Understanding reCaptcha including its working principles

reCAPTCHA is a service that website operators can use to distinguish a human from a bot when someone tries to gain access. The tool has evolved: its first form required users to decipher distorted text or match pictures. The next version kept the text and image challenges, but showed them only if the cookie analysis failed. The third generation runs silently as users load pages or click buttons, without any task for visitors.

A decade ago, reCAPTCHA moved to analyzing user behavior in the browser to determine whether the client was a human or a bot. The following year, a new reCAPTCHA API was released that verified a user's humanity by asking them simply to click a single checkbox.

This approach was called "No CAPTCHA reCAPTCHA". However, the user could still be asked to solve an image-matching puzzle if the framework had doubts about the client's humanity. Google additionally introduced another kind of CAPTCHA intended to be more accessible for mobile users.

A few years later, Google presented the new reCAPTCHA, which is invisible to users. Confirmation of humanity happens behind the scenes, without any puzzle, if the client is considered a low-risk user.

reCAPTCHA keeps malicious software from engaging in abusive activity on your site, using an advanced risk analysis engine. In this way, real human users can sign in, browse pages, and shop, while bots are denied these actions.

What Magento problems does reCAPTCHA solve

Since online stores are essentially freely accessible websites, they benefit from checking that a legitimate user has been granted access. CAPTCHA addresses the following problems:

  • Unwanted advertising;
  • Mass posting of links to other resources to manipulate search engine rankings;
  • Survey manipulation;
  • Placing of false orders;
  • Unauthorized access to personal information;
  • Spreading of malicious code.

Where reCAPTCHA can be used

reCAPTCHA can be used to protect both the frontend and the backend of your store.

The admin panel can be protected with reCAPTCHA on the login page and on the page where a user resets their access credentials. reCAPTCHA can be used alongside Commerce CAPTCHA with almost no issues.

The storefront is also protected by reCAPTCHA. It can be used on the customer account login, on the Contact Us form, and in various other customer-facing areas of the frontend.

How to activate reCAPTCHA in a store

To use the reCAPTCHA tool, a store must obtain access credentials for its API. These keys are available at no cost from the official reCAPTCHA site. Before requesting the keys, the store manager should decide which type of reCAPTCHA to use.

There are several available CAPTCHA types:

  • reCAPTCHA v3. An invisible variant whose algorithm scores the user's interaction with the page. The resulting score indicates the probability that the user is human.
  • reCAPTCHA v2 Invisible. Another invisible variant that verifies humanity without direct user interaction. If the algorithm cannot confirm that the user is human, it asks them to solve an image-selection puzzle.
  • reCAPTCHA v2 ("I am not a robot"). This variant places a checkbox on the page for the user to tick, labelled "I am not a robot".

Create reCAPTCHA

  1. Generate the access keys for CAPTCHA: log into your account on the Google reCAPTCHA site, creating a Google account first if necessary.

  2. Give the key pair a label. Each reCAPTCHA type requires its own set of access credentials.

  3. Choose the reCAPTCHA type you want to use.

  4. Specify the domain name of the store for which the keys are generated. If you have multiple stores, each with its own domain name, enter each domain on a new line. Additionally, list all subdomains and virtual machines that will use this CAPTCHA.

  5. Accept the Terms of Service.

  6. Specify whether the tool should send notifications when suspicious traffic is detected.

  7. Submit the data to get the access keys.

Important note: the keys are tied to the reCAPTCHA type they were generated for, and using the wrong pair causes verification errors. For example, keys for reCAPTCHA v2 "I'm not a robot" are not suitable for reCAPTCHA v2 Invisible.

Install reCAPTCHA in Magento2

When the access keys have been generated, it is time to activate the tool in the store. Follow these steps:

  1. Log in with an admin account.
  2. Navigate to Stores > Settings > Configuration. Set the Store View to Default Config, and afterward, expand the Security menu. Click the Google reCAPTCHA panel.
  3. For reCAPTCHA v2 ("I am not a robot"), do the following:

     • Enter the website key in Google API Website Key.
     • Enter the secret key in Google API Secret Key.
     • Choose the size of the puzzle box. It can be regular or compact.
     • Specify a visual theme from the available light or dark.
     • Enter a code to specify the language in the Language Code section.
     • Specify what text should be displayed when the user's humanity validation fails in the Validation Failure Message.

  4. For reCAPTCHA v2 Invisible, specify the same information as above. Additionally, enter the location of the badge in the Invisible Badge Position.
  5. reCAPTCHA v3 Invisible requires identical configuration data. Also, specify a Minimum Score Threshold for identifying the user as a person. Stick to the default 0.5 value unless you have specific requirements.
  6. Ensure that the Use system value checkbox is disabled for each manually configured field. Enable reCAPTCHA for the login and password reset page.
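The secret key and the Minimum Score Threshold configured above are used on the server side: after the widget places a token in the form, the server posts that token and the secret key to Google's siteverify endpoint and decides from the JSON reply. The following added example (not Magento's own code, and not code from the page) shows that decision logic for the three types described above, run offline over constructed sample replies; the hostname `shop.example`, the action name `login` and the `VerifyPolicy`/`evaluate` names are assumptions made for the example.

```python
import json
from dataclasses import dataclass
from typing import Optional, Tuple

# Real verification endpoint: the server POSTs secret=<Google API Secret Key>
# and response=<token the widget placed in the form>; the reply is JSON.
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

@dataclass(frozen=True)
class VerifyPolicy:
    expected_hostname: str          # domain registered when the keys were created
    expected_action: Optional[str]  # v3 action name such as "login"; None for v2
    min_score: float = 0.5          # Magento's default Minimum Score Threshold

def evaluate(body: str, policy: VerifyPolicy) -> Tuple[bool, str]:
    """Decide whether a siteverify reply proves a human for this request.
    Returns (allowed, reason) so the refusal cause can be logged."""
    try:
        reply = json.loads(body)
    except ValueError:
        return False, "unparseable reply"
    if reply.get("success") is not True:
        # e.g. a v2 checkbox secret used for v2 Invisible, or an expired/replayed token
        codes = reply.get("error-codes") or ["unknown"]
        return False, "not verified: " + ",".join(codes)
    if reply.get("hostname") != policy.expected_hostname:
        return False, "token issued for another host"
    if policy.expected_action is None:
        return True, "ok"                      # v2: the success flag is the whole answer
    if reply.get("action") != policy.expected_action:
        return False, "action mismatch"        # v3 token minted on a different form
    score = reply.get("score")
    if not isinstance(score, (int, float)) or score < policy.min_score:
        return False, f"score {score} below threshold {policy.min_score}"
    return True, "ok"

# Constructed sample replies (not captured from Google) for a v3-protected login form.
LOGIN_POLICY = VerifyPolicy("shop.example", "login", 0.5)
SAMPLES = {
    "human":     '{"success": true, "score": 0.9, "action": "login", "hostname": "shop.example"}',
    "bot":       '{"success": true, "score": 0.1, "action": "login", "hostname": "shop.example"}',
    "replayed":  '{"success": true, "score": 0.9, "action": "contact", "hostname": "shop.example"}',
    "wrong_key": '{"success": false, "error-codes": ["invalid-input-secret"]}',
}

def check_all() -> dict:
    """Evaluate every constructed sample against the login policy."""
    return {name: evaluate(body, LOGIN_POLICY) for name, body in SAMPLES.items()}
```

The `wrong_key` sample is what the important note above looks like in practice: a secret from the wrong key type makes every token fail with `invalid-input-secret`, regardless of how the visitor behaved.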

Continue configuring the CAPTCHA for the store frontend:

  1. Navigate to the Security panel and choose reCAPTCHA Storefront.
  2. Specify the configuration information for each reCAPTCHA type. The data fields are identical to the configuration fields for admin.
  3. Ensure that the Use system value for each enabled element is unchecked.
  4. Specify the storefront pages where the tool should be used: login, password reset, new account, Contact Us and Product Review forms, subscriptions, payment forms.
  5. After saving the configuration, navigate to Cache Management to flush your Magento full page cache.


reCAPTCHA is a popular tool for increasing the security of any website. However, it has drawbacks: it distracts customers, who cannot complete an action until the CAPTCHA has been verified. This can hurt the store's usability and, in some cases, reduce conversion rates. Therefore, reCAPTCHA should not be the only measure you rely on for both convenience and security. Apply additional security measures, such as a honeypot. This approach observes how certain actions are performed and uses that behavior for verification.