It’s never been easier to automate bad-faith activity on the internet. On Wikipedia, we deal with bots making inauthentic edits and the risk of scaled campaigns that could disrupt the projects. As part of the Wikimedia Foundation’s focus on securing our platform and detecting bad-faith activity, we are building stronger protections against bots carrying out activities that are generally intended for humans, such as creating accounts and editing.
Historically, many websites have used a “CAPTCHA” to try to present a puzzle that is doable for humans and hard for computers. As the web has evolved and computers have gotten smarter, these have become both more challenging for humans and easier for computers. We recognize this and are updating our approach to automated abuse on Wikipedia.
We began in September 2025, by launching a trial of hCaptcha, third-party bot detection service, to replace our old CAPTCHA. Since then, eight large Wikipedias (including English) have relied on hCaptcha for account creation and certain kinds of edits. hCaptcha is a company that specializes in bot detection, with experience protecting very large online websites while prioritizing user privacy in its design.
The way our legacy CAPTCHA system has worked is to challenge all users, in the hope that the challenge will be doable for humans but hard for bots. In this new approach with hCaptcha, the system only challenges suspicious activity, so very few human users (we estimate about 2%) receive a visual challenge at all. hCaptcha also gives us “likely bot” signals for account creation and covered edits, regardless of whether the session was challenged.
During the trial, we shared those signals with trusted community members, who used them to find and remove bad-faith activity on the wikis that were likely made by bots and which may not have been found any other way. We also tested whether using hCaptcha affected how easy it was for users to edit and create accounts. We found that editing appears unaffected, and account creation went up by about 10%. This strongly suggests that this new approach is detecting bad-faith activity as intended, without making things harder for users.
How well the system does at blocking bots upfront, by serving a challenge that they do not complete, is encouraging – but inherently difficult to measure. Using abuse metrics as an indirect measure, in our testing we saw a 31% reduction in block rates for user accounts where hCaptcha was involved. This suggests that hCaptcha was stopping bots from registering that would otherwise have gone on to make edits that led it to be blocked by a human reviewer.
Overall, we believe this is a very promising direction that has made Wikipedia easier to use, and better protected the Wikimedia projects from bots. Next, our team will expand our use of hCaptcha to the rest of the Wikimedia projects, so that all wikis can benefit from stronger protections.
Thanks to everyone who provided feedback, critiques, and questions throughout the trial. You can follow this work going forward on our project page, on Tech News, and in the Wikimedia Foundation Bulletin.
Can you help us translate this article?
In order for this article to reach as many people as possible we would like your help. Can you translate this article to get the message out?
Start translation