If your WordPress site is getting fake user registrations, spam comments, or bot login attempts, you don’t need a complex setup to reduce most of it. A solid first move is adding Google reCAPTCHA to the forms bots abuse the most:
- Login
- Registration
- Comments
In this guide, you’ll set it up using the Advanced Google reCAPTCHA plugin and block a big chunk of automated spam.
Why you’re getting spam registrations and spam comments
Most of the time it’s not a real person. It’s automated scripts (bots) that:
- Create fake accounts to spam later
- Post comment spam for backlinks
- Hammer your login page with password guesses (brute-force attempts)
reCAPTCHA helps by forcing bots to fail and letting real users pass.
What you need before starting
- Admin access to your WordPress dashboard
- A Google account (to create reCAPTCHA keys)
- 5–10 minutes
Tip: If you want the simplest setup, use reCAPTCHA v2 (the “I’m not a robot” checkbox). It’s beginner-friendly and easy to confirm visually.
Step 1: Install the plugin
- Go to WordPress Dashboard → Plugins → Add New
- Search for: Advanced Google reCAPTCHA
- Click Install → Activate
Step 2: Create Google reCAPTCHA keys
You need two keys:
- Site Key
- Secret Key
In the Google reCAPTCHA admin panel:
- Create a new reCAPTCHA site
- Choose your version (v2 checkbox is easiest)
- Add your domain (example: yourdomain.com)
- Copy the Site Key and Secret Key
Important: If your site uses www, make sure your domain setup matches how people actually access your website.
Step 3: Add keys to the plugin
- Go to WordPress Dashboard → Settings → Advanced Google reCAPTCHA
- Select the same reCAPTCHA version you created
- Paste:
  - Site Key
  - Secret Key
- Save Changes
If your keys don’t work, 90% of the time it’s because the plugin version setting doesn’t match the key type you created.
Step 4: Enable reCAPTCHA on Login, Registration, and Comments
Inside the plugin settings, look for a section named something like Forms, Where to Show, or Enable for.
Enable reCAPTCHA on:
- ✅ Login form
- ✅ Registration form
- ✅ Comment form
Save again.
Step 5: Test it properly (don’t skip)
Testing while logged in can lie to you.
Do this instead:
- Open an Incognito / Private window
- Visit:
  - Login: /wp-login.php
  - Registration page (if enabled on your site)
  - Any blog post comment form
- Confirm reCAPTCHA shows and works
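A scripted version of the logged-out check above, added here as an example (it is not code from the plugin or from the original guide): it scans each page's HTML for Google's reCAPTCHA loader script and for your site key. The sample pages and key placeholders are constructed, and it assumes the plugin loads Google's standard api.js and places the site key in the page HTML.

```python
import re
from html.parser import HTMLParser
from urllib.request import Request, urlopen
# Google serves the widget loader from www.google.com or www.recaptcha.net.
API_JS = re.compile(r"^(https?:)?//www\.(google\.com|recaptcha\.net)/recaptcha/api\.js")

class _Scan(HTMLParser):
    """Record whether the loader script is present and which site keys appear."""
    def __init__(self):
        super().__init__()
        self.loader, self.sitekeys = False, set()
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag == "script" and API_JS.match(src):
            self.loader = True
            m = re.search(r"[?&]render=([\w-]+)", src)  # v3 puts the key in the URL
            if m and m.group(1) != "explicit":
                self.sitekeys.add(m.group(1))
        if a.get("data-sitekey"):  # v2 checkbox markup
            self.sitekeys.add(a["data-sitekey"])

def check_page(html, expected_key):
    """Return 'ok', 'no-loader', 'key-mismatch' or 'key-missing' for one page."""
    scan = _Scan()
    scan.feed(html)
    if not scan.loader:
        return "no-loader"  # loader script stripped or never added to this form
    if expected_key in html:
        return "ok"
    return "key-mismatch" if scan.sitekeys else "key-missing"

def check_all(pages, expected_key):
    return {name: check_page(html, expected_key) for name, html in pages.items()}

def fetch_logged_out(url):
    """GET with no cookies: the scripted equivalent of a private window."""
    req = Request(url, headers={"User-Agent": "recaptcha-check"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")

# Constructed sample pages (not real output from any site or from the plugin).
SITE_KEY = "SITE-KEY-PLACEHOLDER"
LOADER = '<script src="https://www.google.com/recaptcha/api.js" async defer></script>'
SAMPLES = {
    "login": LOADER + '<div class="g-recaptcha" data-sitekey="SITE-KEY-PLACEHOLDER"></div>',
    "registration": '<form id="registerform"><input name="user_login"></form>',
    "comments": LOADER + '<div class="g-recaptcha" data-sitekey="OLD-KEY-PLACEHOLDER"></div>',
}
```

On a live site, pass `fetch_logged_out(url)` for each form page to `check_page`. A `no-loader` or `key-mismatch` result on a page where reCAPTCHA is enabled usually points at the cache or optimization causes listed under "reCAPTCHA not showing".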
Common problems and quick fixes
reCAPTCHA not showing
Try these in order:
- Clear cache (plugin cache + server cache + browser cache)
- Temporarily disable minify/optimization features
- Switch off conflicting plugins one-by-one (especially performance/security plugins)
- Check the page for JavaScript errors (browser console)
“Invalid key type” / “Keys don’t work”
- You created v2 keys but selected v3 in the plugin (or vice versa)
- Your domain in Google reCAPTCHA doesn’t match your real domain
Still getting some spam
That’s normal—no solution is perfect.
To tighten security further:
- Enable login attempt limiting
- Use strong passwords + 2FA for admins
- Keep plugins/themes updated
reCAPTCHA is a spam filter, not a full security system.