Since I use chatgpt paid and fed it logs, code, screenshots and a whole raft of information, I asked it to produce the following guide based on the issues I faced.
I’ve put this here incase it benefits anyone else.
——– CHATGPT OUTPUT———–
WordPress Download Manager + reCAPTCHA Enterprise “Captcha Verification Failed” – FIX
I’m posting this because I just went through an unreasonably painful few hours getting reCAPTCHA Enterprise working with WordPress Download Manager, and I don’t want anyone else to have to reverse engineer this like I did.
If you’re seeing “Captcha Verification Failed!” even though the checkbox appears and ticks correctly, this post is for you.
This is not a simple misconfiguration. It’s a design mismatch between Google Cloud and how WPDM verifies captchas.
What’s actually going wrong
WordPress Download Manager verifies reCAPTCHA server side.
reCAPTCHA Enterprise uses an API key, not a secret key like older versions.
If your API key is restricted to HTTP referrers, Google will silently block the server request and WPDM will fail. The plugin does not tell you why. It just says “Captcha Verification Failed”.
The checkbox still works. The download still fails.
That’s the trap.
What you need before starting
Access to Google Cloud Console
Access to WordPress admin
Optional but very helpful is server access like Virtualmin or SSH
You do not need to modify WPDM core files to fix this.
Step 1: Google Cloud project
Go to Google Cloud Console.
Create a new project or select an existing one.
Copy the Project ID exactly.
Not the project name. The ID.
Step 2: Enable reCAPTCHA Enterprise API
Go to APIs & Services.
Open Library.
Search for reCAPTCHA Enterprise API.
Enable it.
If this is not enabled, nothing else matters.
Step 3: Create a reCAPTCHA Enterprise site key
Go to Security then reCAPTCHA Enterprise.
Create a new key.
Choose Web.
Enable Challenge mode if you want a checkbox.
Add your domain, for example http://www.example.com.
Save the key.
Copy the Site Key.
Step 4: Create the API key (this is the critical part)
Go to APIs & Services then Credentials.
Create a new API key.
Now edit that key.
Set Application restrictions to None.
Do NOT use HTTP referrers.
This will break WPDM every time.
You may restrict the API to reCAPTCHA Enterprise API only if you want.
Save the key.
Google may take several minutes to apply the change. That delay is real.
Step 5: Configure WordPress Download Manager
In WordPress admin, open WPDM settings.
Enter the following:
Google Cloud Project ID
reCAPTCHA Enterprise Site Key
reCAPTCHA Enterprise API Key
Save settings.
Clear any caching if you use Cloudflare or a caching plugin.
Step 6: If it still fails, check logs
Enable WordPress debugging in wp-config.php.
Set WP_DEBUG to true.
Set WP_DEBUG_LOG to true.
Set WP_DEBUG_DISPLAY to false.
Logs will appear in wp-content/debug.log.
However, Google API errors may still not appear here.
Step 7: The error you are looking for
If you intercept the server request to Google, the real error looks like this:
“Requests from this referer are blocked”
If you see that, your API key is restricted incorrectly.
Once the restriction is removed, Google responds with HTTP 200 and:
tokenProperties.valid = true
risk score around 0.9
At that point, it works.
Step 8: Test again
Reload the download page.
Tick the reCAPTCHA checkbox.
Start the download.
If everything is configured correctly, the download will now work normally.
No WPDM code changes required.
Why this problem is so common
reCAPTCHA Enterprise behaves differently from v2 and v3.
API keys feel like browser keys but WPDM uses them server side.
Google’s real error is hidden unless logged.
WPDM shows a generic failure message with no detail.
It’s a perfect storm.
Final advice
If you want to secure the API key later, restrict it by server IP, not HTTP referrer.
Do not re enable referrer restrictions unless you want this to break again.
One sentence summary
WPDM verifies reCAPTCHA Enterprise from the server.
API keys restricted by HTTP referrer will always fail.
Hope this saves someone else a very long evening.
.
