Because otherwise you (or someone else) will be able to DDoS them.
Think of it like this: website A has an average user base of 10 users and can easily handle 20 requests simultaneously. So the server doesn’t usually have any trouble providing data to the clients under normal circumstances.
But there is one flaw – no one provided DDoS protection to the server. So let’s say one bad guy whose name is Gary is going to ruin everybody’s fun by Denial of Service (DoS). But since 11 requests from 11 users (clients+Gary) is well within the operational limits, he chooses to use a Distributed Denial of Service (hence DDoS) tactic by attacking the server via, let’s say, 100 bots. These bots send requests to the server, which can only handle 20 at once, “overloading” it with them. Since the server already struggles with these bots’ requests, my or your request won’t get a response – hence we are denied service.
Every time you visit a webpage, a server has to spend a small amount of computing resources sending the page back to you. That’s cool; most websites will rarely have too many visitors at once, and those that do will have the server capacity for it.
But now imagine you run a website and someone has a grudge against you. By using an automated piece of software (that’s what we mean by a bot here, not a literal robot), they could request so many web pages from your server that those small amounts of resources add up and it’s using so many resources to respond to those requests that when someone legitimately wants to view the page, the server doesn’t have the available resources to show it to them. This is called a *denial of service* (DoS) attack.
In reality, this generally happens with many computers, often infected with malware to make them all send requests to this server, in which case it is called a *distributed* DoS attack, or DDoS.
So human verification is a way to prevent that happening.
Of course, some sites have additional reasons to not want bots, such as social networks, where bots could be used to manipulate the numbers of likes etc.
Imagine you work at the grocery store giving out cheese samples. The sign says “one sample per customer”, but I’m a greedy cheese monster and I want a lot of cheese for free.
If I know how to cheaply build robots which can convincingly pretend to be customers, if each and every one of those robots *counts* as a customer, then I can send an army of robot shoppers to take all your cheese! If you want to save your cheese for your human customers, you might start asking a skill-testing question to keep the robots out.
It’s fairly trivial for a programmer to create a script that automatically fills forms. If there was no validation, anyone could create infinite accounts or send contact forms with garbage data and eventually either exploit a promo for new users or crash the server by making it use lots of resources. There are many other possibilities but the main purpose is to stop automatic bots from exploiting the system. Not that a captcha makes it impossible but it does make it harder for most cases.