Reduce the amount of spam you receive from your website using reCAPTCHA

18 Dec 2024, by Slade Baylis

For most businesses, your website doesn’t only function as the online face of your organisation - allowing visitors to see who you are and what you offer - it’s also used to generate leads and allow your customers to contact you. To that end, in the earlier days of the internet, it used to be standard for businesses to directly list their email addresses on their website. This allowed anyone who came to your website to know what email address they should send an email to if they wanted to reach you.

Nowadays however, in almost all cases, email addresses are no longer included in plain text on websites. One of the main reasons for this is “malicious scrapers” - bots that scour the internet for email addresses to send spam to. These bots find email addresses on websites all over the internet, compile them into lists, then sell those lists. Sometimes they’re sold to marketing organisations looking for new clientele, but other times they’re sold to people with more nefarious intent, such as cybercriminal organisations looking for new victims.

Due to this concern, most businesses now choose to implement contact forms on their websites instead. This means that if visitors wish to contact the owner of the website, they can fill out a contact form on the website. Whilst this avoids the problem of having your email address in plain text on your website, it has a weakness: without additional technologies to prevent it, malicious actors are still able to abuse these forms and send you spam. That’s why in this article we’ll be covering one of the primary ways of protecting these contact forms, namely Google's reCAPTCHA.

What are contact forms?

In order to explain what a “contact form” is, first we’ll have to explain what website forms are.  Whilst one of the primary functions of a website is to display information to visitors, one of the other key functions is to allow visitors to interact with and send data to the website.  At the most basic level, website forms are a method of enabling users to send data to a server - they are digital interfaces that allow users to enter and submit data on a web page.

These forms are usually made up of several different elements, such as:

  • Text Inputs: These allow users to input a single line of text into a website.
  • Text Areas: These allow users to input multiple lines of text into a website at a time.
  • Select Elements: These allow users to select an option from a drop-down list of predetermined options.
  • Radio Buttons: These display a list of mutually exclusive options that a user can select from.
  • Checkboxes: These display a list of non-mutually exclusive options that a user can select from.

Whether it is a credit card form that you need to fill out to complete a purchase online, or the window that appears to allow you to post a message on social media, most people have come into contact with website forms even if they weren’t aware of them at the time.

“Contact forms” specifically though are a type of form that organisations choose to include on their website to allow their visitors to contact them.  Once submitted, the information entered into these forms is usually then stored within the website itself, as well as sent through as an email to the website owner – with confirmation emails usually also sent to the visitor to confirm that their message was successfully received.

One of the main advantages to this approach - in addition to preventing your email address from needing to be listed on your website and the potential spam issues that this can create – is that it allows people to reach you easily from your website, rather than having to make contact with you from their own email address. However, because the sender is no longer required to use a real email address, this opens up the potential for abuse.

Why do you need to protect your forms?

Contact forms have the advantage of ease-of-use because they bypass the need for the sender to use their own email address to contact you. They allow visitors on your website to more easily make contact with you through the convenience of these contact forms. But unfortunately, they still come with the drawback that malicious actors can abuse these contact forms to send you spam. Not only that, but as malicious actors can enter fake, non-existent email addresses into these contact forms, you unfortunately don’t have the option to block spammers based on their email address, as you previously could.

If it was just a single person manually abusing the form to send you spam, that could potentially be tolerable, as they would only be able to send you so many spam messages within a day. However, the unfortunate reality is that submitting these forms can be automated, allowing even a single individual to send you thousands upon thousands of messages per day. That’s why additional protection is required to detect and prevent these types of submissions, one such protection being Google's reCAPTCHA.

How does reCAPTCHA work?

reCAPTCHA is known as the most widely-used and reliable way of protecting online forms from abuse by “bots” (short for “robots”) - that is, from the automated methods of abusing online forms mentioned above.

This protection is also something that you are likely already familiar with, as most people have come into contact with it whilst performing normal actions online. In its earlier iterations this protection would show you two images of blurry or otherwise distorted text and ask you to enter the words that were displayed. The idea was that Google knew what the words actually were, and that whilst bots wouldn’t be able to tell what the words were, humans would easily be able to read them.

However, as this protection grew in sophistication, so too did the methods used to try and bypass it. Automated methods of solving these “challenges” – the term used to describe these bot-detecting methods – became much better, so Google adjusted and made their challenges more complex to compensate. Instead of presenting distorted words for users to decipher, they presented users with photos and asked them to choose the images that matched a text prompt.

However, with developments in AI (Artificial Intelligence), even these forms of protection, which would previously have been thought impossible to break, are now breakable. Due to this, another shift has occurred: instead, reCAPTCHA looks at how a visitor interacts with a website and the form during their visit, looking for signs that the user might not be an actual person.

Bots usually exhibit very un-human-like behaviour, such as loading a page and then immediately submitting a completed form moments later – unlike a human, who would load a page, perhaps browse the page for a while, and then fill out a form sequentially before submitting it. It’s this sort of “fingerprint” that the latest versions of reCAPTCHA look at when determining the probability that a user is legitimate.

One other change in the newer version of reCAPTCHA – called reCAPTCHA v3 – is that instead of either blocking or allowing a request to go through, it instead provides the website with a probability of how likely it is that the request is legitimate.  After analysing the visitor’s behaviour, Google provides the website with a score between 0.0 and 1.0 - with 0.0 being that the request “is very likely a bot” and 1.0 being the request is “very likely a good interaction”. 

By providing the website with a score instead, website administrators are then able to set their own thresholds about when requests should be rejected.  This allows administrators to change their own website’s sensitivity, should they find reCAPTCHA is not catching enough spam, or alternatively, if it’s falsely catching legitimate users.

How to sign-up for reCAPTCHA v3

If you would like to use reCAPTCHA to protect your online forms, the good news is that it’s relatively simple to set up and it’s free!

The first steps are to:

This will give you a public key (the Site Key) and a private key (the Secret Key) to configure your website to use reCAPTCHA – it’s important for you to save these somewhere secure.

How to set up reCAPTCHA on your WordPress form plugin

For most WordPress plugins, configuring reCAPTCHA is also very straightforward.  Below we’ll include the instructions on how to get it set up on several of the more common WordPress contact form plugins that are available.

Gravity Forms

  1. Open your WordPress Dashboard
  2. Install the Gravity Forms reCAPTCHA v3 Add-On plugin
  3. Click on Forms > Settings > reCAPTCHA
  4. Under the Google reCAPTCHA v3 section, enter your Site Key and Secret Key from earlier 
  5. Set your desired score threshold, with the default setting being 0.5

https://www.gravityforms.com/blog/add-recaptcha-to-your-forms/

Contact Form 7

  1. Open your WordPress Dashboard
  2. Click on Contact > Integration
  3. Under the reCAPTCHA section, click the Setup Integration button
  4. Enter your Site Key and Secret Key from earlier 

https://contactform7.com/recaptcha/

WP Forms

  1. Open your WordPress Dashboard
  2. Click on WPForms > Settings
  3. Click on the CAPTCHA tab
  4. Select reCAPTCHA v3 as the type
  5. Enter your Site Key and Secret Key from earlier 
  6. Set your desired Score Threshold and Fail Messages

https://wpforms.com/docs/how-to-set-up-and-use-recaptcha-in-wpforms/

What if you’re not using WordPress?

If you’re not on a commonly-used CMS (Content Management System) such as WordPress, but instead have a custom website, you may need to engage with a web developer in order to get this configured.

Google has provided documentation for developers on how to integrate with their reCAPTCHA service, which is available here.
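For a custom site, the developer's job comes down to one server-side step: forward the token the browser submitted with the form to Google's siteverify endpoint, then apply your own threshold to the 0.0 to 1.0 score described above. This Python example is added here and is not Micron21's or Google's code; the `opener` hook, the helper names and the sample responses are my assumptions, while the endpoint, its request fields and the `timeout-or-duplicate` error code are Google's documented ones.

```python
import json
import urllib.parse
import urllib.request

# Google's verification endpoint. The Secret Key is only ever sent from your
# server to Google; it must never be embedded in the page alongside the Site Key.
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def fetch_siteverify(secret_key, token, remote_ip=None, opener=urllib.request.urlopen):
    """POST the token the browser submitted with the form to siteverify.

    `opener` is an injectable hook (my assumption, not part of Google's API) so the
    call can be stubbed offline; it must accept (url, data=..., timeout=...).
    """
    fields = {"secret": secret_key, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    body = urllib.parse.urlencode(fields).encode()
    with opener(SITEVERIFY_URL, data=body, timeout=5) as resp:
        return json.load(resp)


def evaluate_recaptcha(result, expected_action, expected_hostname, threshold=0.5):
    """Decide whether to accept a submission. Returns (accepted, reason).

    Checks more than the score: a token is single-use and short-lived (Google
    rejects replays with 'timeout-or-duplicate'), and the action/hostname must
    match the form the token was issued for, so a token minted elsewhere is rejected.
    """
    if not result.get("success"):
        codes = ",".join(result.get("error-codes", [])) or "unknown"
        return False, "token invalid or expired: " + codes
    if result.get("action") != expected_action:
        return False, "action mismatch"
    if result.get("hostname") != expected_hostname:
        return False, "hostname mismatch"
    score = float(result.get("score", 0.0))
    if score < threshold:
        return False, "score %.2f below threshold %.2f" % (score, threshold)
    return True, "score %.2f" % score


# Constructed sample responses in siteverify's documented shape (not real captures).
SAMPLE_HUMAN = {"success": True, "score": 0.9, "action": "contact", "hostname": "example.com"}
SAMPLE_BOT = {"success": True, "score": 0.1, "action": "contact", "hostname": "example.com"}
SAMPLE_REPLAY = {"success": False, "error-codes": ["timeout-or-duplicate"]}

if __name__ == "__main__":
    for name, sample in (("human", SAMPLE_HUMAN), ("bot", SAMPLE_BOT), ("replay", SAMPLE_REPLAY)):
        print(name, evaluate_recaptcha(sample, "contact", "example.com"))
```

Lowering `threshold` is the same sensitivity adjustment the WordPress plugins expose as their score setting, so the bot sample above is accepted at 0.05 and rejected at the 0.5 default.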

Have any questions about how to implement reCAPTCHA?

If you have any questions about reCAPTCHA or would like help getting it configured, let us know!  We’re happy to help and provide assistance getting this configured on your website.

You can reach us by phone on 1300 769 972 (Option #1) or via email at sales@micron21.com.
