Download Protection

reCAPTCHA Lock

3 min read Updated Apr 2, 2026

Overview

reCAPTCHA lock protects downloads from bots and automated abuse by requiring human verification. Using Google’s reCAPTCHA service, it distinguishes humans from bots while providing a seamless experience for legitimate users.

Prerequisites

Quick Start

Getting reCAPTCHA Keys

Step 1: Register Site

  • Go to Google Cloud Console
  • Sign in with Google account
  • Create a project and Enable reCAPTCHA Enterprise Api

Step 2: Configure

Field Value
Label Your site name
reCAPTCHA Type reCAPTCHA Enterprise
Domains yourdomain.com / localhost

Read more about step-by-step configure process.

Step 3: Get Keys

After registering, you’ll receive:

  • Site Key
  • Api Key
  • Project ID

Copy both keys and ID.

Step 4: Enter in WPDM

  • Go to Downloads > Settings > reCAPTCHA Enterprise Settings
  • Enter Project ID
  • Enter Site Key
  • Enter Secret Key
  • Save settings

reCAPTCHA Enterprise Lock

I’m not a robot checkbox:

┌─────────────────────────────────────┐
│                                     │
│  ┌─────────────────────────────┐    │
│  │ ☐ I'm not a robot           │    │
│  │   [reCAPTCHA logo]          │    │
│  └─────────────────────────────┘    │
│                                     │
│   [Download]                        │
│                                     │
└─────────────────────────────────────┘

Pros:

  • Clear and familiar user interaction
  • High accuracy with adaptive risk analysis
  • Enterprise grade bot detection (ML-based)
  • Works well as a fallback for high risk actions

Cons:

  • Adds a visible step to the user flow
  • May trigger challenges for legitimate users
  • Slight friction in UX

Enabling reCAPTCHA Lock

Per Package

  • Edit a package
  • Find Lock Options panel
  • Enable reCAPTCHA Lock
  • Save package

All Packages

If you want to apply the reCAPTCHA lock to all packages at once, you can use the WPDM Default Values add-on.

Steps:

  • Go to Downloads → Settings → Default Values
  • Navigate to Default Lock Options
  • Enable reCAPTCHA for all packages under the lock settings
☑ Enable CAPTCHA for all packages

This will automatically apply reCAPTCHA protection to all existing and new packages without configuring each one individually.

User Experience

  • User clicks download
  • Background risk analysis is triggered
  • If low risk: Download starts immediately
  • If suspicious: Challenge popup appears
  • On success: Download proceeds

Combining with Other Locks

reCAPTCHA + Email

Collect email with bot protection:

Locks:
☑ Email Lock
☑ reCAPTCHA Lock

User completes both before download.

reCAPTCHA + Password

Password entry with bot protection:

Locks:
☑ Password Lock
☑ reCAPTCHA Lock

Prevents brute-force password attempts.

Troubleshooting

Invalid Site Key

Causes:

  • Typo in reCAPTCHA credentials
  • Key from different Google account
  • Domain mismatch

Solutions:

  • Copy key directly from reCAPTCHA Enterprise
  • Verify domain is registered
  • Regenerate keys if needed

reCAPTCHA Not Appearing

Causes:

  • JavaScript error
  • Keys not configured
  • Missing server side verification
  • Lock not enabled

Solutions:

  • Check browser console
  • Verify keys are correct and entered
  • Confirm lock is enabled for package

Always Showing Challenge

Causes:

  • VPN/proxy detected
  • Browser fingerprint suspicious
  • Testing from same IP repeatedly

Solutions:

  • Normal behavior for suspicious traffic
  • Different IPs for testing
  • Use test keys for development

Test Keys for Development

Google provides test keys that always pass:

Key Type Value
Site Key 6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI
Secret Key 6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe

Note: Only use for development. Switch to real keys for production.

Privacy Considerations

Data Collection

Google reCAPTCHA collects:

  • IP address
  • Browser information
  • Mouse movements
  • Time on page

Privacy Policy

Update your privacy policy to mention:

  • Use of Google reCAPTCHA
  • Data shared with Google
  • Purpose of verification

GDPR Compliance

For EU users:

  • Disclose reCAPTCHA in cookie policy
  • Consider consent before loading
  • Provide alternative if required

Related Documentation

Applies to: WordPress Download Manager 7.x