How to Implement Google reCAPTCHA v3 to protect you against Brute force

Nobody likes to pick out pictures that meet a description or understand the messy text before submitting a form on the web that’s one of the main reason why we don’t want a Captcha in our websites.

What is Brute force?

Wikipedia defines the Brute force in the simplest way – a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found. 

brute force attack

After the Launch of Google reCAPTCHA v3, developers are upgrading their websites rapidly on reCAPTCHA v3 to provide visitors better user experience. Because reCAPTCHA v3 uses “score” instead of different challenges to differentiate between a human & a bot.

Let’s quickly have a look at the history of Google reCAPTCHA.

reCAPTCHA was originally developed at Carnegie Mellon University’s main Pittsburgh campus. It was acquired by Google in September 2009. reCAPTCHA v1 was well known for identifying distorted text. reCAPTCHA v2 was with little improvement & It only asked to click a box, but If It suspected you as a bot, It asked you to click on the endless image streams of “roads”, “cars” & “store-fronts”.

reCAPTCHA v3 improved the user experience even more. It will never irritate users by giving challenges. Instead, It will give a score based on user activities on the site. It will give a score between 0.0 & 1.0 to identify between a real user & a bot. An example of how It will calculate score can be your mouse movement.

What is “Actions”?

In reCAPTCHA v3, Google has introduced a new concept called “Actions”, a tag that you can use to define the key steps of your user journey and enable reCAPTCHA to run its risk analysis in context – Google says.

Google also recommends Adding on multiple pages to help reCAPTCHA to identify bots more accurately by identifying their actions on different pages of a site.


recaptcha on multiple pages

How to Implement

Let’s add reCaptcha v3 to our website.

First, we need to register here to get an API key.

Choose ‘Register a new website‘, & select ‘reCAPTCHA v3’.

Adding a domain is not mandatory but you can add your domains to making your private key useless for others.

check the box to agree with the ‘Terms of Services‘ &  click on ‘Register‘.

google recaptcha v3

On the next page, you’ll get your “Site Key” & “Secret Key” 

Client-Side integration

First of all, you need to add this line before closing </head> tag in your HTML page.

<script src=''></script>

don’t forget to replace your site key above.

Now add this code before closing </body> tag to generate the token

    grecaptcha.ready(function() {
        grecaptcha.execute('your-site-key-here', {action: 'action_name'})
            .then(function(token) {
            // Verify the token on the server.

you’ll also need to add your site key here.

Server-Side Integration

‘reCAPTCHA v3’ returns a score, we can take actions based on the score,

recaptcha v3 server side

Here are some recommendations from Google to take different actions on the different type of website.

recaptcha v3 google recommendations

Must Read

reCAPTCHA certainly makes password guessing harder, but not impossible. Hackers set up sites with goodies (games, downloads, etc.), which are captcha-protected, and will redirect your captcha there. Users trying to get their download will solve your captchas, enabling the hackers to use it to guess another password. Limited Loggin attempts or Account lockdown is more effective since only the owner of the e-mail can unlock the account. Keep in mind that these are terrible user experiences, so take these actions only in case of bad score returned by reCAPTCHA.

Please comment If you have any Question.

you might be Interested in:

– Signup Login page in PHP with Database MySQL Source Code

– Restful Web Services in PHP Example – PHP + MySQL with Source Code


Please enter your comment!
Please enter your name here