reCAPTCHA is a human verification system designed to stop spammers from abusing forms on websites, such as contact forms, site search and subscription sign-up forms.
The reCAPTCHA verification process works by forcing users to solve simple challenges before allowing access to forms. The purpose of these tests is to determine whether the user is a human or a ‘bot’.
Spammers typically use bots to find websites, either at random, through Google searches or from harvested lists distributed between spammers. The bot then searches each website to identify any pages containing forms. When it finds a page with one or more forms, it attempts to fill in data on each form using specifically written code and words, in order to perform malicious activities such as spreading malware and phishing attacks through emails sent via the forms.
These bots attempt to mimic a human visitor to your site, and reCAPTCHA presents a challenge that is easy for humans to solve but difficult for bots and other malicious software. When the bot can’t solve the challenge on one page, it moves on to the next page or another website. These challenges make reCAPTCHA an effective tool in protecting your site from spammers.
The technology was originally developed at Carnegie Mellon University as CAPTCHA, which is an acronym for:
It was acquired by Google in 2009 and was renamed to reCAPTCHA.
To date, Google has been providing this service for free, and in return, they get to collect analytical data from your website. This data may not be worth much to you, but to Google it’s probably worth millions. So, it could be seen as a mutually beneficial arrangement between you and Google – Google get your personal data for free and you get to use reCAPTCHA for free.
Earlier this year Google indicated that they were going to start charging for the use of reCAPTCHA. But before ditching or replacing reCAPTCHA, we should consider that Google will most likely follow the same process it did with Google Maps and offer a free tier. This will be more than adequate for most small websites, as it appears reCAPTCHA is free for 1,000 API calls per second or 1 million calls per month.
If your site was built by a third-party developer, you will no longer be able to use reCAPTCHA without an active Google account. Your developer most likely set up the API using their own Google credentials, as there was no need to activate it with a credit card.
With this arrangement your reCAPTCHA will stop working, unless your developer activates it with a credit card, in which case they will incur any usage costs for your site. Going forward, you could reach out to your developer and see if they are interested in arranging a billing agreement with you, so that you can continue using reCAPTCHA.
Alternatively, you can create a Google account, or use an existing one, and activate it by submitting your credit card information to Google. In this case you will need to create and set up new API details to re-establish reCAPTCHA. This requires configuration on both your Google account and your website.
As mentioned, the free tier will, in most cases, not attract fees for small, low-traffic websites. Although, it wouldn’t surprise me if, down the track, Google change this pricing model and become more aggressive with their billing structure and reduce the free tier, like we saw with their Google Maps API.