After installing and activating the Strong Testimonials: Captcha extension, going to your WordPress dashboard >Testimonials > Form > Settings > Form Spam Control will reveal Honeypot and Captcha options.
Honeypots
Honeypots are methods for trapping spambots and are both time-tested and widely used. May be used simultaneously for more protection. However, honeypots may not be compatible with WP-SpamShield, Ajax page loading, caching, or minification.
Before: Adds a new empty field that is invisible to humans. Spambots tend to fill in every field they find in the form. Empty field = human. Not empty = spambot.
After: Adds a new field as soon as the form is submitted. Spambots cannot run JavaScript, so the new field never gets added. New field = human. Missing = spambot.
Google Recaptcha
Add Google Recaptcha to your form by checking the enable Google reCAPTCHA option.
To start using reCAPTCHA, you must sign up for an API key pair for your site. The key pair consists of a site key and a secret key. The site key is used to invoke the reCAPTCHA service on your site. The secret key authorizes communication between your application backend and the reCAPTCHA server to verify the user’s response. The secret key needs to be kept safe for security purposes.
In your Google reCAPTCHA admin, choose the type of reCAPTCHA and then fill in your site domain. Click the Register button to get a new API key pair. Copy & Paste these API keys into your Settings:
You can then choose between 3 types of Google reCAPTCHA:
reCAPTCHA v2 (“I’m not a robot” Checkbox)
The “I’m not a robot” Checkbox requires the user to click a checkbox indicating the user is not a robot. This will either pass the user immediately (with No CAPTCHA) or challenge them to validate whether or not they are human.
Invisible reCAPTCHA badge
The invisible reCAPTCHA badge does not require the user to click on a checkbox; instead, it is invoked directly when the user clicks on an existing button on your site, in our case, the Submit testimonial button. Only the most suspicious traffic will be prompted to solve a captcha by default. To alter this behavior, edit your site security preference under advanced settings in your Google Recaptcha Admin.
reCAPTCHA v3
reCAPTCHA v3 allows you to verify if an interaction is legitimate without any user interaction. It is a pure JavaScript API returning a score (between 0 and 1). This score is based on interactions with your site: 1.0 is very likely a good interaction, and 0.0 is very likely a bot, giving you the ability to stop the testimonial form submission if the user doesn’t pass this score.
By default, the user needs to pass a score of 0.5 to submit the form, but this setting can be changed:
