
Integrate a Challenge Response Test in WordPress to prevent SPAM

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a type of computing test which is used to determine whether a particular user is a human or a web bot. A CAPTCHA can greatly help you in preventing/reducing comment spam, as all your site visitors have to take a human verification test every time they try to post a comment in your blog. If you’d like to implement CAPTCHA in your WordPress installation, then the best plugin for accomplishing this task is Conditional CAPTCHA.

The plugin allows you to serve a challenge-response test to your blog visitors using one of the following modes:

  • Basic mode: Under this mode, a CAPTCHA will be served to ALL your site visitors who are not logged in to your site and are trying to post a comment. After implementing a challenge-response test, spam bots may find it quite difficult to post their junk as they might not be able to solve the test. Keep in mind that the plugin won’t show the test to those commenters who have solved a CAPTCHA previously or have a previously approved comment on your blog.
  • Akismet enhanced mode: If you are using the Akismet plugin for filtering comment spam on your blog, then Conditional CAPTCHA can work in conjunction with it and will serve a CAPTCHA only to those users whom Akismet identifies as possible spammers. These users can either be web bots or legitimate human visitors who are trying to post/promote their hyperlinks on your site.

Once you have installed and activated the plugin, you can access its settings page by going to Plugins >> Conditional CAPTCHA in your dashboard. On the settings page you will be able to see/set the following things:

  • Plugin mode: If Akismet is already installed and functioning for your blog, then the plugin will automatically choose Akismet Enhanced Mode for itself and will only serve a CAPTCHA to those users whose comment has been marked as spam by Akismet. If you are not using Akismet, then the plugin will enable itself in Basic mode.
  • CAPTCHA Method: The plugin supports two types of CAPTCHA system, viz. a simple text-based CAPTCHA and reCAPTCHA. Of the two, it’s suggested that you choose reCAPTCHA for your blog, as it can be considered more advanced in terms of functionality. Keep in mind that if you opt for reCAPTCHA, then you are also required to obtain a public as well as a private key for it (check the note at the bottom).
  • Comment Handling: If a user who has been identified as a possible spammer passes the challenge-response test, then you are required to select what to do with his comment. For this, select from Leave the comment in the SPAM queue, Queue the comment for moderation and Approve the comment under When a CAPTCHA is completed correctly, as per your requirements. You are also required to select what happens to a comment if a user fails the test. For this, select from Leave the comment in the spam queue, Trash the comment and Delete the comment permanently under When a CAPTCHA is not completed correctly, as per your requirements. Keep in mind that this behavior of the plugin only applies if a CAPTCHA has been served to your site’s visitor by the plugin. The rest of the time the plugin follows the Discussion settings of WordPress.
  • CAPTCHA Page style: The author of the plugin has styled the CAPTCHA box in such an efficient way that it will fit and look good in almost all WordPress themes. But if you’d like to style your CAPTCHA page and box as per your own needs, then you can modify its style using the CAPTCHA page style box. After making the desired changes, if you want to revert to the default style at any time, then all you need to do is simply empty the box and click on the Update Settings button present at the bottom of the page.
  • CAPTCHA prompt: Whenever the plugin asks a possible spammer to solve a challenge-response test, it will show him a message which says: Sorry, but I think you might be a SPAM bot. Please complete the CAPTCHA below to prove that you are a human. If you want to modify this text, then you can modify it using the CAPTCHA prompt text box. If at any time in future you’d like to revert to the default message, then all you need to do is empty the box and click on the Update Settings button present at the bottom of the settings page. Keep in mind that HTML, PHP, JavaScript or any other type of code won’t work if inserted in the text box.
  • CAPTCHA Preview: The plugin also allows you to preview your CAPTCHA page and box depending on the settings you have opted for. Click on the Show preview of CAPTCHA page button and the plugin will show you a preview in a new tab/window.
  • Akismet Behavior: This option is only displayed if Akismet is enabled and functioning on your blog. Select whether you’d like to prevent Akismet from checking comments for logged-in users and whether you’d like to prevent Akismet from storing comment histories, as per your requirements. Keep in mind that logged-in users are not limited to the administrators, authors, editors etc. of your blog: if you have opened registration on your blog and your website visitors are also logged in to your installation, then they will also be counted as logged-in users and Akismet won’t check their comments for possible spam.

Once everything is set, click on the Update Settings button and Conditional CAPTCHA will start working for your blog. You will also be able to see its stats on the main page of your dashboard:

[Image: conditional captcha]

Note: Follow these steps in order to get a public as well as a private key for reCAPTCHA.

1. Go to and click on the Get reCAPTCHA button present at the top of the page:

[Image: google recaptcha]

2. On the immediate next page, click on the red Sign up now button; you are required to log in using your existing Google account. Once the login is successful you will be redirected to a page where you need to enter the domain name which you want to use with reCAPTCHA:

[Image: sign up now]

[Image: enter domain]

Keep the box in front of Enable this key on all domains (global key) unchecked, as this option can be considered useful only if you want to use a single key with multiple domains/sub-domains, OR you are a reseller, OEM etc. and want to use a single key with a large number of your customers’ domains. Keep in mind that if you opt to use a global key, then you are required to use a descriptive domain name like

Click on the Create button and the next page will show you your unique alphanumeric public as well as private keys:

The public key is always served to your website visitors and is generally used in JavaScript code, while the private key is used to establish a connection between your web server and Google’s reCAPTCHA server. So it is highly suggested that you always keep your private key secret.
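As an added illustration (not the Conditional CAPTCHA plugin’s own code), the following WordPress snippet shows how the two key roles described above and the basic-mode rule (challenge only logged-out visitors with no previously approved comment) fit together in a comment gate. It assumes the current reCAPTCHA widget and siteverify JSON API rather than the version shown in the screenshots; the key values and the `demo_` names are placeholders.

```php
<?php
// Added illustration, not the Conditional CAPTCHA plugin's code. Assumes the
// current reCAPTCHA widget and siteverify JSON API; keys are placeholders.
define( 'DEMO_RECAPTCHA_PUBLIC_KEY',  'PUBLIC-KEY-PLACEHOLDER' );  // sent to browsers
define( 'DEMO_RECAPTCHA_PRIVATE_KEY', 'PRIVATE-KEY-PLACEHOLDER' ); // never leaves the server

// Basic-mode rule: challenge only visitors who are not logged in and have no
// previously approved comment under the same e-mail address.
function demo_needs_captcha( $author_email ) {
    if ( is_user_logged_in() ) {
        return false;
    }
    $approved = get_comments( array(
        'author_email' => $author_email,
        'status'       => 'approve',
        'count'        => true,
    ) );
    return 0 === (int) $approved;
}

// The widget is printed under the comment fields, which WordPress only shows
// to logged-out visitors; only the public key is embedded in the page.
add_action( 'comment_form_after_fields', function () {
    printf( '<div class="g-recaptcha" data-sitekey="%s"></div>', esc_attr( DEMO_RECAPTCHA_PUBLIC_KEY ) );
    echo '<script src="https://www.google.com/recaptcha/api.js" async defer></script>';
} );

// Verify with the private key on the server before WordPress stores the comment.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    $is_comment = empty( $commentdata['comment_type'] ) || 'comment' === $commentdata['comment_type'];
    if ( ! $is_comment || ! demo_needs_captcha( $commentdata['comment_author_email'] ) ) {
        return $commentdata; // pingbacks/trackbacks and trusted commenters follow Discussion settings
    }
    $token = isset( $_POST['g-recaptcha-response'] ) ? (string) $_POST['g-recaptcha-response'] : '';
    $resp  = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 5,
        'body'    => array(
            'secret'   => DEMO_RECAPTCHA_PRIVATE_KEY,
            'response' => $token,
            'remoteip' => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        ),
    ) );
    $result = is_wp_error( $resp ) ? array() : (array) json_decode( wp_remote_retrieve_body( $resp ), true );
    if ( '' === $token || empty( $result['success'] ) ) {
        // Fail closed: a missing, expired or unverifiable token counts as a failed test.
        wp_die( esc_html__( 'Sorry, the CAPTCHA was not completed correctly.', 'demo' ), 403 );
    }
    return $commentdata;
} );
```

The private key appears only in the server-side request body, which is the reason the article tells you to keep it secret; anyone holding it could forge passing results for your site.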