Protect contact forms with Google reCAPTCHA: Effectively reduce spam in WordPress
Contact forms are essential for many WordPress websites. They allow visitors to quickly send an enquiry, a support request, a quote request or feedback on your services. At the same time, unprotected forms are among the most popular targets for spam bots.
Spam bots automatically scan the internet for forms and send large volumes of unwanted messages. These often contain advertising, phishing links, SEO spam, malware references or completely meaningless content. Google reCAPTCHA can help detect and block such automated form submissions.
Why contact forms should be protected
An unprotected contact form can quickly become a spam gateway. Bots automatically fill in form fields and send messages at high frequency. This is not only annoying, but can also have technical and organisational consequences.
Typical problems caused by form spam are:
- overfilled mailboxes: Genuine customer enquiries get lost among spam messages.
- loss of time: Spam has to be manually deleted and checked.
- security risk: Messages may contain dangerous links.
- server load: A very large number of form requests can consume resources.
- delivery problems: Large volumes of form emails make it harder to keep an overview and to process email.
- poor user experience: If protection measures are configured incorrectly, real visitors may be blocked.
Good spam protection should therefore achieve two things at the same time: block bots and disturb real visitors as little as possible.
What is Google reCAPTCHA?
Google reCAPTCHA is a service that helps websites detect automated access, spam and abuse. Depending on the version, users are actively checked or assessed in the background.
Google distinguishes, among others, between reCAPTCHA v2, reCAPTCHA v3 and reCAPTCHA Enterprise. According to Google, reCAPTCHA v3 returns a score for each request without interrupting users with a visible task. This score is based on interactions with the website.
For WordPress contact forms, reCAPTCHA v3 is often used because it works in the background. Visible image puzzles such as “Select all traffic lights” are usually not required.
reCAPTCHA v2 or reCAPTCHA v3?
Which version makes sense depends on the form plugin, privacy concept and amount of spam. Many modern form plugins directly support reCAPTCHA v3.
| Variant | How it works | Suitable for |
|---|---|---|
| reCAPTCHA v2 | Users often have to actively confirm or solve a task. | Forms with high spam pressure where visible verification is acceptable. |
| reCAPTCHA v3 | Works in the background and evaluates requests based on a score. | Contact forms where user-friendliness is important. |
| reCAPTCHA Enterprise | Advanced variant for more comprehensive security and risk analyses. | Larger projects with increased protection requirements. |
Contact Form 7 has natively supported reCAPTCHA v3 since version 5.1; anyone who wants to use reCAPTCHA v2 there needs an additional solution. WPForms also offers CAPTCHA options in its settings, including Google reCAPTCHA, hCaptcha and Cloudflare Turnstile.
1. Create reCAPTCHA keys with Google
To make reCAPTCHA work on your website, you need two keys: a website key, also called Site Key, and a secret key, also called Secret Key.
Google explains the difference as follows: the Site Key is used on the website to call reCAPTCHA. The Secret Key is used for communication between your application and the reCAPTCHA server and must remain protected.
The typical process:
- Open the Google reCAPTCHA Admin Console.
- Sign in with your Google account.
- Register a new website.
- Select the appropriate reCAPTCHA type, for example reCAPTCHA v3.
- Enter your domain, for example example.ch.
- Accept the terms, if applicable.
- Create the keys.
- Copy the Site Key and Secret Key into your WordPress form plugin.
2. Enter the domain correctly
When creating the reCAPTCHA keys, you must enter your domain correctly. Use the domain without a path. For example:
example.ch
Not:
https://www.example.ch/kontakt/
If your website is accessible with and without www or uses subdomains, check which domain variants need to be entered in the reCAPTCHA administration.
3. Set up reCAPTCHA in Contact Form 7
Contact Form 7 offers its own integration for reCAPTCHA v3. The plugin describes reCAPTCHA as protection against spam and automated abuse.
The typical process in WordPress:
- In the WordPress dashboard, open Contact > Integration.
- Find the reCAPTCHA section.
- Click Set up integration or a comparable button.
- Enter the Site Key.
- Enter the Secret Key.
- Save the settings.
- Test your contact form.
With the reCAPTCHA v3 integration in Contact Form 7, the check runs in the background. Usually, you do not need to insert an additional reCAPTCHA shortcode into the form.
4. Set up reCAPTCHA in WPForms
WPForms also supports various CAPTCHA methods. According to the WPForms documentation, you can find the CAPTCHA settings under WPForms > Settings in the CAPTCHA tab. There you can select Google reCAPTCHA and configure the desired type.
The typical process:
- Open WPForms > Settings.
- Switch to the CAPTCHA tab.
- Select reCAPTCHA.
- Select the appropriate reCAPTCHA type.
- Enter the Site Key and Secret Key.
- Save the settings.
- Open your form in the WPForms builder.
- Activate reCAPTCHA for the desired form.
- Save and test the form.
Depending on the form plugin, the exact process differs slightly. Therefore, always check the documentation of the form plugin you are using.
5. Activate reCAPTCHA in the form
Entering the keys is not sufficient for every plugin. Some plugins additionally require reCAPTCHA to be activated in the respective form.
Therefore, check:
- Are the Site Key and Secret Key saved correctly?
- Is reCAPTCHA activated in the form itself?
- Is the correct reCAPTCHA version being used?
- Is the domain correctly stored in the Google console?
- Is the form displayed correctly after saving?
- Does a test enquiry work?
With reCAPTCHA v3, a small reCAPTCHA logo or badge often appears on the website. Depending on the integration and Google requirements, the notice about reCAPTCHA and the Google terms must be correctly visible or linked.
6. Understand the reCAPTCHA v3 score
reCAPTCHA v3 does not work with a visible puzzle, but with a risk assessment. According to Google, reCAPTCHA v3 returns a score for each request so that websites can respond appropriately.
Put simply:
- High score: The request appears more trustworthy.
- Low score: The request appears more suspicious.
How strictly a form reacts depends on the plugin and its settings. If the check is too strict, real users may be blocked. If it is too loose, spam may still get through.
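The decision a form handler makes from the verification response can be sketched as follows. This is an added example, not code from Contact Form 7, WPForms or Google; the threshold of 0.5, the action name "contact" and the allowed hostnames are assumptions, and the sample responses are constructed.

```php
<?php
// Added example: evaluate a decoded reCAPTCHA v3 siteverify response.
// Threshold, action name and allowed hostnames are assumptions.

const ALLOWED_HOSTS = ['example.ch', 'www.example.ch'];

/**
 * @param array  $resp           siteverify reply, decoded with json_decode($body, true)
 * @param string $expectedAction action name the form requested its token for
 * @param float  $threshold      minimum score treated as trustworthy (0.0 to 1.0)
 * @return array [bool $accept, string $reason]
 */
function evaluate_recaptcha(array $resp, string $expectedAction, float $threshold = 0.5): array
{
    if (empty($resp['success'])) {
        // error-codes points at key or token problems, e.g. invalid-input-secret
        $codes = implode(',', $resp['error-codes'] ?? ['unknown']);
        return [false, "verification failed: $codes"];
    }
    if (!in_array($resp['hostname'] ?? '', ALLOWED_HOSTS, true)) {
        return [false, 'token was issued for another hostname'];
    }
    if (($resp['action'] ?? '') !== $expectedAction) {
        return [false, 'token was issued for another action'];
    }
    $score = $resp['score'] ?? null;
    if (!is_float($score) && !is_int($score)) {
        return [false, 'response has no score (not a v3 token?)'];
    }
    if ($score < $threshold) {
        return [false, sprintf('score %.1f below threshold %.1f', $score, $threshold)];
    }
    return [true, sprintf('score %.1f accepted', $score)];
}

// Constructed sample responses, shaped like the siteverify JSON.
$samples = [
    '{"success":true,"score":0.9,"action":"contact","hostname":"example.ch"}',
    '{"success":true,"score":0.1,"action":"contact","hostname":"example.ch"}',
    '{"success":true,"score":0.9,"action":"login","hostname":"example.ch"}',
    '{"success":false,"error-codes":["timeout-or-duplicate"]}',
];
foreach ($samples as $json) {
    [$ok, $why] = evaluate_recaptcha(json_decode($json, true), 'contact');
    echo ($ok ? 'ACCEPT ' : 'REJECT ') . $why . PHP_EOL;
}
```

Logging the rejection reason alongside the score makes it possible to see whether real visitors are being blocked before the threshold is changed.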
7. Test the form after setup
After activation, you should definitely test the form. Send a normal test enquiry and check whether the message arrives correctly.
Test:
- desktop browser,
- smartphone,
- different browsers,
- form with required fields,
- form with error messages,
- form with a longer message,
- form after clearing the cache,
- form in an incognito window.
Also check whether email delivery works correctly. reCAPTCHA blocks spam, but does not replace a clean SMTP configuration.
8. Privacy: use reCAPTCHA consciously
reCAPTCHA is an external Google service. As a result, data may be transmitted to Google when the form is loaded or used. This must be taken into account in your privacy review.
Check in particular:
- Is reCAPTCHA mentioned in your privacy policy?
- Is reCAPTCHA already loaded when the page is accessed, or only when the form is used?
- Is consent required?
- Is a consent manager used?
- Is there a more privacy-friendly alternative?
- Does the integration fit the Swiss nFADP and, where applicable, the GDPR?
9. reCAPTCHA and loading time
reCAPTCHA loads external scripts from Google. This can affect loading time and the number of external requests. Especially on performance-critical websites, reCAPTCHA should be loaded selectively rather than on every page.
Check:
- Is reCAPTCHA loaded only on pages with forms?
- Is the script embedded globally by a form plugin?
- Does reCAPTCHA affect PageSpeed values?
- Are there conflicts with caching or JavaScript optimisation?
- Does reCAPTCHA still work after minification and caching?
If your form is only on the contact page, reCAPTCHA should ideally not be loaded on every subpage of your website.
10. Alternatives to reCAPTCHA
reCAPTCHA is not the only way to reduce form spam. Depending on privacy requirements, user experience and spam volume, alternatives may be useful.
Possible alternatives or additions:
- Honeypot: Invisible field that detects many simple bots.
- Cloudflare Turnstile: CAPTCHA alternative with a different technical approach.
- hCaptcha: Alternative CAPTCHA solution.
- Antispam plugins: Special WordPress plugins against form and comment spam.
- Rate limiting: Limiting the number of requests accepted within a short time.
- Firewall rules: Blocking suspicious access.
- Form validation: Server-side checking of inputs.
For many normal contact forms, a combination of honeypot, form validation and server-side protection is already sufficient. In cases of heavier spam, reCAPTCHA can be an additional layer of protection.
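The combination of honeypot, rate limiting and form validation named above, as an added example that is not taken from any particular plugin. The honeypot field name "website", the limit of 5 attempts per 600 seconds and the in-memory history are assumptions; the submissions are constructed.

```php
<?php
// Added example: honeypot, per-IP rate limit and server-side validation.
// The field name "website" and both limits are assumptions.

const MAX_PER_WINDOW = 5;    // attempts allowed per IP ...
const WINDOW_SECONDS = 600;  // ... within this many seconds

/**
 * @param array  $post    submitted form fields
 * @param string $ip      client address
 * @param int    $now     current Unix time
 * @param array  $history per-IP attempt times; kept in memory here, a real
 *                        site would persist it (e.g. in a WordPress transient)
 * @return string 'ok' or the reason for rejection
 */
function check_submission(array $post, string $ip, int $now, array &$history): string
{
    // Count every attempt so that rejected floods also hit the limit.
    $recent = array_filter($history[$ip] ?? [], fn($t) => $now - $t < WINDOW_SECONDS);
    $recent[] = $now;
    $history[$ip] = array_values($recent);
    if (count($recent) > MAX_PER_WINDOW) {
        return 'rate limit exceeded';
    }
    // The honeypot input is hidden with CSS; real visitors leave it empty.
    if (trim((string) ($post['website'] ?? '')) !== '') {
        return 'honeypot field filled';
    }
    // Form validation: never rely on the browser's checks alone.
    if (!filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL)) {
        return 'invalid email address';
    }
    if (trim((string) ($post['message'] ?? '')) === '') {
        return 'empty message';
    }
    return 'ok';
}

// Constructed submissions (203.0.113.7 is a documentation address).
$history = [];
$human = ['email' => 'anna@example.ch', 'message' => 'Quote request', 'website' => ''];
$bot   = ['email' => 'x@example.com', 'message' => 'Buy now', 'website' => 'http://spam.example'];
echo check_submission($human, '203.0.113.7', 1000, $history) . PHP_EOL;
echo check_submission($bot, '203.0.113.7', 1001, $history) . PHP_EOL;
for ($i = 0; $i < 4; $i++) {
    $last = check_submission($human, '203.0.113.7', 1002 + $i, $history);
}
echo $last . PHP_EOL;
```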
11. Combine reCAPTCHA with hosting protection
reCAPTCHA protects the form at application level. In addition, hosting protection can help detect or block malicious requests at an early stage.
At CURIAWEB, depending on the hosting environment, additional protection can be used at server level, for example security mechanisms against malicious access, malware or suspicious activities. Such protection layers do not completely replace reCAPTCHA, but complement the security strategy.
12. Common mistakes with reCAPTCHA
If reCAPTCHA does not work, it is often due to small configuration errors. Check systematically before switching plugins.
- Wrong key type: v2 keys are used for v3 or vice versa.
- Domain not entered: The website domain is not correctly stored in the reCAPTCHA console.
- Secret Key inserted publicly: The secret key was entered where it becomes publicly visible instead of remaining protected.
- reCAPTCHA not activated in the form: Keys are saved, but form protection is not active.
- Cache conflict: JavaScript is delayed, combined or blocked.
- Consent blocker blocks reCAPTCHA: The form only works after consent or not at all.
- Assessment too strict: Real users are incorrectly blocked.
- No test enquiry: Errors go unnoticed until the first real customer enquiry.
13. SEO and GEO: Why spam protection is indirectly important
reCAPTCHA is not a direct SEO ranking factor. However, a properly protected form can indirectly contribute to the quality of your website. Genuine enquiries arrive more reliably, spam is reduced and visitors experience a more professional website.
For GEO, meaning Generative Engine Optimization, trust is important. A website with a functioning contact form, clear privacy policy, visible contact options and stable technology appears more reliable than a website with broken forms or spam problems.
What matters here:
- forms must work reliably,
- spam protection must not block real visitors,
- privacy must be explained transparently,
- contact options should be clearly visible,
- technical errors should be avoided.
Recommended procedure
- Check spam volume: Is spam coming through the contact form, comments or registration?
- Check form plugin: Does it support reCAPTCHA v3, v2 or alternatives?
- Create reCAPTCHA keys: Generate Site Key and Secret Key in the Google console.
- Enter domain correctly: Check main domain and relevant subdomains.
- Store keys in the plugin: Enter Site Key and Secret Key cleanly.
- Activate form protection: Enable reCAPTCHA in the form depending on the plugin.
- Send test enquiry: Check function and email delivery.
- Check privacy: Adjust privacy policy and consent concept.
- Check performance: Verify whether reCAPTCHA loads only where it is needed.
- Monitor spam rate: Adjust thresholds or additional protection measures if necessary.
Frequently asked questions about reCAPTCHA in WordPress
What is Google reCAPTCHA?
Google reCAPTCHA is a bot protection service that helps websites detect spam and automated abuse. It is often used for contact forms, registrations and logins.
What is the difference between Site Key and Secret Key?
The Site Key is used on the website to call reCAPTCHA. The Secret Key is used for secure server communication and must remain protected.
Is reCAPTCHA v3 better than v2?
reCAPTCHA v3 is more user-friendly because it works in the background. reCAPTCHA v2 can make sense under strong spam pressure, but it more often disturbs visitors with visible checks.
Why does the reCAPTCHA logo appear at the bottom of my website?
With reCAPTCHA v3, a badge is often displayed. Depending on the integration and Google requirements, it must be visible that reCAPTCHA is used and that Google terms apply.
Can reCAPTCHA block all spam messages?
No. reCAPTCHA reduces many automated spam attempts, but it is not complete protection against every type of abuse. A combination with honeypot, firewall, form validation and updates is advisable.
Is reCAPTCHA relevant for privacy?
Yes. reCAPTCHA is an external Google service and should be taken into account in the privacy review, privacy policy and, where applicable, consent management.
Why does my form no longer work after activating reCAPTCHA?
Possible causes are incorrect keys, wrong reCAPTCHA type, cache conflicts, JavaScript optimisation, consent blockers or an incorrectly entered domain.
Are there alternatives to reCAPTCHA?
Yes. Depending on the form plugin, honeypot, hCaptcha, Cloudflare Turnstile, antispam plugins or server-side protection mechanisms can be alternatives or additions.
Security comes first
A protected contact form is only one part of a secure WordPress website. With WordPress hosting from CURIAWEB, you benefit from stable Swiss infrastructure, SSL included, fast NVMe technology and a solid foundation for professional web projects.