Overview

With the avalanche of spam, fraudulent orders and fake bots around, you need to take steps beyond a basic WordPress installation to protect your site. To prevent non-human access to areas such as your WordPress login page, contact forms and WooCommerce, you can integrate a CAPTCHA system (which determines if a human is using the computer or not) using technologies such as hCaptcha.

This article will step you through the setup process.

Tip

hCaptcha is an alternative system to Google’s reCAPTCHA.

Instructions

There are two parts to the process: first, generate the Site Key and Secret Key from the hCaptcha system, then install the plugin on your website.

Generating the hCaptcha Site Key and Secret Key (New Account)

  1. Go to the hCaptcha website and Sign Up for a new account (or log in if you already have one). If asked, select Add hCaptcha for Publishers to my website or app.
  2. You will then be asked to sign up either via your Google account (if you have one) or via email.
  3. Once your account is created, hCaptcha will automatically create the first Site Key and Secret Key for you.
  4. Leave this window or tab open and then proceed to the WordPress plugin installation instructions below.

Generating the hCaptcha Site Key and Secret Key (Existing Account)

  1. Go to the hCaptcha website and Log In.
  2. Choose your login method (e.g., Google or Email) and you should then see the hCaptcha Dashboard.
  3. Go to Sites at the top right of the dashboard.
  4. Click on New Site, then enter the details. You can give the site a name (so that it’s easier to find in the list), as well as restrict access for that key to your domain name.
  5. Next, set the Passing Threshold to Auto.
  6. At the top right of the screen, click Save. This will then return you to the list of existing sites, with your new site located at the top.
  7. Click on Settings; the Site Key should be visible at the top.
  8. To get a copy of your Secret Key, click on your profile image at the top right to open the Account menu, then select Settings.
  9. The Secret Key (which is common across all sites) will then be displayed.
  10. Proceed to the WordPress plugin installation instructions below.

hCaptcha WordPress Plugin Installation

  1. Log in to your WordPress dashboard.
  2. Go to Plugins -> Add New.
  3. In the right-hand search box, search for “hCaptcha”. The hCaptcha plugin should appear in the results.
  4. Click Install, then Activate.
  5. After the plugin has been activated, it will return you to the list of WordPress plugins. Find the hCaptcha plugin in the list, then select Settings.
  6. Enter the Site Key and Secret Key generated in the instructions above.
  7. Next, set the hCaptcha Size to Invisible.
    This keeps the protection in place and only shows the image-matching challenge if a bot is detected or suspected.
  8. Then, select which areas you want to enable hCaptcha for. This will involve reviewing your website for the type of contact form(s) used, whether WooCommerce is installed, what theme is in use and similar. As a bare minimum, you can disable hCaptcha for users who are logged in (since you’ve already verified them) and then enable it for logins, password resets, signups and comments.
  9. Click Save hCaptcha Settings at the bottom of the page.
  10. In a different browser (or incognito window), open the pages to ensure they’re still functional.
    hCaptcha should not be visible on these pages if you selected Invisible above.

Advice

Ensure you only ever have one CAPTCHA plugin or integration for your site to avoid conflicts.
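
A scripted version of the check in step 10 and of the single-CAPTCHA advice above, as an added example that is not part of the original article or the hCaptcha plugin: it inspects a page's HTML for the hCaptcha widget, its site key and size, any second CAPTCHA provider, and a leaked Secret Key. The keys, the sample markup, and the assumption that the widget is an element with class h-captcha carrying data-sitekey and data-size attributes are constructed for illustration.

```python
from html.parser import HTMLParser
# Script URL fragments that identify each CAPTCHA provider's client library.
PROVIDER_SCRIPTS = {
    "hcaptcha": "hcaptcha.com/1/api.js",
    "recaptcha": "google.com/recaptcha/",
    "turnstile": "challenges.cloudflare.com/turnstile/",
}

class CaptchaAudit(HTMLParser):
    """Collects hCaptcha widgets and CAPTCHA provider scripts from a page."""
    def __init__(self):
        super().__init__()
        self.widgets = []       # (sitekey, size) for each hCaptcha widget
        self.providers = set()  # providers whose script tag is present

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            for name, marker in PROVIDER_SCRIPTS.items():
                if marker in a.get("src", ""):
                    self.providers.add(name)
        elif "h-captcha" in a.get("class", "").split() and "data-sitekey" in a:
            self.widgets.append((a["data-sitekey"], a.get("data-size", "normal")))

def audit_page(html, site_key, secret_key):
    """Return a list of findings; an empty list means the page passed."""
    p = CaptchaAudit()
    p.feed(html)
    findings = []
    if not p.widgets:
        findings.append("no hCaptcha widget found")
    for key, size in p.widgets:
        if key != site_key:
            findings.append(f"unexpected site key: {key}")
        if size != "invisible":
            findings.append(f"widget size is '{size}', expected 'invisible'")
    extra = sorted(p.providers - {"hcaptcha"})
    if extra:
        findings.append("other CAPTCHA provider loaded: " + ", ".join(extra))
    if secret_key in html:  # the Secret Key must stay server-side only
        findings.append("Secret Key is exposed in page source")
    return findings

# Constructed sample: placeholder keys and hand-written login page markup.
SITE_KEY, SECRET_KEY = "00000000-aaaa-bbbb-cccc-000000000000", "SECRET-PLACEHOLDER"
SAMPLE = f'''<form id="loginform"><div class="h-captcha" data-sitekey="{SITE_KEY}"
data-size="invisible"></div></form><script src="https://js.hcaptcha.com/1/api.js"></script>'''

print(audit_page(SAMPLE, SITE_KEY, SECRET_KEY) or "OK")
```

To audit your own site, pass the HTML of a protected page (fetched while logged out) and your own keys in place of the sample values.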
