reCAPTCHA v3 score threshold issue

6 days ago
I have reCAPTCHA v3 enabled on the registration page and it works. The default v3 score threshold is 0.5. I can have many customers registered without any issue, but I also pretty often get complaints about the "The reCAPTCHA response is invalid or malformed" message. So, I lowered the threshold to 0.2. Now, a large volume of spammers has come in. After adjusting many times and settling at 0.3, I am finally just at the edge of stopping the spammers, but I still get one or two complaints about the "reCAPTCHA malformed" every day. I feel I also lose some registrations each day, since I got more valid registrations when the threshold was lower and spam could come in.

Does anyone have a similar experience or advice on how to find the sweet spot of this threshold?

I have been monitoring the Google reCAPTCHA site and see reCAPTCHA v3 stopped thousands of spammers each day, but we still have to deal with customers who cannot register and lose potential customers each day.

Any help is really appreciated!

Thank you!
5 days ago
Hi there, I have done some R&D. There is no such standard for it!
I think you are on the right path; you can't get 100% correctness from it.
As setting it at 0.3 is giving you an optimized result, it's good for you!
You might have some false positive and true negative cases, but you should accept that.
5 days ago
Thank you for the reply. Yesterday, I even tried the threshold at 0.299, and some spammers could come in. Once I changed it back to 0.3, they stopped. It seems like it's the sweet spot for me. I have to put up a message on my registration page to ask customers who can't register to contact us. Hope we will spend less time in customer service and lose fewer customers by doing this. I also tried reCAPTCHA v2; it can't stop those spammers. I am wondering if reCAPTCHA is the best solution available. Does anyone have experience with other solutions?
2 days ago
Hey there. I am not trying to hijack this thread. Just adding my observation because something has changed with regard to how recaptcha is functioning in the last few days. Maybe what I add here can provide some clues.

I have had recaptcha v3 invisible mode on my site for a couple of years now without a single issue. No module or core platform upgrades, so everything should just work like nothing has changed. Using nopC v4.40.4. It is enabled on all pages: login, registration, forgot password, contact. I too have thousands of requests in my recaptcha admin.

All of a sudden in the last day or two, I am getting complaints about the recaptcha not working on only the contact page. Request malformed, etc. What is interesting in my case is that this only happens on the contact page but not any other page. In my searching online, I came across other CMSs with a similar issue having to do with page caching. I do use Cloudflare. Maybe I'll poke around there and disable caching to see what happens.

Finding this thread is interesting in that I am not the only user having issues with recaptcha lately. My contact form currently does not work. It worked yesterday. All my other captcha enabled pages work fine. Weird.
2 days ago
Talen,

Can you confirm this happens on all of your recaptcha enabled pages? Or just a certain page? The reason I ask is because maybe the recaptcha service is rate limiting certain pages due to high api requests? This is just a guess. My highest abused page is the contact page and ironically is the only one not working. What is yours? Check in your google recaptcha admin.

Change your date range to "All 90 Days" then look under "Top 10 Actions". It will show the most abused page in dark blue.
21 hours ago
In my case, the contact us page is the most abused page. However, the problem is only on the registration page. Do you mean the page caching on the server side? If that is the case, maybe "clear cache" and restarting the application can help?
15 hours ago
Restarting the application or clearing cache did not work.

However, I did some more research and came across users re-creating their api keys to solve the issue. I figured to leave no stone unturned and had no expectation that would actually work but to my amazement, it did work. So, try it and let us know. So weird.

Just create a new site in your recaptcha admin and get new keys.
7 hours ago
Thank you! I also added a new key and will let it run for a few days. Let's see if this can resolve the issue. There is also a reCAPTCHA enterprise version; I am not sure if that has better control.
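
An added example, not part of any post above and not nopCommerce or Google code: it separates sign-ups rejected by the score threshold from sign-ups whose token the verification endpoint refused outright, then tallies blocked customers and admitted spam at the thresholds tried in this thread. Field names and error codes follow Google's documented siteverify JSON response; the sample responses and the legit/spam labels are constructed, and `classify` and `sweep` are hypothetical helper names.

```python
# Added example with constructed data; not nopCommerce or Google code.
from collections import Counter

# siteverify error codes that mean the token itself was refused (expired,
# reused, missing or malformed), independent of any score threshold.
TOKEN_ERRORS = {"timeout-or-duplicate", "invalid-input-response",
                "missing-input-response"}

def classify(resp, expected_action, threshold):
    """Say why one siteverify JSON response passes or is rejected."""
    if not resp.get("success"):
        codes = set(resp.get("error-codes", []))
        return "token_error" if codes & TOKEN_ERRORS else "config_error"
    if resp.get("action") != expected_action:
        return "action_mismatch"
    return "pass" if resp.get("score", 0.0) >= threshold else "low_score"

def sweep(samples, expected_action, thresholds):
    """Per threshold: legit users blocked (by reason) and spam admitted.
    samples holds (response, label) pairs; the 'legit'/'spam' labels are
    assumed to come from manual review of past sign-ups."""
    table = {}
    for t in thresholds:
        c = Counter()
        for resp, label in samples:
            outcome = classify(resp, expected_action, t)
            if label == "legit" and outcome != "pass":
                c["legit_blocked:" + outcome] += 1
            elif label == "spam" and outcome == "pass":
                c["spam_admitted"] += 1
        table[t] = dict(c)
    return table

# Constructed responses (hypothetical scores and actions).
SAMPLES = [
    ({"success": True, "score": 0.9, "action": "register"}, "legit"),
    ({"success": True, "score": 0.4, "action": "register"}, "legit"),
    ({"success": True, "score": 0.3, "action": "register"}, "legit"),
    ({"success": False, "error-codes": ["timeout-or-duplicate"]}, "legit"),
    ({"success": True, "score": 0.2, "action": "register"}, "spam"),
    ({"success": True, "score": 0.1, "action": "register"}, "spam"),
    ({"success": True, "score": 0.3, "action": "contact"}, "spam"),
]

if __name__ == "__main__":
    for t, row in sweep(SAMPLES, "register", [0.2, 0.3, 0.5]).items():
        print(t, row)
```

In this constructed data the `token_error` rejection is present at every threshold, so logging the reason alongside the score shows which complaints a threshold change can and cannot affect.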