evit

@amcz Yes, it does add a load and the badge should be OFF by default. Additionally it doesn’t stop spammers very well because of the lack of a challenge like v3 had. Google itself seems to hint at the fact that V2 and V3 have very different uses. See https://developers.google.com/recaptcha/docs/faq Perhaps v3 isn’t appropriate for contact forms after all.

The cybercriminals that spam us don’t use a single computer but a network of compromised hosts and proxies to hide their activity. I’m sure that Google v3’s recaptcha ‘learning’ is less effective because it must assess vast volumes of data of dynamic data. Most WordPress users think these ‘hackers’ are actually people and don’t understand this is all applications that are running 24/7 hacking WordPress. I’m not saying it will never work but it seems to be letting through some garbage that v2 never did (because of the challenge). I think when Google says ‘frictionless’ they mean more spam. =P

I hope the plugin author will allow users to choose v2.

See
https://www.ads-software.com/support/topic/google-now-allows-hiding-the-recapthca-v3-badge/

The docs say that the field is ignored so either way you’ll get spam. This is more of a Google ReCAPTCHA v3 failure than a failure in CF7 IMHO.

Google’s ReCAPTCHA site didn’t do a good job explaining what this new version really meant. From their site FAQ it states: https://developers.google.com/recaptcha/docs/faq

Should I use reCAPTCHA v2 or v3?
reCAPTCHA v2 is not going away! We will continue to fully support and improve security and usability for v2.

reCAPTCHA v3 is intended for power users, site owners that want more data about their traffic, and for use cases in which it is not appropriate to show a challenge to the user.

For example, a registration page might still use reCAPTCHA v2 for a higher-friction challenge, whereas more common actions like sign-in, searches, comments, or voting might use reCAPTCHA v3.

Now it is clear that v3 isn’t really appropriate for the contact form because of the way most malicious actors are using HUGE networks of constantly changing IPs (botnets). It might be a proper solution in other use cases but not this. The time it takes for Google reCAPTCHA v3 to identify spammers might be infinite as it hasn’t stopped a single one in 3 days for any of my clients.

Additionally Google wanted to put this stup1d badge on EVERY page, which they have now allowed us to hide if we integrate a statement on the page itself or in out Terms of Service/Privacy policy.

I hope future updates of the plugin offer the choice for reCAPTCHA v3 vs v2 so we can go back to v2.

• This reply was modified 5 years, 11 months ago by evit.