCHA altogether.

This new service we’re referring to is called hCaptcha, and is available for all users of Shield Security v9.0 and above.

What is hCaptcha?

In summary, hCaptcha has been designed as a drop-in alternative to Google reCAPTCHA. This means that developers can make a few simple switches and immediately replace their Google implementation with hCaptcha.

There is another interesting angle to hCaptcha, however – you can get paid to use it.

hCaptcha has positioned itself quite differently to reCAPTCHA in terms of what is does and how it handles your data, with privacy at the forefront. In-fact, it’s even GDPR and CCPA-friendly.

How Does ShieldPRO Support hCaptcha for WordPress?

With ShieldPRO 9.0 you have the option of selecting either Google reCAPTCHA v2, or hCaptcha.

In order to use hCaptcha, you’ll need to sign-up for an account with them and register your site URLs in much the same way as for Google reCAPTCHA. You can’t use the keys from 1 service with the other – they’re not interchangeable.

A benefit of choosing hCaptcha instead of Google reCAPTCHA is that you don’t need to register for separate API keys to use its invisible variant. With Google’s reCAPTCHA service, you need to create separate keys for the 2 different types.

It’s really quite simple to get up and running with hCaptcha on your WordPress site:

• Register an account on the hCaptcha website
• Ensure you’re running ShieldPRO 9.0 or above.
• Copy the hCaptcha Secret Key from your Settings page into your ShieldPRO settings.
• Add a new site to your hCaptcha control panel.
• Copy-Paste the new site key into your ShieldPRO settings.
• and save!

It’s really as simple as that.

Once you’ve successfully setup your hCaptcha account and stored your keys with Shield, you can go to your Comment SPAM and Login Guard modules within ShieldPRO and turn on hCaptcha form protection as you desire.

Questions, Comments or Suggestsions

We like to keep ShieldPRO current, and continue to provide you with options in how you implement your WordPress site security.

We hope that the addition of hCaptcha as a tool to enhance your WordPress security meets this criteria.

If you’ve any questions about this new feature, please drop us a message below.