Google's reCAPTCHA service is a free service that can generate and display a CAPTCHA box in your form. It has evolved over time from asking users to decipher a scrambled message in an image to displaying addresses and other street signs and asking users to enter what they saw. In its latest incarnation, reCAPTCHA simply asks the user to check a box to indicate that they are not a robot and only asks more advanced questions if it suspects the visitor of being an automated system. When visitors check the box, a hidden field is populated with a validation code that gets sent to our data processing function along with the rest of the form data.
Adding a reCAPTCHA to our form is actually quite easy, only requiring us to load a JavaScript file and add a line of code to our form that gets transformed into the service's trademark checkbox. Once the form data is posted, validating it is a bit more complex than the nonces we have used before, since our plugin needs to communicate with Google's servers to check the validation code. Thankfully, Google offers an easy-to-use library to hide away much of this operation's complexity. If the reCAPTCHA code received is valid, the previously created data processing and storage code is executed as before. Otherwise, an error message is displayed to users. In addition to being easy to integrate, a benefit of using a third-party service is that most code updates are done by the service provider. You would still need to check for occasional updates to the PHP validation library, but that is only a small part of this service's functionality.
If you are planning to distribute a plugin that makes use of the reCAPTCHA service to more than one person or customer, it would not make sense to leave your own website and secret keys in the final plugin code, as we have done here. Instead, you should create an administration panel, as you learned to do in Chapter 3, User Settings and Administration Pages, so that users can enter their own keys and have them be used on the website.
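
One way to perform the server-side check described above, shown as an added example rather than the book's own code: it posts the validation code to Google's `siteverify` endpoint with the WordPress HTTP API instead of Google's PHP library, and reads the secret key from a plugin option as the previous paragraph recommends. The function name, the option name and its `secret_key` entry, and the `$expected_host` parameter are hypothetical.

```php
<?php
// Added example, not the book's code. Hypothetical names: ch_verify_recaptcha(),
// the 'ch_recaptcha_options' option and its 'secret_key' entry.

/**
 * Returns true only when Google confirms the validation code posted with the form.
 * Every failure path (missing code, network error, bad JSON) returns false.
 */
function ch_verify_recaptcha( $expected_host ) {
	// The secret key comes from plugin settings, not from a constant in the source.
	$options = get_option( 'ch_recaptcha_options', array() );
	$secret  = isset( $options['secret_key'] ) ? $options['secret_key'] : '';

	// The reCAPTCHA widget's hidden field is named g-recaptcha-response.
	$token = isset( $_POST['g-recaptcha-response'] )
		? sanitize_text_field( wp_unslash( $_POST['g-recaptcha-response'] ) )
		: '';

	if ( '' === $secret || '' === $token ) {
		return false;
	}

	$reply = wp_remote_post(
		'https://www.google.com/recaptcha/api/siteverify',
		array(
			'timeout' => 5,
			'body'    => array(
				'secret'   => $secret,
				'response' => $token,
			),
		)
	);

	// Fail closed: an unreachable or erroring service must not let the submission through.
	if ( is_wp_error( $reply ) || 200 !== wp_remote_retrieve_response_code( $reply ) ) {
		return false;
	}

	$result = json_decode( wp_remote_retrieve_body( $reply ), true );
	if ( ! is_array( $result ) || empty( $result['success'] ) ) {
		return false;
	}

	// Defense in depth: the code must have been issued on this site's hostname.
	return isset( $result['hostname'] ) && $result['hostname'] === $expected_host;
}
```

Call it at the top of the form's data processing function, for example with `wp_parse_url( home_url(), PHP_URL_HOST )` as the expected host, and show the error message when it returns false.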