WordPress Security

iThemes Security Pro Feature Spotlight – reCAPTCHA

In the Feature Spotlight posts, we highlight a feature in iThemes Security Pro and share a bit about why we developed the feature, who the feature is for, and how to use the feature. Today we are going to cover reCAPTCHA, a powerful tool that will help you win your website's battle against bad bots.

SolidWP Editorial Team


What is a Bot?

A bot is a piece of software programmed to perform a specific list of tasks. Developers write a set of instructions that the bot follows automatically, without anyone needing to start it by hand. Bots perform repetitive and mundane tasks far faster than we can.

Various bots are continually crawling your website. Some of these bots are good and provide you with a valuable service. Others have more nefarious motives. Let’s look at the different types of bots you will encounter.

The Good Bots

Monitoring bots  – iThemes Sync Pro Uptime Monitoring uses a bot to monitor your website’s uptime. The bot checks your website every 5 minutes to verify that it is still online. If your website is down, the bot will send you an alert so you can get your site back online.

Audit bots  – The iThemes Sync Pro Site Audit uses a Google Lighthouse bot to check the quality of your webpages. Another excellent example of an audit bot is a broken link checker that crawls your website looking for links that point to a location that doesn’t exist.

Feeder Bots  – An excellent example of a feeder bot is your podcast player. Your podcast player uses a bot to monitor the RSS feeds of the podcasts you subscribe to and alerts you when your favorite podcast releases a new episode.

Search Engine Bots – A Google web crawler is an example of a search engine bot. This type of bot crawls your website looking for new or modified pages and builds an index of your site. Once Google or another search engine has an index of your website, it can show your pages to the people using its search engine.

Security Bots – The iThemes Security Pro Site Scan uses a bot to compare the list of your installed plugins and themes against our vulnerability database. If you have a plugin or theme installed with a known vulnerability, the bot will automatically apply a patch if one is available.

The Bad Bots

Content Scraping Bots – These bots are programmed to download the contents of your website without your permission. The bot can duplicate the content to use on the attacker’s website to improve their SEO and steal your site traffic.

Spambots – Spambots are annoying. They will muck up your comments with promises of becoming a millionaire while working from home in the hopes of sending your visitors to malicious websites.

Brute Force Bots – Brute Force bots scour the internet looking for WordPress logins to attack. Once these bots land on a login page, they will try the simplest form of gaining access to a site: by trying to guess usernames and passwords, over and over again, until they’re successful.

How to Block Bad Bots Without Blocking Good Bots: reCAPTCHA

Google reCAPTCHA helps keep bad bots from engaging in abusive activities on your website such as attempting to break into your website using compromised passwords, posting spam, or even scraping your content.

Legitimate users, however, will still be able to log in, make purchases, view pages, and create accounts. reCAPTCHA uses advanced risk analysis techniques to tell humans and bots apart.

How to Use reCAPTCHA in iThemes Security Pro

To get started using Google reCAPTCHA, enable the option on the Lockouts tab of the Features menu. After enabling reCAPTCHA, click the settings cogwheel.

The next step is to select which version of reCAPTCHA you want to use and generate your keys from your Google admin.

Note: We recommend using reCAPTCHA v3. We cover each of the three versions in more detail in the Understanding the Different reCAPTCHA Versions section.

Now enable reCAPTCHA on your WordPress user registration, reset password, login, and comments.

Finally, set the number of failed reCAPTCHAs needed to trigger a lockout with the Lockout Error Threshold.

Selecting different versions of reCAPTCHA will display different settings.

Understanding the Different reCAPTCHA Versions

iThemes Security Pro supports three versions of reCAPTCHA. Let’s take a moment to talk about how each of them protects your website from bad bots.

Version 2

The “I’m not a robot” reCAPTCHA checkbox requires users to click a checkbox indicating they are not a robot. This will either pass the user immediately (what Google calls the “No CAPTCHA” flow) or challenge them to prove they are human.

You’re probably already familiar with seeing this type of reCAPTCHA on sites you use. The challenge CAPTCHA will typically be something like selecting all of the images of a crosswalk from a grid of photos.

Invisible

The invisible reCAPTCHA does not require the user to click a checkbox. Instead, it is invoked when the user clicks an existing button on your site, or it can be invoked explicitly through a JavaScript API call.

The reCAPTCHA badge displays on the bottom right-hand corner of every page using Invisible reCAPTCHA.

By default, only the most suspicious traffic will be prompted to solve a CAPTCHA.

Version 3 – Preferred Method

What’s great about reCAPTCHA version 3 is that it helps you detect abusive bot traffic on your website without any user interaction. Instead of showing a CAPTCHA challenge, reCAPTCHA v3 analyzes each request made to your site and returns a score.

The reCAPTCHA badge displays on the bottom right-hand corner of every page using reCAPTCHA v3.

The score ranges from 0.0 to 1.0. The higher the score returned by reCAPTCHA, the more confident it is that a human made the request. The lower the score, the more confident it is that a bot made the request.

iThemes Security Pro allows you to set a block threshold using the reCAPTCHA score: a request whose score falls below the threshold is treated as a failed CAPTCHA. Google recommends 0.5 as the default. Keep in mind that a higher threshold blocks more traffic, so you could inadvertently lock out legitimate users if you set it too high.

Let’s say you set the block threshold to 1.0, which means you want to block anything Google isn’t completely sure is human. Now one of your customers sends a login request to your website. This customer uses a password manager to autofill their credentials, and reCAPTCHA gives the login request a score of 0.7.

So even though your customer didn’t type their credentials on the keyboard, Google is fairly sure your customer is human. But your customer will still be locked out, because you set a threshold of 1.0.
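The decision described above, as an added example that is not iThemes Security Pro code: a small PHP function that turns a reCAPTCHA v3 verification result into a pass/fail decision against a block threshold, plus a counter that turns repeated failures into a lockout in the spirit of the Lockout Error Threshold. The response arrays are constructed for the example and only mirror the field names of Google's documented siteverify JSON (`success`, `score`, `action`, `hostname`, `error-codes`); the function and class names prefixed `example_`/`Example`, the expected action `login`, and the hostname `example.com` are assumptions, not anything from the plugin. It also checks two things the score alone does not cover and that a practitioner should verify server-side: that the token was issued for the expected action and for your hostname. Running it shows the same 0.7 password-manager request passing at a 0.5 threshold and failing at 1.0.

```php
<?php
// Added example (not iThemes Security Pro code). Requires PHP 8.0+.
// Assumptions: the $siteverify array mirrors Google's siteverify JSON fields;
// action/hostname values and the example_ names are constructed for illustration.
declare(strict_types=1);

/**
 * Returns true when a v3 verification should count as a failed CAPTCHA.
 *
 * A request passes only if Google accepted the token, the token was minted for
 * the action and hostname this form expects, and the score is not below the
 * configured block threshold.
 */
function example_recaptcha_v3_is_failed(array $siteverify, float $threshold, string $expectedAction, string $expectedHost): bool
{
    // Expired, replayed, or malformed token (see error-codes): always a failure.
    if (empty($siteverify['success'])) {
        return true;
    }
    // A token minted for another form, or for another site using the same
    // keys, must not be accepted even with a high score.
    if (($siteverify['action'] ?? '') !== $expectedAction) {
        return true;
    }
    if (($siteverify['hostname'] ?? '') !== $expectedHost) {
        return true;
    }
    $score = (float) ($siteverify['score'] ?? 0.0);
    return $score < $threshold;
}

/** Counts consecutive failed CAPTCHAs per client address and reports when a lockout is due. */
final class ExampleRecaptchaLockoutCounter
{
    /** @var array<string,int> */
    private array $failures = [];

    public function __construct(private int $lockoutErrorThreshold) {}

    /** Records one outcome; returns true when the client has reached the threshold. */
    public function record(string $clientIp, bool $failed): bool
    {
        if (!$failed) {
            $this->failures[$clientIp] = 0; // a successful verification resets the count
            return false;
        }
        $this->failures[$clientIp] = ($this->failures[$clientIp] ?? 0) + 1;
        return $this->failures[$clientIp] >= $this->lockoutErrorThreshold;
    }
}

// Constructed siteverify responses (not real Google output).
$passwordManagerLogin = ['success' => true, 'score' => 0.7, 'action' => 'login', 'hostname' => 'example.com'];
$scriptedLogin        = ['success' => true, 'score' => 0.1, 'action' => 'login', 'hostname' => 'example.com'];
$replayedCommentToken = ['success' => true, 'score' => 0.9, 'action' => 'comment', 'hostname' => 'example.com'];
$expiredToken         = ['success' => false, 'error-codes' => ['timeout-or-duplicate']];

// Google's recommended 0.5 threshold versus the 1.0 threshold from the text.
var_dump(example_recaptcha_v3_is_failed($passwordManagerLogin, 0.5, 'login', 'example.com'));
var_dump(example_recaptcha_v3_is_failed($passwordManagerLogin, 1.0, 'login', 'example.com'));
var_dump(example_recaptcha_v3_is_failed($scriptedLogin, 0.5, 'login', 'example.com'));
var_dump(example_recaptcha_v3_is_failed($replayedCommentToken, 0.5, 'login', 'example.com'));
var_dump(example_recaptcha_v3_is_failed($expiredToken, 0.5, 'login', 'example.com'));

// Three scripted attempts from one address with a Lockout Error Threshold of 3.
$counter   = new ExampleRecaptchaLockoutCounter(3);
$ip        = '203.0.113.5';
$lockedOut = false;
foreach ([$scriptedLogin, $scriptedLogin, $scriptedLogin] as $attempt) {
    $lockedOut = $counter->record($ip, example_recaptcha_v3_is_failed($attempt, 0.5, 'login', 'example.com'));
}
var_dump($lockedOut);
```

The action and hostname checks matter because a v3 token is just a bearer value: without them, a token that a bot obtained legitimately on your comment form, or on a different site sharing your keys, could be replayed against your login form with a good score.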

How to Integrate Your Plugin with iThemes Security reCAPTCHA

Integrating your plugin with iThemes Security is a simple process. Here’s how to display and validate the reCAPTCHA.

iThemes Security fires the itsec_recaptcha_api_ready hook when it is time for plugins to set up their reCAPTCHA integrations. At this point, iThemes Security has already verified that the site administrator has configured their reCAPTCHA keys. You can also check whether the API is available by calling ITSEC_Recaptcha_API::is_available().
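One way a third-party plugin can wire its own front-end form into this hook, as an added example that is not code from the post or from iThemes. Only the itsec_recaptcha_api_ready action and ITSEC_Recaptcha_API::is_available() come from the text above; it assumes that ITSEC_Recaptcha_API::display() prints the widget markup and that ITSEC_Recaptcha_API::validate() returns true or a WP_Error (check the Help Center for the actual method names and arguments), and the form, the example_ hook and function names, and the nonce action are constructed for the example.

```php
<?php
// Added example (not iThemes Security or iThemes Security Pro code).
// From the post: the itsec_recaptcha_api_ready action and
// ITSEC_Recaptcha_API::is_available(). Assumed (verify against the Help Center):
// ITSEC_Recaptcha_API::display() renders the widget and
// ITSEC_Recaptcha_API::validate() returns true or a WP_Error.
// Everything prefixed example_ is constructed for this illustration.

// Register the integration only once iThemes Security says the API is ready,
// i.e. the administrator has entered keys. Hooking earlier (e.g. on 'init')
// risks calling the class before it is loaded.
add_action('itsec_recaptcha_api_ready', 'example_register_recaptcha_integration');

function example_register_recaptcha_integration(): void {
    // The hook firing implies availability; the explicit check covers code
    // paths that may also run outside the hook.
    if (!ITSEC_Recaptcha_API::is_available()) {
        return;
    }
    add_action('example_contact_form_fields', 'example_render_recaptcha_field');
    add_filter('example_contact_form_validate', 'example_validate_recaptcha_field');
}

/** Emits the reCAPTCHA widget inside the plugin's own form. */
function example_render_recaptcha_field(): void {
    ITSEC_Recaptcha_API::display(); // assumed signature
}

/**
 * Runs before the submission is processed. Fails closed: anything other than
 * an explicit true from the validator rejects the submission.
 */
function example_validate_recaptcha_field($errors) {
    if ($errors instanceof WP_Error && $errors->has_errors()) {
        return $errors; // an earlier validator already rejected it
    }
    $result = ITSEC_Recaptcha_API::validate(); // assumed: true or WP_Error
    if ($result instanceof WP_Error) {
        return $result;
    }
    if ($result !== true) {
        return new WP_Error('example_recaptcha_failed', __('CAPTCHA verification failed.', 'example'));
    }
    return $errors;
}

// The plugin's own form and submit handler (constructed for this example).
function example_render_contact_form(): void {
    echo '<form method="post">';
    wp_nonce_field('example_contact_submit', 'example_nonce');
    echo '<textarea name="example_message"></textarea>';
    do_action('example_contact_form_fields'); // the reCAPTCHA field lands here
    echo '<button type="submit">Send</button></form>';
}

function example_handle_contact_submit(): void {
    $nonce = isset($_POST['example_nonce']) ? sanitize_text_field(wp_unslash($_POST['example_nonce'])) : '';
    if ($nonce === '' || !wp_verify_nonce($nonce, 'example_contact_submit')) {
        return; // not our submission (or a forged one)
    }
    $errors = apply_filters('example_contact_form_validate', new WP_Error());
    if ($errors instanceof WP_Error && $errors->has_errors()) {
        wp_die(esc_html($errors->get_error_message()));
    }
    $message = sanitize_textarea_field(wp_unslash($_POST['example_message'] ?? ''));
    // Storing or emailing $message is outside the scope of this example.
}
add_action('init', 'example_handle_contact_submit');
```

Two points worth keeping from this layout: the widget is rendered and validated through iThemes Security rather than by calling Google directly, so the administrator's version choice and thresholds apply to your form too; and the validation filter rejects on any outcome other than an explicit pass, so a configuration problem degrades into a blocked form rather than an unprotected one.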

Check out our Help Center for detailed instructions on how to integrate your plugin with iThemes Security reCAPTCHA.

Wrapping Up

There are good bots and bad bots. reCAPTCHA blocks bad bots from your website without getting in the way of the good bots that provide value.