Introduction
The official Gravity Forms reCAPTCHA Add-On adds Google’s reCAPTCHA v3 Enterprise and v3 Classic technology to your anti-spam toolbox.
Google has been defending millions of sites with reCAPTCHA for over a decade. reCAPTCHA uses advanced risk analysis techniques to detect fraud. With reCAPTCHA, you can protect your websites or mobile applications from spam and abuse, and detect other fraudulent activities, such as credential stuffing, account takeover (ATO), and automated account creation. reCAPTCHA offers enhanced detection with more granular scores, reason codes for risky events, mobile app SDKs, password leak detection, multi-factor authentication (MFA), and the ability to tune your site-specific model to protect enterprise businesses.
Pre-Requisites
- This add-on requires Gravity Forms 2.5 or higher.
- Download and install the add-on.
- You will need reCAPTCHA Classic v3 keys generated by Google or a reCAPTCHA v3 Enterprise account.
- reCAPTCHA technology requires JavaScript to be enabled in the user’s browser.
Setup
- Instructions for setup are covered in this article.
- The reCAPTCHA v2 settings previously provided in Gravity Forms core are consolidated into this settings area as well.
Note: to use the reCAPTCHA Add-On on your site, you will need to remove any CAPTCHA field you have added to the form, or disable reCAPTCHA v3 for a specific form in the Form Settings. Using a CAPTCHA field in the form and the reCAPTCHA Add-On simultaneously will prevent your form from being submitted. The form will show a blank CAPTCHA label, and when attempting to submit the form, the following validation error will be returned:
Behavior
With reCAPTCHA v3 Enterprise or reCAPTCHA v3 Classic correctly enabled on the site with valid keys, various actions are recorded and sent to Google, which tries to identify possible spam or bot activity. This processing is done on Google’s servers, and the result is a score assigned to the activity. Both reCAPTCHA v3 versions return a score, where 1.0 is a good interaction and 0.0 is a bot.
Note that all well-formed entries are accepted when submitted, and the Google reCAPTCHA score generated for that interaction is stored with the entry. Gravity Forms compares that score to the threshold established in your settings, and if the score is less than or equal to that threshold, the entry is sent to spam.
When using reCAPTCHA v3 Enterprise or reCAPTCHA v3 Classic, you no longer need to add a reCAPTCHA field to your form (that field applies to v2 implementations only). The reCAPTCHA v3 integration ensures that it is automatically enabled on all forms unless it is disabled in the form settings of an individual form.
Note that a reCAPTCHA v3 success token expires after a few minutes. Google imposes this limitation, which may affect users who take a while to complete their actions.
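The scoring rule described above, as an added Python sketch that is not the add-on's own code. It reads constructed verification responses (field names follow Google's documented v3 siteverify JSON) and assumes a hypothetical threshold of 0.5, a hypothetical site hostname, and that a submission without a usable score is kept but left unscored.

```python
import json

# Constructed verification responses. Field names follow Google's documented
# reCAPTCHA v3 siteverify JSON; every value here is made up for the example.
SAMPLES = {
    "human":   '{"success": true, "score": 0.9, "hostname": "example.test"}',
    "edge":    '{"success": true, "score": 0.5, "hostname": "example.test"}',
    "bot":     '{"success": true, "score": 0.1, "hostname": "example.test"}',
    "expired": '{"success": false, "error-codes": ["timeout-or-duplicate"]}',
    "foreign": '{"success": true, "score": 0.9, "hostname": "other.test"}',
}


def triage(raw, threshold=0.5, expected_host="example.test"):
    """Return (status, stored_score) for one submission.

    status is "active", "spam" or "unscored". threshold and expected_host
    are hypothetical site settings, not values taken from the add-on.
    """
    try:
        resp = json.loads(raw)
    except json.JSONDecodeError:
        return ("unscored", None)
    if not isinstance(resp, dict) or resp.get("success") is not True:
        # Covers expired or reused tokens (error code timeout-or-duplicate).
        return ("unscored", None)
    if resp.get("hostname") != expected_host:
        # A token solved on another site says nothing about this submission.
        return ("unscored", None)
    score = resp.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return ("unscored", None)
    if not 0.0 <= score <= 1.0:
        return ("unscored", None)
    # Rule from the text: a score less than or equal to the threshold is spam.
    # The entry is still stored together with its score either way.
    return ("spam" if score <= threshold else "active", float(score))


def triage_all(threshold=0.5):
    """Classify every constructed sample with the given threshold."""
    return {name: triage(raw, threshold) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in triage_all().items():
        print(name, result)
```

The "edge" sample shows the boundary case: a score exactly equal to the threshold is treated as spam, so raising the threshold catches more entries.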
Reviewing Spam Entries
You can review entries that were marked as spam by following the directions provided in this article.
Note: When the reCAPTCHA Score column shows the disconnected status, the reCAPTCHA v3 Classic Site Key and Secret Key are not set correctly or reCAPTCHA v3 Enterprise is disconnected. Refer to this article for more information about Setting up the reCAPTCHA Add-On.
Notes
- The add-on does not affect older reCAPTCHA functionality previously provided in Gravity Forms. Both can exist on the same page if necessary.
- Works with multi-page forms.
- reCAPTCHA does not process submissions submitted from the form preview.
- Use of this Google service requires sending user behavior information from all your site pages to Google for evaluation. You should be familiar with the implications and review the applicable privacy policy and terms and conditions. Additionally, you must display those policies to your users, which is handled with the reCAPTCHA badge.