If your website uses Google reCAPTCHA on its forms to guard against spam and bot attacks, these changes may affect you.
Google has recently announced that all Google reCAPTCHA keys will need to be migrated to a Google Cloud project by the end of 2025, bringing a number of updates with it.
Important Changes to Google reCAPTCHA
In this article, we will provide you with a clear understanding of Google’s reCAPTCHA and what these upcoming changes mean for you as the owner of a website that is using it.
What is Google reCAPTCHA
reCAPTCHA’s purpose is to protect your website from spam and attacks from bots. It is a popular security tool by Google that helps to prevent spam, fraud, and abuse on-site.
It typically does this on login pages, forms, and other entry points via challenges for site visitors to prove that they are human, such as a picture quiz (select all images containing a bicycle, for example). The more modern ‘invisible’ reCAPTCHA version 3 blocks spam entries by evaluating the entries in the background before deciding whether to show a quiz, making it more frictionless for users.
While other alternatives exist, Google’s reCAPTCHA is generally seen as the primary choice in securing your website due to its ease of integration and its strong ability to assess which traffic is legitimate and which is harmful and should be blocked.
What should I expect in 2025?
The upcoming changes relate to reCAPTCHA keys. These ‘keys’ are essentially the validators generated in the background in order for your website to be able to use the tool.
Below is a synopsis of the changes to them and what you should expect.
Mandatory migration
By the end of 2025, all reCAPTCHA users must transfer their keys to a Google Cloud project. At a certain point in the year, Google will roll out this migration automatically, though website owners can move their keys manually before then.
A new pricing model
The most notable change is the introduction of potential costs. At this moment in time, Google has indicated that costs will only be incurred if reCAPTCHA is triggered more than 10,000 times in any given month on a website, and that they will be minimal.
For an estimate as to what the monthly cost may be per reCAPTCHA assessment on your website, you can use this pricing calculator that has been provided by Google.
No interruption expected
Before and during the migration period, no interruption is expected for your website’s reCAPTCHA setup, and it should continue to work as expected.
That said, we would recommend websites migrate as soon as the option becomes available for optimal security or seek out an alternative viable option. We discuss this further at the end of this article.
Do I need to do anything ahead of the migration?
If you wish to get ahead of the curve, you can manually migrate from reCAPTCHA Classic by following these instructions, or reach out to our web team with this request.
After migration, you will have access to enterprise-grade dashboarding, monitoring, reporting, logging, auditing and access control as part of the tool’s new features.
What options are available to me?
Vitamin continues to monitor these and upcoming changes, and will work with current and previous clients towards a workable solution throughout the course of the year.
At present, we have identified the following options to address the change for our clients:
Reinstall Google reCAPTCHA
You can reinstall Google reCAPTCHA, using your own Google account or the one pertaining to your business, with your billing details. Please note that to retain Google reCAPTCHA for your website, you will need a Gmail or Google-hosted email account. If you require our help for this, we may need access to your Gmail account to set this up on your behalf.
hCaptcha
hCaptcha instantly detects and deters human and automated threats. It is compatible with all major form builders and offers both free and premium plans. If you don’t have one already, you’ll need to sign up for a free account and share the login details with us. If you do not have a Google account, we consider this to be the next best option for your website.
Cloudflare Turnstile
Another alternative that performs the same role as previous entries is Cloudflare Turnstile, which offers a free plan to perform the same function of confirming real website visitors, and blocking unwanted bots without slowing down website experiences for real users.
However, your website must be running through Cloudflare. If it is, then this is a workable solution, as it is also compatible with form builders including WordPress, Gravity Forms and Contact Form 7 and is sufficient for most websites’ needs.
The easiest way to find out if your website is running through Cloudflare is to check whether your website’s domain nameservers point to Cloudflare addresses. If you are unsure about this, we will be able to check this for you as a Vitamin client.
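The nameserver check described above can be scripted. The following is an added example, not part of the original article or any Vitamin tooling: it classifies the output of a nameserver lookup, assuming that Cloudflare-assigned nameservers end in ".ns.cloudflare.com" (a domain using custom nameserver names would not match). The function name and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a domain's NS records as Cloudflare-managed or not.
# Reads one nameserver hostname per line on stdin, in the format printed by
#   dig +short NS yourdomain.example | classify_ns
# Assumption: Cloudflare-assigned nameservers end in ".ns.cloudflare.com".

classify_ns() {
    total=0
    cf=0
    # The "|| [ -n ... ]" part keeps a final line that has no trailing newline.
    while IFS= read -r ns || [ -n "$ns" ]; do
        # Normalise: lower-case, drop CRs and the trailing root dot.
        ns=$(printf '%s' "$ns" | tr '[:upper:]' '[:lower:]' | tr -d '\r' | sed 's/\.$//')
        [ -n "$ns" ] || continue
        total=$((total + 1))
        case "$ns" in
            # Suffix match only, so "x.ns.cloudflare.com.example.net" is not counted.
            *.ns.cloudflare.com) cf=$((cf + 1)) ;;
        esac
    done
    if [ "$total" -eq 0 ]; then
        echo "no-records"      # lookup returned nothing
    elif [ "$cf" -eq "$total" ]; then
        echo "cloudflare"      # every nameserver is Cloudflare's
    elif [ "$cf" -gt 0 ]; then
        echo "mixed"           # only some nameservers are Cloudflare's
    else
        echo "other"           # DNS is hosted elsewhere
    fi
}

# Constructed sample answers (not real lookups).
SAMPLE_CLOUDFLARE='ada.ns.cloudflare.com.
ROB.NS.CLOUDFLARE.COM.'
SAMPLE_OTHER='ns1.hosting-provider.example.
ns2.hosting-provider.example.'

printf 'sample 1: %s\n' "$(printf '%s\n' "$SAMPLE_CLOUDFLARE" | classify_ns)"
printf 'sample 2: %s\n' "$(printf '%s\n' "$SAMPLE_OTHER" | classify_ns)"
```

A "mixed" result usually means a nameserver change is still in progress or the delegation is inconsistent, and is worth investigating before relying on Cloudflare features.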
Standardised protection
While not optimal for security best practice, it is also possible to perform a standardised bot protection on your website with basic math functions and general questions (e.g. ‘what colour is grass?’) through a selection of simple WordPress plugins.
This is better than no protection, but is not likely to protect your website to the same level as the previously outlined options would. Depending on the form plugin you use, we can set up one of the many free options on your WordPress website such as Akismet.
Continue without CAPTCHAs
If you do not wish to have any kind of spam, fraud and abuse protection on your website following the Google reCAPTCHA migration, this is possible. However, we do not advise taking this approach, as it exposes your website to significantly increased vulnerabilities.
Does Vitamin offer support for the Google reCAPTCHA migration?
Yes. Throughout the year we will be working with our currently retained clients to support them in migrating their reCAPTCHA keys to a Google Cloud project on their own Google accounts, or in moving to one of the alternative solutions listed above.
We can also offer this service to previous clients upon request. Please do get in touch with us to discuss, and we would be happy to provide a quote for our support for the migration.
We will require that current and past clients host their reCAPTCHA keys on their own accounts, or secure another viable alternative by the deadline, as we will be unable to continue hosting them on our own accounts after the end-of-2025 deadline.
Ahead of the deadline, we will be removing all Google reCAPTCHA keys from our own Google account, which may put your forms at risk of becoming inoperable unless you migrate them to your own Google account or opt for an alternative to Google reCAPTCHA. To ensure your forms continue operating as normal, please get in touch.