Form Protection: Site Booster Module

The Ocean Site Booster's Form Protection module allows you to integrate industry-standard CAPTCHA services to verify that the person filling out your forms is a human, not a script.

To access the Form Protection module, navigate to the Security panel, select the Form Protection tab, and toggle to enable the Form Protection module.

Enable (or disable) any option you would like to use, then save changes   at the bottom of the module page.

Available Form Protection options include:

Recommended:

CAPTCHA Type

You can choose the service that best fits your site's aesthetic and privacy needs:

  • Google reCAPTCHA v2: The classic "I'm not a robot" checkbox. Very reliable and familiar to most users. Requires a Site Key and Secret Key from your Google Admin console.
  • Cloudflare Turnstile: A privacy-focused, user-friendly alternative. It often stays invisible to real users while still blocking bots. No "click the fire hydrants" puzzles required!
  • None: Disables CAPTCHA verification.

Google reCAPTCHA v2

To use this, you'll need to generate keys in your Google account.

  • Site Key: This is public and tells Google which site is asking for the verification.
  • Secret Key: Keep this private! It allows Site Booster to communicate securely with Google’s servers to verify the user's response.

Cloudflare Turnstile

Turnstile offers a more seamless experience and doesn't track users across the web.

  • Theme: Choose Light, Dark, or Auto to match your website’s design.
  • Render Method:
    • Explicit: Site Booster specifically triggers the CAPTCHA when the form loads.
    • Implicit: The widget is always rendered regardless of interaction.

CAPTCHA: Where to Get Your API Keys

To use Form Protection, you must register your website with your chosen service. Both offer free tiers that are perfect for most WordPress sites.

Google reCAPTCHA v2

  1. Access the Console: Go to the Google reCAPTCHA Admin Console.
  2. Register Your Site: Click the + or Create icon.
  3. Choose Your Type: Give your site a label and select reCAPTCHA v2 > "I'm not a robot" Checkbox.
  4. Add Your Domain: Enter your website's URL (eg, yoursite.com  ).
  5. Copy Your Keys: Once you hit "Submit", Google will generate your Site Key and Secret Key.

Cloudflare Turnstile

  1. Access the Dashboard: Log in to your Cloudflare Dashboard.
  2. Navigate to Turnstile: Select Turnstile from the sidebar menu.
  3. Add Your Site: Click Add Widget and enter your site details.
  4. Select Widget Mode: We recommend Managed for the best balance of security and user experience.
  5. Copy Your Keys: Cloudflare will provide a Site Key and Secret Key immediately.

Keep your Secret Key safe! While the "Site Key" is visible in your website's code, the "Secret Key" should never be shared or posted publicly. If you think your Secret Key has been compromised, you can "Rotate" it in your service dashboard to generate a new one.

Form Protection: Where to Apply Protection

You can toggle protection on or off for specific high-risk areas of your WordPress site:

  • Protect Login Form: Stops "Brute Force" attacks where bots try thousands of password combinations.
  • Protect Registration Form: Prevents fake "bot accounts" from cluttering your user database.
  • Protect Lost Password Form: Stops bots from triggering thousands of password reset emails (which can hurt your email sender reputation).
  • Protect Comment Form: The best way to kill "Comment Spam" and keep your discussions clean.
  • Protect WooCommerce Checkout: Crucial for eCommerce. Prevents "carding" (where bots test stolen credit card numbers by making tiny purchases).

Best Practices & Expert Tips

The "Security Header" Connection

If you have the Site Booster's Security Headers module enabled, ensure your Content Security Policy (CSP) allows scripts from www.google.com   or challenges.cloudflare.com  . If the CAPTCHA doesn't show up, check your browser console for a "CSP Violation" error.

Don't Lock Yourself Out!

When enabling Protect Login Form, always keep a second tab open where you are already logged in. Test the login page in an Incognito window first. If you made a typo in your API keys, you could accidentally lock yourself out of your own site!

Which one should I choose?

  • For the best User Experience: Use Cloudflare Turnstile. It is faster and much less annoying for your customers.
  • For the most "Battle-Tested" security: Use Google reCAPTCHA v2. It has been the gold standard for years.

Quick Setup Checklist

  1. Register your site with either Google reCAPTCHA or Cloudflare Turnstile to get your keys.
  2. Paste the keys into the Site Booster settings.
  3. Start with the Comment Form to test that the CAPTCHA displays correctly.
  4. Slowly enable Login and Checkout protection once you’ve confirmed everything is working.

Advanced Usage: The Universal Shortcode

While Site Booster offers native toggles for standard WordPress and WooCommerce forms, we know many users utilize third-party plugins for contact pages, surveys, or custom registrations.

If the Form Protection module is active and configured with your API keys, you can manually insert a CAPTCHA into almost any form on your site using our universal shortcode:

[osb_captcha]  

How to Use It

  1. Ensure Configuration: Make sure you have entered your Site Key and Secret Key in the Form Protection module and that the module is toggled ON.
  2. Insert the Shortcode: Copy and paste [osb_captcha]   directly into your form builder's "HTML" or "Shortcode" block, typically just before the Submit button.
  3. Verify: View your page on the front end. The Google reCAPTCHA or Cloudflare Turnstile widget will render exactly where you placed the code.

Where to use this?

This is particularly useful for:

  • Contact Forms: Protect custom contact pages created with Gutenberg or Elementor.
  • Newsletter Sign-ups: Stop bots from filling your email list with "junk" addresses.
  • Custom Application Forms: Add a layer of security to job applications or membership inquiries.

Compatibility with OceanWP Pro Bundle

Site Booster is designed to work seamlessly with other OceanWP products. To prevent configuration conflicts and ensure a smooth user experience, we have built-in "Smart Detection" for the Ocean Popup Login extension.

Automatic Conflict Prevention

If you have Ocean Popup Login active and its Form Protection (reCAPTCHA or Turnstile) is enabled, Site Booster will automatically detect this state:

  • Smart Deactivation: Site Booster will temporarily disable its own Form Protection module if it detects that Ocean Popup Login is already handling these security tasks.
  • Why we do this: This prevents "Duplicate CAPTCHA" errors, where a user might be asked to verify themselves twice, which can lead to failed logins or broken forms.

If you prefer to manage all your security settings in one central place, you can disable the protection within Ocean Popup Login and then enable it here in Site Booster.

Found an error in this doc or believe it needs improvement?

Send us a prepurchase ticket, include the URL of the page, and add suggestions and more details about how we can make things better for you.

That's it!

Boost your WordPress website on all levels with OceanWP and Ocean Site Booster.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.