Download Protection

How to Configure reCAPTCHA Enterprise for WordPress Download Manager

6 min read Updated Apr 8, 2026

Protecting your downloads from bots and automated abuse is crucial for any website offering digital files. Google’s reCAPTCHA Enterprise provides advanced bot detection with risk-based scoring, giving you enterprise-grade protection for your WordPress Download Manager packages.

In this comprehensive guide, we’ll walk you through setting up reCAPTCHA Enterprise from scratch — from creating your Google Cloud project to testing the integration on your download pages.

What is reCAPTCHA Enterprise?

reCAPTCHA Enterprise is Google’s premium bot protection service that goes beyond the traditional “I’m not a robot” checkbox. Here’s how it differs from the free version:

Feature reCAPTCHA v2/v3 (Free) reCAPTCHA Enterprise
Risk Scoring Basic (v3 only) Advanced 0.0-1.0 scoring
Fraud Detection Standard ML-powered, adaptive
Action Tracking Limited Detailed per-action analytics
Support Community Google Cloud Support
Monthly Assessments Unlimited 1M free, then pay-as-you-go
Good News: reCAPTCHA Enterprise includes 1 million free assessments per month — more than enough for most websites!

Prerequisites

Before you begin, make sure you have:

  • WordPress Download Manager installed and activated
  • A Google account
  • Access to Google Cloud Console
  • Your website’s domain name

Step 1: Create a Google Cloud Project

First, you need to set up a Google Cloud project to manage your reCAPTCHA Enterprise keys.

  1. Go to the Google Cloud Console
  2. Click on the project dropdown at the top of the page
  3. Click New Project
  4. Enter a project name (e.g., My Website reCAPTCHA)
  5. Click Create

Wait a few moments for the project to be created, then make sure it’s selected in the project dropdown.

Step 2: Enable reCAPTCHA Enterprise API

  1. In your Google Cloud project, go to APIs & Services → Library
  2. Search for reCAPTCHA Enterprise API
  3. Click on it and then click Enable

Step 3: Create a reCAPTCHA Enterprise Site Key

  1. Navigate to Security → reCAPTCHA Enterprise in the Cloud Console sidebar
  2. Click Create Key
  3. Enter a display name (e.g., My Website Downloads)
  4. Select Website as the platform type
  5. Add your domain(s) in the Domain list section:
    • Add your main domain (e.g., example.com)
    • Add www.example.com if applicable
    • For testing, you can also add localhost
  6. Under Integration type, select Checkbox (recommended for downloads)
  7. Click Create Key
  8. Copy the Site Key that appears — you’ll need this for Download Manager
Note: Also copy the Project ID from the top of the page or from Project Settings. It looks like my-project-123456.

Step 4: Create an API Key for Server-Side Verification

The Site Key is used on the frontend, but you also need an API Key for server-side verification.

  1. Go to APIs & Services → Credentials
  2. Click + Create Credentials → API Key
  3. A new API key will be created — click Edit API Key to configure it
  4. Give it a name like “reCAPTCHA Enterprise API Key”
  5. Important: Under “API restrictions”, select Restrict key and choose only reCAPTCHA Enterprise API
  6. Click Save
  7. Copy the API Key — you’ll need this for Download Manager
Security Warning: Do NOT use HTTP referrer restrictions for this API key! The verification happens server-side (from your hosting server), not from the browser. If you want to restrict the key, use IP address restrictions with your server’s IP address instead.

Step 5: Configure reCAPTCHA Enterprise in Download Manager

Now that you have all three credentials (Project ID, Site Key, and API Key), let’s configure Download Manager.

  1. In your WordPress admin, go to Downloads → Settings
  2. Click on the Basic or General tab
  3. Scroll down to the reCAPTCHA Enterprise section
  4. Enter your credentials:
    • Google Cloud Project ID: Your project ID (e.g., my-project-123456)
    • reCAPTCHA Enterprise Site Key: The Site Key you copied earlier
    • reCAPTCHA Enterprise API Key: The API Key you created
  5. Optionally enable reCAPTCHA for:
    • Registration Form — Protect user registration
    • Login Form — Protect login attempts
  6. Click Save Settings

Step 6: Test Your Configuration

Download Manager includes a built-in testing tool to verify your reCAPTCHA Enterprise setup.

  1. In the same settings page, scroll to the Test Integration section
  2. You should see a reCAPTCHA checkbox widget appear
  3. Complete the CAPTCHA challenge
  4. Click the Verify Integration button

If everything is configured correctly, you’ll see a green success message with the risk score (usually 0.9 for legitimate users).

Video Tutorial

Troubleshooting Common Errors

If verification fails, here are common issues and solutions:

ErrorCauseSolution
SITE_MISMATCHDomain not in allowed listAdd your domain to the Site Key’s domain list in Google Cloud
PERMISSION_DENIEDAPI Key has HTTP referrer restrictionsRemove referrer restrictions or use IP restrictions instead
EXPIREDToken expired before verificationComplete the CAPTCHA and click verify within 2 minutes
INVALID_ARGUMENTProject ID or Site Key mismatchDouble-check all credentials in Google Cloud Console
UNAUTHENTICATEDInvalid API KeyGenerate a new API Key and update settings

Enable reCAPTCHA Lock on Downloads

Now you can protect individual packages with reCAPTCHA:

  1. Edit any package in Downloads → All Files
  2. Find the Lock Options metabox
  3. Check Enable Captcha Lock
  4. Update the package

Now when users try to download this package, they’ll see the reCAPTCHA challenge. After completing the CAPTCHA, users can proceed with the download.

Best Practices

  1. Don’t over-protect: Only enable reCAPTCHA on downloads that need protection. Too many CAPTCHAs can frustrate legitimate users.
  2. Combine with other locks: reCAPTCHA works great with email lock or password protection for layered security.
  3. Monitor your dashboard: Check the reCAPTCHA Enterprise dashboard in Google Cloud for insights on blocked threats and risk score distributions.
  4. Keep credentials secure: Never share your API Key publicly. It’s used for server-side verification only.
  5. Test after domain changes: If you change domains or add subdomains, update your Site Key’s domain list.

Monitoring & Analytics

reCAPTCHA Enterprise provides detailed analytics in the Google Cloud Console:

  1. Go to Security → reCAPTCHA Enterprise in Google Cloud
  2. Click on your Site Key
  3. View the Metrics tab for:
    • Total assessments over time
    • Score distribution (how many bots vs. humans)
    • Pass/fail rates
    • Geographic distribution of requests

Conclusion

reCAPTCHA Enterprise provides robust protection for your WordPress Download Manager files against automated abuse and bot attacks. With the detailed risk scoring and Google’s machine learning-powered detection, you can be confident that your downloads are reaching real users.

The setup process takes about 5-10 minutes, and the built-in testing tool makes it easy to verify everything is working correctly before going live.

Need Help?

If you encounter any issues with reCAPTCHA Enterprise configuration: