Why I Removed Google reCAPTCHA & Why You Probably Should Too

Google reCAPTCHA is probably the most popular anti spam service in the world. But there are several strong arguments for considering a move away from reCAPTCHA over to an alternative anti spam solution. Here are the facts that made me leave reCAPTCHA (and the three best alternatives).


Why Google reCAPTCHA could be a problem for your WordPress website

It’s easy to see why Google reCAPTCHA is a popular anti spam service: It’s free, most WordPress plugins and themes offer simple integration and Google is a fairly trusted developer. I myself have been an advocate in several Google reCAPTCHA v3 tutorials.

But external factors like increased integrity awareness, GDPR and the importance of page speed make many web developers question whether reCAPTCHA is a good choice – or even a feasible choice. Here are three reasons why I have abandoned Google reCAPTCHA and why you should maybe consider moving to another anti spam service.

1. Google reCAPTCHA might not be GDPR compliant

In January 2022, a German court ruled that Google Fonts is not in compliance with GDPR (the General Data Protection Regulation in the EU). The reason is that Google collects IP data from the visitors when the fonts are called from the Google server. The website owner got away with a €100 fine, but the court warned that the next fine could be much higher. In order to be GDPR compliant, you need to self-host your Google fonts.

So there is a lot at stake. The official EU website on GDPR fines states:

The less severe infringements could result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.

But what do Google Fonts have to do with reCAPTCHA? The thing is that the Google reCAPTCHA script forces the visitor to load the Google Font Roboto via Google’s servers at fonts.gstatic.com. As you can see in the waterfall screenshots below, Google actually makes two separate external calls for the Roboto font. And there is no way to remove these calls since they come from an external script. This goes for both reCAPTCHA V2 (puzzle recaptcha) and reCAPTCHA V3 (invisible recaptcha).

Google reCAPTCHA call for two Google fonts (Roboto)

I’m not a lawyer and I will not give legal advice. But I can say this with certainty: If requesting fonts from the Google server violates GDPR, then Google reCAPTCHA is not GDPR compliant since it requests fonts from the Google server without offering an option.

2. Google reCAPTCHA is bad for your pagespeed

It’s ironic that Google has pushed pagespeed as a crucial SEO ranking factor at the same time as they add unnecessary bloat to websites using their reCAPTCHA anti spam service. In the section above, you can see that two (unnecessary) fonts are loaded for every visitor. The combined size of the fonts is 30 kb, which equals a small image.

But these are not the only calls that have to be processed by your visitors. Using the Chrome Inspector tool or a service like GTMetrix reveals several reCAPTCHA related calls:


The reCAPTCHA script calls recaptcha__en.js, styles__ltr.css, logo_48.png and more from the Google server.

When taking a closer look at a Divi website using Google reCAPTCHA v3 protection for Divi forms, I can track down 10 reCAPTCHA related calls + 2 font calls which adds up to a total of 12 calls (11 of them are external) with a combined file size of 406 kb. This equals the size of a full screen image with a pretty high resolution. This could have a negative effect on your pagespeed and thus be bad for the SEO and user experience of your website.
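The same count can be reproduced from a HAR file exported from the browser's network panel. The script below is an added example, not code from this post: it tallies reCAPTCHA and Google Fonts requests, how many leave your own host, and their combined size. The sample entries, the `example.test` host, and the `SITE_KEY`, `RELEASE` and `FONT_*` path parts are constructed placeholders.

```javascript
// Added example (not from the article): count reCAPTCHA and Google Fonts requests in a HAR export.
const TRACKED = [
  // Any URL with "recaptcha" in its path: Google's scripts plus a theme's own loader.
  { label: 'recaptcha', test: (u) => u.pathname.toLowerCase().includes('recaptcha') },
  // The font host named in the article.
  { label: 'google-fonts', test: (u) => u.hostname === 'fonts.gstatic.com' },
];

// HAR sizes can be -1 (unknown); take the first usable figure.
function entryBytes(entry) {
  const r = entry.response || {};
  const sizes = [r._transferSize, r.bodySize, r.content && r.content.size];
  const size = sizes.find((n) => Number.isFinite(n) && n >= 0);
  return size === undefined ? 0 : size;
}

function auditHar(har, siteHost) {
  const out = { requests: 0, external: 0, bytes: 0, labels: {}, hosts: {} };
  for (const entry of har.log.entries) {
    let url;
    try { url = new URL(entry.request.url); } catch (e) { continue; } // malformed URL
    const hit = TRACKED.find((t) => t.test(url));
    if (!hit) continue;
    out.requests += 1;
    if (url.hostname !== siteHost) out.external += 1; // visitor IP reaches a third party
    out.bytes += entryBytes(entry);
    out.labels[hit.label] = (out.labels[hit.label] || 0) + 1;
    out.hosts[url.hostname] = (out.hosts[url.hostname] || 0) + 1;
  }
  return out;
}

// Constructed sample: paths, keys and sizes are placeholders, not measurements.
const req = (url, bodySize, contentSize) =>
  ({ request: { url }, response: { bodySize, content: { size: contentSize } } });
const SAMPLE_HAR = { log: { entries: [
  req('https://example.test/', 40000, 40000),
  req('https://example.test/assets/recaptcha-init.js', 1200, 1200),
  req('https://www.google.com/recaptcha/api.js?render=SITE_KEY', 900, 900),
  req('https://www.gstatic.com/recaptcha/releases/RELEASE/recaptcha__en.js', 150000, 400000),
  req('https://www.gstatic.com/recaptcha/releases/RELEASE/styles__ltr.css', 25000, 50000),
  req('https://www.gstatic.com/recaptcha/api2/logo_48.png', 2200, 2200),
  req('https://fonts.gstatic.com/s/roboto/FONT_A.woff2', 15000, 15000),
  req('https://fonts.gstatic.com/s/roboto/FONT_B.woff2', -1, 15000),
] } };

console.log(auditHar(SAMPLE_HAR, 'example.test'));
```

The `hosts` map in the result lists every host that receives the visitor's request, which is the figure that matters for the GDPR question in section 1.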

3. Google reCAPTCHA adds clutter to your website layout

Yes, I’m referring to the annoying reCAPTCHA v3 badge. When you add reCAPTCHA v3 to your website, a badge will automatically appear in the bottom right corner. The badge contains a blue and grey reCAPTCHA logo + links to Google’s Privacy policy and Terms of use.


The default reCAPTCHA V3 badge could overlap other elements and contrast in color and design.

This badge has a tendency to overlap other design elements or simply add unwanted contrast to your design style and add an unwanted distraction for your visitors. And Google does not offer a single design setting from their end. Sure, you can use custom CSS to move the badge to the left side or move the badge up a few pixels but it still adds clutter.

To be fair, I should mention that you are allowed to hide the reCAPTCHA badge – but, and there is a but – then you must “include the reCAPTCHA branding visibly in the user flow”. And the external calls are still loaded in the background if you hide the badge with CSS.


You are allowed to hide the reCAPTCHA badge – if you add the branding manually. Screenshot from the Google reCAPTCHA FAQ.

Summary: Pros and cons of Google reCAPTCHA anti spam service

Let me be clear: I really like Google and I use many of their services (Chrome, Analytics, Fonts, Drive, Gmail etc.) on a daily basis. But being one of the biggest corporations in the world, that used to live by the motto “don’t be evil”, we should expect more from them. If they want to maintain the position as the most popular anti spam service, they need to clear all doubts about GDPR compliance, remove unnecessary bloat and add basic design settings.

The choice is yours. Here are the pros and cons of Google reCAPTCHA summarized:

Advantages of reCAPTCHA

  • There is no fee for licensing – it’s a free anti spam service
  • It’s supported by most major WordPress form plugins and themes (like Divi)
  • You can analyze spam analytics data in the reCAPTCHA dashboard
  • Google has huge amounts of data to pinpoint both human spammers and spam bots

Disadvantages of reCAPTCHA

  • It might not be GDPR compliant
  • It tracks your users’ behavior and data, which could be used by Google
  • It adds bloat to your website which could reduce your pagespeed and hurt your SEO
  • It adds design elements that might conflict with elements and the layout of your website

3 Alternative Anti Spam Services to Google reCAPTCHA

There are good anti spam alternatives to reCAPTCHA that will not share unauthorized user data, load extensive resources or mess with your web design. Here are my three favorite anti spam services for WordPress (and yes, it contains affiliate links):

1. WP Armour – Honeypot Anti Spam

My rating: ⭐⭐⭐⭐⭐

The honey pot technique is as simple as it is clever: It adds a hidden field to your forms that only spam bots can see. When a spam bot fills in the hidden field, the form submission is blocked by the plugin. Just activate the plugin and the invisible protection is added automatically – no setup is required.
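The check behind a honeypot field fits in a few lines. This is an added example of the general technique, not WP Armour's code; the field name `company_website` and the sample submissions are hypothetical.

```javascript
// Added example: server-side honeypot check for a contact form (not WP Armour's code).
// HONEYPOT_FIELD is a hypothetical name. The field is present in the form markup but
// hidden from human visitors with CSS, so only automated form fillers put a value in it.
const HONEYPOT_FIELD = 'company_website';

function renderHoneypot() {
  // Moved off-screen with CSS instead of type="hidden", which a bot can trivially skip.
  // tabindex, autocomplete and aria-hidden keep keyboard users, browser autofill and
  // screen readers away from the field so real visitors do not trip it.
  return '<div style="position:absolute;left:-9999px" aria-hidden="true">' +
    `<label>Leave this field empty <input type="text" name="${HONEYPOT_FIELD}" ` +
    'tabindex="-1" autocomplete="off"></label></div>';
}

function checkSubmission(fields) {
  // Field absent: the POST was not built from the rendered form (e.g. a replayed request).
  if (!Object.prototype.hasOwnProperty.call(fields, HONEYPOT_FIELD)) {
    return { accept: false, reason: 'honeypot-missing' };
  }
  // Field filled: something wrote into an input that no human can see.
  if (String(fields[HONEYPOT_FIELD]).trim() !== '') {
    return { accept: false, reason: 'honeypot-filled' };
  }
  return { accept: true, reason: 'ok' };
}

// Constructed sample submissions, as parsed form fields.
const SAMPLES = {
  human: { name: 'Ann', message: 'Hello', company_website: '' },
  bot: { name: 'x', message: 'buy now', company_website: 'http://spam.example' },
  replay: { name: 'x', message: 'buy now' },
};

function classifySamples() {
  const result = {};
  for (const [who, fields] of Object.entries(SAMPLES)) {
    result[who] = checkSubmission(fields).reason;
  }
  return result;
}

console.log(classifySamples());
```

The decision is made on the server from the submitted fields alone, so no third-party script or request is involved.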

The free version of WP Armour is compatible with many of the major WordPress forms like the Divi Contact Form, WP Comments, WP Registration, Gravity Form 7 (non-ajax and single page forms) as well as BBPress forums, Elementor Forms and Gravity Forms and more.

The paid version WP Armour Extended adds 2-level spam check, IP blocking and spam logs. It adds support for WooCommerce Checkout and Registration, Ninja Forms, Gravity Forms (Ajax-based forms and multi-step forms), BuddyPress, Easy Digital Downloads and more.

The pricing ranges from the single site lifetime license for $19.99 to the unlimited lifetime license for $99.99 (but you might find a discount coupon here, wink wink).

2. CleanTalk Spam Protect

My rating: ⭐⭐⭐⭐⭐

If you are looking for a more powerful anti spam service that doesn’t cost much, CleanTalk is an excellent choice.

While it has a free WordPress plugin, you need to register and pay for the service (after the free 7-day trial period). The license starts at $12/year (yes, per year) for one website or $20/month for unlimited websites, so it’s a fair price. You can also check out some CleanTalk discounts here.

The feature list is simply too long to sum up in this post, but I recommend that you explore their impressive list of spam protection features.

3. The good old Divi Form Spam Protection

My rating: ⭐⭐⭐

Are you on a slim budget and hesitant to add more plugins to your Divi website? The default Divi spam protection is a simple method to reduce spam. It will add a basic mathematical task (X+Y=Z) that the visitor needs to solve before submitting a form.

Yes, it might be a bit annoying for your visitors and no, it might not stop all spam messages, but for a small website with an even smaller budget, it might just be good enough.

That’s all for today!

I hope that you enjoyed this post. Do you agree or disagree? Please let me know your opinion in the comments below.


14 Comments

  1. Wow, now this is a good post. Sweet and concise, filled to the brim with pertaining information. Will use this as a reference about reCaptcha for future use

    Reply
    • Thanks Paul! I’m glad to hear that it was right up your alley. 🤜🤛

      Reply
  2. I use wpghost security for me as the best choice

    Reply
    • Thanks for sharing! I’ll check out wpghost for sure.

      Reply
      • Hi Victor – I’ve not read your review as yet but I would never consider reCaptcha now. Firstly, from a user-experience – it’s downright annoying. Secondly, the method assumes the user can respond accurately to whatever it asks you to do. CleanTalk all the way for me – effective, cheap and doesn’t interrupt anyone’s experience of your website. Now to read your review properly!!

        Reply
        • Thanks for sharing Sandy! Yes, CleanTalk is really awesome against spam. 🦾

          Reply
  3. Hi Victor.

    As I faced exactly those problems which you describe in your blog, I have developed a plugin to solve them all via a proof-of-work concept, which we know from mining crypto-coins.

    Up to now it blocks 100 percent spam and 0 percent real requests, without the side-effects that you describe for google’s recaptcha.

    Now I distribute it over the WordPress’s plugin-directory. Therefore it would help me and it would be a great pleasure to me if you could give me feedback to the plugin and if you probably could mention it.

    The slug name is cf7-recaptcha-mine. (Hope this is not too much advertisement, I didn’t find an email address.)

    If you have feedback, questions or if you want to exchange views it would be a pleasure to me.

    Cheers from Germany, Matthias

    Reply
    • Thanks for sharing Matthias! I’m not a CF7 user myself but I know that it’s a popular form plugin. I’ll check it out!

      Reply
      • Now I have added a

        GDPR-compliant ReCaptcha for all forms and logins

        with exactly that name 🙂

        Reply
        • Cool, I always appreciate a clear and concise name for a plugin! 🙂 Does it support the native Divi Contact Form?

          Reply
          • As I originally developed it for my own page, based on Divi:

            Yes 🙂

  4. A German regional court made a ruling that has exactly zero meaning outside of the trial. So ONLY the two parties of the trial are affected by this, but the world runs crazy. Do you know, that the same court made a ruling that DOI-Emails are considered as spam, some time ago? That court is the second lowest instance in Germany. That ruling has created a wave of fraudsters trying to get money from companies that are using Google Fonts. Those who paid might also think that they can become an heir to a Nigerian Emperor by answering an email and sending some money through Western Union. Some sued those fraudsters and ALL of them won, as the courts ruled that the use of Google Fonts is not illegal. But now you have the next subject and are trying to make reCaptcha the next option for fraudsters. Imho, if you have issues with data going to US companies, stop using the internet, as each of your devices sends data. Be it Apple who collects data all the time. Just receive a call and you will know if that person is an Apple user as well. Microsoft collects data about each email that is sent from or to Outlook or Office365, as well as Google does with the Gmail service. If you use WhatsApp on your phone, Meta receives access to all of your contacts, regardless if those contacts agreed and by the way, there is a German court ruling (also from a low level court) calling this illegal. So if you use an iPhone for business and have WhatsApp installed on it, use a MS O365 email account and regularly buy at Wish, all the data of your phone is in the USA and China and according to the GDPR, you are breaking the law.

    Reply
    • The whataboutism argument about WhatsApp is far-fetched, to say the least. In one case, the user downloads an app, registers an account and consents to the privacy policy that states how the user data is processed. The users can request their data and ask to be forgotten. In the second case, the user enters a random website without having any chance to reject or consent to (or even knowing about) using Google fonts and sharing their data with Google.

      But you are right about the conspirators having fooled the entire world. WordPress, that powers more than 40% of all sites on the internet, will take actions based on these Nigerian myths in the upcoming 6.2 release. Maybe you can reach out to them and reveal the truth?

      Reply


Affiliate Disclaimer

All content on DiviMundo is funded by you – our beloved readers. Some of the links are affiliate links. This means that if you click on the link and purchase something, I will receive an affiliate commission. But it will never cost more for you. Thanks for your support!

Victor Duse, founder of DiviMundo