Why we removed the built-in Google reCAPTCHA integration

Published on by

Version 4.9.2, released last week, removes the built-in Google reCAPTCHA integration that we added back in version 4.5.0 in 2019. If you were already using it, it remains enabled for you — but it is no longer available for new installations.

Here’s why we made this call.

reCAPTCHA v3 created more problems than it solved

When we added reCAPTCHA v3, the appeal was that it worked invisibly. No checkbox to click, no puzzles to solve — Google would silently score each form submission in the background and block anything that looked like a bot.

In practice, we found that v3 blocked a frustrating number of legitimate sign-ups, particularly for users accessing your site from a VPN or with privacy extensions enabled. Because the scoring is opaque and entirely in Google’s hands, there was nothing we could do when it got it wrong.

We also heard from users who were uncomfortable with what reCAPTCHA v3 actually does: it runs on every page, tracks visitor behaviour across the session, and sends that data to Google. For sites with a privacy-conscious audience — or sites trying to comply with GDPR without a lengthy cookie notice — this was a real problem.

What to use instead

The honest answer is that for most sites, the built-in honeypot field and double opt-in together handle the vast majority of spam sign-ups without any third-party involvement.

Double opt-in in particular is the most effective tool available: a bot can submit a form, but it can’t click a confirmation link in an email inbox. Enabling it in your form’s settings is the single highest-impact change you can make if spam is a problem.

For cases where you need a more active CAPTCHA, the Prosopo integration works well and is GDPR-compliant by design. There is also the older Captcha add-on plugin, which uses a different provider.

You can find more options in our knowledge base article on blocking spam sign-ups.

Summary

Removing a feature is never something we do lightly, but in this case the reCAPTCHA integration was causing more confusion and privacy concerns than it was solving. The alternatives work better and put you in more control.

If you have questions about handling spam on your sign-up forms, get in touch — we’re happy to help.