How to use the WordPress captcha to protect your website
Marc Wagner
March 11, 2025
Hello, thank you, we are pleased that you are using our captcha protection. Our captcha is versatile and allows you to effectively protect your website.
Supported plug-ins, themes and WordPress functions #
We are constantly developing our plug-in. If your theme, your plug-in or a WordPress function is not yet supported, you are welcome to contact us. We will check whether integration is possible and will be happy to add it.
The following plug-ins, themes and WordPress functions are currently supported:
- WordPress Login
- WordPress registration
- WooCommerce Login
- WooCommerce registration
- Avada Forms
- Contact Form 7
- Elementor Forms
Download and installation #
You can easily install and activate our WordPress Captcha plugin via the plugin manager of your WordPress website. You can find the download directly on WordPress Plugins.
You can also simply install and activate the plug-in via your WordPress website.
After installation, you will find the link to the settings directly on the left-hand side in the menu under Forge12 Spam Protection.
How to set up captcha protection on your website #
Open the plug-in settings by clicking on the Forge12 Spam Protection menu item in the navigation bar of your WordPress backend.
From here you can add Captcha protection to the individual modules of your website.
Note: The navigation may look different for you. Depending on which plug-ins and themes you use. Settings for plug-ins and themes that are not available are hidden.
The captcha system is deactivated by default. You must therefore activate each module manually.
WordPress captcha for login & registration #
Switch to the WordPress tab in the captcha settings.
The options for WordPress login and WordPress registration are now available to you there. You can activate the captcha protection by confirming the checkboxes “Enable Spam Protection for WordPress Login” and “Enable Spam Protection for WordPress Registration”.
The protection method indicates which captcha you would like to use. Select your desired method here. An explanation of the individual captcha systems can be found below.
The Fieldname field gives you the option to rename the captcha field. To increase the effectiveness of the captcha, you should assign your own name. You may not enter any special characters or spaces here. It is best to use only numbers and letters.
Example WordPress login
The following image shows an example of how to activate captcha protection for the WordPress login. An image captcha is used for this. We have renamed the field to “apartment” to disguise it.
Example WordPress registration
The following image shows an example of how to activate captcha protection for WordPress registration. An arithmetic captcha is used for this. We have renamed the field to “firstname” to disguise it.
As soon as you have activated the two methods and saved the whole thing, the captcha will be displayed.
WooCommerce Captcha for login and registration #
You can also activate captcha protection for the WooCommerce login and registration. To do this, go to the WooCommerce tab in the settings.
The options for WooCommerce login and WooCommerce registration are now available to you there. You can activate the captcha protection by confirming the checkboxes “Enable Spam Protection for WooCommerce Login” and “Enable Spam Protection for WooCommerce Registration”.
The protection method indicates which captcha you would like to use. Select your desired method here. An explanation of the individual captcha systems can be found below.
The Fieldname field gives you the option to rename the captcha field. To increase the effectiveness of the captcha, you should assign your own name. You may not enter any special characters or spaces here. It is best to use only numbers and letters.
Example WooCommerce login
The following image shows an example of how to activate captcha protection for the WooCommerce login. A honeypot captcha is used for this. We have retained the default name for the field.
Example WooCommerce registration
The following image shows an example of how to activate captcha protection for WooCommerce registration. An image captcha is used for this. We have renamed the field to “tagebau” to disguise it.
As soon as you have activated the two methods and saved the whole thing, the captcha will be displayed on the WooCommerce login and registration page.
WordPress Captcha for comments #
You can also activate captcha protection for WordPress comments. To do this, go to the Comments tab in the settings.
The options for the comments are now available to you there. You can activate captcha protection by confirming the “Enable captcha protection” checkboxes.
The protection method indicates which captcha you would like to use. Select your desired method here. An explanation of the individual captcha systems can be found below.
The Fieldname field gives you the option to rename the captcha field. To increase the effectiveness of the captcha, you should assign your own name. You may not enter any special characters or spaces here. It is best to use only numbers and letters.
Activate extended protection
If you still receive spam messages despite Captcha protection, you should activate time-based protection. We explain how this works here.
Captcha for Contact Form 7, Avada Forms and Elementor #
You can also activate captcha protection for Contact Form 7 forms, Elementor Pro forms and Avada Forms forms. To do this, go to the Contact Form 7, Elementor or Avada Forms tab in the settings (depending on which form system you are using).
The options for the forms are now available to you there. You can activate the captcha protection by confirming the checkboxes “Enable Spam Protection for Avada Forms” or “Enable Spam Protection for Contact Form 7”.
The protection method indicates which captcha you would like to use. Select your desired method here. An explanation of the individual captcha systems can be found below.
The Fieldname field gives you the option to rename the captcha field. To increase the effectiveness of the captcha, you should assign your own name. You may not enter any special characters or spaces here. It is best to use only numbers and letters.
Activate extended protection
If you still receive spam messages despite Captcha protection, you should activate time-based protection. We explain how this works here.
Multiple Submission Protection
The Multiple Submission Protection function ensures that your forms cannot be submitted multiple times in succession. It offers additional protection against brute force attacks against the website. Activate the function if you notice that someone is constantly trying to submit your forms with the same content.
IP Protection #
IP Protection allows you to block IP addresses for a period of time defined by you after multiple spam messages have been sent. We recommend only activating the options if you still receive spam messages despite all other measures.
IP Protection logs all failed captchas. As soon as the limit you have defined has been reached within the specified period, the IP is encrypted and blocked in the database for the period you have defined.
Attention: All captchas that you have activated in our plug-in will be evaluated. You should therefore only activate this option if you are sure of what you are doing :)
Activate IP protection by setting the checkbox next to “Enable IP Protection”.
Use the Max Retries field to specify how often a form must be classified as spam before the IP address is blocked. If you enter 3 here, the visitor may attempt to solve the image captcha 3 times until they are excluded from all forms.
The Period for IP address block field allows you to select the period of time for which an IP address is blocked. This is specified in seconds. If you want to block an IP address for one hour after it has reached the limit, you must enter 3600 here. If you want to block the IP address for one day, enter 86400 instead.
Use the Time interval for detection of subsequent attacks field to define the period in which the failed forms are recorded. This is specified in seconds. For example, if you want all failed forms from the last hour to be taken into account, enter 3600 here. The IP address will only be blocked if the Max Retries limit has been reached within these 3600 seconds.
Recommendation
Max Retries: 5
Period for IP address block: 86400
Time interval for detection of subsequent attacks: 600
You should achieve good results with the settings from above. Of course, you can always adjust the values to suit your needs.
Extended protection with filters (Filter Rules) #
In addition to captcha protection, you can activate various filters. These check the fields of the form and if a filter is activated, the form is marked as spam.
URL Filter
The URL filter allows you to specify whether and if so, how many links may be submitted in a form.
You can also enter an individual message that will be displayed to your visitors when the filter has been activated.
Recommendation
Activate filter
Limiter: 1
Error message: Leave as default
As a rule, you never need more than one, maximum two URLs per form. It is best to take a look at your forms and count the maximum number of links that you request in your forms. Then set the filter and the limiter.
BB Code Filter
The BB Code Filter prevents the sending of messages that contain BB code ([url][/url]…). So far we have not come across any site that uses BB code, but many bots that try to insert URLs. Only the BB code for URLs is checked. Other BB code specifications are still allowed through.
Recommendation
Activate filter
Blacklist
You can use the blacklist to block any words and parts of words. Simply add one word per line. If you want to block “mother”, enter “mother” in a new line.
The “Enable/Disable greedy filter” checkbox specifies whether you only want to mark whole words or also partial occurrences as spam.
Only activate the “Greedy” filter if you are creating your own list. If you are working with the imported list from our server, you should deactivate the “Greedy” filter.
Example: You put the word “com” on the blacklist and activate the “Greedy” filter. Now all substrings such as “Community”, “Computer”, “Composer” or “forge12.com” are also marked as spam.
Recommendation
Activate filter
Deactivate greedy filter
Load predefined blacklist (load from our server)
Activate Time Based Protection #
If you still receive spam messages despite Captcha protection, you should activate time-based protection. This checks how much time has passed between opening the page and sending the form.
Explanation: A bot does not scroll through the website, but searches explicitly for forms. Therefore, it usually only takes seconds from loading the page to sending the form.
You can activate the extended protection by clicking on “Enable to track the time from entering till submitting the form”.
Use the Time in milliseconds field to specify the minimum number of milliseconds that must have elapsed for the submission not to be classified as spam. Depending on the length of the form, you can freely select a value here. Recommended: 500 to 1000.
The Field name field gives you the option of naming the Time Based Protection field individually. You can leave the settings as they are.
Time-based protection is available for Contact Form 7, Avada Forms and comments.
Example of time-based protection for comments
The following image shows an example of how to activate time-based protection for comments. If the form is completed in less than half a second (500 ms), our system defines the message as spam. The form is therefore not sent.
Honeypot, Arithmetic and Image Captcha #
You can select one of the three Captcha methods for all areas. Depending on which one you choose, your visitors will have to perform different tasks.
Honeypot
The honeypot is an invisible field. The trick behind it is to get a bot to fill in the field. A normal visitor would not even see the field. So if the field is filled in, this is an indication that the form has been filled in by a bot. As the visitor does not have to do anything here, this is the most popular version of the captcha, but not the most secure. Choose this option if you want to make it easy for your visitors to send your forms.
Arithmetic — the “math” captcha
The arithmetic captcha asks your visitors a math problem. The form will only be sent if you are able to solve this arithmetic problem. The arithmetic task is generated randomly. However, these are simple tasks and not complex formulas. The captcha requires some effort from the visitor, but is more secure than the honeypot captcha.
Image Captcha — the image solution
The image captcha generates an image from a random combination of numbers and letters. The visitor must then enter this to submit the form. This solution has so far been the most effective against spam, as bots still find it difficult to read images.
Activate logs #
You have the option of activating the logs in the plug-in settings. As soon as you activate this, all forms are recorded. It is saved whether a form could be sent or whether it was marked as spam.
The logs are used to define the ideal settings for your forms. For example, if you receive a lot of spam, you can view the messages there and take the necessary measures. The same applies if you suddenly stop receiving messages and you don’t know which captcha mechanism is responsible.
Article from:
Marc Wagner
Hi Marc here. I’m the founder of Forge12 Interactive and have been passionate about building websites, online stores, applications and SaaS solutions for businesses for over 20 years. Before founding the company, I already worked in publicly listed companies and acquired all kinds of knowledge. Now I want to pass this knowledge on to my customers.
