CityHost.UA

What is CAPTCHA: Understanding the Basic Website Protection Method

03.07.2025

In 2018, British bank HSBC suffered bot attacks aimed at stealing customer passwords; in 2023, a post appeared on Reddit from the administrator of a ticket website reporting 82 000 fake registrations per day; and in February of the same year, Ticketmaster faced massive bot activity, which led to significant disruptions in the operation of its web resource. And these are just a few cases where a classic authentication system could have stopped malicious software, thereby protecting the company’s confidential information and preserving its reputation.

You might think: “These are internet projects of large companies. I just rented cheap hosting and registered a free domain, published my first articles, so harmful bots don’t threaten me”. In reality, such software threatens everyone — from spam comments on informational websites to fake registrations in online stores. And this is where CAPTCHA comes in — a simple yet effective protection against spam bots. Therefore, let’s take a closer look at what CAPTCHA is and how to use it, regardless of the type and size of the web resource.

What is CAPTCHA and What Is It For

CAPTCHA is an automated public test for visitors of online projects that helps distinguish real users from malicious software. The main idea behind CAPTCHA is that there are tasks which are easy for humans but difficult and costly for computers. For example, selecting images with bicycles: a real user will instantly recognize the needed objects, while a bot would have to perform complex computer image processing.

Example of a Google CAPTCHA

Thus, what may seem like a simple technology at first glance actually performs a number of useful functions:

  • prevents spam in contact forms — no need to constantly clear hundreds of junk messages out of your inbox;
  • stops spam comments under articles — preserves reputation, minimizes the risk of lower search engine rankings (comments may contain external links to suspicious sites);
  • provides additional protection from login form attacks — CAPTCHA prevents bots from hacking accounts and stealing user data;
  • blocks fake registrations — helps keep the user database "clean", and you won't have to spend money on unnecessary mailings;
  • maintains site stability — malicious software can be used to scan a web resource and send many requests per minute, and CAPTCHA prevents this, allowing you to maintain high page loading speed and stay within your hosting plan’s resource limits;
  • prevents fake orders — CAPTCHA blocks bots so you don’t waste time searching for real orders among hundreds of "empty" ones, face warehouse issues, or deal with skewed analytics.

CAPTCHA is a time-tested way to protect websites from spam, mass fake account registrations, password guessing, and inflated metrics. It can indeed be considered quite reliable: the task is generated dynamically, the answer is verified on the server side, not on the client side, and each request is unique, meaning it contains hashes or tokens that cannot be predicted.

However, the technology is not infallible: it can be bypassed, but doing so is usually not worth the cost to a bot operator. For example, image recognition requires the use of neural networks, which is quite costly, so it makes no sense for attackers to invest in bypassing CAPTCHA on small websites.

Example of a common Google reCAPTCHA v2 CAPTCHA

In short, the main goal is to raise the cost of an attack for bot operators and to stop mass automated attacks and spam. That’s why CAPTCHA is often the primary protection mechanism on small web resources and a part of the security system on large online projects.


What Types of CAPTCHA Exist: From Text to Behavioral Analysis

The technology has constantly evolved in response to the development of bots and automated attacks. The first concepts appeared between 1997 and 2000, when researchers were looking for a way to distinguish a human from a program. The first CAPTCHA was very simple: an image with distorted text or numbers that the user had to enter into a form. Later, other versions emerged with improved authentication methods such as image recognition, behavioral analysis, and hidden scripts.

The following types of CAPTCHA exist:

  • Classic (text-based) — letters and numbers in various arrangements (standard, tilted, upside down) on a colored background. The task is hard for bots but easy for a human, so verification is reliable without negatively affecting user behavior on the site.
  • Math (mathematical) — solving a simple arithmetic problem, for example, “2+3”.
  • Image (graphic) — selecting images with bicycles, traffic lights, cats, and so on. This type is often used by Google, as it has a huge database from Google Street View. However, it greatly annoys users, since selected images are often replaced by new ones, requiring the test to be repeated.
  • Slider — you need to drag a puzzle piece to complete the image. A sort of mini-puzzle for bored users.
  • Audio — you must listen to a recording and enter the digits or words. Often used as an alternative to other types for visually impaired users.
  • reCAPTCHA v2 — you need to check a box that says “I’m not a robot”. Sometimes a graphic CAPTCHA is added, requiring the selection of specific images.
  • reCAPTCHA v3 (invisible) — no tasks need to be completed. The system analyzes user behavior and determines whether it is malicious software or a real person who simply wants to leave a comment.

You’ve likely encountered the types of CAPTCHA listed above, but there are also hidden user verification methods. These include Honeypot CAPTCHA — an invisible field in a form; if someone fills it out, it’s 100% a bot, since a real user wouldn’t even know there was a check. There’s also Time-based CAPTCHA — it analyzes the speed at which the form is filled out: if the data is entered too quickly, the system suspects malicious software.

It’s worth noting that bots are constantly evolving, so news headlines like “Artificial intelligence solved reCAPTCHA v2 with incredible efficiency” continue to appear. But CAPTCHA isn’t standing still either. One of the newest verification methods is biometric CAPTCHA, which uses facial, voice, or fingerprint recognition to confirm the user is human. Efforts are also being made to improve functionality using neural networks: Adaptive AI CAPTCHA creates unique tasks in real time that adapt to the user.

In February 2025, a groundbreaking system called IllusionCAPTCHA was introduced. It is based on the use of visual illusions to create tasks that are intuitive for humans but incredibly difficult for malicious software. For example, an image of a forest may conceal a specific object or text: a real user will be able to solve the task, although it is more complex than standard CAPTCHAs, while the hidden content remains invisible to artificial intelligence. Plus, the system provides bots with misleading hints designed to lead them to obvious mistakes.



Where CAPTCHA Must Be Used

Malicious software can cause numerous problems that require significant time and money to resolve, so it would seem logical to implement protection as soon as a user lands on a website. However, placing CAPTCHA across an entire web project is an extreme measure needed only in cases of active attacks by automated scanners, parsers, or DDoS bots. Such protection annoys users, lowers conversions, and harms reputation.

We recommend using CAPTCHA for the following website forms:

  • contact forms — no mass spam, automated mailings, or fake requests, which means avoiding bot submissions, preserving real inquiries, and maintaining reputation;
  • registration — protection against fake accounts that could send spam, manipulate ratings and reviews;
  • login — a security mechanism against brute-force password attacks, and consequently, account hacking, data leaks, financial and reputational losses;
  • comments or reviews — no advertising messages or malicious links that not only damage reputation but also negatively impact search engine optimization;
  • shopping cart in an online store — prevention of automated fake orders, helping to avoid distorted analytics, unnecessary processing costs, and logistics issues;
  • internal systems — an additional security layer against unauthorized access to the website’s control panel or data.

CAPTCHA is essential protection for any form that could be useful to hostile software. That’s why it’s important to carefully analyze your online project and implement CAPTCHA in potentially vulnerable areas.


How to Install CAPTCHA on a Website Yourself

The simplest way to protect the admin panel is by using Cityhost’s features. When you register hosting or a domain, purchase a VPS server, or rent a dedicated server with our company, you can enable reCAPTCHA v2 (“I’m not a robot”) on your website’s admin panel directly from the user dashboard. To do this, go to “Hosting 2.0” → “Websites” → “Security” and activate “PROTECTED PAGES (CAPTCHA)”.

Example of a CAPTCHA on the website of the hosting provider Cityhost

To protect other forms on your website using CAPTCHA, the following plugins can help, depending on your content management system:

  • WordPress. A popular option is reCAPTCHA by BestWebSoft — it easily connects Google reCAPTCHA to login forms, comments, and registration. Plus, CAPTCHA is built into widely used form plugins like WPForms and Contact Form 7.
  • OpenCart. Most templates come with built-in support for this technology. There are also many modules available, including Google’s official reCAPTCHA solution.
  • Joomla. Offers a built-in reCAPTCHA plugin to protect all types of forms.
  • Drupal. Also includes a CAPTCHA module with intuitive settings.

How to Add CAPTCHA to a WordPress Site Using the Contact Form 7 Plugin

As an example, let’s look at how to add CAPTCHA to a WordPress site using the Contact Form 7 plugin:

  1. Go to the Google reCAPTCHA admin panel, sign in with your Google account, and fill out the form to register your site. We initially chose version 3 — this is an important point that we’ll cover in more detail after the instructions.

Site registration form in the reCAPTCHA system

  2. Save the Site Key and Secret Key. These are what will allow you to connect Google reCAPTCHA to your WordPress site.

Saving keys for installing reCAPTCHA on the website

  3. Now install CAPTCHA using one of the plugins mentioned above. We'll use Contact Form 7. Simply go to the WordPress admin panel → Contact → Integration.

Integrating CAPTCHA with a WordPress site via the Contact Form 7 plugin

  4. Click Setup Integration, then enter the Site Key and Secret Key.

Adding a CAPTCHA to a website using the Contact Form 7 plugin

If the “Protected by reCAPTCHA” badge appears on the site, the integration was successful. But there’s one important note: Google reCAPTCHA v3 works invisibly — it automatically analyzes user behavior and assigns a score. If a user seems suspicious, the form won’t submit or will show an error.
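
The server-side half of the v3 check, for a form handled by your own code rather than a plugin: the token from the browser is sent to Google's siteverify endpoint together with the Secret Key, and the reply decides whether the form is processed. This is an added example, not Contact Form 7's code; the action name "contact", the host "example.com" and the 0.5 threshold are assumptions, and the sample replies are constructed.

```python
import json
import urllib.parse
import urllib.request

VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def fetch_verdict(secret_key, token, timeout=5):
    """POST the token received from the browser to Google and return the parsed JSON reply."""
    body = urllib.parse.urlencode({"secret": secret_key, "response": token}).encode()
    with urllib.request.urlopen(VERIFY_URL, data=body, timeout=timeout) as resp:
        return json.load(resp)


def accept_submission(verdict, expected_action, expected_host, min_score=0.5):
    """Decide on the server whether to process the form; returns (accepted, reason)."""
    if not verdict.get("success"):
        return False, "rejected: " + ",".join(verdict.get("error-codes", ["unknown"]))
    # The token must come from our own site and from this form's action.
    if verdict.get("hostname") != expected_host:
        return False, "hostname mismatch"
    if verdict.get("action") != expected_action:
        return False, "action mismatch"
    # v3 returns a score instead of a challenge; the threshold is the site's choice.
    if verdict.get("score", 0.0) < min_score:
        return False, "score below threshold"
    return True, "ok"


# Constructed sample replies shaped like the siteverify JSON (not captured traffic).
SAMPLE_HUMAN = {"success": True, "score": 0.9, "action": "contact",
                "hostname": "example.com", "challenge_ts": "2025-07-03T10:00:00Z"}
SAMPLE_BOT = dict(SAMPLE_HUMAN, score=0.1)
SAMPLE_REUSED = {"success": False, "error-codes": ["timeout-or-duplicate"]}
```

The Secret Key is used only in fetch_verdict on the server and must never be placed in page markup; only the Site Key is public.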

How to Add CAPTCHA to a WordPress Site Using the WPForms Plugin

You can also use Google reCAPTCHA v2, in which case an “I’m not a robot” checkbox will appear in your forms. First, register a new project in the Google reCAPTCHA admin panel (it can be for the same site), this time selecting the “Challenge (v2)” CAPTCHA type.

How to create a reCAPTCHA v2 for a website

To better illustrate how easily CAPTCHA integrates with various plugins, let’s walk through a test using WPForms. Go to WPForms → Settings → CAPTCHA, select the version with the checkbox display, enter your keys, and save the settings.

Installing a CAPTCHA on a website via the WordPress WPForms plugin

Next, you need to add reCAPTCHA to a form. Go to All Forms and click on the desired form, then select reCAPTCHA (it will be added automatically) and click Save.

Adding a CAPTCHA widget to a website using WPForms

Now the selected form includes CAPTCHA, which will protect you from spam, fake registrations and orders, and various bot attacks.

Example of displaying reCAPTCHA v2 on a website

And as you’ve probably noticed, adding CAPTCHA to your site takes just a few minutes and doesn’t require paid versions of CMS plugins. You get a time-tested security technology that will save your time and resources, maintain a good reputation in the eyes of your target audience and search engines, and help your web resource grow and generate income!




Author: Bohdana Haivoronska

Journalist (since 2003), IT copywriter (since 2013), content marketer at Cityhost.ua. Specializes in articles about technology, creation and promotion of sites.