Table of contents
What is CAPTCHA in Magento 2?Key differencesHow to enable Magento 2 CAPTCHAHow to configure Google reCAPTCHAWhen to use reCAPTCHA v2 vs v3How to disable CAPTCHAFAQHow to get started
Get the industry’s most secure Magento hosting◦ 100% network uptime
◦ Comprehensive security
◦ 24/7 support
Explore options

Magento GuideSecurity → CAPTCHA

Magento 2 CAPTCHA: Step by step setup guide

Magento stores are constantly targeted by spam bots, fake registrations, and brute-force login attacks. CAPTCHA acts as a digital gatekeeper, making sure real people (not scripts) are interacting with your forms and login pages.

In this guide, we’ll show you how to enable both built-in Magento CAPTCHA and Google’s reCAPTCHA (v2 and v3). Each step is beginner-friendly, and you’ll finish with a safer, more secure storefront.

Host Magento at full throttle.

Get secure, reliable Magento hosting so you can scale faster.

Magento hosting

What is CAPTCHA in Magento 2?

CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart.” In Magento, it’s a security layer that protects login forms, registration pages, and contact forms from spam and automated bots.

There are two main types available:

  • Native Magento CAPTCHA is a simple image-based verification. It shows distorted characters and asks users to type them in.
  • Google reCAPTCHA is more advanced. It detects bots using AI and offers invisible or checkbox-based challenges depending on the version.

Magento supports both CAPTCHA types and lets you apply them to specific forms. For example:

  • Admin panel login
  • Customer login or registration
  • Forgot password form
  • Contact Us page
  • Newsletter signup

Choosing between native CAPTCHA and Google reCAPTCHA depends on how much security you need and how seamless you want the customer experience to be.

Native CAPTCHA vs Google reCAPTCHA: key differences

Magento’s built-in CAPTCHA is fast and simple to enable. It doesn’t require any external accounts or setup. However, it’s limited in how well it can detect smarter bots.

Google reCAPTCHA offers stronger protection with a better user experience, but it does require an API key from Google’s reCAPTCHA service.

FeatureNative CAPTCHAGoogle reCAPTCHA
Setup difficultyEasy (no external setup)Moderate (requires API keys)
User experienceTyping distorted textCheckbox or invisible
Security strengthBasicAdvanced, AI-based
CustomizationLimitedTheme, position, language
Mobile friendlyNoYes

For most Magento stores, Google reCAPTCHA is the better long-term choice—especially if you’re dealing with fake registrations or contact form spam.

How to enable Magento 2 CAPTCHA (admin panel login or frontend)

Magento’s native CAPTCHA can be enabled from your Admin panel without installing anything.

Step 1: Log into your Magento Admin Panel

Start by accessing your backend admin panel. You’ll need admin privileges to change these settings.

  1. Go to your Magento backend (usually at yourdomain.com/admin)
  2. Log in with your admin username and password

Step 2: Open the CAPTCHA configuration page

Once logged in:

  1. In the left sidebar, go to Stores > Configuration
  2. Under the Advanced tab, select Admin
  3. Scroll down and click to expand the CAPTCHA section

Step 3: Enable CAPTCHA for the desired forms

Magento lets you enable CAPTCHA for several types of forms. You’ll see drop-downs labeled like:

  • Enable CAPTCHA on Frontend – set this to “Yes” to enable CAPTCHA for customer-facing forms
  • Forms – select which forms you want to protect. Common options are:
    • Create User (registration)
    • Login
    • Forgot Password
    • Checkout as Guest
    • Admin Login

Step 4: Configure the CAPTCHA behavior

You’ll be able to fine-tune how CAPTCHA works:

  • Font size – adjusts the size of the CAPTCHA image text
  • Number of symbols – how many characters appear in the CAPTCHA
  • Timeout (seconds) – how long the CAPTCHA is valid before it expires
  • Number of unsuccessful attempts before showing CAPTCHA – you can make it appear only after failed logins
  • Case sensitive – decide whether upper/lowercase matters

Tip: Use a timeout of at least 60 seconds and set 3+ failed attempts before triggering CAPTCHA to keep the user experience smooth.

Step 5: Save and flush cache

  1. Click Save Config in the top-right corner
  2. Go to System > Cache Management
  3. Select Flush Magento Cache

Your changes are now live.

How to configure Google reCAPTCHA in Magento 2

Google reCAPTCHA provides smarter, more flexible protection. You’ll need a Google account to get started.

Step 1: Get your API keys from Google

  • Visit the Google reCAPTCHA Admin Console
  • Log in with your Google account
  • Fill in your details:
    • Label: Just a name for your reference (like “My Magento Store”)
    • reCAPTCHA type:
      • v2 Checkbox: “I’m not a robot” box
      • v2 Invisible: No visible challenge unless suspicious
      • v3: Completely invisible, works in the background
    • Domains: Add your site URL (no https://)
    • Accept terms and submit
  • Google will give you two keys:
    • Site Key
  • Secret Key

Keep these handy: we’ll use them in the next step.

Step 2: Open reCAPTCHA settings in Magento

  1. In the Magento Admin, go to Stores > Configuration
  2. Under Security, click on Google reCAPTCHA Admin Panel

You’ll see sections for:

  1. reCAPTCHA v2 (Admin Panel)
  2. reCAPTCHA v2 (Frontend)
  3. reCAPTCHA v3 (Frontend)

Choose the type you registered with Google.

Step 3: Enter your site and secret keys

Paste the keys you got from Google into the matching fields.

  • Google API Site Key
  • Google API Secret Key

Make sure you enter them in both the frontend and admin panel sections if you’re using reCAPTCHA on both.

Step 4: Choose where to enable reCAPTCHA

Enable it on the forms where you want protection:

  • Admin login
  • Customer login
  • Create account
  • Forgot password
  • Contact form
  • Newsletter subscription

Just check the boxes next to each form.

Step 5: Customize reCAPTCHA settings

For reCAPTCHA v2:

  • Choose Theme (light or dark)
  • Choose Badge Position (bottom right, bottom left, inline)
  • Set Language Code if needed (e.g., “en” for English)

For reCAPTCHA v3:

  • Set a Minimum Score Threshold (recommended: 0.5)
  • Enable reCAPTCHA badge display if required

Step 6: Save and flush cache

Click Save Config, then go to System > Cache Management and flush the Magento cache.

Your reCAPTCHA is now active. Test your forms to make sure everything looks and works as expected.

When to use reCAPTCHA v2 vs v3 in Magento

Both reCAPTCHA versions work well in Magento, but they serve different purposes.

Use reCAPTCHA v2 if:

  • You want visible user interaction (like a checkbox)
  • Your store gets frequent bot activity
  • You want to block form submissions more aggressively

Use reCAPTCHA v3 if:

  • You want a smoother, invisible user experience
  • You trust Google’s AI to score traffic effectively
  • You don’t want CAPTCHA to interrupt conversions
VersionProsCons
v2Visual, easy to understandSlight friction for users
v3Seamless and hiddenCan occasionally misjudge real users

In most cases, v3 is better for customer-facing forms, while v2 offers more obvious deterrence.

How to disable CAPTCHA in Magento 2

Turning off CAPTCHA is useful for testing, troubleshooting, or staging environments.

To disable native CAPTCHA:

  1. Go to Stores > Configuration > Advanced > Admin > CAPTCHA
  2. Set Enable CAPTCHA on Frontend/Admin to “No”
  3. Save config
  4. Go to System > Cache Management and flush cache

To disable Google reCAPTCHA:

  1. Go to Stores > Configuration > Security > Google reCAPTCHA
  2. Uncheck all enabled forms
  3. Save config
  4. Flush cache

Make sure you re-enable CAPTCHA when your site goes live again.

Magento 2 CAPTCHA FAQ

Log into your admin panel, go to Stores > Configuration > Advanced > Admin > CAPTCHA, enable it, and select the forms you want to protect. For Google reCAPTCHA, visit Stores > Configuration > Security > Google reCAPTCHA and enter your Google keys.

reCAPTCHA v3 offers a better user experience since it works invisibly in the background. But v2 may offer stronger bot deterrence due to its visual challenge. Use v2 if you’re facing spam or login abuse.

Set Enable CAPTCHA to “No” under Admin > CAPTCHA, or uncheck forms in the Google reCAPTCHA settings. Always flush your cache afterward.

You don’t insert it manually. CAPTCHA is automatically added by Magento when enabled in the configuration settings. You simply choose where it appears.

Next steps for Magento 2 security extensions

Adding CAPTCHA to your Magento 2 site strengthens security without hurting user experience—especially when using Google reCAPTCHA v3.

If you’re just getting started, set up reCAPTCHA on your login, registration, and contact forms. That covers most of the common attack points.

Liquid Web offers the raw infrastructure power you need with mission-critical features that keep your store running smoothly. Most importantly, our in-house Magento experts are standing by to help with both hosting and Magento application roadblocks.

Click through below to explore all of our Magento hosting options, or chat with an expert right now to get answers and advice.

Ready to get started?

Get the fastest, most secure Magento hosting on the market

Magento hosting

Additional resources

What is Magento Ecommerce? →

A complete beginner’s guide to the Magento Ecommerce platform

Magento 2 security extensions: Top 7 free and paid →

Explore top Magento 2 security extensions to protect your store from threats like malware, spam, and unauthorized access.

Best Magento ERP extensions →

Our top 10 compared so you can decide which is best for your business