ReCAPTCHA 101: Is It the Best Way to Block Bots?
Published: 22/08/2022


  • Netacea, Agentless Bot Management


Bots now make up more than 43% of all internet traffic. It’s a growing problem — there are now almost twice as many bad bots as good bots. That’s why site administrators use programs like reCAPTCHA to block bots from accessing their websites, apps, and APIs.

Bots aren’t a new problem. Back in 1950, Alan Turing created the Turing Test: a game designed to test a program’s ability to pass as a human. Since then, developers have built programs that pass the Turing Test with ease, giving rise to the bots we see today — sophisticated, aggressive programs that are difficult to detect, and even harder to block.

For a long time, reCAPTCHA has been one of the most popular anti-bot solutions. It’s free, familiar, and offers reasonable protection against malicious bots.

But it’s getting easier for bots to evade reCAPTCHA. In one study, 62% of users were identified as bots, despite the use of reCAPTCHA. So, is this still the best way to protect against bots?

What is reCAPTCHA and why is it used?

ReCAPTCHA is a website plugin designed to distinguish between human users and bots. It uses algorithms, behavioral analysis, and human input to determine whether a user is human or not.

ReCAPTCHA has been around since 2005. It evolved from CAPTCHA, which stands for ‘Completely Automated Public Turing test to tell Computers and Humans Apart’. CAPTCHA generated distorted text that humans could read but that optical character recognition (OCR) programs, and therefore bots, could not.

ReCAPTCHA is now far more sophisticated than the original CAPTCHA system, and even early incarnations of reCAPTCHA itself.

The evolution of reCAPTCHA

ReCAPTCHA v1

Google acquired CAPTCHA in 2009, and quickly set about improving it. ReCAPTCHA v1 used similar processes to CAPTCHA, but in a more sophisticated way. Scanned words from digital documents were analyzed by multiple OCR programs and categorized as either:

  • Suspicious words — words decoded differently by more than one OCR, or
  • Control words — words considered clear to most human users

Further tests established which words could safely be decoded by humans, but not bots. Multiple words were then displayed to users on sites using reCAPTCHA to prevent bots entering the site. Humans were required to enter the words to pass the test.


Lines and other marks were added later to make the task more complex for bots, while keeping it relatively simple for humans.

ReCAPTCHA v2

ReCAPTCHA v2 was released in 2014. Despite being eight years old, reCAPTCHA v2 is still used by many websites, and its challenges are recognizable to most internet users.

ReCAPTCHA v2 verifies human users with simple puzzles that are designed to improve user experience compared with CAPTCHA and reCAPTCHA v1. It requires suspicious or unknown users to select specific images (or complete an equivalent audio challenge) to prove they’re human.

No CAPTCHA ReCAPTCHA

No CAPTCHA versions of reCAPTCHA use behavioral analysis to simplify the puzzles further, with minimal impact on user experience.

No CAPTCHA reCAPTCHA consists of a single checkbox that users must select to prove they’re human.

This checkbox isn’t automatically shown to all users. ReCAPTCHA analyses user behavior and determines each user’s individual risk factors. Low-risk users can bypass the full reCAPTCHA challenge with the checkbox; higher-risk users are shown full reCAPTCHA v2 challenges.

ReCAPTCHA v3

Released in 2018, reCAPTCHA v3 advances the behavioral analysis first used in no CAPTCHA reCAPTCHA. It uses a scoring system to verify user requests, so site administrators can take appropriate action based on each user’s score.

ReCAPTCHA v3 works behind the scenes; most real users won’t see reCAPTCHA challenges. Site admins must set and control score parameters to challenge suspicious users with reCAPTCHA forms.
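The score thresholds described above are the part the site operator has to write and maintain. The following is an added example, not code from the original article and not Netacea’s or Google’s own code: it turns a reCAPTCHA v3 server-side verification result (the JSON returned by Google’s siteverify endpoint, whose fields `success`, `score`, `action`, `challenge_ts`, `hostname` and `error-codes` are documented) into an allow / challenge / block decision. The thresholds, the expected action name `login`, the hostname `shop.example` and the sample verdicts are assumptions constructed for illustration. It also applies the checks a score-only policy tends to miss: a token minted for a different action or hostname, or one replayed after its short lifetime, is treated as a bot regardless of its score.

```python
"""Server-side handling of a reCAPTCHA v3 verdict.

Added example (not Netacea's or Google's code): maps the siteverify JSON
to 'allow', 'challenge' or 'block'.  Thresholds, action, hostname and the
sample verdicts below are assumptions chosen for illustration.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
TOKEN_LIFETIME = timedelta(minutes=2)   # v3 tokens are only valid briefly

# Assumed policy: >= 0.7 passes silently, 0.3-0.7 gets a visible v2
# challenge, below 0.3 is blocked outright.
ALLOW_SCORE = 0.7
CHALLENGE_SCORE = 0.3


def verify_token(secret, token, remote_ip=None):
    """POST the client token to siteverify and return the parsed JSON.
    Not called in the demo below, so the example runs offline."""
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=data, timeout=5) as resp:
        return json.load(resp)


def decide(verdict, expected_action, allowed_hosts, now=None):
    """Return (decision, reason) for one siteverify result.

    The score alone is not enough: the token must have verified, must
    carry the action this endpoint expects, must have been issued for one
    of our own hostnames, and must still be fresh.
    """
    now = now or datetime.now(timezone.utc)
    if not verdict.get("success"):
        return "block", "verification failed: %s" % verdict.get("error-codes")
    if verdict.get("action") != expected_action:
        return "block", "action mismatch"
    if verdict.get("hostname") not in allowed_hosts:
        return "block", "hostname mismatch"
    try:
        issued = datetime.strptime(verdict["challenge_ts"], "%Y-%m-%dT%H:%M:%SZ")
        issued = issued.replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return "block", "unparseable challenge_ts"
    if now - issued > TOKEN_LIFETIME:
        return "block", "token expired"
    score = float(verdict.get("score", 0.0))
    if score >= ALLOW_SCORE:
        return "allow", "score %.2f" % score
    if score >= CHALLENGE_SCORE:
        return "challenge", "score %.2f" % score
    return "block", "score %.2f" % score


# Constructed sample verdicts (not real API output); the field names match
# siteverify's documented response.  NOW is fixed so the freshness check
# is deterministic.
NOW = datetime(2022, 8, 22, 10, 1, 0, tzinfo=timezone.utc)
SAMPLES = {
    "human": {"success": True, "score": 0.9, "action": "login",
              "challenge_ts": "2022-08-22T10:00:30Z", "hostname": "shop.example"},
    "unsure": {"success": True, "score": 0.4, "action": "login",
               "challenge_ts": "2022-08-22T10:00:30Z", "hostname": "shop.example"},
    "bot": {"success": True, "score": 0.1, "action": "login",
            "challenge_ts": "2022-08-22T10:00:30Z", "hostname": "shop.example"},
    "wrong_action": {"success": True, "score": 0.9, "action": "signup",
                     "challenge_ts": "2022-08-22T10:00:30Z", "hostname": "shop.example"},
    "replayed": {"success": True, "score": 0.9, "action": "login",
                 "challenge_ts": "2022-08-22T09:55:00Z", "hostname": "shop.example"},
    "invalid": {"success": False, "error-codes": ["timeout-or-duplicate"]},
}


def run_samples():
    """Evaluate every constructed sample; returns {name: decision}."""
    return {name: decide(v, "login", {"shop.example"}, now=NOW)[0]
            for name, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print("%-13s -> %s" % (name, outcome))
```

The middle band (here 0.3 to 0.7) is where a v3 deployment typically hands off to a visible v2 challenge rather than blocking outright; the exact cut-offs are a per-site tuning decision and should be revisited as the traffic mix changes, which is the ongoing monitoring cost the article refers to.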

ReCAPTCHA Enterprise

ReCAPTCHA Enterprise was released in 2020. Unlike previous versions, Enterprise allows you to set reCAPTCHA protection across your whole website, rather than individual webpages. This is useful if you have a large site (although if this is the case, reCAPTCHA is probably insufficient to protect you against bots).

You can also use reCAPTCHA Enterprise to protect mobile apps. Like v3, there’s little to no user interaction with a reCAPTCHA challenge, so it improves user experience compared with v2.

Do you need reCAPTCHA for your site?

Many site administrators choose to use reCAPTCHA because it’s free (up to a million requests per month, at least) and already widely used. Most internet users are familiar with reCAPTCHA challenges — they understand how it works and what it’s for.

As a result, reCAPTCHA — especially later versions — can offer good protection for smaller sites with relatively low visitor numbers. It can indicate whether your site is being targeted by bots, and show whether your site visitors are bots or humans.

But reCAPTCHA is an inadequate solution for some sites, especially:

  • Large websites with high traffic volumes
  • Sites that are consistently targeted by bot attacks
  • Sites that store personally identifiable information and payment details
  • Sites whose administrators want protection for the entire website or API, not just individual webpages.

Sophisticated malicious bots can seriously damage these sites — so it’s essential to have the best possible bot protection in place.

Is reCAPTCHA a good way to protect your site against bots?

According to Google, “reCAPTCHA has been at the forefront of bot mitigation for over a decade.” But bots have become far more sophisticated in recent years — and reCAPTCHA can’t keep up with the speed and complexity of these advancements.

ReCAPTCHA can detect certain bots, but it’s not the best way to prevent them from attacking your site. As well as being ineffective against sophisticated bots, it can result in:

  • Low protection for full sites — reCAPTCHA v2 and v3 must be deployed across every individual webpage you want to protect, which is time-consuming and laborious
  • Poor user experience — reCAPTCHA challenges are increasingly annoying for users that value fast, uninterrupted browsing
  • Difficult deployment — later versions of reCAPTCHA require technical configurations that must be manually monitored and updated, using up valuable staff time
  • Negative site performance — adding code to multiple pages causes site slowdown, and reCAPTCHA challenges can cut conversions by up to 40%
  • User privacy concerns — reCAPTCHA relies on tracking cookies, causing major clients like Cloudflare to quit reCAPTCHA over privacy concerns
  • Poor accessibility — reCAPTCHA isn’t supported for the deafblind community, so can exclude certain users and compromise your accessibility efforts.

How to protect your website from bad bots

ReCAPTCHA can tell you if you’re experiencing high volumes of bot traffic. And we can’t deny it’s affordable. But on its own, it’s not the most efficient or effective way to protect against bots.

Dedicated bot management systems are more expensive than reCAPTCHA — but they also offer far better protection.

At Netacea, we offer clients the option to use reCAPTCHA to measure the effectiveness of our bot mitigation software. Our solution can identify and refer suspicious site visitors to reCAPTCHA challenges — and many of our customers see a 100% CAPTCHA incomplete rate, proving the accuracy of our bot detection engine.

With Netacea’s bot management system, you’ll also get:

  • Accurate bot detection and automatic blocking — our machine learning engine understands, detects, and blocks even the most advanced and sophisticated bots
  • Optimal site performance — we deploy our software server-side, so there’s no site slowdown or downtime, and your entire site is protected
  • Range of deployment options — we’ll help you implement Netacea across your environment, so your staff won’t need to spend time on configurations and setup
  • User experience improvements — our false positive rate is an industry-low of 0.001%, so real users won’t be impacted. Our bot detection engine is so accurate that it only alerts staff when there’s a genuine problem, minimizing alert overload
  • Maintain accessibility — there’s no impact on real users, so your accessibility won’t be compromised.

If you’re looking for a better way to protect against bot traffic, Netacea’s bot management system is a proven solution.
