Skip to main content
View Categories

Toolkit: reCAPTCHA v3

4 min read

reCAPTCHA v3 quietly screens your contact and inquiry forms for bots, so the leads that reach your inbox are real people, not spam.


What it does #

If you run forms on your site, you have almost certainly seen the cost of leaving them open: fake inquiries, junk submissions, and a flood of automated spam that buries the real guests trying to reach you. Sorting the genuine messages from the noise wastes your time, and a missed real inquiry can mean a missed booking.

reCAPTCHA v3 uses Google’s invisible bot detection to score each form submission and block the ones that look automated. When a guest fills out one of your forms, the module quietly asks Google how human the visitor looks. Google returns a score from 0.0 (very likely a bot) to 1.0 (very likely a person). Your site checks that score on its own server before the form is allowed through. If the score falls below the level you set, the submission is blocked and the visitor sees a short message asking them to try again.

A concrete example: a bot rapidly fills out your “Request availability” form a hundred times overnight. Google scores those attempts near zero, your site rejects every one, and your inbox stays clean. A real guest filling out the same form the next morning scores high and goes straight through, with nothing extra to click.

Here is what each side experiences:

  • Your guests see nothing. There is no puzzle, no checkbox, and no “select all the traffic lights” step. The check runs in the background while they fill out the form normally.
  • You get fewer spam submissions and cleaner form notifications, with a small Google badge that appears in the corner of your pages (which you can hide, see below).
  • Blocked submissions show the visitor a short, friendly message you can word yourself, so a rare false block does not leave a real guest stuck with no explanation.

One important limit, stated plainly: this module protects Gravity Forms only. Forms built with other tools are not covered.


How to turn it on #

1. Switch on the module #

In the HomeRunner Toolkit Hub, switch on reCAPTCHA v3.

2. Get your key pair from Google #

reCAPTCHA needs two keys from Google before it can work: a Site Key and a Secret Key. Sign in to the Google reCAPTCHA admin console, register your site as a reCAPTCHA v3 site, and add your domain. Google then gives you the two keys. The same key pair can hold many domains, so if you run several sites you can register them all on one key and reuse it across your fleet rather than creating a new pair for each site.

3. Enter the keys in the Hub #

Back in the reCAPTCHA v3 settings, paste your Site Key into the Site Key field and your Secret Key into the Secret Key field, then save. The secret key is stored on your site only and is never shared. The module does not start protecting forms until both keys are present.

4. Choose which forms to protect #

By default, Protect all forms is on, which applies reCAPTCHA v3 to every Gravity Form on your site. If you would rather protect only certain forms, turn Protect all forms off and check the specific forms you want from the list.

5. (Optional) Hide the badge and show the required notice #

reCAPTCHA adds a small badge to the corner of your pages. Google allows you to hide that badge only if you show the required attribution notice somewhere on the page instead. To do this, turn on Hide reCAPTCHA badge, then place the [hr_recaptcha_disclaimer] shortcode where you want the notice to appear, typically in your footer just above the copyright line. The notice comes with sensible default wording (a line crediting reCAPTCHA with links to Google’s Privacy Policy and Terms of Service), and you can edit that wording in the settings.


Settings #

SettingWhat it controls
Site KeyYour public reCAPTCHA v3 site key from Google. Register your domain on this key in the Google reCAPTCHA admin console. Empty by default.
Secret KeyYour private reCAPTCHA v3 secret key from Google. Stored on your site only and never shared. Empty by default.
Score ThresholdThe cutoff a submission must beat to be allowed through. Submissions scoring below it are blocked. 0.0 means very likely a bot, 1.0 means very likely human. Default is 0.5, which matches Google’s recommendation.
Hide reCAPTCHA badgeHides the small reCAPTCHA badge in the page corner. Google permits this only when you also show the attribution notice (see the disclaimer shortcode). On by default.
Protect all formsApplies reCAPTCHA v3 to every Gravity Form on the site. On by default. Turn it off to pick specific forms instead.
Forms to protectShown only when Protect all forms is off. Lets you check the individual Gravity Forms you want covered.
Attribution notice (shortcode output)The wording the [hr_recaptcha_disclaimer] shortcode displays. Links and paragraphs are allowed. Defaults to the standard reCAPTCHA notice with links to Google’s Privacy Policy and Terms of Service.
Failure messageThe message shown to a visitor whose submission is blocked. Defaults to “We could not verify that you are human. Please try again.”

Tips #

  • For a tour of the other modules you can switch on in the same place, see the Toolkit Overview.
  • If submissions are not being checked, the two most common causes are simple: your Site Key and Secret Key are not both entered in the Hub (the module stays off until they are), or Gravity Forms is not installed on the site (this module only protects Gravity Forms). Confirm both before digging deeper.
  • If real guests are occasionally getting blocked, your Score Threshold may be set too high. Lower it a step at a time toward Google’s default of 0.5 and watch whether genuine submissions start coming through again.
  • Compliance reminder: if you turn on Hide reCAPTCHA badge, you must also place the [hr_recaptcha_disclaimer] shortcode on your pages. Hiding the badge without showing that notice is against Google’s terms.