
Why You Need CAPTCHA on Your WordPress Website

You’re about to make an online purchase but all of a sudden you’re asked to decode a strangely twisted word, make a simple calculation, or identify which images presented include a bus. What just happened? What is this popup that looks like a cross between a game and a test – but that’s definitely wasting your time?

You were confronted with a CAPTCHA, or Completely Automated Public Turing test to tell Computers and Humans Apart. It’s a method used by website owners to identify human visitors and users, and then allow those logged-in users to make purchases, view pages, or create accounts. It also works as a way to block bots and fraudulent users.

This blog post examines CAPTCHAs, what they’re used for, and how this technology relates to WordPress website security. We’ll also look at the different kinds of CAPTCHA and their limitations.

What is a CAPTCHA?


Don’t let the complicated sounding acronym intimidate you. The concept behind CAPTCHA is not difficult to grasp. It stands for: Completely Automated Public Turing test to tell Computers and Humans Apart. Alan Turing was a highly influential computer scientist from the early twentieth century who worked on ways to distinguish machine responses from human responses in text-only channels. It is a modified version of his ‘Turing test’ that is used in modern CAPTCHAs.

CAPTCHAs are designed to test whether a computer user is human or machine, by asking them to perform a task that a machine or code could not perform. In this way, it provides a proof of personhood before allowing the user to proceed. The assumption is that an automated bot lacks the sophistication to accurately interpret visualized data. CAPTCHA works by distorting visual displays, making it harder for automated mechanisms to process the data.

CAPTCHAs and Website Security

What Problem Do CAPTCHAs Solve?

The problem that CAPTCHAs solve is one of computer security. A CAPTCHA provides a way of authenticating something important about the identity of the user. A CAPTCHA differs from the usual user credential such as a password because it is not designed to authenticate individual identity. Rather, its purpose is to authenticate that the user is human.

However, CAPTCHA and password authentication do share a common structure. They are both forms of challenge-response authentication:

  • With CAPTCHA, the challenge is to reproduce the text presented or identify something (e.g. a pattern) in an image, and the response is the attempt to do so
  • Even more recent and advanced CAPTCHAs, such as reCAPTCHA v3, which analyze behavior rather than reproductions for identification, still use that behavior as the response input from the user
  • A significant difference is that there is no password reset equivalent with CAPTCHA
  • In the case of password authentication, the challenge is the request to enter your password, and the response is the correct password

CAPTCHA as we know it today was created to prevent malicious hackers’ bots from gaining unauthorized access to websites or areas in websites where they could be used to commit fraud. Bots are software apps that can also be used for an array of negative purposes:

  • Unethical marketing practices, e.g. harvesting email and IP addresses
  • Anti-democratic abuse, e.g. interfering with online polls
  • Online website fraud, e.g. breaking into online accounts using brute force attacks, or stealing sensitive data such as login credentials, health files or financial information
  • Malicious online behavior, e.g. spreading spam comments, posting unwanted content or low-quality links, all of which hurts your SEO

What are the Different Types of CAPTCHA?

The nature of CAPTCHA has evolved over time and continues to do so. That leaves you with multiple CAPTCHA options. Some of the older versions are still in use, while the newest version is far from widespread. The general trend over time is to make CAPTCHAs less intrusive, less time consuming, and less detrimental to the user experience (UX). But newer versions do not make the older ones obsolete, although they work very differently.

So what is the difference between CAPTCHA, reCAPTCHA, and NoCAPTCHA?

CAPTCHA

The first version of CAPTCHA was a sequence of letters, numbers, or a combination of the two, displayed as a distorted or twisted picture. Sometimes a background color gradient is added. The task of the user is to decipher this sequence correctly as proof of personhood. There is usually a text box directly below where users can enter what they see.

reCAPTCHA

Types of reCAPTCHA

reCAPTCHA is a Google CAPTCHA service that includes different types of CAPTCHA:

  • reCAPTCHA v1 – shut down since March 2018
  • reCAPTCHA v2 – “I’m not a robot” Checkbox (also known as NoCAPTCHA reCAPTCHA)
  • reCAPTCHA v2 – Invisible reCAPTCHA badge
  • reCAPTCHA Android
  • reCAPTCHA v3

reCAPTCHA v1

The first version of the reCAPTCHA challenge usually contains a full, proper word with no numerals. The word is displayed as an image rather than as plain text, often taking on a distorted appearance similar to the first version of CAPTCHA. A strike-through is added to the text to make it harder for a computer program to decipher it. Other visual rather than verbal versions of reCAPTCHA were used too, such as photographs or objects in a grid, with the challenge to select those that match (all crosswalks, for example). There are also audio and calculation-based CAPTCHAs.

NoCAPTCHA reCAPTCHA

This type takes the form of a checkbox that simply requires a tick from the user, so they can indicate “I’m not a robot”. So it seems simpler, and is, from the user’s viewpoint. But in the background, this CAPTCHA tracks the user’s activity, such as how the cursor moved prior to the interaction, as well as during and after ticking the box. All of this provides information that strongly suggests the user is not a malicious bot running an automated script, since the behavior indicates manual operation.

Invisible reCAPTCHA

This version of CAPTCHA uses neither a checkbox nor any sort of challenge. It is called ‘invisible’ because it works in the background to distinguish bots from humans using a combination of machine learning and risk analysis that can adapt to threats. No challenges are displayed at all if the user is deemed to be of low risk.

reCAPTCHA v3

The latest version of reCAPTCHA verifies the legitimacy of the user without any user interaction. Google’s aim with it is to make the user experience as frictionless as possible.

Other

As well as Advanced NoCAPTCHA & Invisible CAPTCHA, there are other different types of CAPTCHA checks, such as human-assisted OCR (Optical Character Recognition) and TYPE-IN.

Does CAPTCHA Technology Have Limitations and Drawbacks?

CAPTCHA technology has received many different sorts of criticism across the course of its evolution:

  • The completion of CAPTCHA tasks slows down and complicates user tasks that would otherwise be straightforward to perform
  • Many of the CAPTCHA tasks themselves are difficult to complete successfully and result in alienating or even excluding the very human users they are designed to verify
  • Users with visual or auditory processing disorders, those with learning disabilities, or people with dyslexia can find it difficult to complete CAPTCHAs, and report that CAPTCHA methods are discriminatory and act as a violation of their right to access technology, services and data
  • Different concerns have been raised by data and privacy experts over CAPTCHA regarding its potential reliance on tracking cookies and the possible use of data collection for targeted advertising
  • CAPTCHAs are used to keep anti-spam bots out, but they allow human spammers in since they’re designed to let humans pass (check our Still experiencing spam with CAPTCHA on WordPress? blog post)

Other criticisms focus on the different techniques commonly used by malicious hackers to defeat CAPTCHA safeguards:

  • The most sophisticated attempt to bypass CAPTCHA is the use of machine learning to build automated ways to solve CAPTCHA tests, such as the Google AI neural network named LaMDA, which effectively passed a CAPTCHA test. For example, some artificial intelligence companies have developed algorithms that can solve certain CAPTCHA schemes with a high success rate.
  • A more primitive method is to relay CAPTCHA tasks to a workshop of poorly paid human operators who are employed to recognize and decode them in bulk.
  • Malicious hackers have found security vulnerabilities in the CAPTCHA implementation that they can exploit to bypass CAPTCHA barriers. Some CAPTCHA systems are particularly susceptible to brute-force attacks, for example, by which bots enter credentials into a login form with speed and repetition until they gain access.

CAPTCHA and WordPress Websites

You can add CAPTCHA to a WordPress website by means of a CAPTCHA plugin. We also strongly recommend the use of a specialist WordPress CAPTCHA security plugin to harden your WordPress websites and block malicious bots completely. So, what are the characteristics of the best WordPress CAPTCHA plugins?

What WordPress CAPTCHA Plugins to Use


When considering which WordPress CAPTCHA plugin to use, we suggest choosing one that has the following features:

  • A good reCAPTCHA plugin should be able to accommodate various CAPTCHA versions. First, determine which CAPTCHA version best suits your present and future needs, and base your choice around those priorities.
  • You should be able to display it on all the important and vulnerable pages. Of course, this means it must be deployable in multiple areas of your website rather than limited to one page or form.
  • The plugin must work for any other forms or third-party plugins you add to your website. This is especially important if you have an ecommerce website that you want to link with, such as WooCommerce, for example.
  • You should be able to deploy CAPTCHA plugins on single sites and multisite environments

Displaying CAPTCHA at checkout

How to Install CAPTCHA on Your WordPress Website

Although this is not a how-to guide, you may find it helpful if we provide a general overview of what you need to do to have CAPTCHA up and working on your WordPress website.

Step #1 – Select the best plugin that has the features mentioned above
Step #2 – Install and activate this plugin to add CAPTCHA to your WordPress website
Step #3 – Copy the secret keys or site key generated by the Google reCAPTCHA console to add to your website
Step #4 – Create and add Google reCAPTCHA to your website if your plugin uses it, for different versions and to view traffic analytics
Step #5 – Configure your plugin settings to ensure all important pages are secured
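The keys from Step #3 only do their job if the plugin verifies every submitted token on the server. The following is an added example, not code from this post or from any plugin it mentions, of the server-side check a WordPress plugin performs against Google’s siteverify endpoint before a login is allowed through. It assumes the login form carries the `g-recaptcha-response` field that the reCAPTCHA client script populates, and that the secret key is stored in a hypothetical option named `mp_recaptcha_secret`.

```php
<?php
// Added example (not the page's or any plugin's code): verify a reCAPTCHA token
// server-side with the secret key from the Google reCAPTCHA console. Works for
// v2 (no score) and v3 (action + score). Fails closed on any doubt.
function mp_verify_recaptcha_token( $token, $secret, $expected_action = 'login', $min_score = 0.5 ) {
    if ( ! is_string( $token ) || '' === $token ) {
        return new WP_Error( 'captcha_missing', 'CAPTCHA token missing.' );
    }
    $response = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 10,
        'body'    => array(
            'secret'   => $secret,
            'response' => $token,
            'remoteip' => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        ),
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        // An unreachable verifier must not let requests through unchecked.
        return new WP_Error( 'captcha_unavailable', 'CAPTCHA verification unavailable.' );
    }
    $result = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( empty( $result['success'] ) ) {
        return new WP_Error( 'captcha_failed', 'CAPTCHA verification failed.' );
    }
    // v3 responses carry the action name and a 0.0-1.0 score; v2 responses carry neither.
    if ( isset( $result['action'] ) && $result['action'] !== $expected_action ) {
        return new WP_Error( 'captcha_action', 'Token was issued for a different action.' );
    }
    if ( isset( $result['score'] ) && (float) $result['score'] < $min_score ) {
        return new WP_Error( 'captcha_score', 'Request looks automated.' );
    }
    // Reject tokens solved on another host with a copy of our site key.
    // Assumption: the site is served from the host in home_url().
    $host = wp_parse_url( home_url(), PHP_URL_HOST );
    if ( isset( $result['hostname'] ) && $result['hostname'] !== $host ) {
        return new WP_Error( 'captcha_hostname', 'Token was issued for another host.' );
    }
    return true;
}

// Gate the WordPress login: this filter runs after the password check and
// before the session cookie is set, so a failed CAPTCHA blocks the sign-in.
add_filter( 'wp_authenticate_user', function ( $user, $password ) {
    $token = isset( $_POST['g-recaptcha-response'] ) ? wp_unslash( $_POST['g-recaptcha-response'] ) : '';
    $check = mp_verify_recaptcha_token( $token, get_option( 'mp_recaptcha_secret' ), 'login', 0.5 );
    return is_wp_error( $check ) ? $check : $user;
}, 10, 2 );
```

The same function can gate registration, password reset and comment forms by hooking their respective filters with a different expected action name.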

Where to Enable CAPTCHA on Your WordPress Site

Whichever CAPTCHA WordPress plugin you decide to use, once it is installed, activated, and added to your website, you must configure the settings to protect key areas. In other words, CAPTCHA protection must be enabled for all the important and vulnerable pages on your WordPress website. This task is usually performed from a general settings option.

We strongly recommend that you pay keen attention to these pages and forms:

  • All WordPress login forms (for users and admin)
  • Login forms for any ecommerce plugins and other external plugins for WordPress (e.g., WooCommerce login or any login page for ecommerce sites)
  • User registration forms and registration pages
  • Every password reset form and password recovery page
  • Comment forms or any area with a comments section
  • Contact forms
  • All other WordPress forms

CAPTCHA placements

Test the CAPTCHA 4WP Plugin Now

CAPTCHA 4WP is easy to install and configure, offering enhanced security and spam protection. It includes many features and benefits such as multiple CAPTCHA providers, ReCAPTCHA V3 failover, and much, much more! Get started with CAPTCHA 4WP today.

Posted in WordPress Management
Allen Baird

Allen Baird is a Partner in Sensei, a communication consultancy based in Northern Ireland. With a background in business training, Allen became fascinated by the process of managing content development in large organizations. Now, when he's not researching white papers or mapping business processes, you'll find him writing short stories and book reviews.
