Who doesn’t know CAPTCHA? It started with distorted text that made you question whether you are really human, then slowly shifted to picking out blurry traffic lights or simply checking a box that says ‘I’m not a robot.’ Since it was invented, CAPTCHA, and its more advanced version – reCAPTCHA – have been a cornerstone of website security, keeping bots and hackers from spamming form fields, login pages, and comment sections.
However, advances in machine learning and AI have made these bots better and faster at bypassing CAPTCHA. In fact, a recent study found that bots solved distorted-text CAPTCHA tests correctly just shy of 100% of the time, in under a second, and even solved image-based reCAPTCHAs with an 85% success rate. These findings raise an important question: if CAPTCHA is no longer enough to stop bots, what should businesses be doing instead?
In this blog, we’ll explore what CAPTCHA and reCAPTCHA are, why they are becoming less effective, and what alternate strategies businesses can adopt to protect their web forms.
Why should you care about web form security?
Many small business owners have a basic website with a simple contact form or email signup form. We often talk to such businesses that assume hackers have nothing to gain from targeting them. While these attacks on your web form can appear random, especially if you have a basic website or niche business, a form is a potential entry point for hackers. Attacks on vulnerable forms can lead to bigger wins for hackers – which is why web form security should be a priority, no matter the size of your business or website.
Here are some reasons why hackers create bots to spam web forms.
Spamming and phishing
Bots flood contact forms with junk messages, scams, or phishing links to spread malicious content. If your employees accidentally click on these links, it could compromise your business’ data or systems.
Some bots may also insert backlinks to manipulate a website’s search engine rankings.
Credential stuffing and account takeover
Login forms are a goldmine. Bots may test stolen usernames and passwords from data breaches against your site to see if any work. Even if you are small, your users may reuse credentials across bigger platforms, making your form valuable to attackers.
Fake account creation
Bots can abuse signup forms to create thousands of fake accounts. These accounts are then used for spamming or fraud.
Data harvesting
Forms often reveal useful data points like email addresses and phone numbers. Bots scrape this information to build databases for spam or phishing.
What is CAPTCHA and reCAPTCHA?
CAPTCHA is an acronym that stands for “Completely Automated Public Turing test to tell Computers and Humans Apart.” The test was designed by researchers at Carnegie Mellon, including computer scientist and now co-founder of Duolingo, Luis von Ahn. CAPTCHA was developed for Yahoo! to stop bots from creating fake email accounts and spam. Users were presented with distorted text that they had to type correctly into a box to gain access to a website or web account. The idea was that bots could not decipher these distorted letters the way humans could.
Eventually, von Ahn helped design reCAPTCHA, which identified bots while also helping to digitize archived newspapers and books. In 2009, reCAPTCHA was sold to Google. If you’re interested in the backstory of CAPTCHA and enjoy podcasts, check out the episode of ‘How I Built This with Guy Raz’ in which von Ahn describes the fascinating story behind this big idea.
reCAPTCHA v2 is by far the most common and widely used version of the test. It includes the well-known ‘I’m not a robot’ checkbox. The test places a _GRECAPTCHA cookie on the user’s browser and does a risk analysis of the user’s interactions to determine if the user is a human or a bot. If that doesn’t help, it presents the user with an additional image recognition CAPTCHA challenge.
Why is CAPTCHA no longer enough for web form security?
You would not be alone in wondering: Are CAPTCHAs still effective?
The test was built on the premise that bots cannot read distorted text or recognize image patterns the way humans can. However, as machine learning and AI continue to make advancements, bots are starting to catch up. Modern AI models trained on massive datasets can now crack text or image-based CAPTCHAs in seconds and with near-perfect accuracy, undermining their role as a reliable security measure.
Some hackers are also using advanced AI agents and LLMs to mimic human-like activity such as mouse movements, typing rhythms, or delays between clicks. Many CAPTCHAs rely on detecting ‘non-human’ patterns, but sophisticated bots can blend in and escape these behavioral checks.
Even without advanced AI, hackers can easily outsource CAPTCHA solving to human labor farms or low-cost online services for fractions of a cent per challenge. This means attackers don’t even need to beat CAPTCHA with technology; they can simply bypass it at scale.
What can you do to strengthen web form security?
CAPTCHAs are not all bad. For many very basic websites, a basic CAPTCHA or reCAPTCHA can be enough to stop low-effort spam bots. But as bots get smarter, relying on CAPTCHA alone leaves your forms exposed. The best approach is layered defense: combine CAPTCHA with other user-friendly techniques that raise the cost of automated abuse without frustrating real visitors.
Here are some practical ways to strengthen your forms:
Add a honeypot field
A honeypot is a hidden form field added to your page. Human visitors never see it because it’s hidden with CSS or JavaScript, so they won’t fill it in. Bots, on the other hand, will often scan the HTML and try to complete every input field. If the hidden field is filled, it’s a clear sign that a bot is submitting the form, so the submission can be blocked.
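To make the honeypot idea concrete, here is an added example (our own illustration, not code from the original article or from any WordPress plugin). It renders a contact form with a CSS-hidden input named "website" (an assumed, innocuous-looking name) and checks a submitted set of fields on the server: a non-empty honeypot, or a honeypot missing entirely, marks the post as automated. The field names, the off-screen styling and the "accept silently" behaviour are all assumptions for this illustration.

```python
"""Honeypot field for a contact form: render it, then validate submissions server-side.

Added example, not the article's own code. Field names ("email", "message",
"website") and the off-screen CSS are assumptions for illustration.
"""
from html import escape

# Assumption: a hidden field with a plausible name that form-filling bots like to complete.
HONEYPOT_FIELD = "website"


def render_form(action="/contact"):
    """Return the HTML for a contact form that includes a hidden honeypot input.

    The wrapper is moved off-screen (not display:none, which some bots detect) and the
    input is removed from the tab order and autocomplete, so keyboard and screen-reader
    users never land on it and browsers never pre-fill it.
    """
    return f"""
<form method="post" action="{escape(action)}">
  <label>Email <input type="email" name="email" required></label>
  <label>Message <textarea name="message" required></textarea></label>
  <div style="position:absolute;left:-10000px;top:auto;width:1px;height:1px;overflow:hidden" aria-hidden="true">
    <label>Website <input type="text" name="{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off"></label>
  </div>
  <button type="submit">Send</button>
</form>
"""


def is_bot_submission(fields):
    """Return True when the POSTed fields look automated.

    `fields` is a mapping of field name -> value, e.g. request.form in Flask.
    A real browser always submits the hidden input, with an empty value. So:
      - a missing honeypot means the page's own HTML was not used (a hand-built POST);
      - a filled honeypot means something typed into a field no human can see.
    Both are treated as bot traffic.
    """
    if HONEYPOT_FIELD not in fields:
        return True
    return bool(fields[HONEYPOT_FIELD].strip())


def handle_submission(fields):
    """Process a form POST: drop bot submissions quietly, accept the rest.

    Returning the same "thanks" response for dropped posts gives bot operators
    no error signal to adapt to; log the drop server-side instead.
    """
    if is_bot_submission(fields):
        return {"status": "dropped", "reason": "honeypot"}
    return {
        "status": "accepted",
        "email": fields.get("email", "").strip(),
        "message": fields.get("message", "").strip(),
    }


if __name__ == "__main__":
    # Constructed sample submissions: one from a browser, one from a form-filling bot.
    human = {"email": "jane@example.com", "message": "Hello!", HONEYPOT_FIELD: ""}
    bot = {"email": "x@example.net", "message": "buy now", HONEYPOT_FIELD: "http://spam.example"}
    print(handle_submission(human)["status"])  # accepted
    print(handle_submission(bot)["status"])    # dropped
```

Keep the honeypot check server-side only; a check done in the browser can be skipped by a bot that posts straight to the form's action URL. Rotating the hidden field's name occasionally also helps, since bots that learn one site's field name will otherwise start leaving it blank.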
Block suspicious IP addresses
Use server rules or your hosting provider’s firewall to block any IPs that send too many submissions in a short time.
Similarly, if you know your business only serves customers in specific regions, you can configure your firewall to block IP addresses from countries where you don’t expect legitimate traffic.
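The two firewall rules above, a per-IP submission limit and a country allow-list, can also be expressed in application code. The following is an added example written for this article, not code from a hosting provider's firewall or from the original post: a sliding-window limiter that allows at most N submissions per IP per time window, and a country check driven by a small constructed lookup table that stands in for the GeoIP database a real firewall would use. The IP ranges, country codes and limits are all constructed sample values.

```python
"""Per-IP submission rate limit plus a served-countries allow-list.

Added example, not the article's own code. GEO_TABLE is a constructed stand-in
for a GeoIP database so the block runs offline; the addresses are documentation
ranges (RFC 5737) and the country codes are made up for illustration.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network


class SubmissionRateLimiter:
    """Sliding-window limiter: at most `limit` submissions per `window_seconds` per IP."""

    def __init__(self, limit=5, window_seconds=60):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)  # ip -> timestamps (seconds) of recent submissions

    def allow(self, ip, now):
        """Record a submission at time `now` and return True if the IP is within its limit."""
        q = self._hits[ip]
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over the limit; the submission is not recorded
        q.append(now)
        return True


# Constructed stand-in for a GeoIP lookup: (network, ISO country code).
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "US"),
    (ip_network("198.51.100.0/24"), "DE"),
    (ip_network("192.0.2.0/24"), "BR"),
]


def country_of(ip):
    """Return the country code for `ip` from the constructed table, or None if unknown."""
    addr = ip_address(ip)
    for net, code in GEO_TABLE:
        if addr in net:
            return code
    return None


def geo_allowed(ip, served_countries):
    """True only when the IP maps to a country the business actually serves.
    Unknown origin is treated as not allowed (fail closed)."""
    code = country_of(ip)
    return code is not None and code in served_countries


def check_submission(ip, now, limiter, served_countries):
    """Apply both rules in order; return (allowed, reason) for logging."""
    if not geo_allowed(ip, served_countries):
        return False, "geo"
    if not limiter.allow(ip, now):
        return False, "rate"
    return True, "ok"


if __name__ == "__main__":
    # Constructed traffic: one client posting four times in 30 seconds, limit is 3.
    limiter = SubmissionRateLimiter(limit=3, window_seconds=60)
    for t in (0, 10, 20, 30):
        print(t, check_submission("203.0.113.5", t, limiter, {"US"}))
    print("foreign", check_submission("198.51.100.7", 0, limiter, {"US"}))
```

One practical caveat: when the site sits behind a CDN or reverse proxy, the socket address of every request is the proxy's, so the limiter must be fed the real client address from the header the proxy sets (and only when the request really came from that proxy); otherwise a single busy proxy is rate-limited and every visitor is blocked.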
Hide your form behind a shortcode
A shortcode generates your form dynamically at page load instead of leaving the form code permanently visible in the HTML. Most bots crawl websites looking for static form tags or direct form URLs to attack repeatedly. When a form is behind a shortcode, it isn’t present in the raw HTML until the page is rendered for a human visitor. This means bots can’t easily find or submit the form automatically.
Want an Easier Solution to Secure Your Web Forms? We Can Help.
Layered security is the best defense against bots, but putting it in place – setting up honeypots, managing shortcodes, and monitoring suspicious traffic – can be a lot for any business owner. Through our monthly WordPress Maintenance Plan, our expert team can help with security monitoring and updates, so your web forms stay secure.