
A successful business is not only one people buy from; it is one people can trust. Security is one of the factors that can undermine that trust.
This is especially relevant for Magento, since attackers constantly probe stores for any exploitable Magento security weakness. No measure that improves security is redundant.
Magento 2 CAPTCHA is a built-in feature you can use to protect the forms your customers and admin users submit. In addition, the platform ships with a Google reCAPTCHA integration as a further layer.
In this guide, you'll learn how to set up both Magento CAPTCHA and Google reCAPTCHA for your store and make it a much harder target.
We've got a lot to cover, so let's get started!
What is CAPTCHA?
CAPTCHA is a challenge-response test used as a security measure: a randomly generated sequence of letters and numbers is rendered as a distorted image, and the visitor has to type it into a text box before the form is accepted.
The name stands for "Completely Automated Public Turing test to tell Computers and Humans Apart", and that is what it does: it helps determine whether a human or a script is submitting the form.
CAPTCHA is used by many websites, and Magento is no exception: you can add Magento CAPTCHA to different storefront forms and to the admin panel sign-in.
In addition to the native CAPTCHA solution, Magento also offers the Google reCAPTCHA integration. Thus, before moving on, we need to understand the difference between the two.
Magento 2 CAPTCHA vs Magento 2 Google reCAPTCHA
Many might say there is no significant difference between standard Magento CAPTCHA and Google reCAPTCHA. But it's not entirely so.
They serve the same function — to identify a human being rather than a bot browsing your website.
However, while standard Magento CAPTCHA offers only the distorted letter-and-number image, Google reCAPTCHA offers several display modes (checkbox, invisible and score-based) and extra options.
Besides, the Google reCAPTCHA admin console shows statistics on the requests it has verified. This is a real benefit: if you see suspicious activity, you can tell where the traffic comes from.
Both Magento CAPTCHA and Google reCAPTCHA contribute to the store's security. It is only the implementation that differs.
Thus, it's up to you which workflow you prefer and deem more fitting in your specific case.
Why Do You Need CAPTCHA in Magento?
Malicious parties work hard to undermine Magento security: bots trying to brute-force their way into your admin panel, spamming you with comments, registering fake accounts, and so on.
The list goes on.
By enabling Magento CAPTCHA, you can block automated submissions and make your forms far harder for bots to abuse.
Certainly, this is not a universal solution for all security issues. However, it's a decent starting point to keep your store operation undisturbed.
How to Configure Magento 2 CAPTCHA?
You can configure the native Magento 2 CAPTCHA for the admin panel login page and for the storefront forms.
The configuration steps are quite similar. Yet there are some aspects we'd like to bring to your attention.
Configure Magento CAPTCHA for admin panel
Adding CAPTCHA for Magento admin login and reset password pages is one of the first steps to improve Magento 2 admin panel security. To do that:
1. Go to Stores > Configuration > Advanced > Admin > CAPTCHA and set Enable CAPTCHA in Admin to Yes.
2. Choose the Font you want to use for the Magento 2 admin CAPTCHA.
Note: if you want to use your own font, the font file must reside in your Magento installation directory and be declared in the config.xml file of the CAPTCHA module (app/code/Magento/Captcha/etc).
3. Select the Forms where the CAPTCHA should be enabled and set the Displaying mode. You have the following options:
- Always — requires the CAPTCHA on every submission of the selected forms.
- After number of attempts to login — applies only to the login form; the CAPTCHA appears after a certain number of unsuccessful login attempts.
4. Set the Number of Unsuccessful Attempts to Login that will trigger the appearance of the Magento CAPTCHA.
5. Define the CAPTCHA Timeout (minutes) after which the CAPTCHA expires and the admin is required to reload the page.
6. Set the Number of Symbols in the CAPTCHA.
Note: you can use up to 8 symbols. Enter a range such as 4-8 to make the length vary from one CAPTCHA to the next.
7. Specify the Symbols Used in CAPTCHA: upper- and lower-case letters (a-z/A-Z) and digits (0-9), from which each CAPTCHA is drawn at random.
Note: symbols that are easy to confuse, such as I, i and 1, are left out of the default set.
8. Enable the Case Sensitive option so that admin users have to enter the symbols in exactly the case shown in the CAPTCHA.
Don't forget to save the settings once you finish and check CAPTCHA on the sign-in and reset password pages, as per your configuration.
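To see how the settings from steps 3 to 8 interact, here is an added example that simulates the admin CAPTCHA policy offline. It is not Magento's code: the class and field names are my own, and the symbol set is a sample chosen for the example. It models the display mode, the unsuccessful-attempt counter that triggers the challenge, the timeout, the symbol set, the length range and case sensitivity, and it quantifies what Case Sensitive buys you.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Sample symbol set for this example: look-alike characters such as
# I, i, l, 1, O and 0 are left out, as the note above recommends.
SAMPLE_SYMBOLS = "ABCDEFGHJKMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789"


@dataclass
class CaptchaSettings:
    """Mirrors the admin CAPTCHA options (field names are my own)."""
    mode: str = "after_fail"          # "always" or "after_fail"
    failed_attempts_login: int = 3    # Number of Unsuccessful Attempts to Login
    timeout_minutes: int = 7          # CAPTCHA Timeout (minutes)
    length: str = "4-8"               # Number of Symbols: "5" or a range "4-8"
    symbols: str = SAMPLE_SYMBOLS     # Symbols Used in CAPTCHA
    case_sensitive: bool = False

    def length_range(self) -> tuple:
        lo, _, hi = self.length.partition("-")
        low, high = int(lo), int(hi or lo)
        if not 1 <= low <= high <= 8:
            raise ValueError("Number of Symbols must be within 1 and 8")
        return low, high


@dataclass
class Challenge:
    word: str
    created_at: datetime


@dataclass
class CaptchaPolicy:
    settings: CaptchaSettings
    failures: dict = field(default_factory=dict)  # username -> failed logins

    def is_required(self, username: str) -> bool:
        """Does this user have to solve a CAPTCHA on the next login?"""
        if self.settings.mode == "always":
            return True
        return self.failures.get(username, 0) >= self.settings.failed_attempts_login

    def record_login(self, username: str, succeeded: bool) -> None:
        """Count failures; a successful login clears the counter."""
        if succeeded:
            self.failures.pop(username, None)
        else:
            self.failures[username] = self.failures.get(username, 0) + 1

    def new_challenge(self, now: datetime) -> Challenge:
        low, high = self.settings.length_range()
        n = low + secrets.randbelow(high - low + 1)
        word = "".join(secrets.choice(self.settings.symbols) for _ in range(n))
        return Challenge(word, now)

    def verify(self, challenge: Challenge, answer: str, now: datetime) -> str:
        """Return "ok", "expired" or "wrong"."""
        if now - challenge.created_at > timedelta(minutes=self.settings.timeout_minutes):
            return "expired"
        expected, given = challenge.word, answer.strip()
        if not self.settings.case_sensitive:
            expected, given = expected.lower(), given.lower()
        if not given.isascii():
            return "wrong"
        # Constant-time comparison: the check should not leak the word.
        return "ok" if secrets.compare_digest(expected, given) else "wrong"


def keyspace(settings: CaptchaSettings) -> int:
    """Distinct answers a bot must cover to guess one CAPTCHA outright.
    Without Case Sensitive, 'a' and 'A' collapse into one symbol."""
    alphabet = settings.symbols if settings.case_sensitive else settings.symbols.lower()
    size = len(set(alphabet))
    low, high = settings.length_range()
    return sum(size ** n for n in range(low, high + 1))


def demo() -> dict:
    """Run the settings through a few scenarios and return the outcomes."""
    policy = CaptchaPolicy(CaptchaSettings())
    t0 = datetime(2024, 1, 1, 12, 0)
    out = {"required_at_start": policy.is_required("admin")}
    for _ in range(3):
        policy.record_login("admin", succeeded=False)
    out["required_after_3_failures"] = policy.is_required("admin")
    policy.record_login("admin", succeeded=True)
    out["required_after_success"] = policy.is_required("admin")
    out["required_always"] = CaptchaPolicy(CaptchaSettings(mode="always")).is_required("admin")
    challenge = Challenge("AbC2", t0)           # constructed challenge
    strict = CaptchaPolicy(CaptchaSettings(case_sensitive=True))
    out["case_insensitive_ok"] = policy.verify(challenge, "abc2", t0)
    out["case_sensitive_wrong"] = strict.verify(challenge, "abc2", t0)
    out["case_sensitive_ok"] = strict.verify(challenge, "AbC2", t0)
    out["expired"] = policy.verify(challenge, "AbC2", t0 + timedelta(minutes=8))
    generated = policy.new_challenge(t0).word
    out["generated_ok"] = 4 <= len(generated) <= 8 and set(generated) <= set(SAMPLE_SYMBOLS)
    out["keyspace_sensitive"] = keyspace(CaptchaSettings(symbols="Aa1", length="1-2", case_sensitive=True))
    out["keyspace_insensitive"] = keyspace(CaptchaSettings(symbols="Aa1", length="1-2"))
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points worth noticing in the output: with the "After number of attempts" mode the counter resets on a successful login, so a legitimate admin who mistypes twice is never challenged, and turning Case Sensitive on doubles the effective alphabet for every letter, which multiplies the guessing space for each extra symbol of length.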
Configure Magento CAPTCHA for Storefront
Basically, the configuration of CAPTCHA for the Magento storefront doesn't differ from the admin CAPTCHA settings that much. It's just that for a storefront you can configure different types of forms, like:
- Applying the coupon code
- Checkout/placing order
- Create user
- Login
- Forgot password
- Contact us
- Change password
- Share wishlist form
So, just navigate to Stores > Configuration > Customers > Customer Configuration > CAPTCHA, and configure the same settings we mentioned above. The only different option here is Forms, where you need to choose what forms to display the CAPTCHA on.
Most often, CAPTCHA is used on the contact us page, change password, login, and create customer forms. But you are free to choose the forms you need in your specific case.
Don't forget to save the settings and check how Magento 2 CAPTCHA works on the storefront. Depending on where you enable it, customers will have to solve the CAPTCHA before the corresponding form is accepted.
How to Configure Magento 2 Google reCAPTCHA?
As mentioned above, Magento CAPTCHA offers a combination of letters and numbers that users have to enter before submitting the form. Google reCAPTCHA is a more advanced solution and comes in three versions:
- reCAPTCHA v2 ("I am not a robot") — requires the user to tick the "I am not a robot" checkbox; a picture challenge may follow.
- reCAPTCHA v2 Invisible — verifies users in the background with no checkbox, but may still ask them to select specific images.
- reCAPTCHA v3 Invisible — never interrupts the user; instead it scores each request between 0.0 and 1.0 based on the interaction, and you choose the threshold below which requests are rejected.
Magento allows you to set up each of them with a separate Google reCAPTCHA configuration. However, each requires you to generate the reCAPTCHA keys. That's what we'll do next.
Generate Google reCAPTCHA key
Important: decide what type of reCAPTCHA to use before generating the keys. Each key pair is tied to one reCAPTCHA type, so keys generated for one type will not validate requests of another.
To generate the Google reCAPTCHA key, navigate to the Google reCAPTCHA page. Once there:
1. Give the key a Label for internal reference and select the reCAPTCHA type.
2. Enter your Domain in the corresponding field; add one domain per line if you have several.
3. Select your Google Cloud project in the Google Cloud Platform field. If you don't have one yet, Google will create it automatically and enable the necessary APIs for you.
Then just hit Submit to receive the reCAPTCHA keys and move to Magento.
Set up Google reCAPTCHA for the admin panel
Once you have the Google reCAPTCHA keys, go to the Magento admin to start the setup. In this example we'll review the reCAPTCHA v3 Invisible settings and add it to the admin sign-in and reset password pages.
1. Go to Stores > Configuration > Security > Google reCAPTCHA Admin Panel.
2. Unfold the reCAPTCHA v3 Invisible section and fill out the presented fields:
- Enter your Google API Website and Secret Keys you've just generated.
- Set the Minimum Score Threshold. reCAPTCHA v3 returns a score between 0.0 and 1.0 for each request, where 1.0 is very likely a legitimate human and 0.0 is very likely a bot; requests scoring below the threshold are rejected. The default is 0.5.
- Select the Invisible Badge Position for the Google reCAPTCHA box.
- Choose the Theme to style the reCAPTCHA box accordingly.
- Specify the Language Code to define the language used for the Google reCAPTCHA message text.
3. Move on to the next section and enter the reCAPTCHA Failure Messages that appear if the user validation fails. You can set both reCAPTCHA Validation and Technical Failure Messages.
4. Select the corresponding Google reCAPTCHA type for Login and Forgot Password in the Admin Panel section. It is used for the sign-in page and password reset requests, respectively.
Once again, you have to generate separate Google reCAPTCHA keys for each reCAPTCHA type. Keys issued for reCAPTCHA v3 Invisible do not work with reCAPTCHA v2 ("I am not a robot"), and vice versa.
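Where the two failure messages come from, as an added example rather than Magento's own validation code: Magento sends the visitor's token to Google's siteverify endpoint and acts on the JSON it gets back. The function below classifies such a response the way the configuration distinguishes the outcomes: a Validation Failure means the visitor failed the test (low score, replayed token, token issued for another site), a Technical Failure means the check itself could not be performed (bad or mismatched keys, malformed request). The sample responses are constructed; the error codes are the ones Google documents for siteverify; the action name, hostname, function and variable names are my own. The "no score" branch applies the rule above that each key pair is tied to one reCAPTCHA type.

```python
import json

# siteverify error codes that mean the integration itself is broken
# (wrong or missing secret key, malformed request) rather than a bot.
TECHNICAL_ERRORS = {"missing-input-secret", "invalid-input-secret", "bad-request"}


def classify(raw: str, *, threshold: float = 0.5, action: str = "",
             hostname: str = "", expect_score: bool = True) -> tuple:
    """Classify a siteverify JSON body.

    Returns ("ok" | "validation_failure" | "technical_failure", reason).
    threshold    - Minimum Score Threshold configured in Magento (v3 only)
    action       - the action name the form requested the token for (v3)
    hostname     - the store hostname the token must have been issued for
    expect_score - True when the configured key pair is a v3 pair
    """
    try:
        resp = json.loads(raw)
    except ValueError:
        return "technical_failure", "siteverify returned non-JSON"

    codes = set(resp.get("error-codes", []))
    if codes & TECHNICAL_ERRORS:
        return "technical_failure", ",".join(sorted(codes & TECHNICAL_ERRORS))
    if resp.get("success") is not True:
        # invalid-input-response, timeout-or-duplicate, missing-input-response:
        # the token the visitor sent was rejected, so the visitor fails.
        return "validation_failure", ",".join(sorted(codes)) or "success=false"
    if hostname and resp.get("hostname") != hostname:
        # A token issued for another site must not be accepted here.
        return "validation_failure", f"token issued for {resp.get('hostname')!r}"
    if expect_score:
        if "score" not in resp:
            # Only v3 keys return a score: a success without one means the
            # configured key pair is not a v3 pair, i.e. a configuration error.
            return "technical_failure", "no score in response: configured keys are not v3 keys"
        if action and resp.get("action") != action:
            return "validation_failure", f"action {resp.get('action')!r} is not {action!r}"
        if float(resp["score"]) < threshold:
            return "validation_failure", f"score {resp['score']} below threshold {threshold}"
    return "ok", ""


# Constructed sample responses, shaped like siteverify output.
SAMPLES = {
    "human": '{"success": true, "score": 0.9, "action": "admin_login", "hostname": "shop.example"}',
    "likely_bot": '{"success": true, "score": 0.1, "action": "admin_login", "hostname": "shop.example"}',
    "replayed_token": '{"success": false, "error-codes": ["timeout-or-duplicate"]}',
    "wrong_secret": '{"success": false, "error-codes": ["invalid-input-secret"]}',
    "other_site": '{"success": true, "score": 0.9, "action": "admin_login", "hostname": "evil.example"}',
    "v2_key_pair": '{"success": true, "hostname": "shop.example"}',
}


def run_samples(threshold: float = 0.5) -> dict:
    """Classify every sample with the store's expected action and hostname."""
    return {name: classify(body, threshold=threshold, action="admin_login",
                           hostname="shop.example")[0]
            for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:15} -> {verdict}")
```

The split matters operationally: validation failures are expected noise and belong on a dashboard, whereas a technical failure (a key pair from the wrong reCAPTCHA type, a revoked secret) means every visitor is being rejected and should page someone.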
Once you finish, the reCAPTCHA v3 Invisible badge appears on the admin sign-in page at the position you chose.
Set up Magento 2 Google reCAPTCHA for the storefront
Magento 2 Google reCAPTCHA storefront settings are the same as for the admin panel. Navigate to Stores > Configuration > Security > Google reCAPTCHA Storefront, and set the website and secret keys, invisible badge position, theme, language code and failure messages.
However, there is an additional Storefront section here. This is where you define which storefront forms to enable reCAPTCHA for.
Once you save the settings, Google reCAPTCHA will appear on the storefront pages as per your settings.
With Magento CAPTCHA and Google reCAPTCHA in place, you reduce the chance of automated attacks and protect your store from spam. Even though you may get the occasional , the general Magento 2 CAPTCHA settings are fairly straightforward.
Though Magento keeps improving the platform's security, you shouldn't ignore other Magento security measures. It's better to avoid the risks altogether than deal with bitter consequences later.
