Prevent spam with a CAPTCHA

In this article I explain what a CAPTCHA is, how it helps prevent spam or abuse of your web form, what variants there are, how to install a CAPTCHA and whether there are other options to protect your forms.

Are you experiencing spam through any of your web forms? With your website, you’re actually aiming for conversion. A visitor can contact, order a product, download something in exchange for leaving information. Nothing is more annoying than receiving forms filled out by spammers. This can be prevented by placing a CAPTCHA (pronounced kèptja). The idea behind this is that computers have more trouble with “general” answers. Specific questions such as: what color is a tomato are easily answered by computers as a result of machine learning (this is pattern recognition).

What is a CAPTCHA?

A CAPTCHA(Completely Automated Public Turingtest to tell Computersand Humans Apart) is a test used to see if the visitor to your website is an automated bot or a real person. It is a test that is easy for a human to perform, but just difficult for a computer to accomplish.

Automated bots can be used to create many accounts to eventually launch a DDos attack through your website in the worst case scenario. Should you have a service on your website that allows messages to be sent, this way spam could also be sent through your website/platform. This is probably something you want to avoid at all costs because at that point you (your IP address) will be seen as distributing spam and will be blacklisted. To get rid of this again, you need to make sure that sending the spam through your website has stopped. Then, through your hosting provider, you can request to be removed from the blacklist.

What kind of CAPTCHAs are there?

There are several known variants, some of which are used a bit more than others and some of which evoke more frustration than others. Despite the fact that the solutions should be simple, it turns out that in some cases visitors cannot “solve” the CAPTCHA. Below is an overview of commonly used CAPTCHAs:

Captcha examples

  1. the textual CAPTCHA: a string of letters presented as an image must be retyped. With the development in artificial intelligence and machine learning, raw strings of letters are quickly resolved by bots and thus not very secure.
  2. Following that, the distorted letter sequence was created, where the letters (and numbers + punctuation marks) are distorted. Most famous (and dreaded) are the distorted letter sequences, where you can mistake a tilted ‘x’ for a ‘+’ or the distinction between the capital ‘I’ and the small ‘l’ is not recognizable. Due to the extreme distortion, the characters are sometimes so poorly recognizable that the solution cannot be given.
  3. The math CAPTCHA: this involves solving a simple sum. For example, 4+3. Sometimes, on the contrary, the answer must be entered again in written-out (answer = “seven”) digits to outsmart machines.
  4. The image CAPTCHA: this requires website visitors to describe what they see in the image.
  5. The picture puzzle CAPTCHA: In this, a picture is divided into pieces and you have to click on the pieces that show a road sign, human being or, for example, shop window.
  6. The audio CAPTCHA: That which you hear or the solution to the question must be entered as the solution.
  7. The gamification CAPTCHA: An image must be shifted in a “playful way” or, for example, points connected.
  8. The Google reCAPTCHA v3 is an “invisible” solution with its own advantages and disadvantages. This variant is also called nonCAPTCHA or ghostCAPTCHA.

After successfully resolving this test, the visitor is logged in or the form can be submitted.

Rules for CAPTCHAs

The Web Content Accessibility Guidelines (WCAG) of the Web Accessibility Initiative (WAI), list the following as minimum requirements for a properly accessible CAPTCHA:

  • Visual CAPTCHAs should have a textual explanation of what is expected.
  • Equivalent alternatives should be available that take into account different types of constraints.

In addition, the following requirements related to an accessible Internet also apply:

  • You should have the ability to re-solve a CAPTCHA after an incorrect entry.
  • For the visually impaired, there should be an option via audio or text recognition to solve the CAPTCHA.

Google reCAPTCHA

Google has offered the (re)CAPTCHA for some time (example 8 from the image above). This is a free service that allows you to secure your forms. This service is a technological feat that some may have reservations about. Google’s CAPTCHA v1 asked if you could describe what was in the image. We were asked to click certain parts on the split image (example 5 from the image above). In doing so, we all provided Google with additional information. This first version was not considered user-friendly by everyone.

In version two (example 8 from the image above that was christened reCAPTCHA), we were asked to merely check a checkbox to indicate that we are not a robot. With this, Google analyzes our behavior as humans by analyzing click behavior. As soon as Google observes strange behavior, a visual test is still served out. Setting the check mark is basically the only obstacle.


reCAPTCHA v3 goes a step further and analyzes your “fingerprint” in terms of mouse and click behavior and therefore knows whether you are a human or machine. The advantage to this form is that you no longer have to click on a picture, answer or check a box. You only see a notification that the form is protected with reCAPTCHA.

It does seem now that Google Chrome is serving up fewer tests. This might lead to the conclusion that Google (through the Chrome browser) is constantly tracking your click behavior on your computer. Find out more in BNR radio’s podcast“CAPTCHA frustrations. Whether that’s bad? We’ve all already made Google intelligent enough to use reCAPTCHA v3 which reduces the number of “tests” served out. And the frustration is a lot less.

The battle against spam is continuous at Google. Bill Gates predicted in a 2004 BBC interview that e-mail spam would become a thing of the past in two years, which unfortunately did not happen. And that could immediately be a reason to choose Google’s service in particular and continue to use the most up-to-date service.

How do you install a CAPTCHA?

You can place a CAPTCHA of your choosing above the submit button of your web form. Depending on your website’s CMS and chosen template, you can use the built-in CAPTCHA service or opt for an external plugin. A search on CAPTCHAs on or will give you a list of WordPress plugins or Joomla!extensions. There is also a listing of Anti-Spam plugins on WP Lounge.

Prefer no CAPTCHA?

Don’t want to deter your visitors with a CAPTCHA or have other concerns? You can also ask visitors to validate their email address before they can proceed. This is also known as Human Intervention. This takes a little more time and an extra operation, but then you are not dependent on big guys like Google. And for the visitor to receive the confirmation e-mail quickly is then a must. Otherwise, chances are they will drop out after all. In addition to this method, web developers are also working with, for example, the “Honey pot” method, checking the fill-in time (robots fill in many times faster than humans) and signing in via social media accounts.

The ideal method?

All in all, each form for stopping spam has its advantages and disadvantages. Whether we will ever find a user-friendly way that everyone can live with and we will be 100% rid of spam? I wonder. Until then, we will have to use one of the aforementioned solutions to protect ourselves.

Want to know more?

Want to know more about preventing spam in e-mail? Then check out our support articles on SQR.NL’s Antispam and Antivirus service. Or read the blog Your email delivered, but for real.

Good luck with choosing the right solution for your website visitors and avoiding spam in your mailbox!

Hungry for news?

Subscribe to the Hosting.NL newsletter and stay informed. Your data will be used to send news, technical updates, and support articles.

Entered data is only used to send our newsletters