Overview
With the avalanche of spam, fraudulent orders and fake bots around, you need to take steps beyond a basic WordPress installation to protect your site. To prevent non-human access to areas such as your WordPress login page, contact forms and WooCommerce, you can integrate a CAPTCHA system (which determines if a human is using the computer or not) using technologies such as hCaptcha.
This article will step you through the setup process.
Instructions
There are two parts to the process: first, generate the Site Key and Secret Key from the hCaptcha system, then install the plugin on your website.
Generating the hCaptcha Site Key and Secret Key (New Account)
- Go to the hCaptcha website and Sign Up for a new account (or log in if you already have one). If asked, select Add hCaptcha for Publishers to my website or app:
- You will then be asked to sign up either via your Google account (if you have one) or via email.
- Once your account is created, it will automatically create the first Site Key and Secret Key for you:
- Leave this window or tab open and then proceed to the WordPress plugin installation instructions below.
Generating the hCaptcha Site Key and Secret Key (Existing Account)
- Go to the hCaptcha website and Log In.
- Choose your login method (e.g. Google or Email) and you should then see the hCaptcha Dashboard:
- Go to Sites at the top right of the dashboard:
- Click on New Site, then enter the details. You can give the site a name (so that it’s easier to find in the list), as well as restrict access for that key to your domain name:
- Next, set the Passing Threshold to Auto:
- At the top right of the screen, click Save. This will then return you to the list of existing sites, with your new site located at the top.
- Click on Settings, then the Site Key should be visible at the top:
- To get a copy of your Secret Key, click on your profile image at the top right to open the Account menu, then select Settings:
- The Secret Key (which is common across all sites) will then be displayed:
- Proceed to the WordPress plugin installation instructions below.
hCaptcha WordPress Plugin Installation
- Log in to your WordPress dashboard.
- Go to Plugins -> Add New:
- In the right-hand search box, search for “hCaptcha”. You should see the following result:
- Click Install, then Activate.
- After the plugin has been activated, it will return you to the list of WordPress plugins. Find the hCaptcha plugin in the list, then select Settings:
- Enter the Site Key and Secret Key generated in the instructions above:
- Next, set the hCaptcha Size to Invisible:
This provides the protection and only forces the image matching display if a bot is detected / suspected.
- Then, select which areas you want to enable hCaptcha for. This will involve reviewing your website for the type of contact form/s used, if WooCommerce is installed, what theme is in use and similar. As a bare minimum, you can disable hCaptcha for users who are logged in (since you’ve already verified them) and then enable for logins, password resets, signups and comments:
- Click Save hCaptcha Settings at the bottom of the page.
- In a different browser (or incognito window), open the pages to ensure they’re still functional.
hCaptcha should not be visible on these pages if you selected Invisible above.
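Because the Invisible setting leaves nothing to see, the final check can also be done against the page source. The script below is an added example, not part of the plugin or the hCaptcha service: it scans a page's HTML for the hCaptcha widget, confirms it carries your Site Key and the Invisible size, and flags the Secret Key if it ever shows up in served HTML. It assumes the widget is rendered as an element with class h-captcha and data-sitekey / data-size attributes; the keys and sample pages are constructed placeholders.

```python
from html.parser import HTMLParser


class HCaptchaFinder(HTMLParser):
    """Collects the attributes of every element carrying the h-captcha class."""

    def __init__(self):
        super().__init__()
        self.widgets = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if "h-captcha" in (attr.get("class") or "").split():
            self.widgets.append(attr)


def check_page(html, site_key, secret_key):
    """Return a list of problems found in one page's HTML (empty list = OK)."""
    finder = HCaptchaFinder()
    finder.feed(html)
    problems = []
    # The Secret Key belongs only in the plugin settings, never in served HTML.
    if secret_key and secret_key in html:
        problems.append("Secret Key appears in page source")
    if not finder.widgets:
        problems.append("no hCaptcha widget found")
    for widget in finder.widgets:
        if widget.get("data-sitekey") != site_key:
            problems.append("widget uses an unexpected Site Key")
        if widget.get("data-size") != "invisible":
            problems.append("widget is not set to Invisible")
    return problems


# Constructed placeholder keys and sample pages (not real values).
SITE_KEY = "00000000-0000-0000-0000-000000000000"
SECRET_KEY = "PLACEHOLDER-SECRET-KEY"
LOGIN_OK = ('<form id="loginform"><div class="h-captcha" '
            'data-sitekey="%s" data-size="invisible"></div></form>' % SITE_KEY)
LOGIN_UNPROTECTED = '<form id="loginform"><input name="log"></form>'
LOGIN_MISCONFIGURED = ('<div class="h-captcha" data-sitekey="some-other-key" '
                       'data-size="normal"></div><!-- %s -->' % SECRET_KEY)

if __name__ == "__main__":
    for name, page in [("ok", LOGIN_OK), ("unprotected", LOGIN_UNPROTECTED),
                       ("misconfigured", LOGIN_MISCONFIGURED)]:
        print(name, check_page(page, SITE_KEY, SECRET_KEY) or "OK")
```

To check your own site, pass in the HTML of each protected page (login, password reset, signup, comments), fetched while logged out, together with your real Site Key and Secret Key.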