
reCAPTCHA for comment spam prevention

One of the most popular and effective methods to combat spam is to use some form of captcha protection. But captchas can lead to a poor user experience. reCAPTCHA by Google is a quite different captcha that tries to minimize user interaction.

Before you go on with this post, check out the previous parts in this series about the comment spam:


reCAPTCHA is a new version of captcha developed by Google, also known as ‘No Captcha reCAPTCHA’. It works quite differently from other captcha systems: in most cases, it requires only a click on the checkbox. Once in a while, reCAPTCHA requires you to solve a visual (or audio) puzzle, such as selecting images according to a keyword or by type. Here is an example of how it works; the Google page has more detailed information.

reCAPTCHA example, visit Google page for detailed information

Test setup

To test how effective reCAPTCHA is, I used data gathered on the Dev4Press blog between March 23, 2016, and March 29, 2016, as a control period during which no antispam method was used. This is the same data used as the control for the previous Honeypot effectiveness test. reCAPTCHA was used between April 13, 2016, and April 19, 2016.

First week: no reCAPTCHA

In the first 7 days, the website received a total of 15,932 spam comments. Here is the list of spam comments for each day.

Date Spam
3/23/2016 2530
3/24/2016 2364
3/25/2016 2150
3/26/2016 2176
3/27/2016 2461
3/28/2016 2140
3/29/2016 2111
Total 15,932.00
Average 2,276.00


reCAPTCHA Settings

reCAPTCHA is added using the GD Security Toolbox Pro plugin. It allows you to set the language and style for the reCAPTCHA (color, size…), and you can select where the reCAPTCHA should be integrated. The plugin can integrate reCAPTCHA into the WordPress login, registration, lost password, comments, and signup forms. It also directly supports third-party plugins: WooCommerce, BuddyPress and bbPress.

You can set up conditions for banning visitors that fail the reCAPTCHA test. This allows for the fact that some users might legitimately fail the reCAPTCHA test: only if the same IP generates too many failures will the plugin ban the IP address.

For some forms, the plugin allows some extra settings: you can choose not to display reCAPTCHA for users with approved comments, or for users who are logged in.
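The policy described in the last two paragraphs (exempt trusted users, tolerate occasional failures, ban an IP that fails repeatedly) can be modelled as follows. This is an added example, not code from GD Security Toolbox Pro; the class and function names are hypothetical, and the thresholds are assumed values because the post does not state the plugin's own.

```python
from collections import defaultdict, deque

# Assumed thresholds: the post does not state the plugin's actual values.
MAX_FAILURES = 5       # failed challenges tolerated per IP inside the window
WINDOW_SECONDS = 600   # sliding window for counting failures
BAN_SECONDS = 86400    # ban duration once the limit is reached

class CaptchaGate:  # hypothetical model, not the plugin's implementation
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> recent failure timestamps
        self.banned_until = {}              # ip -> ban expiry timestamp

    def needs_captcha(self, logged_in, has_approved_comment):
        # Exemptions from the post: logged-in users, users with approved comments.
        return not (logged_in or has_approved_comment)

    def is_banned(self, ip, now):
        return self.banned_until.get(ip, 0) > now

    def record_result(self, ip, passed, now):
        """Record one challenge result; return True if the IP is banned."""
        if self.is_banned(ip, now):
            return True
        if passed:
            return False
        recent = self.failures[ip]
        recent.append(now)
        # Expire old failures so a visitor's occasional mistake never adds up to a ban.
        while recent and recent[0] <= now - WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.banned_until[ip] = now + BAN_SECONDS
            del self.failures[ip]
            return True
        return False

def replay(events):
    """Replay (ip, passed, timestamp) events; return IPs banned at the end."""
    gate, last = CaptchaGate(), 0
    for ip, passed, ts in events:
        gate.record_result(ip, passed, ts)
        last = ts
    return {ip for ip in gate.banned_until if gate.is_banned(ip, last)}

# Constructed sample traffic (documentation-range addresses, not real data).
SAMPLE = [("203.0.113.7", False, 0), ("198.51.100.4", False, 5),
          ("203.0.113.7", False, 10), ("203.0.113.7", False, 20),
          ("203.0.113.7", False, 30), ("198.51.100.4", True, 35),
          ("203.0.113.7", False, 40), ("198.51.100.4", False, 5000)]
```

In the sample, the address that fails five times in 40 seconds is banned, while the visitor who fails once, passes, and fails again much later is not.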

Second week: reCAPTCHA in use

When the time came to use reCAPTCHA, it was set on the login and comment forms. So, it works in two ways: it stops potential bots from logging in (and it was established earlier that most spam on Dev4Press comes from registered user accounts used by bots), and if someone tries to post without being logged in, reCAPTCHA on the comment form is used. Most legitimate users are not even affected: if they already have a comment, they will not see reCAPTCHA at all.

Date Spam
4/13/2016 0
4/14/2016 1
4/15/2016 1
4/16/2016 0
4/17/2016 1
4/18/2016 0
4/19/2016 2
Total 5
Average 0.71

As you can see, this is a 99.97% difference, from almost 16,000 to only 5, with only one reCAPTCHA tweak used. That is an amazing achievement: reCAPTCHA has completely stopped spam! During this week, the plugin blocked a total of 254 IP addresses for failed reCAPTCHA, and most of these (201) were marked as known spam bots by Honeypot Project (GD Security Toolbox Pro can get various information about each IP).

Here is the chart for both weeks:

Spam without and with reCAPTCHA


Google reCAPTCHA is easy to use, and it does not create a bad user experience. It fits in forms well, and it doesn’t require too much interaction from users. And, as you can see, it is very, very effective. Also, this proves that a reCAPTCHA like this is too hard (almost impossible) for spam bots to solve.

GD Security Toolbox Pro allows you to select which forms you want to protect with reCAPTCHA, and that gives you extra control over the spam bots that attempt to register, log in or post on your website. Automatic banning ensures that spam bots are prevented from coming back with the same IP.

About the author

Milan Petrovic

CEO and Lead developer of Dev4Press Web Development company, working with WordPress since 2008, first as a freelancer, later founding own development company. Author of more than 250 plugins and more than 20 themes.

1 thought on “reCAPTCHA for comment spam prevention”

  1. Wow! That’s a huge difference. ReCaptcha will always be on then
