We’re adding hCaptcha and Cloudflare’s Turnstile to iThemes Security Pro alongside the existing Google reCAPTCHA option. (Turnstile is available for Kadence in its CAPTCHA plugin now too.) Why are we doing this, and why should you use a CAPTCHA? Which one should you use out of all the options? How do they differ? What’s unique about Turnstile, an invisible noCAPTCHA system?
Read on to learn how these tools increase your site’s security and improve the overall user experience.
What is a CAPTCHA?
The purpose of any CAPTCHA system is to identify real human site visitors as opposed to computer programs. That’s why CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart.” CAPTCHAs were first developed to identify bots that imitated human activity for nefarious purposes on the early web. Today, bots are used more than ever to spam forms, test stolen passwords, and bring down websites with Distributed Denial of Service (DDoS) attacks. Fortunately, once it’s identified, bot traffic can be blocked.
Most CAPTCHA systems use a combination of visual and auditory challenges that users must complete to prove that they are human. This can include tasks such as identifying objects in images, solving puzzles, or listening to audio recordings and typing in what you hear. When you are solving these puzzles, you are also training Machine Learning systems to get better at identifying humans.
What is hCaptcha?
Developed and trademarked by Intuition Machines, hCaptcha is an open-source, drop-in replacement for the proprietary reCAPTCHA system Google acquired in 2009. Today many people are replacing reCAPTCHA with hCaptcha because it’s faster and more secure. It also can be a source of revenue for site owners or a charity of their choice. The hCaptcha service offers financial incentives for website owners to earn rewards while blocking bots and other forms of abuse.
In hCaptcha passive mode, only 0.1% or fewer users are actively challenged to prove they are human by performing a certain action. In hCaptcha’s invisible mode, there are never any direct, visible challenges.
Why is hCaptcha better than reCAPTCHA?
Compared to reCAPTCHA, hCaptcha offers a wider range of customization options. You can configure it to operate without presenting active challenges to users. hCaptcha offers accessibility options like audio challenges for visually impaired people, and it works with different languages. Additionally, hCaptcha uses a decentralized architecture, which makes it more difficult for hackers to target and disrupt the service.
The most important difference between hCaptcha and reCAPTCHA is their approach to data privacy and security. hCaptcha uses end-to-end encryption to protect your data and ensures that it is never shared or sold to third parties without your consent. In contrast, reCAPTCHA has been criticized for sharing user data with Google. Of course, Google uses that data for targeted advertising and other purposes.
Like reCAPTCHA, hCaptcha trains its Machine Learning systems with your site visitors’ interactions. People solving CAPTCHA puzzles has real value for this reason. Unlike Google, however, hCaptcha will pay you for the use of your site visitors as trainers for its machine learning tools. Or, you can support the charities of your choice with these earnings.
If you, as a website owner, value data privacy, hCaptcha is a better choice than reCAPTCHA. Using hCaptcha won’t subject your site visitors to tracking for targeted marketing. If you want to earn money as your visitors solve CAPTCHA challenges, hCaptcha is the superior choice. If you want to customize the CAPTCHA challenges displayed to your users, hCaptcha offers the most options.
What is Turnstile?
Cloudflare quit using Google’s reCAPTCHA in 2020 and adopted hCaptcha. They cited cost and privacy concerns as their motivation, but Cloudflare also indicated they were working on a “noCAPTCHA” alternative to do away with the inconvenience of CAPTCHAs altogether.
Cloudflare Turnstile is what they came up with as an invisible “noCAPTCHA” solution similar to hCaptcha’s passive and invisible modes.
Turnstile allows website owners to verify human users without using a traditional CAPTCHA technique where a puzzle must be solved, or a box must be checked.
Much like a mechanical turnstile — a gate that controls access to a stadium or transit system by only letting one authorized person pass through at a time — Cloudflare Turnstile regulates the flow of requests to your site without slowing people down.
Cloudflare’s Turnstile service is free of charge, and it’s combined with other features like analytics, DDoS protection, Firewall, and SSL that it provides to the websites that use it.
Why is Turnstile’s “noCAPTCHA” system superior to other CAPTCHAs?
One of the main advantages of using Cloudflare Turnstile over using a CAPTCHA is that it provides the most seamless user experience for legitimate human visitors. Traditional CAPTCHA challenges are difficult for some people to complete, particularly those with visual and/or auditory impairments.
If you’re like me, you hate CAPTCHAs that make you stop and think. Having to strain to hear or visually interpret a challenge is very irritating! This makes Turnstile a breath of fresh air. It doesn’t present you with anything more complicated than a checkbox, but even that isn’t necessary.
Passkeys and Private Access Tokens
If we have to identify photos and solve other puzzles to prove our humanity several times a day, it quickly becomes a tedious chore. That’s not how you want your visitors and customers to feel, especially at checkout in your online store! By using Turnstile, you can protect yourself from carding attacks without adding barriers to your sales funnel.
Turnstile works with Apple to use Private Access Tokens. If you use a macOS or iOS device, Turnstile will recognize you without making you complete a CAPTCHA or give away personal data. Apple verified you when you logged into your device, and that’s good enough for Turnstile.
Accuracy at Detecting — and Not Bothering — Humans
Another advantage of using Turnstile is that it can more accurately identify real human visitors. Some bots can bypass CAPTCHAs by using image recognition or other methods, but Turnstile’s approach can be more difficult for bots to bypass. Turnstile uses unique Machine Learning techniques to check for signs of human interaction with the page. Like a person checking IDs for age verification at the door of a bar or club, Turnstile exercises discretion. It won’t challenge you if you’re not obviously a bot and appear human. It’s able to recognize common traits of visitors who have passed a challenge before. If you share those traits, it won’t challenge you.
Protection for Your Privacy
Turnstile looks at browser session data (headers, user agents, and other traits) to silently validate human users. Because of that, Turnstile never needs to look for cookies or use them to collect or store any data. Cloudflare points out their revenue does not come from ads and targeted marketing, which would incentivize them to use Turnstile for tracking and advertising. Cloudflare makes money from people paying to use their security services and protect their privacy, so they feel they have every incentive to do just that. They also point out they have a long record of supporting privacy and have earned trust for that reason.
In sum, Cloudflare Turnstile provides a more seamless and user-friendly experience for legitimate human visitors than any traditional CAPTCHA. At the same time, it’s highly effective at blocking bots and other automated traffic. It provides more accurate identification of real human visitors and additional analytics to understand your traffic. And if you’re using it with passkeys or magic links turned on in your iThemes Security settings, you and your users get top-notch security without any frustrating slowdowns.
Why we’re adding hCaptcha and Turnstile to iThemes Security Pro
iThemes Security Pro is all about making your WordPress site a hard target for hackers and a good experience for you and your site’s users, so it was a no-brainer to add hCaptcha and Turnstile as new CAPTCHA options. Just offering reCAPTCHA (as we still do) was not enough. Turnstile and hCaptcha offer big security benefits and an improved user experience if you enable one of them. To do that, install or update iThemes Security Pro, and activate hCaptcha or Turnstile under Security > Features > Lockouts. Follow the directions there for getting hCaptcha or Turnstile API keys and adding them to your settings.
As an iThemes Security Pro user, you can also choose to activate passkeys and passwordless logins. If you do that and use Turnstile or hCaptcha, your site will be incredibly secure and friction-free for you and your users. No need to enter a password and no need to answer a CAPTCHA challenge! This is a wonderful step forward and the future for online security.
After setting up your new CAPTCHA, consider activating Passkeys and Passwordless Login under Security > Features > Login Security. Your site will be easier to access than ever — but not for people and bots who shouldn’t be there.
Removal of Grade Report
In iThemes Security Pro 7.3, we are removing the Website Security Grade Report. Because providing an aggregate grading system added another layer of assessment that didn’t necessarily provide value when assessing the true security profile of your website, we determined it provided little value to users. We instead encourage you to look at specific elements that affect your site’s security, such as vulnerable plugins, outdated themes, or weak passwords, specifically so that you can take action to secure your site better. In removing this grade reporting system, we hope to reduce the number of metrics that you need to review in making decisions that make your site more secure.
Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.