Introducing reCAPTCHA v3 (and how to update Contact Form 7 appropriately)

December 12, 2018

We are excited to announce that Google’s reCAPTCHA v3, which helps you detect abusive traffic on your website without any user friction, has now become the standard for use with WordPress plugins. This version returns a “score” based on the interactions with your website and gives you more flexibility to take appropriate actions.

Over the last decade, reCAPTCHA has continuously evolved its technology. In reCAPTCHA v1, every user was asked to pass a challenge by reading distorted text and typing it into a box. To improve both user experience and security, Google introduced reCAPTCHA v2 and began to use many other signals to determine whether a request came from a human or a bot. This enabled reCAPTCHA challenges to move from a dominant to a secondary role in detecting abuse, letting about half of users pass with a single click. Now, with reCAPTCHA v3, Google is fundamentally changing how sites can test for human vs. bot activity: it returns a score that tells you how suspicious an interaction is and eliminates the need to interrupt users with challenges at all. reCAPTCHA v3 runs adaptive risk analysis in the background to alert you to suspicious traffic while letting your human users enjoy a frictionless experience on your site.

Contact Form 7 and other plugins will need to be reconfigured to use this new version. Sometimes you just need to create new keys (see below), but other times more work will be required.

Contact Form 7 5.1 and later uses this new reCAPTCHA v3 API. reCAPTCHA v3 works in the background so users don’t need to read blurred text in an image or even tick the “I’m not a robot” checkbox. API keys for reCAPTCHA v3 are different from those for v2; keys for v2 don’t work with the v3 API. You need to register your sites again to get new keys for v3.

Registering a Site

To start using reCAPTCHA, you first need to register the WordPress site. reCAPTCHA is Google’s service, so you need a Google account to use it. Sign in to Google with that account, and go to the My reCAPTCHA page. You will see a simple registration form like the following:

[Image: My reCAPTCHA page]

Choose reCAPTCHA v3 from the type options, and enter the domain of the website in the Domains field.

After you register a website, you will get the site key and secret key for the site.

[Image: Site details]

Next, move to the WordPress admin screen and open the Contact > Integration menu page.

[Image: Integration menu page]

You will see a box titled “reCAPTCHA” there. Click the “Setup Integration” button in the box. It will display the Site Key and Secret Key input fields. Copy and paste the two keys you received in the previous step into the fields, and click the “Save Changes” button.

[Image: Entering the API keys]

That’s it. Now your contact forms use reCAPTCHA’s score to verify whether the form submission is from a human or from a spam bot.

reCAPTCHA v3 doesn’t need a CAPTCHA widget (the “I’m not a robot” checkbox used in reCAPTCHA v2) to work, so [recaptcha] form-tags are no longer necessary. If [recaptcha] form-tags are found in a form template, Contact Form 7 5.1 or higher ignores them and replaces them with an empty string.
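
What acting on the score can look like on the server, as an added example that is not Contact Form 7's own code. It assumes the token and secret key have already been POSTed to Google's siteverify endpoint and the JSON reply decoded; the 0.5 threshold, the action name "contactform", the hostnames and the sample replies are assumptions constructed for illustration.

```php
<?php
// Added example: decide what to do with a decoded reCAPTCHA v3 siteverify reply.
// Threshold, action name and hostname are assumptions, not values from the plugin.

function recaptcha_v3_verdict(array $resp, string $expectedAction,
                              string $expectedHost, float $threshold = 0.5): array
{
    // Google reports token problems (expired, reused, malformed) here.
    if (empty($resp['success'])) {
        $codes = implode(',', $resp['error-codes'] ?? ['unknown']);
        return ['allow' => false, 'reason' => "verification failed: $codes"];
    }
    // The token must have been issued on our own site ...
    if (($resp['hostname'] ?? '') !== $expectedHost) {
        return ['allow' => false, 'reason' => 'hostname mismatch'];
    }
    // ... and for the action this form requested, not another page's.
    if (($resp['action'] ?? '') !== $expectedAction) {
        return ['allow' => false, 'reason' => 'action mismatch'];
    }
    // A missing or non-numeric score is treated as a failure (fail closed).
    $score = $resp['score'] ?? null;
    if (!is_int($score) && !is_float($score)) {
        return ['allow' => false, 'reason' => 'no score in response'];
    }
    if ($score < $threshold) {
        return ['allow' => false, 'reason' => "score $score below $threshold"];
    }
    return ['allow' => true, 'reason' => "score $score"];
}

// Constructed sample replies (not captured from a real site).
$samples = [
    'human'      => '{"success":true,"score":0.9,"action":"contactform","hostname":"example.com","challenge_ts":"2018-12-12T10:00:00Z"}',
    'likely bot' => '{"success":true,"score":0.1,"action":"contactform","hostname":"example.com","challenge_ts":"2018-12-12T10:00:05Z"}',
    'other site' => '{"success":true,"score":0.9,"action":"contactform","hostname":"other-site.example","challenge_ts":"2018-12-12T10:00:09Z"}',
    'reused'     => '{"success":false,"error-codes":["timeout-or-duplicate"]}',
];

foreach ($samples as $label => $json) {
    $verdict = recaptcha_v3_verdict(json_decode($json, true), 'contactform', 'example.com');
    printf("%-10s %s (%s)\n", $label, $verdict['allow'] ? 'ALLOW' : 'BLOCK', $verdict['reason']);
}
```

Only the first sample is allowed; the others are blocked for a low score, a foreign hostname and a rejected token respectively. Tune the threshold against the score distribution your own site sees.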