reCAPTCHA Integration

reCAPTCHA is a bot detection service provided by Google. SentinelSecurity supports both reCAPTCHA v2 and v3 to prevent automated attacks on the login form.

Why reCAPTCHA Is Necessary

Brute-force protection blocks clients based on their failed-login count, but attackers can bypass these limits by rotating through multiple IP addresses. reCAPTCHA instead determines whether access comes from a bot or a human, providing a defense layer that does not depend on the IP address.

Differences Between v2 and v3

| Feature | reCAPTCHA v2 | reCAPTCHA v3 |
|---|---|---|
| User Interaction | Requires checkbox click | No interaction required (invisible) |
| Detection Method | Challenge display | Behavioral score (0.0–1.0) |
| UX | Requires user action | User doesn't notice |
| Recommended Use | Form submission confirmation | Login page protection |
| Recommendation | | ◎ (Recommended) |

v3 is recommended. It requires no additional user action, analyzing behavioral patterns in the background to identify bots.

Obtaining API Keys

  1. Visit the Google reCAPTCHA Admin Console
  2. Log in with your Google account
  3. Click + (Register a new site)
  4. Enter the following:
     • Label: Your site name (any name)
     • reCAPTCHA type: Select v3 (recommended)
     • Domains: Your site's domain name (e.g., example.com)
  5. Click Submit
  6. Copy the displayed Site Key and Secret Key

Configuration

  1. Navigate to SentinelSecurity → Login Security → reCAPTCHA
  2. Toggle the switch to Enabled
  3. Select v2 or v3 under Version
  4. Enter the Site Key and Secret Key
  5. For v3, set the Score Threshold (default: 0.5)
  6. Click Save

About the Score Threshold (v3)

v3 returns a score from 0.0 (likely a bot) to 1.0 (likely a human).

| Threshold | Strictness | Description |
|---|---|---|
| 0.3 | Lenient | Block only when bot probability is high |
| 0.5 | Standard (recommended) | Balanced detection |
| 0.7 | Strict | Broadly block suspicious access |
| 0.9 | Very strict | May also block legitimate users |

Recommended: 0.5 (default). Lower to 0.3 if false positives are frequent, or raise to 0.7 if security is a priority.
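
How a score threshold turns a v3 verification result into an allow/deny decision, as an added example that is not SentinelSecurity's own code. It assumes the field names of Google's siteverify JSON response, a hypothetical action name `login`, that a score equal to the threshold passes, and that anything unparseable or unexpected is denied; the response bodies are constructed samples.

```python
import json

# Constructed siteverify-style response bodies (not captured traffic).
SAMPLES = {
    "human": '{"success": true, "score": 0.9, "action": "login", "hostname": "example.com"}',
    "borderline": '{"success": true, "score": 0.6, "action": "login", "hostname": "example.com"}',
    "bot": '{"success": true, "score": 0.1, "action": "login", "hostname": "example.com"}',
    "wrong_action": '{"success": true, "score": 0.9, "action": "comment", "hostname": "example.com"}',
    "invalid_token": '{"success": false, "error-codes": ["invalid-input-response"]}',
    "garbled": "<html>502 Bad Gateway</html>",
}


def allow_login(raw_body, threshold=0.5, expected_action="login",
                expected_host="example.com"):
    """Return (allowed, reason). Fails closed on any unexpected input."""
    try:
        data = json.loads(raw_body)
    except (TypeError, ValueError):
        return False, "unparseable response"
    if not isinstance(data, dict) or data.get("success") is not True:
        return False, "token rejected"
    # A valid token issued for another action or site must not pass the login check.
    if data.get("action") != expected_action:
        return False, "action mismatch"
    if data.get("hostname") != expected_host:
        return False, "hostname mismatch"
    score = data.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return False, "missing score"
    if not 0.0 <= score <= 1.0:
        return False, "score out of range"
    # Assumption: a score equal to the threshold is accepted.
    if score < threshold:
        return False, "score below threshold"
    return True, "ok"


def sweep(raw_body, thresholds=(0.3, 0.5, 0.7, 0.9)):
    """Decision for one response at each threshold from the table above."""
    return {t: allow_login(raw_body, threshold=t)[0] for t in thresholds}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, allow_login(body), sweep(body))
```

The `borderline` sample (score 0.6) passes at 0.3 and 0.5 but is blocked at 0.7 and 0.9, which is the false-positive trade-off the threshold table describes.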

Supported Forms

reCAPTCHA works with the following login forms:

  • WordPress default login form
  • BuddyPress login form
  • bbPress login form
  • WP-Members login form

Using with CSP (Content Security Policy)

When using reCAPTCHA, the following domains must be allowed in the CSP header. SentinelSecurity automatically adds these to the CSP.

  • script-src: https://www.google.com/recaptcha/, https://www.gstatic.com/recaptcha/
  • frame-src: https://www.google.com/recaptcha/
  • connect-src: https://www.google.com/recaptcha/

Troubleshooting

reCAPTCHA Not Displayed

  • Verify that the Site Key and Secret Key are correct
  • Verify that the domain is properly registered in the reCAPTCHA Admin Console
  • If a cache plugin is caching JavaScript, clear the cache

Legitimate Users Being Blocked

  • For v3, try lowering the score threshold to 0.3
  • Browser extensions (such as ad blockers) may be interfering with reCAPTCHA