Skip to content

Plugin review: hCaptcha for Forms and More

hCaptcha plugin icon
hCaptcha icon

Executive summary: You probably don’t need this plugin to use hCaptcha in WordPress unless you’re using Contact Form 7, but if you do need it, this is the plugin you need.

If you have anything on your site that lets non-logged-in users to enter information, spambots will try to use it to spam you and your site visitors. Your usual points of exposure for this are comment forms at the bottom of posts and pages, and contact forms contributed by plugins such as Contact Form 7 and WPForms.

Many sites use Google’s reCAPTCHA tool to block these bots. I dislike reCAPTCHA because, like everything from Google, it’s part of a privacy-invading GIANT DATA HOOVER collecting information about your website visitors for resale. Instead, please use hCaptcha, which respects privacy.

hCaptcha’s user interface is very similar to reCAPTCHA. When you check the box, chances are you’ll be asked to identify which pictures contain a boat or whatever.

hCaptcha example screenshot

How to register to use hCaptcha

To use this tool, register on the hCaptcha website. You have to list the sites on which you want to block spam. Each site has a randomly generated “site key” which you’ll need to enter in the WordPress dashboard configuration screens at appropriate points, depending where you need the hCaptcha to appear. Your hCaptcha account also has a “secret key” which you can find on your hCaptcha account settings screen. It also needs to be entered in the WordPress settings screens.

Do you need the plugin?

The plugin hCaptcha for WordPress by hCaptcha is the official and recommended implementation for WordPress. It works automatically to control comment spam, and also works in conjunction with my favorite contact form plugins listed above (as well as many others).

However, some form plugins have the built-in ability to use hCaptcha. So depending, you may not need the plugin. The bottom line is this:

  • If you want to use hCaptcha to block comment spam, you need the plugin.
  • To use hCaptcha with Contact Form 7, you need the plugin.
  • To use hCaptcha with WPForms or WPForms Lite, you do not need the plugin because WPForms already has hCaptcha built in.
    • However, to exempt logged-in users from answering hCaptcha on a WPForms form, you do need the plugin.

Comment Spam and hCaptcha

I don’t always allow comments on websites (configure this under Settings > Discussion in your WordPress dashboard). If you do allow comments, I recommend Antispam Bee for spam control. It’s pretty near perfect at blocking spam without making the comment author do extra work, and respects visitor privacy. Only in the unlikely case Antispam Bee isn’t doing the job for you, do you need a CAPTCHA. In that case, I would use this plugin instead of (not in addition to) Antispam Bee.

To configure the plugin, once it’s installed, go to Settings > hCaptcha and enter the site key and secret key you got from the hCaptcha website. Scroll down to view other options, and check the box “Enable hCaptcha on Comment Form”. You probably also should check “Turn off when logged in” so you don’t have to answer a challenge when you enter a comment. Save your changes.

Don’t forget to deactivate Antispam Bee.

Contact Form Spam and hCaptcha

As mentioned above, WPForms has hCaptcha capability built in. If using WPForms Pro or WPForms Lite, you can enter the site key and secret key in the WPForms > Settings > CAPTCHA screen of your WordPress dashboard. You also must edit each form to tell it to use a CAPTCHA (in the Add Fields screen).

The WPForms built-in implementation lacks the ability to skip the challenge for logged-in users. If you want that, you’ll have to use the hCaptcha plugin instead of the built-in WPForms CAPTCHA settings. Install and configure the hCaptcha plugin as described above, then in the Settings > hCaptcha screen, check “Turn off when logged in” and either “Enable hCaptcha on WPForms Lite” or “Enable hCaptcha on WPForms Pro” (depending which you use). This will apply to all forms — you don’t have to edit each form to enable CAPTCHA.

NOTE: If you were already using the built-in CAPTCHA function of WPForms and you now want to use the hCaptcha plugin instead, edit each form and disable the CAPTCHA on that form. Otherwise you may get two hCaptchas. I’m guessing.

If you use Contact Form 7 plugin, I generally prefer to use a quiz question rather than a CAPTCHA style spam blocker. But if you want hCaptcha with Contact Form 7, configure it as described above and check the box in Settings > hCaptcha to enable it.

The same applies to any other forms plugin I haven’t explicitly mentioned here. See whether it supports hCaptcha already. Also check whether the hCaptcha plugin has a checkbox for it. If you have a choice, decide whether the hCaptcha plugin’s implementation is enough better to install it even if you don’t totally need it.


Leave a Reply

Your email address will not be published. Required fields are marked *