
- What is CAPTCHA and What Is It For
- What Types of CAPTCHA Exist: From Text to Behavioral Analysis
- Where CAPTCHA Must Be Used
- How to Install CAPTCHA on a Website Yourself
- How to Add CAPTCHA to a WordPress Site Using the Contact Form 7 Plugin
- How to Add CAPTCHA to a WordPress Site Using the WPForms Plugin
In 2018, British bank HSBC suffered bot attacks aimed at stealing customer passwords; in 2023, a post appeared on Reddit from the administrator of a ticket website reporting 82,000 fake registrations per day; and in February of the same year, Ticketmaster faced massive bot activity, which significantly disrupted the operation of its website. These are just a few cases where a classic authentication system could have stopped malicious software, thereby protecting the company’s confidential information and preserving its reputation.
You might think: “These are internet projects of large companies. I just rented cheap hosting and registered a free domain, published my first articles, so harmful bots don’t threaten me”. In reality, such software threatens everyone — from spam comments on informational websites to fake registrations in online stores. And this is where CAPTCHA comes in — a simple yet effective protection against spam bots. Therefore, let’s take a closer look at what CAPTCHA is and how to use it, regardless of the type and size of the web resource.
What is CAPTCHA and What Is It For
CAPTCHA is an automated public test for visitors of online projects that helps distinguish real users from malicious software. The main idea behind CAPTCHA is that there are tasks which are easy for humans but difficult and costly for computers. For example, selecting images with bicycles: a real user will instantly recognize the needed objects, while a bot would have to perform complex computer image processing.
Thus, what may seem like a simple technology at first glance actually performs a number of useful functions:
- prevents spam in contact forms — no need to constantly clean your inbox from hundreds of junk messages;
- stops spam comments under articles — preserves reputation, minimizes the risk of lower search engine rankings (comments may contain external links to suspicious sites);
- provides additional protection from login form attacks — CAPTCHA prevents bots from hacking accounts and stealing user data;
- blocks fake registrations — helps keep the user database "clean", and you won't have to spend money on unnecessary mailings;
- maintains site stability — malicious software can be used to scan a web resource and send many requests per minute, and CAPTCHA prevents this, allowing you to maintain high page loading speed and stay within your hosting plan’s resource limits;
- prevents fake orders — CAPTCHA blocks bots so you don’t waste time searching for real orders among hundreds of "empty" ones, face warehouse issues, or deal with skewed analytics.
CAPTCHA is a time-tested way to protect websites from spam, mass fake account registrations, password guessing, and inflated metrics. It can indeed be considered quite reliable: the task is generated dynamically, the answer is verified on the server side, not on the client side, and each request is unique, meaning it contains hashes or tokens that cannot be predicted.
However, the technology is not infallible: it can be bypassed, but doing so is not profitable for attackers. For example, image recognition requires neural networks, which is quite costly, so it makes no sense for attackers to invest in bypassing CAPTCHA on small websites.
In short, the main goal is to raise the cost of an attack for bot operators and to stop mass automated attacks and spam. That’s why CAPTCHA is often the primary protection mechanism on small web resources and a part of the security system on large online projects.
What Types of CAPTCHA Exist: From Text to Behavioral Analysis
The technology has constantly evolved in response to the development of bots and automated attacks. The first concepts appeared between 1997 and 2000, when researchers were looking for a way to distinguish a human from a program. The first CAPTCHA was very simple: an image with distorted text or numbers that the user had to enter into a form. Later, other versions emerged with improved authentication methods such as image recognition, behavioral analysis, and hidden scripts.
The following types of CAPTCHA exist:
- Classic (text-based) — letters and numbers in various arrangements (standard, tilted, upside down) on a colored background. The task is hard for bots but easy for a human, so verification is reliable without negatively affecting user behavior on the site.
- Math (mathematical) — solving a simple arithmetic problem, for example, “2+3”.
- Image (graphic) — selecting images with bicycles, traffic lights, cats, and so on. This type is often used by Google, as it has a huge database from Google Street View. However, it greatly annoys users, since selected images are often replaced by new ones, requiring the test to be repeated.
- Slider — you need to drag a puzzle piece to complete the image. A sort of mini-puzzle for bored users.
- Audio — you must listen to a recording and enter the digits or words. Often used as an alternative to other types for visually impaired users.
- reCAPTCHA v2 — you need to check a box that says “I’m not a robot”. Sometimes a graphic CAPTCHA is added, requiring the selection of specific images.
- reCAPTCHA v3 (invisible) — no tasks need to be completed. The system analyzes user behavior and determines whether it is malicious software or a real person who simply wants to leave a comment.
You’ve likely encountered the types of CAPTCHA listed above, but there are also hidden user verification methods. These include Honeypot CAPTCHA — an invisible field in a form; if someone fills it out, it’s 100% a bot, since a real user wouldn’t even know there was a check. There’s also Time-based CAPTCHA — it analyzes the speed at which the form is filled out: if the data is entered too quickly, the system suspects malicious software.
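The two hidden checks described above can be combined in one server-side routine. The following is an added example, not code from the article or from any plugin; the key, the field names `website` and `form_token`, and the time thresholds are assumptions chosen for illustration.

```python
import hashlib
import hmac
import time

# Assumptions for this sketch: key, field names and thresholds are illustrative.
SECRET_KEY = b"replace-with-a-random-server-side-key"
HONEYPOT_FIELD = "website"     # hidden with CSS; real visitors never see it
MIN_FILL_SECONDS = 3           # a form completed faster than this looks automated
MAX_FORM_AGE_SECONDS = 3600    # stale tokens are rejected, which limits replay


def _sign(ts):
    return hmac.new(SECRET_KEY, ts.encode(), hashlib.sha256).hexdigest()


def issue_form_token(now=None):
    """Return 'timestamp.signature' to embed in a hidden field at render time."""
    ts = str(int(now if now is not None else time.time()))
    return f"{ts}.{_sign(ts)}"


def check_submission(form, now=None):
    """Return (accepted, reason) for a submitted form given as a dict."""
    now = now if now is not None else time.time()
    # Honeypot: any value in the hidden field marks the request as automated.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot_filled"
    ts, _, sig = form.get("form_token", "").partition(".")
    if not (ts.isascii() and ts.isdigit()):
        return False, "bad_token"
    # The timestamp is signed, so a client cannot forge or back-date it.
    # compare_digest avoids leaking the signature through timing differences.
    if not hmac.compare_digest(sig.encode(), _sign(ts).encode()):
        return False, "bad_token"
    elapsed = now - int(ts)
    if elapsed < MIN_FILL_SECONDS:
        return False, "too_fast"
    if elapsed > MAX_FORM_AGE_SECONDS:
        return False, "expired"
    return True, "ok"
```

Give the hidden field `autocomplete="off"` and `tabindex="-1"` so browser autofill and keyboard navigation do not trip it for real visitors.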
It’s worth noting that bots are constantly evolving, so news headlines like “Artificial intelligence solved reCAPTCHA v2 with incredible efficiency” continue to appear. But CAPTCHA isn’t standing still either. One of the newest verification methods is biometric CAPTCHA, which uses facial, voice, or fingerprint recognition to confirm the user is human. Efforts are also being made to improve functionality using neural networks: Adaptive AI CAPTCHA creates unique tasks in real time that adapt to the user.
In February 2025, a groundbreaking system called IllusionCAPTCHA was introduced. It is based on the use of visual illusions to create tasks that are intuitive for humans but incredibly difficult for malicious software. For example, an image of a forest may conceal a specific object or text: a real user will be able to solve the task, although it is more complex than standard CAPTCHAs, while the hidden content remains invisible to artificial intelligence. Plus, the system provides bots with misleading hints designed to lead them to obvious mistakes.
Where CAPTCHA Must Be Used
Malicious software can cause numerous problems that require significant time and money to resolve, so it would seem logical to implement protection as soon as a user lands on a website. However, placing CAPTCHA across an entire web project is an extreme measure needed only in cases of active attacks by automated scanners, parsers, or DDoS bots. Such protection annoys users, lowers conversions, and harms reputation.
We recommend using CAPTCHA for the following website forms:
- contact forms — no mass spam, automated mailings, or fake requests, which means avoiding bot submissions, preserving real inquiries, and maintaining reputation;
- registration — protection against fake accounts that could send spam, manipulate ratings and reviews;
- login — a security mechanism against brute-force password attacks, and consequently, account hacking, data leaks, financial and reputational losses;
- comments or reviews — no advertising messages or malicious links that not only damage reputation but also negatively impact search engine optimization;
- shopping cart in an online store — prevention of automated fake orders, helping to avoid distorted analytics, unnecessary processing costs, and logistics issues;
- internal systems — an additional security layer against unauthorized access to the website’s control panel or data.
CAPTCHA is essential protection for any form that could be useful to hostile software. That’s why it’s important to carefully analyze your online project and implement CAPTCHA in potentially vulnerable areas.
How to Install CAPTCHA on a Website Yourself
The simplest way to protect the admin panel is by using Cityhost’s features. When you register hosting or a domain, purchase a VPS server, or rent a dedicated server with our company, you can enable reCAPTCHA v2 (“I’m not a robot”) on your website’s admin panel directly from the user dashboard. To do this, go to “Hosting 2.0” → “Websites” → “Security” and activate “PROTECTED PAGES (CAPTCHA)”.
To protect other forms on your website using CAPTCHA, the following plugins can help, depending on your content management system:
- WordPress. A popular option is reCAPTCHA by BestWebSoft — it easily connects Google reCAPTCHA to login forms, comments, and registration. Plus, CAPTCHA is built into widely used form plugins like WPForms and Contact Form 7.
- OpenCart. Most templates come with built-in support for this technology. There are also many modules available, including Google’s official reCAPTCHA solution.
- Joomla. Offers a built-in reCAPTCHA plugin to protect all types of forms.
- Drupal. Also includes a CAPTCHA module with intuitive settings.
How to Add CAPTCHA to a WordPress Site Using the Contact Form 7 Plugin
As an example, let’s look at how to add CAPTCHA to a WordPress site using the Contact Form 7 plugin:
- Go to the Google reCAPTCHA admin panel, sign in with your Google account, and fill out the form to register your site. We initially chose version 3 — this is an important point that we’ll cover in more detail after the instructions.
- Save the Site Key and Secret Key. These are what will allow you to connect Google reCAPTCHA to your WordPress site.
- Now install CAPTCHA using one of the plugins mentioned above. We'll use Contact Form 7. Simply go to the WordPress admin panel → Contact → Integration.
- Click Setup Integration, then enter the Site Key and Secret Key.
If the “Protected by reCAPTCHA” badge appears on the site, the integration was successful. But there’s one important note: Google reCAPTCHA v3 works invisibly — it automatically analyzes user behavior and assigns a score. If a user seems suspicious, the form won’t submit or will show an error.
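Contact Form 7 makes this decision for you, but the logic behind "assigns a score" is worth seeing. The following is an added example, not the plugin's code: it evaluates a parsed response from Google's `siteverify` endpoint. The threshold, the action name `contact`, the host `example.com` and the sample responses are assumptions constructed for illustration.

```python
import json
import urllib.parse
import urllib.request

VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
SCORE_THRESHOLD = 0.5  # assumption: tune per form from your own traffic


def fetch_verdict(secret_key, token, timeout=5):
    """POST the client token with the Secret Key to siteverify (needs network)."""
    body = urllib.parse.urlencode({"secret": secret_key, "response": token}).encode()
    with urllib.request.urlopen(VERIFY_URL, data=body, timeout=timeout) as resp:
        return json.load(resp)


def evaluate(verdict, expected_action, expected_host, threshold=SCORE_THRESHOLD):
    """Decide whether to accept a form given a parsed siteverify response."""
    if not verdict.get("success"):
        return False, "rejected:" + ",".join(verdict.get("error-codes", ["unknown"]))
    # A token minted for another form or another site must not pass here.
    if verdict.get("action") != expected_action:
        return False, "action_mismatch"
    if verdict.get("hostname") != expected_host:
        return False, "hostname_mismatch"
    score = verdict.get("score")
    # Scores run from 0.0 (likely a bot) to 1.0 (likely a human).
    if not isinstance(score, (int, float)) or score < threshold:
        return False, "low_score"
    return True, "ok"


# Constructed sample responses (not real captures), shaped like siteverify output.
SAMPLE_HUMAN = {"success": True, "score": 0.9, "action": "contact",
                "hostname": "example.com", "challenge_ts": "2025-01-01T00:00:00Z"}
SAMPLE_BOT = dict(SAMPLE_HUMAN, score=0.1)
SAMPLE_REPLAY = {"success": False, "error-codes": ["timeout-or-duplicate"]}
```

The Secret Key stays on the server and is only ever sent to `siteverify`; the Site Key is the one embedded in the page.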
How to Add CAPTCHA to a WordPress Site Using the WPForms Plugin
You can also use Google reCAPTCHA v2, in which case an “I’m not a robot” checkbox will appear in your forms. First, in the Google reCAPTCHA admin panel, register a new project (it can be for the same site), this time selecting the “Challenge (v2)” CAPTCHA type.
To better illustrate how easily CAPTCHA integrates with various plugins, let’s walk through a test using WPForms. Go to WPForms → Settings → CAPTCHA, select the version with the checkbox display, enter your keys, and save the settings.
Next, you need to add reCAPTCHA to a form. Go to All Forms and click on the desired form, then select reCAPTCHA (it will be added automatically) and click Save.
Now the selected form includes CAPTCHA, which will protect you from spam, fake registrations and orders, and various bot attacks.
And as you’ve probably noticed, adding CAPTCHA to your site takes just a few minutes and doesn’t require paid versions of CMS plugins. You get a time-tested security technology that will save your time and resources, maintain a good reputation in the eyes of your target audience and search engines, and help your web resource grow and generate income!