Security: Enabling Google reCAPTCHA

Security: Enabling Google reCAPTCHA

Keeping forms secure is essential, but it shouldn’t come at the expense of a smooth supporter experience. reCAPTCHA helps protect your platform from spam, automated abuse, and card testing while allowing genuine supporters to move through donation and registration flows with minimal friction.

This article explains how reCAPTCHA works within Funraisin, where it can be applied, and how to enable and manage it across different form types. The goal is to help you apply the right level of protection in the right places—so your forms stay secure, usable, and conversion-friendly.

Jump to:

What is Google reCAPTCHA?

Google reCAPTCHA is a free security service from Google designed to protect websites from spam and automated abuse. It works by analysing user behaviour and other signals to determine whether an interaction is being performed by a real person or a bot. If suspicious activity is detected, the interaction is blocked—helping keep forms secure while minimising disruption for genuine users.

There are two versions of reCAPTCHA. While many people are familiar with reCAPTCHA v2, Funraisin recommends using reCAPTCHA v3.

reCAPTCHA v2 requires users to complete challenges, such as selecting specific images from a grid. While effective at stopping basic bots, this approach introduces friction into the user experience.

reCAPTCHA v3 runs quietly in the background, continuously analysing behaviour and assigning a score between 0 and 1 that indicates how likely the interaction is to be automated. When activity falls below an acceptable threshold, the interaction is blocked—without requiring the user to complete a challenge.

When reCAPTCHA is active on a form, a reCAPTCHA icon appears in the bottom-right corner of the screen.

Where can Google reCAPTCHA can be used?

Google reCAPTCHA can be applied to multiple form types across the platform to help protect against spam and automated abuse.

reCAPTCHA can be used on:

• Donation form blocks and pages (Event and platform pages, including crowdfunding pages)
• Sponsored donation forms on fundraising pages
• Registration forms within events
• Standalone webforms used on content pages

reCAPTCHA can be enabled either platform-wide or at the individual form level, depending on the form type. Some forms—such as sponsored donation forms—are controlled at the platform level only, while others allow more granular control.

Creating Google reCAPTCHA Keys

Each platform requires its own Google reCAPTCHA keys for reCAPTCHA to work correctly. These keys are created within your organisation’s Google account and only need to be generated once per domain.

You can use an existing Google account—such as the one used for tools like Google Analytics—or create a new account using your organisation’s work email address if needed.

To create Google reCAPTCHA keys:

1

Navigate to google.com/recaptcha/admin/create

2

Log in to your Google account (or create one if required)

3

Once you’re on the reCAPTCHA setup page, configure the following settings:

• • Label: Give your reCAPTCHA a clear, recognisable name. A good approach is to use your charity name and site URL.
  • reCAPTCHA type: Select reCAPTCHA v3.
  • Domains: A domain refers to the website address where your forms are hosted, such as goodcharity.com or fundraise.goodcharity.com.

If your site does not use a subdomain (for example, https://www.goodcharity.com/):

• Remove https://
• Remove www.
• Remove the trailing /

Enter the domain as: goodcharity.com

If your site uses a subdomain (for example, https://fundraise.goodcharity.com/):

• Remove https://
• Remove the trailing /

Enter the domain as: fundraise.goodcharity.com

If you use multiple domains, you can add them all here. The same reCAPTCHA keys can be used across multiple platforms, as long as each domain is listed.

If your site does not use a subdomain (for example, https://www.goodcharity.com/):

• Remove https://
• Remove www.
• Remove the trailing /

Enter the domain as: goodcharity.com

If your site uses a subdomain (for example, https://fundraise.goodcharity.com/):

• Remove https://
• Remove the trailing /

Enter the domain as: fundraise.goodcharity.com

If you use multiple domains, you can add them all here. The same reCAPTCHA keys can be used across multiple platforms, as long as each domain is listed.

Google Cloud Platform

If your Google account already has a Google Cloud Platform project, you can select it from the dropdown. If not, Google will create one for you, or you can name a new project during setup.

Once complete, accept the Terms of Service and click Submit. Google will then generate the reCAPTCHA keys you’ll use in your platform settings.

Adding Google reCAPTCHA Keys

Once you’ve submitted your reCAPTCHA setup in Google, you’ll be taken to a confirmation page displaying your site key and secret key.

In your Funraisin platform:

1

Navigate to Platform Setup > General Setup > App Settings > Google reCAPTCHA

2

Enter the keys provided by Google:

• • Secret key: Enter the Secret Key
  • Public key: Enter the Site Key

3

Click Save to apply the changes.

Enabling Google reCAPTCHA

Once the keys have been added, reCAPTCHA can be enabled either at the individual donation form, registration form, or webform level, or across the entire platform. Funraisin recommends enabling reCAPTCHA platform-wide to help protect your forms from spam and automated abuse.

Platform-wide

To enable reCAPTCHA platform-wide:

1

Navigate to Platform Setup > General Setup > App Settings > Google reCAPTCHA

2

Tick Enable reCAPTCHA on all forms (located below the key fields)

3

Click Save

Sponsored Donation Forms

Enabling reCAPTCHA for sponsored donation forms (those displayed on fundraising pages) is managed at the platform level and applies to all events.

To enable on sponsored donation forms:

1

Navigate to Platform Setup > Donation Defaults > Sponsored Donations > Form Options

2

Tick Enable reCAPTCHA

3

Click Save

This applies reCAPTCHA to individual, team, and organisation fundraising pages.

Donation Forms

To enable reCAPTCHA on a donation form or crowdfunding page—whether at the platform or event level—locate the page and open it in either Classic Builder or Visual Builder.

To enable reCAPTCHA using Classic Builder:

1

Within the page settings, navigate to Donation Settings > Form Options > Security

2

Tick Enable reCAPTCHA

3

Click Save, then Publish

To enable reCAPTCHA using Visual Builder:

1

Open the page in Visual Builder

2

Hover over the donation block and click the heart icon to open donation settings

3

Navigate to Form tab > Additional Fields

4

Toggle Security on, then tick Enable reCAPTCHA

5

Click Save, then Publish

Registration Forms

reCAPTCHA for registration flows is managed at the individual form level. This allows you to protect specific entry points without affecting other registration experiences.

To enable reCAPTCHA within a registration form:

1

Navigate to the relevant event > then Entry Forms

2

Click the edit icon to open the relevant registration form

3

Click the edit icon to open the Create Account step

4

Scroll to the Security section and tick Enable reCAPTCHA

5

Click Continue to save the changes.

Webforms

For standalone webforms used on content pages—for example, Contact Us forms—reCAPTCHA is enabled directly within the webform itself.

To enable reCAPTCHA on a webform:

1

Navigate to Content, then Webforms

2

Click the edit icon to open the relevant webform.

3

Go to Form Details, then in the Form Settings section, tick Enable Google reCAPTCHA

4

Click Save

When enabled, reCAPTCHA applies to standalone uses of the webform on content pages.

Testing and Troubleshooting

Once reCAPTCHA is enabled, it’s important to test your sea tup to confirm everything is working as expected. We recommend testing all form types where reCAPTCHA is enabled, including registration forms, donation forms, and webforms.

Testing helps ensure a positive user experience and avoids unnecessary friction. If reCAPTCHA is enabled but set up incorrectly, supporters won’t be able to proceed past the Create Account step during registration, and donors will be unable to complete their donation.

If reCAPTCHA is set up correctly, the reCAPTCHA icon will be displayed in the bottom-right corner of the screen when interacting with a protected form.

If there’s an issue with the setup, an error message may instead appear in red in the bottom-right corner of the screen.

If reCAPTCHA isn’t working as expected, check the following:

• Confirm the keys were entered correctly. If the public (site) key and secret key are entered in the wrong fields, reCAPTCHA won’t function correctly.
• Check that the domain was entered correctly when the keys were created in Google.
• Verify whether the site URL has changed since the keys were originally generated.

If issues persist, disable reCAPTCHA, generate a new set of keys in your Google account, and then add the updated keys to your platform.

Managing Spam and Card Testing

While reCAPTCHA is highly effective at reducing spam and automated abuse, no protection method is completely foolproof. As spam tactics continue to evolve, you may occasionally see activity get through—such as spam registrations, spam webform submissions, or card testing attempts on donation forms.

Managing spam registrations and webform submissions

Spam registrations or webform submissions can be safely deleted. If you start to notice patterns—such as repeated email addresses, domains, or IP addresses—you can add these to your blocklists to prevent further activity.

Managing card testing

Card testing occurs when stolen credit cards are used on donation forms, typically with small donation amounts, to check whether the card is still valid.

Any donations identified as card testing should be refunded as soon as possible. If a cardholder disputes a transaction, payment providers may charge a dispute fee (for example, around £15 / $20 per dispute), so prompt refunds can help reduce additional costs.

If you suspect card testing activity or need further assistance, reach out to the Support team by lodging a ticket via your platform.