How to protect your Magento 2 website from spam?

If you have any web forms in your Magento 2 store that collect information from customers, you are probably very aware of spam. Spammers use web forms to promote their own businesses and sites, and automated tools use the same forms for more malicious purposes as well, such as guessing passwords on the login form or flooding the forgot-password and contact forms.

To protect your Magento 2 web forms, you need to make it difficult or impossible for an automated tool to fill in or submit the form while keeping it as easy as possible for your customers to fill out. The most common way to do this is a CAPTCHA. Keep in mind that a CAPTCHA raises the cost of automated abuse rather than eliminating it, so it should complement strong admin passwords and login rate limiting, not replace them.

What is CAPTCHA?

A CAPTCHA, which stands for "Completely Automated Public Turing test to tell Computers and Humans Apart", is a type of challenge-response test used in computing to determine whether or not the user is human.

There are three common types of CAPTCHA: regular CAPTCHA, simple math CAPTCHA and No CAPTCHA reCAPTCHA.

  • Regular CAPTCHA - the user has to type a few distorted letters or digits displayed on the screen to complete the form submission
  • Simple math CAPTCHA - a very easy arithmetic question, e.g. "what is 2 + 7?"
  • No CAPTCHA reCAPTCHA - a form of CAPTCHA developed by Google that usually only requires the user to tick an "I'm not a robot" checkbox, which makes it very user-friendly; a harder image challenge is shown only when the visitor looks suspicious

CAPTCHA in Magento 2

CAPTCHA can be used in the Magento 2 admin (sign-in and forgot-password pages) and on the storefront (customer account login, registration, forgot password, checkout and contact us pages).


Admin CAPTCHA

For an extra level of security, you can add a CAPTCHA to the admin sign-in and forgot-password pages to protect the back-office credentials of your store, where orders, catalog, content and configuration are managed.

To configure an Admin CAPTCHA:

  • On the Admin panel, click Stores. In the Settings section, select Configuration.
  • Select Admin under Advanced in the panel on the left
  • Open the CAPTCHA section and continue with the following:

Magento 2 admin captcha configuration

  • In the Enable CAPTCHA in Admin field, select “Yes” to enable CAPTCHA in Admin
  • In the Font field, select the name of the Font to be used for the CAPTCHA symbols. The default is LinLibertine.
  • In the Forms field, select the forms where CAPTCHA is to be used (both can be selected):

    • Admin Login
    • Admin Forgot Password
  • In the Displaying Mode, choose one of the following

    • Always
    • After number of attempts to login
  • In the Number of Unsuccessful Attempts to Login field, enter the number of unsuccessful login attempts before the CAPTCHA appears. If you enter zero, the CAPTCHA is always required.

  • In the CAPTCHA Timeout (minutes) field, enter the number of minutes before the CAPTCHA expires. When the CAPTCHA expires, the user must reload the page to generate a new CAPTCHA.

  • In the Number of Symbols field, enter the number of symbols in the CAPTCHA, or a range such as 3-7 (the length then varies between the two values). The maximum number of symbols is eight.

  • In the Symbols Used in CAPTCHA field, specify the symbols that can be used in the CAPTCHA. Only letters (a-z and A-Z) and digits (0-9) are allowed; no spaces or other characters. The default set leaves out easily confused symbols such as I, l, 1, O and 0.

  • In the Case Sensitive field, select Yes if you require the user to enter upper- and lowercase characters exactly as shown. Case-insensitive matching makes the challenge easier to guess, so keep this at Yes unless it causes real trouble for your users.

  • When complete, click Save Config

By default, if you enable the Admin Login CAPTCHA and leave the other settings unchanged, it appears after 3 unsuccessful login attempts.

Magento 2 admin Captcha


Storefront CAPTCHA

Customers can be required to enter a CAPTCHA each time they log in to their accounts, or after several unsuccessful attempts to log in.

To configure a Storefront CAPTCHA:

  • On the Admin panel, click Stores. In the Settings section, select Configuration.
  • Select Customer Configuration under Customers in the panel on the left
  • Open the CAPTCHA section and continue with the following:

Configure storefront CAPTCHA in Magento 2

  • In the Enable CAPTCHA on Frontend field, select “Yes” to enable CAPTCHA on Frontend
  • In the Font field, select the name of the Font to be used for the CAPTCHA symbols. The default is LinLibertine.
  • In the Forms field, select the forms where CAPTCHA is to be used (several can be selected):

    • Create User
    • Login
    • Forgot Password
    • Checkout as Guest
    • Register during Checkout
    • Contact Us
    • Change password
  • In the Displaying Mode, choose one of the following

    • Always
    • After number of attempts to login
  • In the Number of Unsuccessful Attempts to Login field, enter the number of unsuccessful login attempts before the CAPTCHA appears. If you enter zero, the CAPTCHA is always required.

  • In the CAPTCHA Timeout (minutes) field, enter the number of minutes before the CAPTCHA expires. When the CAPTCHA expires, the user must reload the page to generate a new CAPTCHA.

  • In the Number of Symbols field, enter the number of symbols in the CAPTCHA, or a range such as 3-7 (the length then varies between the two values). The maximum number of symbols is eight.

  • In the Symbols Used in CAPTCHA field, specify the symbols that can be used in the CAPTCHA. Only letters (a-z and A-Z) and digits (0-9) are allowed; no spaces or other characters. The default set leaves out easily confused symbols such as I, l, 1, O and 0.

  • In the Case Sensitive field, select Yes if you require the user to enter upper- and lowercase characters exactly as shown. Case-insensitive matching makes the challenge easier to guess, so keep this at Yes unless it causes real trouble for your customers.

  • When complete, click Save Config

You can reload the CAPTCHA as many times as necessary. The CAPTCHA is fully configurable and can be set to appear every time, or only after a number of failed login attempts.
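The admin and storefront procedures above set the same handful of values in two places, and it is easy to leave one scope weaker than the other. The script below is an added example, not code from the original article or from Magento: it reads a configuration dump in the `path - value` line format printed by `bin/magento config:show` (assumed format) and reports settings that contradict the guidance above (CAPTCHA disabled, login or forgot-password form not covered, a length range outside the 8-symbol maximum, characters outside a-z/A-Z/0-9 or look-alike symbols in the symbol set, case sensitivity off). The config paths `admin/captcha/*` and `customer/captcha/*` and the form identifiers such as `backend_login` and `user_login` are assumptions based on the Magento_Captcha module and should be verified against your installed version; the sample dump is constructed for the example.

```python
"""Audit the CAPTCHA settings of a Magento 2 store from a config dump.

Added example; this is not Magento code. It reads `path - value` lines as
printed by `bin/magento config:show` (assumed format) and applies the checks
implied by the admin and storefront CAPTCHA procedures.
"""
import re
import sys

# Config paths as used by the Magento_Captcha module (assumption: verify
# against your version, e.g. `bin/magento config:show admin/captcha`).
SCOPES = {"admin": "admin/captcha", "storefront": "customer/captcha"}

# Form identifiers (assumed values of the Forms multiselect) that every
# store should protect, by scope.
REQUIRED_FORMS = {
    "admin": {"backend_login", "backend_forgotpassword"},
    "storefront": {"user_login", "user_forgotpassword", "user_create"},
}
MAX_SYMBOLS = 8       # hard limit stated in the configuration steps
MIN_SYMBOLS = 4       # shorter challenges are cheap to guess (our own threshold)
MAX_AFTER_FAIL = 3    # Magento's default threshold for "after_fail" mode
LOOKALIKES = set("0O1lI")


def parse_config_show(text):
    """Turn `path - value` lines into a dict; lines without ' - ' are skipped."""
    settings = {}
    for line in text.splitlines():
        path, sep, value = line.strip().partition(" - ")
        if sep:
            settings[path.strip()] = value.strip()
    return settings


def parse_length(spec):
    """'3-7' -> (3, 7), '5' -> (5, 5); raises ValueError on anything else."""
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", spec.replace(" ", ""))
    if not m:
        raise ValueError(spec)
    low = int(m.group(1))
    return low, int(m.group(2) or low)


def audit_scope(settings, scope):
    """Return a list of findings for one scope (empty means it looks fine)."""
    base = SCOPES[scope]
    get = lambda key, default="": settings.get(f"{base}/{key}", default)
    if get("enable") != "1":
        return [f"{scope}: CAPTCHA is disabled"]  # nothing else matters
    findings = []
    forms = {f for f in get("forms").split(",") if f}
    missing = REQUIRED_FORMS[scope] - forms
    if missing:
        findings.append(f"{scope}: CAPTCHA not enabled on forms {sorted(missing)}")
    mode, attempts = get("mode"), get("failed_attempts_login", "0")
    if mode == "after_fail":
        if not attempts.isdigit():
            findings.append(f"{scope}: unparseable failed-attempt threshold {attempts!r}")
        elif int(attempts) > MAX_AFTER_FAIL:
            findings.append(f"{scope}: CAPTCHA only after {attempts} failed logins")
    elif mode != "always":
        findings.append(f"{scope}: unknown display mode {mode!r}")
    try:
        low, high = parse_length(get("length"))
        if low < MIN_SYMBOLS:
            findings.append(f"{scope}: minimum CAPTCHA length {low} is short")
        if high > MAX_SYMBOLS:
            findings.append(f"{scope}: length {high} exceeds the {MAX_SYMBOLS}-symbol maximum")
    except ValueError:
        findings.append(f"{scope}: unparseable Number of Symbols {get('length')!r}")
    symbols = get("symbols")
    if not re.fullmatch(r"[A-Za-z0-9]+", symbols):
        findings.append(f"{scope}: symbol set must contain only a-z, A-Z and 0-9")
    elif set(symbols) & LOOKALIKES:
        findings.append(f"{scope}: symbol set contains look-alike characters "
                        f"{''.join(sorted(set(symbols) & LOOKALIKES))}")
    if get("case_sensitive") != "1":
        findings.append(f"{scope}: CAPTCHA is case-insensitive")
    return findings


def audit(text):
    """Audit both scopes; returns {scope: [findings]}."""
    settings = parse_config_show(text)
    return {scope: audit_scope(settings, scope) for scope in SCOPES}


# Constructed sample dump (not from a real store): admin protects only the
# forgot-password form; storefront has a weak symbol set and a short length.
SAMPLE = """\
admin/captcha/enable - 1
admin/captcha/forms - backend_forgotpassword
admin/captcha/mode - after_fail
admin/captcha/failed_attempts_login - 3
admin/captcha/timeout - 7
admin/captcha/length - 4-5
admin/captcha/symbols - ABCDEFGHJKMnpqrstuvwxyz23456789
admin/captcha/case_sensitive - 0
customer/captcha/enable - 1
customer/captcha/forms - user_forgotpassword,user_create,contact_us
customer/captcha/mode - after_fail
customer/captcha/failed_attempts_login - 3
customer/captcha/length - 3-7
customer/captcha/symbols - abc01
customer/captcha/case_sensitive - 0
"""

if __name__ == "__main__":
    dump = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for scope, findings in audit(dump).items():
        print(f"[{scope}] " + (" | ".join(findings) if findings else "OK"))
```

Run it as `bin/magento config:show | python3 captcha_audit.py` (the `config:show` command exists from Magento 2.2; on older releases export the same paths from the `core_config_data` table in the same `path - value` form). The sample dump flags the admin scope for not covering `backend_login` and for being case-insensitive, and the storefront scope for the missing login form, the 3-symbol minimum, the `0`/`1` look-alikes and case-insensitivity.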

Storefront CAPTCHA in Magento 2

The default Magento 2 CAPTCHA is not very user-friendly. The reCAPTCHA extension for Magento 2 developed by Ulmod lets users attest that they are human with a single click on a checkbox instead of typing a CAPTCHA.

The extension currently supports reCAPTCHA on the following forms:

  • Contact page form
  • Product Review form
  • Customer Registration Form
  • Product Send to friend form
  • Login Form
  • Forgot Password Form
  • Newsletter Subscription Form


Tags: spam secure protect magento2.1 magento2