Invisible reCAPTCHA for WooCommerce – by LCweb

Installation

  • Download the .zip file from your WooCommerce account
  • Head to: WordPress Admin > Plugins > Add New > Upload Plugin and use the downloaded .zip package
  • Click on Install Now and Activate

If you need further help about this section, please check the related WooCommerce article.

Setup


Go to WordPress Admin > WooCommerce > Settings, where there will be a new tab named Invisible reCAPTCHA.
Click on it to reach the plugin settings page.

You will be asked to:

  • select which security system to use (honey-pot, Google reCaptcha v2 or v3)
  • choose where to use the security system on your website

Additionally, there are a few parameters to set in order to get started. Let’s check them one by one:

Google reCaptcha Keys

Google requires you to insert specific keys created for your website domain.
Please click on the Get your keys link underneath the related field to reach the Google page (or click this link).

Pay attention to which reCaptcha version you want to use and create keys accordingly.

reCaptcha v3 User Score

While reCaptcha v2 will always prompt the user to solve the puzzle, v3 works in a totally passive way by assigning a score to the user.
A potential bot will have a low score (near zero) while a trusted user will have a high one (near 100).

It is essential to set a target value to consider “safe” for the anti-spam system. The suggested value is 40.
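The following is an added example, not the plugin's own code, showing how a v3 verification result can be judged against the target value of 40. It assumes the 0-100 user score is Google's 0.0-1.0 `score` multiplied by 100; the `evaluate` function, the `checkout` action name and the `shop.example` hostname are hypothetical, and the response bodies are constructed samples.

```python
import json

SAFE_SCORE = 40  # suggested target value from the page, on its 0-100 scale


def evaluate(body, expected_action, expected_host, safe_score=SAFE_SCORE):
    """Decide whether one siteverify response body passes. Returns (ok, reason)."""
    try:
        data = json.loads(body)
    except ValueError:
        return False, "malformed response"
    if not isinstance(data, dict) or data.get("success") is not True:
        codes = data.get("error-codes", []) if isinstance(data, dict) else []
        return False, "token rejected: " + (",".join(map(str, codes)) or "unknown")
    # A valid token issued for another site or another form must not pass here.
    if data.get("hostname") != expected_host:
        return False, "hostname mismatch"
    if data.get("action") != expected_action:
        return False, "action mismatch"
    score = data.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return False, "missing score"  # fail closed when no score is returned
    scaled = round(score * 100)  # assumed mapping from 0.0-1.0 to 0-100
    if scaled < safe_score:
        return False, f"score {scaled} below {safe_score}"
    return True, f"score {scaled} meets {safe_score}"


# Constructed sample responses (not captured from a real site).
HOST = '"action": "checkout", "hostname": "shop.example"}'
SAMPLES = {
    "human": '{"success": true, "score": 0.9, ' + HOST,
    "borderline": '{"success": true, "score": 0.4, ' + HOST,
    "bot": '{"success": true, "score": 0.1, ' + HOST,
    "no_score": '{"success": true, ' + HOST,
    "wrong_action": '{"success": true, "score": 0.9, "action": "login", '
                    '"hostname": "shop.example"}',
    "reused": '{"success": false, "error-codes": ["timeout-or-duplicate"]}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, evaluate(body, "checkout", "shop.example"))
```

Raising the target value rejects more borderline visitors; lowering it lets more low-scoring traffic through.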

Hide reCAPTCHA validation badge?

On every page where the reCaptcha system is used, an interactive badge is automatically appended. It contains links to Google privacy and terms policies. While not suggested by Google, it is possible to hide it by checking the related option.

Apply system only to guest checkouts?

It’s possible to apply the anti-spam protection only to checkouts performed by guests.
By checking the related field, you treat logged-in customers as safe.

Always enqueue scripts?

Technical matter: by default the plugin enqueues its JavaScript code (~3KB) only on pages where the anti-spam system is used.
This might conflict with ajax-loaded contents (e.g. forms loaded asynchronously).

Check the related option to always enqueue it. Website performance will be essentially unaffected and there won’t be compatibility issues.

Anti Brute-force Attack


In the lower part of the “Main Settings” there is a section managing the anti brute-force attacks system. It targets the same forms involved in the anti-spam system and essentially tracks how many times a visitor interacts with them, submitting data to the server.

Once a visitor reaches the defined threshold, they will be prevented from submitting those forms for a specific amount of time. It is a very important complementary system to reduce the risk of server outages due to bots.

NB: logged-in WordPress users will not be tracked by this system.

Refused Interactions Log


In the WordPress Admin > WooCommerce > Settings > Invisible reCAPTCHA tab there is also a subsection named “Refusal Log”. This plugin section is useful to better understand how bots might be interacting with your website.

Each time a bot fails an anti-spam check, a log entry is created with its data.
For example, knowing the IP addresses and website pages involved could be useful to set up specific server firewall rules.

NB: please note that it is not possible to track failed reCAPTCHA v2 puzzles.
