Google reCAPTCHA

Google reCAPTCHA ensures that a human being, rather than a computer (or “bot”), is interacting with your website. Unlike the standard Magento CAPTCHA, Google reCAPTCHA provides enhanced security with a selection of different display options and methods. Additional website traffic information is available in the dashboard of your Google reCAPTCHA account.

Google reCAPTCHA is configured separately for the Magento Admin and storefront.

  • For the Admin, Google reCAPTCHA can be used on the Sign In page and when a user requests a password reset. If the standard Magento CAPTCHA is also enabled, Google reCAPTCHA can be used at the same time without any problem.

  • For the storefront, Google reCAPTCHA can be used to sign in to a customer account, send a message from the Contact Us page, and in numerous other storefront locations.

    [Figure: Customer Login with reCAPTCHA v2]

Google reCAPTCHA can be implemented in several ways:

  • reCAPTCHA v3 Invisible — Uses an algorithm to rate user interactions and determines the likelihood that the user is human based on a score.

  • reCAPTCHA v2 Invisible — Performs background verification without user interaction. Users and customers are automatically verified, but might be required to select specific images to complete a challenge.

  • reCAPTCHA v2 (“I am not a robot”) — Validates requests with the “I’m not a robot” checkbox.

Before Google reCAPTCHA can be configured, ensure that your php.ini file includes the following setting: allow_url_fopen = 1. This may require developer assistance. See Required PHP Settings.

Step 1: Generate Google reCAPTCHA keys

A pair of API keys is required to enable Google reCAPTCHA. You can get these keys free of charge through the reCAPTCHA site. Before generating the keys, you must know the type of reCAPTCHA that you want to use.

  1. Open the Google reCAPTCHA page and log in to your account.

  2. For Label, enter a name to identify the keys for internal reference.

    You need one set of keys for each reCAPTCHA type that is used in your Magento installation. For example: Magento v2 Invisible

  3. For reCAPTCHA type, choose the method that you want to use.

    • reCAPTCHA v3 Invisible
    • reCAPTCHA v2 Invisible
    • reCAPTCHA v2 (“I am not a robot”)
  4. For Domain, enter your store’s domain. For example: mystore.com

    If you have multiple stores with different domains, enter each domain on a separate line.

    • Add your Magento instance domain and any subdomains.
    • You can add localhost, other local VM domains, and staging domains as needed for testing.
  5. Select the checkbox to Accept the reCAPTCHA Terms of Service.

  6. (Optional) Select the Send alerts to owners checkbox to send a notification if Google detects issues or suspicious traffic.

    [Figure: Google reCAPTCHA Site Registration]

  7. Click SUBMIT to complete registration and receive keys.

    [Figure: Google reCAPTCHA Keys]

    Important! Not all keys are applicable for all types of reCAPTCHA, and misapplying them could lead to unexpected behavior. For example, Google reCAPTCHA keys generated for reCAPTCHA v2 “I’m not a robot” will not work with reCAPTCHA v2 Invisible and could block functionality where reCAPTCHA is enabled.

Step 2: Configure Google reCAPTCHA Admin Panel

  1. Sign in to the Admin of your Magento store.

  2. On the Admin sidebar, go to Stores > Settings > Configuration.

  3. In the upper-right corner, set Store View to Default Config.

  4. In the left panel, expand Security and click Google reCAPTCHA Admin Panel.

  5. To use reCAPTCHA v2 (“I am not a robot”), expand the reCAPTCHA v2 (“I am not a robot”) section and do the following:

    • For Google API Website Key, enter the website key that was created for this reCAPTCHA type when you registered your Google reCAPTCHA account.

    • For Google API Secret Key, enter the secret key that is associated with your Google reCAPTCHA account.

    • For Size, choose the size of the Google reCAPTCHA box that you want to appear. Options: Normal (default) / Compact

    • For Theme, choose the theme that you want to use to style the Google reCAPTCHA box. Options: Light Theme (default) / Dark Theme

    • For Language Code, enter the two-character code to specify the language used for Google reCAPTCHA text and messaging.

    • For reCAPTCHA Validation Failure Message, enter the message to appear if validation fails. Default: You cannot proceed with such operation, your reCAPTCHA reputation is too low.

    [Figure: reCAPTCHA v2 (“I am not a robot”)]

  6. To use reCAPTCHA v2 Invisible, expand the reCAPTCHA v2 Invisible section and do the following:

    • For Google API Website Key, enter the website key that was created for this reCAPTCHA type when you registered your Google reCAPTCHA account.

    • For Google API Secret Key, enter the secret key that is associated with your Google reCAPTCHA account.

    • For Invisible Badge Position, choose the badge position to be used on each page. Options: Inline / Bottom Right / Bottom Left

    • For Theme, choose the theme to be used to style the Google reCAPTCHA box. Options: Light Theme (default) / Dark Theme

    • For Language Code, enter a two-character code that specifies the language that is used for Google reCAPTCHA text and messaging.

    • For reCAPTCHA Validation Failure Message, enter the message to appear if validation fails. Default: You cannot proceed with such operation, your reCAPTCHA reputation is too low.

    [Figure: reCAPTCHA v2 Invisible]

  7. To use reCAPTCHA v3 Invisible, expand the reCAPTCHA v3 Invisible section and do the following:

    • For Google API Website Key, enter the website key that was created for this reCAPTCHA type when you registered your Google reCAPTCHA account.

    • For Google API Secret Key, enter the secret key that is associated with your Google reCAPTCHA account.

    • Enter the Minimum Score Threshold to identify when a user interaction is flagged as a potential risk, where 1.0 is a typical user interaction and 0.0 is likely a bot. Default: 0.5

    • For Invisible Badge Position, choose the position to be used on each page. Options: Inline / Bottom Right / Bottom Left

    • For Theme, choose the theme to be used to style the Google reCAPTCHA box. Options: Light Theme (default) / Dark Theme

    • For Language Code, enter a two-character code that specifies the language that is used for Google reCAPTCHA text and messaging.

    • For reCAPTCHA Validation Failure Message, enter the message to appear if validation fails. Default: You cannot proceed with such operation, your reCAPTCHA reputation is too low.

    [Figure: reCAPTCHA v3 Invisible]

  8. Expand the Admin Panel section.

  9. Clear the Use system value checkbox for each field that you want to configure. Then, configure the following fields as needed.

    • Set Enable for Login to the reCAPTCHA type that you want to use for the Admin Sign In page.

    • Set Enable for Forgot Password to the reCAPTCHA type that you want to use for password reset requests.

    [Figure: Admin Panel]
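
The Minimum Score Threshold and the registered domains from Step 1 both affect how a reCAPTCHA v3 verification result is judged. The following PHP is an added example, not Magento's own code: it evaluates decoded responses from Google's siteverify endpoint, and the function name, the sample responses, and the rule that a score equal to the threshold passes are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Decide whether a decoded reCAPTCHA v3 siteverify response is acceptable.
 * Hypothetical helper for illustration only.
 *
 * @param array    $resp         decoded JSON body returned by siteverify
 * @param float    $minScore     Minimum Score Threshold (Admin default: 0.5)
 * @param string[] $allowedHosts domains registered for the key pair
 * @return array{0: bool, 1: string} [allowed, reason]
 */
function evaluateV3Response(array $resp, float $minScore, array $allowedHosts): array
{
    // Fail closed: anything other than an explicit success is rejected.
    if (($resp['success'] ?? false) !== true) {
        $codes = implode(',', (array) ($resp['error-codes'] ?? ['unknown']));
        return [false, "verification failed: $codes"];
    }
    // The token must have been issued on one of the registered domains.
    $host = strtolower((string) ($resp['hostname'] ?? ''));
    if (!in_array($host, $allowedHosts, true)) {
        return [false, "unexpected hostname: $host"];
    }
    // Without a score there is nothing to compare against the threshold.
    if (!isset($resp['score']) || !is_numeric($resp['score'])) {
        return [false, 'no score in response'];
    }
    $score = (float) $resp['score'];
    if ($score < $minScore) {
        return [false, sprintf('score %.1f below threshold %.1f', $score, $minScore)];
    }
    return [true, sprintf('score %.1f', $score)];
}

// Constructed sample responses (not captured traffic).
$samples = [
    '{"success":true,"score":0.9,"hostname":"mystore.com"}',
    '{"success":true,"score":0.3,"hostname":"mystore.com"}',
    '{"success":true,"score":0.9,"hostname":"other.example"}',
    '{"success":false,"error-codes":["invalid-input-response"]}',
];
foreach ($samples as $json) {
    // A body that does not decode to an array becomes [] and is rejected.
    [$ok, $why] = evaluateV3Response((array) json_decode($json, true), 0.5, ['mystore.com']);
    printf("%-6s %s\n", $ok ? 'ALLOW' : 'DENY', $why);
}
```

Raising the threshold above 0.5 rejects more borderline interactions at the cost of challenging more legitimate users; lowering it does the reverse.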

Step 3: Configure Google reCAPTCHA Storefront

  1. In the left panel under Security, choose Google reCAPTCHA Storefront.

  2. Complete the section for each reCAPTCHA type that you want to use in the storefront. See the previous instructions for information about each option.

  3. Expand the Storefront section.

  4. Clear the Use system value checkbox for each storefront location that you want to enable.

  5. Set each storefront location field to the type of reCAPTCHA that you have configured to use.

    • Enable for Customer Login
    • Enable for Forgot Password
    • Enable for Create New Customer Account
    • Enable for Contact Us
    • Enable for Product Review
    • Enable for Newsletter Subscription
    • Enable for Send To Friend
    • Enable for PayPal PayflowPro payment form
  6. When complete, click Save Config.

  7. In the message at the top of the workspace, click Cache Management and refresh each invalid cache.