reCAPTCHA v3 in BotBlocker: User Verification and Key Setup Guide

BotBlocker offers seamless integration with reCAPTCHA v3, giving you a modern and invisible way to filter bots and suspicious activity on critical site pages. Here’s how it works, why it matters, and how to set it up in a few minutes.

Why Use reCAPTCHA v3?

  • Operates invisibly, assigning a risk score to each visitor – no user interaction or “I’m not a robot” checkbox required
  • Identifies bots and abusive behavior in the background, allowing real users through without friction
  • Can be used for login, registration, comments, checkout, or any other page where attacks and automation are a concern

How reCAPTCHA v3 Works in BotBlocker

  • When enabled, each visitor’s behavior is analyzed and scored from 0.0 (likely bot) to 1.0 (likely human)
  • BotBlocker uses this score to decide whether to allow, challenge, or block access based on your configured threshold
  • No visual interruption for real users – reCAPTCHA v3 works entirely behind the scenes

How to Create reCAPTCHA v3 Keys: Step-by-Step

  1. Open the reCAPTCHA Admin Console:
    https://www.google.com/recaptcha/admin
  2. Log in with your Google Account.
  3. Register a new site:
    • Enter a label for your project
    • Select “reCAPTCHA v3”
    • Enter your domain(s) (e.g., example.com, no “http://” or slashes)
    • Agree to the terms and submit
  4. Copy your Site Key and Secret Key:
    • These will be shown after registration (Site Key for frontend, Secret Key for backend)
  5. Add keys in WordPress admin:
    • Go to WordPress admin panel → BotBlocker Integrations → reCAPTCHA v3
    • Paste the Site Key and Secret Key into the relevant fields and save
  6. Test integration:
    • Visit a protected page as a regular visitor to confirm reCAPTCHA v3 is running (no widget appears, but analytics/logs will show the scored requests)

Recommendations for Using reCAPTCHA v3

  • Use for login, registration, checkout, and any page at risk for bots or abuse
  • Set an appropriate score threshold in BotBlocker to balance security and user experience (0.5–0.7 recommended)
  • Rotate or update your keys if you change domains or move your site

What Affects the Score and How to React to It

The score that Google assigns to each visitor depends on several factors: how the user navigates the page, mouse movement patterns, how quickly forms are filled in, and whether the session shows signs of automation. A brand new visitor with no browsing history on your site may receive a lower score simply because there is no behavioral data to compare against. This is normal and does not mean the visitor is a bot.

That is why choosing the right threshold in BotBlocker matters. If you set it too high, you risk turning away real customers. If you set it too low, automated traffic gets through. For most WordPress sites, a threshold between 0.5 and 0.7 is a practical starting point. You can adjust it over time once you review your logs and see how your real visitors are being scored.
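One way to compare candidate thresholds before changing the setting, shown as an added example that is not BotBlocker code. The score records and their "human"/"bot" labels are constructed for illustration and assume you can label past requests by what happened afterwards.

```python
# Constructed review data: (score, label). The labels are assumed to come from
# what happened afterwards, e.g. "human" = order paid, "bot" = spam removed.
LOG = [
    (0.9, "human"), (0.9, "human"), (0.9, "human"), (0.7, "human"),
    (0.7, "human"), (0.7, "human"), (0.6, "human"), (0.5, "human"),
    (0.4, "human"), (0.3, "human"),
    (0.1, "bot"), (0.1, "bot"), (0.1, "bot"), (0.1, "bot"), (0.3, "bot"),
    (0.3, "bot"), (0.3, "bot"), (0.5, "bot"), (0.6, "bot"), (0.7, "bot"),
]

def sweep(log, thresholds):
    """For each threshold, count humans stopped (score < t) and bots passed."""
    rows = []
    for t in thresholds:
        humans_stopped = sum(1 for s, who in log if who == "human" and s < t)
        bots_passed = sum(1 for s, who in log if who == "bot" and s >= t)
        rows.append({"threshold": t, "humans_stopped": humans_stopped,
                     "bots_passed": bots_passed})
    return rows

def pick(rows, max_humans_stopped):
    """Candidate that lets the fewest bots through within the accepted
    loss of real visitors; None if every candidate stops too many people."""
    ok = [r for r in rows if r["humans_stopped"] <= max_humans_stopped]
    if not ok:
        return None
    return min(ok, key=lambda r: (r["bots_passed"], r["humans_stopped"]))["threshold"]

if __name__ == "__main__":
    rows = sweep(LOG, [0.5, 0.6, 0.7])
    for r in rows:
        print(r)
    print("suggested threshold:", pick(rows, max_humans_stopped=3))
```
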

BotBlocker makes this adjustment easy. You do not need to touch any code. Everything is handled through the settings panel, where you can change the threshold at any time and see the effect immediately in your protection logs.

Which Pages Benefit Most from Protection

Not every page on your site carries the same level of risk. High-value targets for bots include login pages, registration forms, checkout pages, comment sections, and contact forms. These are the entry points where automated scripts try to create fake accounts, submit spam, or brute-force passwords.

Enabling protection selectively on these pages keeps your site secure without adding unnecessary overhead to low-risk pages like your blog archive or about page. BotBlocker lets you choose exactly which pages are covered, so you stay in control of where the verification runs.

According to Google’s official reCAPTCHA v3 documentation, the service is specifically designed to run on multiple pages at once so that the scoring engine has more behavioral context to work with. Running it on several pages improves accuracy for the entire site, not just the individual page where it is active.

Keeping Your Keys Secure

Your Secret Key should never be exposed publicly. It is used on the server side to verify the score returned by Google, and if someone else gets access to it, they could potentially manipulate verification responses. Keep it stored only in your WordPress admin panel and avoid sharing it in code repositories or public files.

Your Site Key is intended to be public and is embedded in your site’s frontend. It identifies your site to Google but carries no security risk on its own. However, it is domain-locked, which means it will only work on the domain you registered in the reCAPTCHA Admin Console. If you move your site to a new domain, you will need to register a new set of keys.

For more information on key management and security best practices, see the Google Cloud reCAPTCHA key documentation.
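The server-side check described above and under "How reCAPTCHA v3 Works in BotBlocker", sketched as an added example (not BotBlocker's own code). It starts from the JSON body that Google's siteverify endpoint returns, so it runs offline on constructed responses. The "login" action name, the example.com hostname and the two-band allow/challenge/block policy are assumptions.

```python
import json

# Constructed siteverify response bodies (field names follow Google's v3 JSON).
SAMPLES = {
    "human": '{"success": true, "score": 0.9, "action": "login", "hostname": "example.com"}',
    "unsure": '{"success": true, "score": 0.4, "action": "login", "hostname": "example.com"}',
    "bot": '{"success": true, "score": 0.1, "action": "login", "hostname": "example.com"}',
    "wrong_site": '{"success": true, "score": 0.9, "action": "login", "hostname": "other.example"}',
    "wrong_form": '{"success": true, "score": 0.9, "action": "comment", "hostname": "example.com"}',
    "replayed": '{"success": false, "error-codes": ["timeout-or-duplicate"]}',
}

def decide(body, expected_host, expected_action, threshold=0.5, block_below=0.3):
    """Return (verdict, reason); verdict is 'allow', 'challenge' or 'block'.

    threshold and block_below are assumed policy values, not BotBlocker defaults.
    Anything that cannot be verified fails closed.
    """
    try:
        r = json.loads(body)
    except ValueError:
        return "block", "unparseable response"
    if not isinstance(r, dict):
        return "block", "unexpected response shape"
    if r.get("success") is not True:
        return "block", "rejected: " + ",".join(map(str, r.get("error-codes", [])))
    # A valid token from another site or another form says nothing about this request.
    if r.get("hostname") != expected_host:
        return "block", "hostname mismatch"
    if r.get("action") != expected_action:
        return "block", "action mismatch"
    score = r.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return "block", "missing score"
    if score >= threshold:
        return "allow", f"score {score}"
    if score >= block_below:
        return "challenge", f"score {score}"
    return "block", f"score {score}"

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, decide(body, "example.com", "login"))
```
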

FAQ

Is reCAPTCHA v3 free?
Yes, Google offers the service free for most use cases.

Will users see any widget or challenge?
No, reCAPTCHA v3 is invisible for real users – no checkbox, no puzzles.

How do I know it’s working?
BotBlocker logs show reCAPTCHA scores for each verification event; you can monitor stats and blocked attempts.

Can I use it on more than one domain?
Each set of keys is tied to a specific domain. If you run multiple sites, you need to register a separate site in the reCAPTCHA Admin Console for each one and add the corresponding keys to each BotBlocker installation.

What happens if a real user gets a low score?
It depends on your threshold setting. If BotBlocker is configured to block scores below 0.5, a user who scores 0.4 may be blocked or challenged. This is rare for genuine human visitors, but it can happen. Reviewing your logs regularly helps you spot any patterns and adjust the threshold if needed.
