What is a CAPTCHA? Types, How It Works and Alternatives

May 20, 2026

A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a challenge-response test used on websites to distinguish humans from automated bots. The term was coined in 2003 by Luis von Ahn, Manuel Blum, Nicholas J. Hopper and John Langford at Carnegie Mellon University. Modern CAPTCHAs include Google reCAPTCHA v2 (image grids), reCAPTCHA v3 (invisible scoring), hCaptcha and Cloudflare Turnstile, while privacy-friendly alternatives include honeypot fields and time-based form analysis.

How does a CAPTCHA work?

A CAPTCHA presents a task that is easy for humans but hard for software: identifying distorted text, selecting images that contain a traffic light, or — in modern invisible CAPTCHAs — analysing mouse movement, cookies, browser fingerprint and IP reputation in the background. The server only accepts the form submission if the CAPTCHA token validates against the provider's API.

Which CAPTCHA types exist in 2026?

  1. Text CAPTCHA — distorted letters; largely obsolete, broken by OCR since ~2014.
  2. Image CAPTCHA (reCAPTCHA v2) — "select all squares with buses", launched 2014.
  3. Checkbox CAPTCHA — "I'm not a robot", part of reCAPTCHA v2 since 2014.
  4. Invisible / score-based (reCAPTCHA v3) — runs in the background, returns a score 0.0–1.0; launched October 2018.
  5. hCaptcha — privacy-oriented alternative launched 2018, used by Cloudflare 2020–2023.
  6. Cloudflare Turnstile — invisible, no labelling work, GA September 2023.
  7. Math / question CAPTCHA — simple arithmetic ("2 + 3 = ?"), common in WordPress plugins.
  8. Slider / puzzle CAPTCHA — drag a puzzle piece into place.

Why use a CAPTCHA on a WordPress site?

  • Spam protection on contact forms, comments and registration (Akismet alone is not enough for newer bots).
  • Brute-force defence on wp-login.php and WooCommerce login.
  • Credential stuffing mitigation against leaked passwords.
  • Scraper deterrence for price lists, directories and lead-gen forms.

What are the downsides of CAPTCHAs?

  • Accessibility: visual challenges block screen-reader users; WCAG 2.2 requires an audio or non-visual alternative.
  • Privacy: Google reCAPTCHA loads scripts from google.com on every page and collects IP, cookies and browser data. German DPAs have ruled this requires explicit consent under GDPR.
  • Conversion drop: Stanford / Baymard studies estimate 3.2–29 % form abandonment caused by CAPTCHAs.
  • Performance: reCAPTCHA adds ~200 KB of JavaScript per page.
  • Solvable by AI: since 2023 GPT-4-class models solve most image CAPTCHAs in seconds.

What are privacy-friendly alternatives to CAPTCHA?

  • Honeypot field — a hidden input that humans never fill; bots do.
  • Time-based check — reject forms submitted in under 2–3 seconds.
  • Cloudflare Turnstile — no labelling, no cookies, GDPR-friendlier than reCAPTCHA.
  • Friendly Captcha — proof-of-work in the browser, hosted in the EU.
  • Rate limiting — block IPs after N attempts per minute.

What InspectWP checks

InspectWP detects Google reCAPTCHA, hCaptcha and Cloudflare Turnstile via the loaded scripts and reports them under GDPR (Google scripts) and security. It also flags missing brute-force protection on wp-login.php.
