reCAPTCHA is a service provided by Google that aims to block abusive, automated traffic. Paid Memberships Pro allows you to easily integrate this service on your membership checkout process. This post covers when and why to use reCAPTCHA, how to create your reCAPTCHA account and configure it for your membership site.


When and why to use reCAPTCHA

By default, Paid Memberships Pro uses a “honey pot” technique to catch most automated spammers. This method relies on a hidden form field that valid visitors cannot see, but an automated “bot” visitor will attempt to populate, thereby throwing an error on checkout form submission.

For this reason, we generally recommend that site owners only activate reCAPTCHA for free levels if they are seeing a problem with spam signups. Your paid levels require a credit card (or successful PayPal checkout), so there is less opportunity for spammers to get in — they aren’t going to spend real money spamming your site.

Recently, we’ve seen a different kind of user who WILL use credit cards to create invalid accounts on your site: people testing stolen credit cards. These attackers are using your membership checkout form as a “credit card validator” to test different names, addresses, card numbers, zip codes, and CVV numbers. Once they find the right combo that is successful on your site, they can then use that validated card to make purchases elsewhere.

If this is happening to you, you may want to activate reCAPTCHA for all memberships.


Payment Gateway Fraud Detection

Your payment gateway has built in fraud detection that will monitor repeated attempts with similar data. But no fraud detection process is 100% perfect and some charges will get through. Sure the cash that comes into your account looks nice, but these charges are inevitably going to be refunded or, if you don’t catch them in time, charged back. See this post on chargebacks for more information.

If you are using Authorize.net as your payment gateway, inquire about the free Advanced Fraud Detection Suite, which enables you to set up “rules” for types of transactions that appear fraudulent.

Additionally, Stripe allows you to customize the default fraud detection via custom risk evaluation rules configured in your Stripe account.


Is this happening to me?

The easiest way to confirm if your membership checkout form is being used for fraudulent checkout attempts is via your payment gateway’s “charges” dashboard. For example, if you are using Stripe, your “Payments” dashboard shows all attempted charges. If you see a large number of charges labeled “failed” you may be at risk. We’d advise turning on reCAPTCHA for all memberships in this case.


How reCAPTCHA works (for my members)

The Membership Checkout page will include a new section that looks like the image below:

If the user is logged in to a Google service, such as Gmail or Drive, they will simply need to check the box labeled “I’m not a robot”. Google’s reCAPTCHA service will validate them and this is (most often) the only step needed.

Anyone that the service identifies as “suspicious” will have to solve a visual puzzle to get through. These range from “pick all the pictures with a number in them” or “select all the images of a cat”. Here’s the “test” I got when getting a screenshot of the process for this post. If you fail the first test, you’ll be given another test. At most, I’ve had to complete two screens of image identification before successful validation.

Humans will be able to solve the puzzle, but a bot will not.


Sign up for reCAPTCHA. Get your API Keys.

  1. Click here to sign Up for reCAPTCHA.
  2. Under “Register a new site”, enter your site’s name as the label. This is only used to identify the site in your reCAPTCHA dashboard.
  3. Select “reCAPTCHA 2” for the setting Choose the type of reCAPTCHA. Jason is looking into adding support for the Invisible reCAPTCHA.
  4. Under “Domains”, list the domain name of your membership site. You may want to include both the “www” and “non-www” domains (i.e. domain.com and www.domain.com).
  5. Agree to the terms, and, optionally, opt-in to receive reports.

After submitting the form, you will be redirected to view the Keys for this reCAPTCHA site. Under the heading “Adding reCAPTCHA to your site”, toggle to display the “Keys”. The keys you will need for Paid Memberships Pro are the Site Key and the Secret Key. You do not need to do anything with the “client-site” or “Server side” integration.


Configure Paid Memberships Pro to use reCAPTCHA

  1. Navigate to Memberships > Advanced Settings in your WordPress admin.
  2. Under “Use reCAPTCHA?” select either to use for free memberships only or for all memberships.
  3. Enter your Site Key in the reCAPTCHA Public Key field.
  4. Enter your Secret Key in the reCAPTCHA Private Key field.
  5. Save the Settings.


Now test it!

We always recommend running a test membership checkout after making changes to your Paid Memberships Pro settings (even if you only test a free membership level signup or use a discount code to make your paid level free). reCAPTCHA does rely on JavaScript as well as successfully copied/pasted keys in order to work. This FAQ published by Google identifies common errors or issues if you are not able to successfully validate using reCAPTCHA.


Closing Thoughts

If you think your membership checkout has been used as a “credit card validator” but an attacker, you should actively locate any successful charges and process a refund immediately. This will save you from the chargeback fee imposed by your payment gateway when the rightful card owner identifies the fraudulent charge.

In our case, the charges all used the same email domain, so I simply did a search in our Members List (and All Users list) for that “@domain.com” to isolate the members. See this post on how to process a refund for more help.


Comments (4)

Author’s gravatar

We moved away from the Google reCAPTCHA when we found the WordPress plugin called WP spam shield. Mainly because it automatically blocks bot spam without annoying your customers with a catch. You might want to look at it but I haven’t tested it with PM Pro yet though but don’t see why it would work.

Reply
Author’s gravatar

I’m starting to see a few (one every few days) [deleted] users from PayPal attempts at checkout. Are these an indication of a fraud attempt?

Reply
Author’s gravatar

I wouldn’t worry about this unless it became a huge weight in your database. [deleted] means that they filled out your checkout form, clicked to go to PayPal, then never returned.

Reply

Leave a Reply