
CAPTCHA Protection

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) adds verification to your login page, ensuring that login attempts are made by humans, not automated bots.

Guard Dog supports four major CAPTCHA providers, each with different strengths and use cases.

Supported CAPTCHA Providers

Google reCAPTCHA v3 (Recommended for Most Sites)

How it works: Invisible verification that analyzes user behavior and assigns a risk score. No user interaction required.

Pros:

  • ✅ Invisible – no user interaction needed
  • ✅ Best user experience
  • ✅ Highly effective against bots
  • ✅ Free for most sites

Cons:

  • ❌ Uses Google tracking/cookies
  • ❌ Less privacy-friendly
  • ❌ Requires Google account

Best for: Sites prioritizing user experience over privacy

Get reCAPTCHA v3 Keys

Google reCAPTCHA v2

How it works: Traditional checkbox “I’m not a robot” with optional image challenges.

Pros:

  • ✅ Widely recognized
  • ✅ Effective protection
  • ✅ User sees verification is happening
  • ✅ Free for most sites

Cons:

  • ❌ Requires user interaction (checkbox click)
  • ❌ May show image challenges (annoying)
  • ❌ Uses Google tracking/cookies
  • ❌ Accessibility concerns

Best for: Sites where users expect traditional CAPTCHA

Get reCAPTCHA v2 Keys

hCaptcha (Recommended for Privacy)

How it works: Privacy-focused alternative with image challenges. No tracking across sites.

Pros:

  • ✅ Privacy-focused (no cross-site tracking)
  • ✅ Accessible challenges
  • ✅ GDPR compliant
  • ✅ Free for most sites
  • ✅ Sites can earn rewards

Cons:

  • ❌ Requires user interaction
  • ❌ May show challenging puzzles
  • ❌ Less widely recognized

Best for: Privacy-conscious sites, GDPR compliance

Get hCaptcha Keys

Cloudflare Turnstile (Recommended for Performance)

How it works: Modern, privacy-first alternative that’s usually invisible. Uses browser challenges instead of tracking.

Pros:

  • ✅ Privacy-first (no cookies/tracking)
  • ✅ Usually invisible
  • ✅ Fast and lightweight
  • ✅ Free
  • ✅ No Google dependency

Cons:

  • ❌ Newer service (less established)
  • ❌ Requires Cloudflare account
  • ❌ May occasionally show challenges

Best for: Modern sites wanting privacy + good UX

Get Turnstile Keys


Choosing the Right Provider

| Priority | Recommended Provider |
|---|---|
| Best user experience | Google reCAPTCHA v3 or Cloudflare Turnstile |
| Privacy & GDPR compliance | hCaptcha or Cloudflare Turnstile |
| Traditional verification | Google reCAPTCHA v2 |
| Performance & speed | Cloudflare Turnstile |
| No Google services | hCaptcha or Cloudflare Turnstile |

Setting Up CAPTCHA

Step 1: Get Your API Keys

Each provider requires you to register your site and get two keys:

  1. Site Key (Public Key) – Used in your website’s HTML
  2. Secret Key (Private Key) – Used for server-side verification

Getting Google reCAPTCHA Keys

  1. Go to Google reCAPTCHA Admin
  2. Sign in with your Google account
  3. Fill out the registration form:
       • Label: Your site name (for your reference)
       • reCAPTCHA type: Choose v2 or v3
       • Domains: Enter your domain (e.g., example.com)
  4. Accept the terms of service
  5. Click Submit
  6. Copy both the Site Key and Secret Key

Getting hCaptcha Keys

  1. Go to hCaptcha
  2. Click Sign Up and create an account
  3. After login, go to Sites → Add Site
  4. Enter your domain and settings
  5. Copy both the Site Key and Secret Key from the site details

Getting Cloudflare Turnstile Keys

  1. Go to Cloudflare
  2. Sign in or create an account
  3. Navigate to Turnstile in the left sidebar
  4. Click Add Site
  5. Enter your domain and choose settings
  6. Copy both the Site Key and Secret Key

Step 2: Configure in Guard Dog

  1. Navigate to Guard Dog → CAPTCHA in your WordPress admin
  2. Select your CAPTCHA Provider from the dropdown
  3. Enter your Site Key
  4. Enter your Secret Key
  5. Configure display options (see below)
  6. Click Save Changes

Step 3: Test Your CAPTCHA

  1. Open a private/incognito browser window
  2. Navigate to your login page
  3. Verify the CAPTCHA appears (or works invisibly)
  4. Complete the login process
  5. Confirm successful login

Display Options

Theme (reCAPTCHA v2 and hCaptcha)

Controls the color scheme:

  • Light: White background (default, best for most sites)
  • Dark: Black background (for dark-themed login pages)

The theme should match your site’s login page design.

Size (reCAPTCHA v2)

Controls the checkbox size:

  • Normal: Standard size (default, recommended)
  • Compact: Smaller size (for mobile or tight spaces)

Score Threshold (reCAPTCHA v3 Only)

reCAPTCHA v3 assigns a risk score from 0.0 (likely bot) to 1.0 (likely human). You can set the minimum acceptable score:

  • 0.1-0.3: Very lenient (may allow some bots)
  • 0.4-0.5: Balanced (recommended for most sites)
  • 0.6-0.7: Strict (may block some humans)
  • 0.8-0.9: Very strict (may frustrate users)

Default: 0.5 – This is a good balance for most sites.

If you see legitimate users being blocked, lower the threshold. If you see bots getting through, raise it.


Custom Error Messages

You can customize the error message shown when CAPTCHA verification fails:

  1. Go to Guard Dog → CAPTCHA
  2. Find Custom Error Message
  3. Enter your message (or leave blank for default)
  4. Click Save Changes

Default message: “CAPTCHA verification failed. Please try again.”

Custom examples:

  • “Security verification failed. Please complete the verification and try again.”
  • “We couldn’t verify you’re human. Please try the verification again.”
  • “Verification unsuccessful. Refresh the page and try again.”

CAPTCHA Placement

Guard Dog automatically adds CAPTCHA to these pages:

  • Login page (/wp-login.php or your custom login URL)
  • Password reset page (lost password form)
  • Registration page (if registration is enabled)

The CAPTCHA appears above the submit button on each form.


Using CAPTCHA with Other Features

With Custom Login URL

CAPTCHA works seamlessly with custom login URLs. When you change your login URL, the CAPTCHA automatically appears on the new URL.

With Two-Factor Authentication

The flow when both are enabled:

  1. User enters username and password
  2. User completes CAPTCHA
  3. Login form is submitted
  4. 2FA code is requested
  5. User enters 2FA code
  6. User is logged in

Both protections work together – CAPTCHA stops bots, 2FA protects against stolen passwords.

With Login Attempt Limiting

CAPTCHA and login limiting complement each other:

  • CAPTCHA prevents automated attempts
  • Login limiting stops repeated manual attempts

If a bot bypasses CAPTCHA (unlikely), login limiting still provides protection.


Privacy & Data Usage

What Data is Sent to CAPTCHA Providers?

When a user accesses your login page with CAPTCHA enabled:

Google reCAPTCHA (v2 and v3):

  • User’s IP address
  • Mouse movements and timing data
  • Cookies for tracking across sites
  • Browser and device information

hCaptcha:

  • User’s IP address (for verification only)
  • Challenge responses
  • NO cross-site tracking
  • Minimal browser information

Cloudflare Turnstile:

  • Browser signals (non-interactive)
  • IP address (for verification)
  • NO tracking cookies
  • Minimal personal data

Privacy Policies

You should update your site’s privacy policy to mention CAPTCHA usage:

Example text:

This site uses [Provider Name] to prevent automated abuse. [Provider Name] may collect information about your visit, including your IP address and browser information. See Provider’s Privacy Policy for details.

Links to provider privacy policies:


Troubleshooting

CAPTCHA Not Appearing

Possible causes:

  1. JavaScript errors – Check browser console for errors
  2. Plugin conflict – Another plugin blocking JavaScript
  3. Theme conflict – Theme CSS hiding the CAPTCHA
  4. Ad blocker – Browser extension blocking CAPTCHA

Solutions:

  1. Check browser console (F12) for JavaScript errors
  2. Temporarily switch to a default WordPress theme
  3. Disable other plugins one by one to find conflicts
  4. Try a different browser or disable ad blockers
  5. Clear browser and site caches

CAPTCHA Verification Always Fails

Possible causes:

  1. Wrong Secret Key – Site Key and Secret Key don’t match
  2. Wrong provider – Keys are from a different provider than the one selected
  3. Domain mismatch – Site not registered with CAPTCHA provider
  4. Localhost testing – Some providers don’t work on localhost

Solutions:

  1. Verify you’re using the correct Site Key and Secret Key
  2. Ensure provider dropdown matches your key provider
  3. Add your domain to the provider’s allowed domains
  4. For local testing, add localhost to allowed domains
  5. Check for server firewall blocking provider API
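
The causes above can usually be told apart from the JSON body a provider returns for its server-side verification call. The following is an added example, not Guard Dog's own code: a hypothetical `evaluate` helper that reads a reCAPTCHA-style response (`success`, `error-codes`, `hostname`, `score`), maps error codes to the causes listed here, checks the hostname the token was solved on, and applies the Score Threshold described earlier. The sample bodies and `example.com` are constructed.

```python
import json

# Error codes from the reCAPTCHA siteverify JSON, mapped to this page's causes.
ERROR_HINTS = {
    "missing-input-secret": "no Secret Key was sent (setting empty?)",
    "invalid-input-secret": "Secret Key rejected (wrong key or wrong provider)",
    "missing-input-response": "no token was submitted (widget did not run)",
    "invalid-input-response": "token is invalid or malformed",
    "timeout-or-duplicate": "token expired or was already verified",
    "bad-request": "verification request was malformed",
}

# Constructed sample response bodies, not captured from a real site.
SAMPLES = {
    "human": '{"success": true, "score": 0.9, "hostname": "example.com"}',
    "borderline": '{"success": true, "score": 0.4, "hostname": "example.com"}',
    "bad_secret": '{"success": false, "error-codes": ["invalid-input-secret"]}',
    "other_domain": '{"success": true, "score": 0.9, "hostname": "shop.example.net"}',
    "checkbox": '{"success": true, "hostname": "example.com"}',
    "not_json": "<html>403 Forbidden</html>",
}

def evaluate(body, expected_host, threshold=None):
    """Hypothetical helper: return (allow, reason) for one verification body.

    Pass threshold only when reCAPTCHA v3 is the selected provider.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return False, "body is not JSON (firewall or proxy answering instead?)"
    if not isinstance(data, dict) or data.get("success") is not True:
        codes = data.get("error-codes", []) if isinstance(data, dict) else []
        return False, "; ".join(ERROR_HINTS.get(str(c), str(c)) for c in codes) or "rejected"
    if data.get("hostname") != expected_host:
        return False, f"token solved on {data.get('hostname')!r}, not {expected_host!r}"
    if threshold is None:
        return True, "verified (no score check requested)"
    score = data.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return False, "no score in response (keys are not reCAPTCHA v3 keys?)"
    if score < threshold:
        return False, f"score {score} is below threshold {threshold}"
    return True, f"score {score} meets threshold {threshold}"

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:13}", evaluate(body, "example.com", threshold=0.5))
```

The `borderline` sample is rejected at the default 0.5 and accepted at 0.3, which is the effect of lowering the threshold when legitimate users are being blocked.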

reCAPTCHA v3 Blocking Legitimate Users

Symptoms: Real users can’t log in, see CAPTCHA error

Cause: Score threshold too strict

Solution:

  1. Go to Guard Dog → CAPTCHA
  2. Lower the Score Threshold to 0.3 or 0.4
  3. Save and test
  4. Gradually increase if needed

CAPTCHA Appearing in Wrong Location

Cause: Theme CSS conflicts

Solution:

  1. Add custom CSS to position the CAPTCHA
  2. Contact theme developer about compatibility
  3. Switch to a standard WordPress theme temporarily

Different CAPTCHA on Mobile

Cause: Some providers show different challenges on mobile devices

Solution: This is normal behavior. Test on actual mobile devices to ensure it works correctly.


Advanced Configuration

Testing CAPTCHA

You can test CAPTCHA without logging out:

Method 1: Incognito Window

  1. Open incognito/private browsing
  2. Go to your login page
  3. Complete CAPTCHA and log in

Method 2: Lost Password Form

  1. Go to login page
  2. Click “Lost your password?”
  3. CAPTCHA appears on this form too

Monitoring CAPTCHA Performance

Check your CAPTCHA provider’s dashboard:

Google reCAPTCHA:

hCaptcha:

  • Log in to hCaptcha dashboard
  • Check solve rates and analytics

Cloudflare Turnstile:

  • Log in to Cloudflare
  • View Turnstile analytics

Switching Providers

To change CAPTCHA providers:

  1. Get API keys from the new provider
  2. Go to Guard Dog → CAPTCHA
  3. Select new provider from dropdown
  4. Enter new Site Key and Secret Key
  5. Configure options for new provider
  6. Save changes
  7. Test immediately

No need to remove the old provider’s keys – they’re simply not used.


Best Practices

  1. Test thoroughly after enabling CAPTCHA
  2. Check mobile experience – CAPTCHA should work on phones/tablets
  3. Monitor false positives – Are legitimate users being blocked?
  4. Keep keys secure – Never share your Secret Key publicly
  5. Update privacy policy – Mention CAPTCHA data collection
  6. Start lenient – Use lower thresholds initially, tighten if needed
  7. Have a backup plan – Know how to disable CAPTCHA if issues arise

FAQ

Q: Do I need CAPTCHA if I have a custom login URL?
A: Yes. While a custom URL hides your login page, CAPTCHA provides additional protection if the URL is discovered.

Q: Which provider is most privacy-friendly?
A: Cloudflare Turnstile and hCaptcha are the most privacy-focused options.

Q: Will CAPTCHA slow down my site?
A: Minimal impact. CAPTCHA scripts load only on login/registration pages, not on regular site pages.

Q: Can I use my own CAPTCHA solution?
A: Currently, Guard Dog supports the four major providers listed. Custom CAPTCHA integration would require code modification.

Q: Does CAPTCHA work with WooCommerce login?
A: Yes, Guard Dog CAPTCHA works on WordPress core login forms, which WooCommerce uses.

Q: Can I disable CAPTCHA for certain users?
A: Currently, CAPTCHA applies to all login attempts. IP whitelisting can be used to bypass CAPTCHA for specific IPs.

Q: Is CAPTCHA GDPR compliant?
A: hCaptcha and Cloudflare Turnstile are GDPR-friendly. Google reCAPTCHA may require consent banners in strict GDPR interpretations.

Q: Can users bypass CAPTCHA?
A: Sophisticated bots may occasionally bypass CAPTCHA. This is why Guard Dog includes multiple layers of protection (login limiting, 2FA, access control).