Most websites have at least some type of form on them – it might be a contact form, a newsletter sign-up form, an event registration form, or a job application form. Often these forms become the target for spam bots – electronic code that attempts to fill out a form making it look somewhat believable (such as a properly formatted name and email), but which then contains links to other websites or code. The intent is to inject your site with malicious code or links, often in an attempt to steal information from your database such as contact information.

The way to get around this is to use a form element called CAPTCHA. The CAPTCHA was created at Carnegie Mellon University in 2000. The name is short for Completely Automated Public Turing test to tell Computers and Humans Apart. Over time the bad guys’ computers have been getting smarter and people have not. So, the CAPTCHAs have to get harder for users, because they’re easier for the computers. As a result there are hundreds of kinds of CAPTCHAs available for form designers. One of the big ones is reCAPTCHA. Google bought that one and now offers it for free. Users have to decipher two words for reCAPTCHA. One of them, usually the easier one, is lifted from an old book. A computerized scanner has failed to read it properly, and reCAPTCHA users get a chance to do the job right, thereby helping Google digitize books. For you, this process helps to keep bots from submitting your forms.

Over time, Google has improved their CAPTCHA tool, with reCAPTCHA v2 to be much easier for users. Now instead of entering text, users can just put their mouse over the checkbox and the tool understands that this is not an automated spam bot. In the fall of 2018, Google released something called reCAPTCHA v3, which uses a behind-the-scenes scoring system to help you detect abusive traffic all over your website without asking users to do anything.

As mentioned, reCAPTCHA is a service provided by Google. It’s free, but requires a site key and secret key. You can easily generate those keys for your site by visiting Google’s reCAPTCHA setup page. Click on the button labeled “Admin Console” in the upper right on this page. Then click on the + icon to register a new site. You should now see a page that looks like this:

Fill out each of these fields and accept the terms of service. For now, use reCAPTCHA v.2 as shown.

As soon as you click on the “submit” button, you will be shown your site key and secret key. You will copy and paste these into your form.

Now you’ll need to create a form. The first thing to do install and activate WPForms. Next, you’ll need to create a WordPress form. If you already have a form created, you simply need to configure reCAPTCHA settings in WordPress. To start, go to WPForms » Settings. Then, click on the reCAPTCHA tab.

Choose v2 reCAPTCHA to add an interactive reCAPTCHA box to your form. Paste your site and secret keys under the reCAPTCHA settings. Be sure to SAVE your settings.


Now, you need to add reCAPTCHA to your WordPress form. This is simple to do. In the form editor, click on the “reCAPTCHA” button.

You will then get a confirmation dialog box as shown:

Save your form and you are ready to add it to your website. Notice that it should say “reCAPTCHA” enabled.

To add this form to your website, copy the shortcode provided and insert it into a page, post, or widget where you want it to appear.

The reCAPTCHA will now appear as part of the form, helping you to greatly eliminate unwanted spam bots from filling out your form.