Using the reCAPTCHA Add-On

Introduction

The official Gravity Forms reCAPTCHA Add-On brings Google’s reCAPTCHA v3 technology as an addition to your anti-spam toolbox.

V3 was introduced to try and capitalize on the evolving technology of spam and bot detection that Google had implemented, and to try and make the reCAPTCHA experience as frictionless as possible by not interrupting the user. As stated by Google, reCAPTCHA v3:

…return(s) a score to tell you how suspicious an interaction is and eliminating the need to interrupt users with challenges at all. reCAPTCHA v3 runs adaptive risk analysis in the background to alert you of suspicious traffic while letting your human users enjoy a frictionless experience on your site. 

Google Blog post, October 2018

Pre-Requisites

  • This add-on requires Gravity Forms 2.5 or higher. 
  • Download and install the add-on
  • You will need reCAPTCHA Legacy v3 keys generated by Google. (Entreprise keys are not supported)
  • reCAPTCHA technology requires Javascript to be enabled in the user’s browser. 

Setup

Instructions for setup are covered in this article.

The reCAPTCHA v2 settings previously provided in Gravity Forms core are consolidated into this settings area as well.

Note: to use the reCAPTCHA Add-On on your site, you will need to remove any CAPTCHA field you have added to the form, or disable reCAPTCHA v3 for a specific form in the Form Settings. Using a CAPTCHA field in the form and the reCAPTCHA Add-On simultaneously will prevent your form from being submitted. The form will show a blank CAPTCHA label, and when attempting to submit the form, the following validation error will be returned:

Image showing invalid reCAPTCHA

Behavior

With reCAPTCHA v3 correctly enabled on the site with valid keys, various actions are noted and sent to Google for them to try and identify possible spam or bot activity. This processing is done on Google’s servers, and the result is the assignment of a score to the activity. reCAPTCHA v3 returns a score, where 1.0 is very likely a good interaction, 0.0 is very likely a bot.

Note that all well-formed entries are accepted when submitted, and the Google reCAPTCHA score that is generated with that interaction is stored with the entry. Gravity Forms will compare that score to the threshold established in your settings, and if the entry is less than or equal to that threshold, the entry will be sent to spam.

When using reCAPTCHA v3, you no longer need to add a reCAPTCHA field to your form (that field applies to v2 implementations only). The v3 integration ensures that it is automatically enabled on all forms unless it is disabled in the form settings of an individual form.

Note that a reCAPTCHA v3 success token expires after a few minutes. This is a limitation imposed by Google, and may affect users who take a while to complete their action.

Reviewing Spam Entries

You can review entries that were marked as spam by following the directions provided in this article.

Note: When reCAPTCHA Score column shows the disconnected status, it means that reCAPTCHA v3 Site Key and Secret Key are not set properly. Refer to this article for more information about setting up Setting up the reCAPTCHA Add-On

reCaptcha score in the entries list
reCaptcha score in the entry detail

Notes

  • Does not affect older reCAPTCHA functionality as previously provided in Gravity Forms. Both can exist on the same page if necessary.
  • Works with multi-page forms.
  • reCAPTCHA does not process submissions submitted from the form preview.
  • Use of this Google service requires the sending of user behavior information from all your site pages to Google for evaluation. You should be familiar with the implications here, and review applicable privacy policy and terms and conditions. Additionally, you are required to display those policies to your users, which is handled with the reCAPTCHA badge.

More info