Support » Plugin: Contact Form by WPForms - Drag & Drop Form Builder for WordPress » How do I know if reCAPTCHA is working?

  • Resolved OsakaWebbie

    (@osakawebbie)


    This is a small bilingual site that gets almost no real traffic. I recently needed to rebuild it, and I decided to use WPForms instead of CF7 for the first time. I like the interface!

    The old site had reCAPTCHA v3 (because that’s the only type CF7 supports now) – I never saw any spam. With this rebuild, at first I thought I’d see how effective WPForms’ honeypot is, but only a few minutes after the site went live, I got a spam submission on the English form. So I added reCAPTCHA v2 Invisible. But in the 24 hours since then I’ve gotten two more spam messages (both on the English form also).

    I know it’s possible that these spam messages are being sent by humans manually entering stuff, but I never got them before. How do I know whether reCAPTCHA is working? reCAPTCHA’s admin page shows no activity at all, and I obviously don’t have a bot to test it with. Would the checkbox version be better?


Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support Ethan Choi

    (@ethanchoi)

    Hi @osakawebbie,

    The reCAPTCHA integration should be working if you see the reCAPTCHA field loaded on the site page.

    However, if you’re still having spam with reCAPTCHA enabled, you can consider increasing the security level of the reCAPTCHA integration on your site by going to your reCAPTCHA account.

    Then in the settings of your current integration, you can go to Security Preference to adjust the slider.

    If you’d prefer not to use Google’s reCAPTCHA, we have a Custom CAPTCHA addon. This enables you to set up math captcha or custom text questions. This addon is available with all of our paid licenses.

    Alternatively, you can consider the following third-party plugins to protect your forms against spam:

    WordPress Zero Spam: This plugin is simple to set up, and works right out of the box.

    Spam protection, AntiSpam, FireWall by CleanTalk: This option requires registration, and offers more settings for customization. Just a heads up that this is a premium plugin with yearly subscription plans, though it offers a 7-day free trial.

    Just to note that we’ll not be able to provide support for third-party plugins.

    I hope this helps!

    Thread Starter OsakaWebbie

    (@osakawebbie)

    Thanks for the reply.

    “The reCAPTCHA integration should be working if you see the reCAPTCHA field loaded on the site page.”

    I’m trying to use v2 Invisible, so I wouldn’t expect to see a field, right?

    The security preference was at the lowest setting, so I increased it to about halfway and will wait and see if there is any change (I only get one or two a day, so it won’t be evident immediately). But the reCAPTCHA dashboard still says 0 total sessions, 0 suspicious requests, and “no data to display”, so I still wonder if it’s doing anything.

    Some of these form submissions, in addition to being spam themselves, are putting stuff like this in my Name field:
    #file_links["C:\Frazes.txt",1,N]: #file_links["C:\Links_Dating.txt",1,N]
    I have no such files on my PC, so I’m not hacked and being used – perhaps they are supposed to be files on the spammer’s PC to populate fields? Weird.

    Plugin Support Ethan Choi

    (@ethanchoi)

    Hi @osakawebbie,

    With the Invisible reCAPTCHA v2 enabled, you should see a reCAPTCHA badge on the lower right corner of your browser (please see this screenshot).

    I’ve gone to the URL you’ve shared to take a look, and it seems that reCAPTCHA may not have been enabled in the form. In case it helps, here’s a brief outline of the steps:

    1. Generate reCAPTCHA keys in your Google reCAPTCHA account.

    2. Add the keys to WPForms’s Settings page, by going into your WordPress admin area > WPForms > Settings > reCAPTCHA (here’s a screenshot)

    3. In the form builder of your specific form, go to Settings > General to select Enable Google Invisible v2 reCAPTCHA (screenshot)

    For more details, you can check out our step-by-step tutorial on how to set up reCAPTCHA.

    When you get the chance to check your settings, please let me know how it goes.

    Thanks!
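The check discussed above (is reCAPTCHA actually attached to a given form, not just configured site-wide?) can be done against the page's HTML. This is an added example, not part of the thread and not WPForms code; it assumes Google's standard widget markup (a `g-recaptcha` element with `data-sitekey` and `data-size`) and uses constructed sample HTML with hypothetical form ids and a placeholder site key.

```python
from html.parser import HTMLParser

# Hosts Google documents for serving the reCAPTCHA api.js loader.
RECAPTCHA_HOSTS = ("www.google.com/recaptcha/", "www.recaptcha.net/recaptcha/")

class RecaptchaScan(HTMLParser):
    """Collects each <form> and any g-recaptcha widget found inside it."""
    def __init__(self):
        super().__init__()
        self.forms, self.script_loaded, self._form = [], False, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and any(h in (a.get("src") or "") for h in RECAPTCHA_HOSTS):
            self.script_loaded = True
        elif tag == "form":
            self._form = {"id": a.get("id") or "(no id)", "widget": None}
            self.forms.append(self._form)
        elif self._form is not None and "g-recaptcha" in (a.get("class") or "").split():
            self._form["widget"] = {"sitekey": a.get("data-sitekey"),
                                    "size": a.get("data-size") or "normal"}

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def audit_recaptcha(html):
    """Return {form id: status} for every form in the page."""
    scan = RecaptchaScan()
    scan.feed(html)
    report = {}
    for form in scan.forms:
        w = form["widget"]
        if w is None:
            report[form["id"]] = "unprotected: no reCAPTCHA widget in form"
        elif not w["sitekey"]:
            report[form["id"]] = "broken: widget has no site key"
        elif not scan.script_loaded:
            report[form["id"]] = "broken: widget present but api.js not loaded"
        else:
            report[form["id"]] = "widget present (" + w["size"] + ")"
    return report

# Constructed sample: keys saved site-wide, but only one form has reCAPTCHA enabled.
SAMPLE = """
<form id="contact-en"><input name="name"><button>Send</button></form>
<form id="contact-ja"><input name="name">
  <div class="g-recaptcha" data-sitekey="SITE_KEY_PLACEHOLDER" data-size="invisible"></div>
  <button>Send</button></form>
<script src="https://www.google.com/recaptcha/api.js?render=explicit"></script>
"""

if __name__ == "__main__":
    for form_id, status in audit_recaptcha(SAMPLE).items():
        print(form_id, "->", status)
```

A "widget present" result only shows the form is wired up on the client side; it does not prove the server rejects submissions that arrive without a valid token.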

    Thread Starter OsakaWebbie

    (@osakawebbie)

    Oh, I thought that badge was only for v3, but I guess it makes sense that it would also show for the invisible v2.

    Yes, those steps were helpful – I had failed step #3. It’s enabled now and the badge is showing.

    I’ll mark this resolved, but I have a curiosity question: Which test happens first when a bot submission is attempted – your honeypot or reCAPTCHA? Since reCAPTCHA keeps a tally for 7 days, I’m curious whether that would include all the submissions or only the ones not caught by the honeypot field.

    Plugin Support Ethan Choi

    (@ethanchoi)

    Hi @osakawebbie,

    The reCAPTCHA check is done first, before the form is submitted (the form is not submitted if failed). Then, the honeypot test is done on form submission when we process all the data in PHP.

    Hope this helps!
