Nothing is more annoying than a mailbox full of spam responses or fake requests via your contact form. To prevent this, use a CAPTCHA: a security measure that checks whether a visitor is a human or a script (bot).

Since the advent of Joomla 5, the default Google reCAPTCHA plugins have been removed from the installation. So Joomla no longer supplies built-in spam protection. You now have to choose which technique you want to use and install a plugin for it.

This does give you more freedom: do you opt for the classic Google reCAPTCHA, or for a privacy-friendly alternative that is becoming the standard in 2026?

Step 1: Choose and install a Captcha Plugin
Since the feature is no longer available by default, you first need to download a plugin from the Joomla Extensions Directory (JED).

You have some logical choices:

Cloudflare Turnstile: This is the modern alternative. It is free, much more privacy-friendly than Google.

Google reCAPTCHA: Still want to stay with Google? Then you need to install an external plugin that brings back the functionality, this can be done e.g. with SharkyKZ's free plugin

OCHCaptcha and ALTCHA: Are privacy-friendly Captchas

Installation:

• Download the chosen plugin.
• Log in to your Joomla Administrator.
• Go to System > Install > Extensions.
• Upload and install the package.

Step 2: Creating keys
Depending on your choice in step 1, you need to create keys with the vendor.

For Google reCAPTCHA:

• Go to the Google reCAPTCHA Admin Console.
• Choose v3 (invisible) or v2 (tick) and add your domain.
• Copy the Site Key and Secret Key.

For Cloudflare Turnstile:

• Create a free account on Cloudflare.com.
• In the dashboard, go to "Turnstile" and add your site.
• Copy the Site Key and Secret Key.

Step 3: Setting up the Plugin
Now we link the keys to your Joomla site.

In Joomla, go to System > Plugins (under the Manage heading).

Find the plugin you installed in step 1

Open the plugin and paste the Site Key and Secret Key in the appropriate fields.

Set the Status to Enabled.

Click Save & Close.

Step 4: Activate for the entire website
As a final step, you need to tell Joomla that this new plugin is the "Default Captcha" for all forms.

Go to System > General Settings (Global Configuration).

You're on the Site tab.

Find the Default Captcha option.

Here, select the name of the plugin you just installed.

Do you see "None selected"? Then the plugin is not yet on or has not been installed.

Click Save.

Congratulations! Your contact forms and registration pages are now protected against spam, with technology that fits current standards.

Custom captchas are available for External form plugins such as RSForms or Tassos Convert Forms.