You can read this text in 8 minutes

No Comments

CAPTCHA/reCAPTCHA Spam Protection – What Is It?


The vast majority of well-designed and optimized websites use contact forms, online polls or other forms of communication with the users, such as comments systems etc. Unfortunately, every website owner knows that such solutions, however necessary, are a perfect environment for spam bots. But don’t worry – every digital Joker has to face his Batman. One of them is reCAPTCHA – a security solution that protects your website from annoying bots.

How Does Spam Work?

In 2004, Bill Gates at the World Economic Forum surprised the audience with a bold statement: “spam [problem] will be solved in 2 years”. And he clearly underestimated the power of the phenomenon of unwanted messages. Spam still spreads the world like a true plague and spam bots every day are getting smarter and more effective. In today’s world, more sophisticated ones are mostly autonomous, persistently searching the Web for contact forms and other interactive elements of websites in order to scream their pre-programmed marketing messages.

CAPTCHA – What Is It?

The term CAPTCHA is an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart. In a nutshell, it is an automatic tool that protects the website from spam bots. We can call it an online verification method that allows you to distinguish computer programs from human users – it quite accurately determines whether a human or a machine (bot) is active on the website and checks who makes entries in the web forms. The verification is mainly performed on the basis of a mini-game that requires users to extract some data from the displayed photo or select images matching the pattern (image recognition captchas).

The purpose of CAPTCHA verification

Imagine you are running an online store and giving your customers the possibility to write product reviews thanks to the comment system. In this case, you want to make sure that the entries are credible and actually come from your customers or at least from people visiting your site. Instead, you can often find lots of auto-generated spam posts. Some of them may contain, for example, links to a competitor’s store.

Usually such comments are published by bots, and here comes Captcha challenge in order to secure the digital gates. This solution allows for basic user verification and, in consequence, protects the website from unwanted content. After implementation of Captcha, the user can verify himself as a human, and then send the data.

How does CAPTCHA verification work?

There is more than one method of CAPTCHA user verification. The oldest is based on text recognition and fuels text based captchas. Words (or combinations of random letters and numbers) are distorted, mixed, rotated or combined with additional graphics such as colors, lines, dots, or pattern on the background. To solve the test, the user has to decipher distorted text and type the hidden keyword. If it matches, the gate is unlocked. However sometimes really sophisticated, text based captchas are not a bulletproof solution – advanced bots are usually able to break into the digital walls. 

Over time, traditional CAPTCHAs gained more advanced systems than just the verification of the text. Nowadays the most popular form of conducting the test is based on image recognition CAPTCHAs. Instead of blurred words, the user gets an image with specific instructions of solving the test. Often it uses screenshots from Google Maps which serve as graphic material for determining the elements indicated for recognition. From the series of displayed photos the user has to identify images containing e.g. a bus, a motorcycle, a hydrant, etc.

image based captcha - example
Image-based Captcha

Other CAPTCHA verification methods are:

  • Sound recognition – allows blind and visually impaired users to pass the test;
  • Basic mathematical riddles and equations to solve, e.g. 21 + 37;
  • Riddles and minigames (e.g. rebuses).

Unfortunately, it’s worth knowing that none of the early anti-spam methods could provide full protection – most advanced spam bots based on machine learning and artificial intelligence were able to outsmart the system and make CAPTCHA vulnerable. Moreover, the more complex tests significantly lower the website user-friendliness and hurt user interaction. Spam is a problem, but infuriated users won’t buy anything from your store. That’s why a new solution, called reCAPTCHA, had to arise.

I’m Not a Robot! Here Comes Google reCAPTCHA

An alternative to traditional CAPTCHAs is a solution that is much more comfortable for users. Modern CAPTCHAs are equipped with a system called reCAPTCHA – a service that was originally developed at Carnegie Mellon University in Pittsburgh and later acquired by Google. It is able to detect strange behavior and conclude that the user visiting the website may be a computer program. In most cases, to confirm not being a bot the user must click the checkbox “i am not a robot”. Simple as that?

Verseo Ads Banner
Verseo Ads Banner
reCaptcha - screenshot
ReCaptcha – screenshot of a login panel

Not quite. What happens when the visitor is not easy to identify as a human? In this case, the system shows complex reCAPTCHA test. Mostly the images contain plain picture puzzles in which you have to choose all the ones that show something specific. In general, this mechanics is much more user-friendly than conventional CAPTCHA tests, since all many users have to do is to click a simple checkbox and then they can login to their accounts.

reCAPTCHA developers brag – and not without the right to do so – about the effectiveness of their system. The service works in the background, and Google is able to gather information about everyone who clicks on the checkbox, getting the date and localization. In combination with all the data that Google already collected from this user, it can accurately create a behavior profile, which in consequence simplifies the verification. Everyone who tries to dodge this type of profiling, gets hard-to-solve riddles and complicated image based CAPTCHAs to solve.

reCaptcha success rate is hard to estimate, but only small percentage of most advanced bots can pass such tests. reCaptchas are able to block approximately over 99% spam-sending programs.

Should You Implement reCAPTCHA On Your Website?

By using reCAPTCHA you increase the security of your contact forms. You also protect your website content from spam, e.g. suspicious links or unwelcome comments. You can also be sure that your opinion polls will receive responses from real, existing people, and not from bots. The same rule applies to the newsletter: only real and active e-mail addresses will be entered into the database.

Without reCAPTCHA, it is difficult to imagine the existence of online stores. The use of anti-spam verification at the stage of placing an order or user registration increases the security of purchases and transactions on the Internet – one of the foundations of any successful e-commerce business.

However, keep in mind that reCAPTCHA can be a little heavy for web servers. You have to check the parameters of your CMS and website’s hosting and determine if it can handle it without the risk of significant decrease in website’s loading time.

Implementing reCAPTCHA doesn’t directly affect SEO and site rankings in Google or other search engines. Page loading speed is one of over 200 positioning factors, though, so some websites may need to get some changes in the back-end in order to get ready for collision-free reCAPTCHA tests implementation.  And it’s worth it, because the website becomes protected from spam and is therefore more user-friendly.

Food for thought…

While implementing reCAPTCHA, always remember about physically challenged people. It should be designed in such a way that alternative solutions are available to take into account different forms of disability (e.g. blind users who use screen readers and other reCAPTCHA users).

reCAPTCHA Alternatives

reCAPTCHA is by far the most popular anti-spam test in the world. It is not the only solution though – you can check also similar digital Turing tests that can be your ally in the fight against evil bots. You can find, among others:

New call-to-action
New call-to-action
  • Akismet (an anti-spam plugin for WordPress)
  • hCaptcha
  • Honeypot – it is not a single brand, but rather a method of bamboozling bots. In the case of web forms, it can, for example, add a hidden form field – a human can’t see it, but a computer program will likely fill this field, exposing itself as a bot.

Another way is to set up 2FA authentication on your site – such advanced system gives you almost 100% protection, but can be quite demanding from the users when it comes to logging in. Two-Factor authentication secures the process by adding one more verification method than just a login and a password.

How to Turn reCAPTCHA Tests On the Website? Step-by-step Guide

reCaptcha is available in 3 versions (v2 and v3 for individual users and businesses, and Enterprise businesses only) and is a free service for most site owners – if your website doesn’t generate more than 1 million API requests per month, Google won’t charge you a penny. In the Enterprise version, after exceeding this limit, you pay $1 for 1 thousand requests.

1. Sign in or register to Google – you need a basic account.

2. Go to, click “v3 Admin Console” and click “+” (“add a website”);

reCaptcha website screenshot
How to implement recaptcha on the website – step 2

3. Fill in the form – label, domain(s), type of Captcha (older recaptcha v2 or newer v3 – the latest version), e-mail address, etc.;

recaptcha registering panel screenshot
How to implement recaptcha on the website – step 3

4. Read the terms and regulations and tick the checkbox;

5. You will get two reCAPTCHA API keys – a private one and the public one (don’t close this tab in your browser).

How to implement recaptcha on the website – step 5

Now you can get to turning the CAPTCHA on. It can be done by copying and pasting the code into your website. But be careful – it is an interference in the website code, and done in the wrong way may damage the site. If you use WordPress or other popular CMS, you can find many plugins in order to inject the code properly and safely without the risk of making the site incompatible with reCAPTCHA challenge.

Food for thought…

If you use Google reCaptcha, you are obligated to mention that on your web pages. Google prepared a special badge that is located usually in the corner and contains a logo and links to the Policy Privacy and Terms of Service. You can hide it if it’s contrary to your vision of page layout. In this case, Google requires you to mention this information in other way – the example is shown on the image below.

New call-to-action
New call-to-action
recaptcha obligatory note
ReCaptcha in a web form – obligatory note (source: Google Developers)

Good luck and keep the spam bots in Captchivity!

Reduce your advertising costs by  20%!