CAPTCHA is a security tool designed to help prevent automated abuse of WordPress login, registration, and comment forms. Solid Security Pro offers built-in support for several CAPTCHA providers, including Google reCAPTCHA (v2, v3, and Invisible), hCaptcha, and Cloudflare Turnstile. This feature is configurable and designed to integrate seamlessly with native WordPress forms and supported third-party plugins.
Supported CAPTCHA Providers
Solid Security Pro supports the following CAPTCHA options:
Google reCAPTCHA
A widely used CAPTCHA solution offering multiple types: v2 (checkbox), v2 Invisible, and v3 (score-based). It analyzes user behavior to determine if the visitor is human, offering strong bot protection with minimal user interaction.
hCaptcha
A privacy-focused alternative to reCAPTCHA that offers a similar challenge-response test while emphasizing data protection.
Cloudflare Turnstile
A lightweight and user-friendly alternative that doesn’t require users to solve challenges. Cloudflare Turnstile validates users automatically and operates in the background.
Each provider offers different levels of user interaction and privacy compliance, making it easier for you to choose a solution that matches your site’s needs.
CAPTCHA Settings
After you toggle the CAPTCHA module ON (enable it), you can access and configure its settings directly in the module, via Security > Settings > Features > Firewall > CAPTCHA.
Provider
This is where you choose the CAPTCHA service to use:
- Cloudflare
- hCaptcha
API Keys
Each provider requires a Site Key and a Secret Key that you must obtain from your CAPTCHA provider’s dashboard. The API Keys area includes links to each provider for easier access.
When Google is selected, you need to choose the appropriate Type (v2, v2 Invisible, or v3) to match the keys.
Protected Actions
You can choose to enable CAPTCHA on specific site actions:
- Use on Login: Adds CAPTCHA to the WordPress login form.
- Use on New User Registration: Protects the registration form.
- Use on Reset Password: Helps prevent password reset abuse.
- Use on Comments: Blocks spam comment submissions.
Appearance
This lets you control how CAPTCHA is displayed on the front end:
- Force Language: Allows the CAPTCHA widget to render in a specific language. Default is auto-detection based on browser settings.
- Use Dark Theme: Displays the CAPTCHA widget in a dark color scheme if supported.
- Enable GDPR Opt-In: Displays a consent checkbox to comply with privacy laws. When enabled, an additional setting appears:
  - On Page Opt-in: Renders the CAPTCHA opt-in directly on the page for immediate user interaction.
Lockout
This is where you can configure how Solid Security Pro responds to failed CAPTCHA attempts:
- Lockout Error Threshold: The number of failed CAPTCHA entries before a user is locked out.
  - The default is “7” tries. Set to “0” to record errors without enforcing a lockout, which is useful for testing or debugging.
- Lockout Check Period: Specifies the time window during which failed attempts are counted toward a lockout.
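The sketch below is an added example, not Solid Security Pro's own code, showing how an error threshold and a check period combine into a sliding-window lockout decision, including the record-only behavior of a “0” threshold. It assumes failures are tracked per client IP, that the lockout fires when the count reaches the threshold, and a 300-second check period; the class and function names are hypothetical.

```python
from collections import defaultdict, deque


class CaptchaLockoutTracker:
    """Counts failed CAPTCHA attempts per client IP inside a sliding window."""

    def __init__(self, threshold=7, check_period_s=300):
        # threshold=7 is the default stated on this page; 300 s is an assumed period.
        self.threshold = threshold
        self.check_period_s = check_period_s
        self.failures = defaultdict(deque)  # ip -> timestamps still inside the window
        self.recorded = []                  # every failure is logged, locked out or not

    def record_failure(self, ip, now):
        """Log one failure; return True when it pushes the IP into lockout."""
        self.recorded.append((now, ip))
        window = self.failures[ip]
        window.append(now)
        # Failures older than the check period no longer count toward a lockout.
        while window and now - window[0] >= self.check_period_s:
            window.popleft()
        # A threshold of 0 means record-only mode: never enforce.
        if self.threshold and len(window) >= self.threshold:
            window.clear()  # start counting afresh after the lockout
            return True
        return False


def replay(events, threshold=7, check_period_s=300):
    """Replay (timestamp, ip) failures in time order; return (lockouts, recorded count)."""
    tracker = CaptchaLockoutTracker(threshold, check_period_s)
    lockouts = [(t, ip) for t, ip in sorted(events) if tracker.record_failure(ip, t)]
    return lockouts, len(tracker.recorded)


# Constructed sample data (documentation IP ranges, timestamps in seconds).
BURST = [(t, "203.0.113.10") for t in range(0, 70, 10)]    # 7 failures in 60 s
SLOW = [(t, "198.51.100.7") for t in range(0, 2450, 350)]  # 7 failures, 350 s apart
EVENTS = BURST + SLOW

if __name__ == "__main__":
    print(replay(EVENTS))               # enforcing with the default threshold
    print(replay(EVENTS, threshold=0))  # record-only mode
```

The burst source is locked out on its seventh failure, while the slow source makes the same number of failures without ever having more than one inside the window, which is why both settings need tuning together.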
Releasing CAPTCHA Lockouts
If a legitimate user is locked out due to failed CAPTCHA attempts and the lockout is still active, the lockout can be cleared from either the Solid Security Dashboard Active Lockouts card or Solid Security Firewall IP Management.
Learn more about managing lockouts here: Releasing Lockouts in Solid Security.
CAPTCHA and Third-Party Plugin Integration
Solid Security Pro automatically protects native WordPress forms. To integrate CAPTCHA protection into custom or third-party forms, developers can use the built-in functions provided by Solid Security Pro.
Developers can integrate Solid Security Pro’s CAPTCHA validation using the following process:
- Render the CAPTCHA on the front-end form using the appropriate hook or shortcode.
- Use the validation helper function in the form processing logic to verify CAPTCHA responses.
For detailed developer documentation, see: How Do I Integrate My Plugin with Solid Security Pro reCAPTCHA?
Best Practices
- Enable CAPTCHA on all public forms to mitigate automated attacks.
- Monitor lockouts to identify potential abuse or misconfigurations.
- Use the GDPR opt-in when required by regional data protection laws.
- Test CAPTCHA behavior across browsers and devices to ensure accessibility.
By configuring CAPTCHA settings correctly in Solid Security Pro, you can significantly reduce bot-related threats and improve overall site security.
