reCAPTCHA v2 in BotBlocker: An Additional User Verification Method and How to Set Up Keys

To block bots and automate abuse, BotBlocker supports integrating reCAPTCHA v2 as one of the additional methods for verifying users on critical pages. This adds an extra layer of defense, stopping even the most persistent automated scripts.

Why Use reCAPTCHA v2?

• Detects and blocks suspicious, automated actions with a user-friendly widget (“I’m not a robot”)
• Effective against most bots and scripts that bypass basic browser and JavaScript checks
• Can be enabled on user verification pages, login forms, registration, comments, or any place where suspicious traffic is detected

How reCAPTCHA v2 Works in BotBlocker

• When enabled, reCAPTCHA v2 is shown to users who are subject to additional verification (for example, after suspicious activity is detected)
• Users must solve the CAPTCHA to proceed – bots and automated tools usually fail this check
• This greatly reduces the risk of brute force, spam registrations, or scripted abuse

What Happens When a Bot Fails the Check

When an automated script encounters the CAPTCHA widget, it typically cannot simulate the mouse movements and behavioral patterns that Google’s system analyzes. The verification request is sent from the user’s browser to Google’s servers, which return a score or a pass/fail result. BotBlocker then reads this result and either allows the user to continue or blocks the request entirely. This happens in real time, with no noticeable delay for legitimate users. The process relies on Google’s own infrastructure, which means the accuracy of the check is maintained independently of your server’s resources. You can read more about how the verification process works in Google’s official reCAPTCHA documentation.

How to Create reCAPTCHA v2 Keys: Step-by-Step

1. Go to the reCAPTCHA admin console:
   https://www.google.com/recaptcha/admin
2. Log in with your Google Account.
3. Register a new site:
   • Label: Enter any name to identify your site
   • Choose “reCAPTCHA v2” (Checkbox or Invisible as needed)
   • Enter your domain(s) (e.g., example.com, without “http://” or “/”)
   • Accept terms and submit
4. Copy your Site Key and Secret Key:
   • After registration, you will see two codes: Site Key (for front-end) and Secret Key (for back-end)
5. Add keys to BotBlocker settings:
   • Go to your WordPress admin panel → BotBlocker Integrations → reCAPTCHA v2
   • Paste both keys into the corresponding fields and save changes
6. Test the integration:
   • Visit the user verification or login page as a visitor to ensure reCAPTCHA appears and functions correctly

Where to Place the Widget on Your Site

Placement matters. A CAPTCHA widget placed on the wrong page can frustrate regular visitors without providing any real security benefit. The most effective spots are pages where abuse is actually likely: login screens, new account registration forms, password reset pages, and comment sections. If your site has a contact form that regularly receives spam submissions, adding a check there is also a reasonable step. Avoid placing it on product pages, blog posts, or any page where the user is just browsing. The goal is to intercept automated requests at the point where they do damage, not to add friction for every visitor across your entire site.

Recommendations for Using reCAPTCHA v2

• Use reCAPTCHA only on verification, login, or registration pages – not on every page, to avoid annoying real users
• Update your keys if you change domains or move to production
• Monitor user feedback to ensure CAPTCHA does not cause usability issues
• If your site serves users with disabilities, make sure the audio challenge option is available – Google includes this by default in the widget, but verify it works in your setup
• Keep your domain list in the reCAPTCHA admin console up to date. Keys tied to the wrong domain will silently fail, meaning the widget loads but verification never completes. More on domain configuration can be found in the Google reCAPTCHA domain validation guide

FAQ

Do I need to pay for reCAPTCHA v2?
No, the standard service is free for most websites.

Will it block real users?
Rarely. reCAPTCHA v2 is designed to be user-friendly, but provide an alternative if users report problems.

Can I use reCAPTCHA v3?
BotBlocker also supports reCAPTCHA v3; choose the version that best fits your needs.

What if the widget does not load?
This usually happens when the domain in the admin console does not match the domain where the widget is displayed. Double-check your registered domains and make sure there are no typos. Also confirm that your server is not blocking outgoing requests to Google’s API endpoints.

Does CAPTCHA affect page load speed?
The widget loads an external script from Google’s servers. On most connections this adds less than half a second to page load. To minimize the impact, load the script only on pages where the widget is actually needed, rather than site-wide. Google provides guidance on loading reCAPTCHA efficiently in their developer docs.

Bot Blocking Settings

Defining Hostings in BotBlocker