CAPTCHA Providers

reCaptcha for WooCommerce supports five CAPTCHA providers. You can switch between them at any time from WooCommerce > Settings > CAPTCHA without losing your form protection settings.

Cloudflare Turnstile

Type: Invisible challenge (occasionally shows a brief widget)
Cost: Free, unlimited requests
Privacy: Cloudflare-managed, GDPR-friendly

Turnstile runs invisible browser challenges that verify visitors without interaction. Most legitimate users never see anything. Occasionally, a small widget appears for a few seconds while Turnstile verifies the browser.

When to use

  • Default choice for most stores
  • Good balance of security and user experience
  • Free with no usage limits
  • Privacy-friendly (Cloudflare doesn't use the data for ad targeting)

Configuration

Setting      Description                           Default
Site Key     From Cloudflare Turnstile dashboard   Required
Secret Key   From Cloudflare Turnstile dashboard   Required
Theme        Auto (match site), Light, or Dark     Auto
Size         Normal or Compact                     Normal

Getting keys


Google reCAPTCHA v3

Type: Score-based, fully invisible
Cost: Free up to 1M assessments/month
Privacy: Google data collection applies

reCAPTCHA v3 runs entirely in the background. It assigns each visitor a score between 0.0 (likely bot) and 1.0 (likely human). No user interaction required.

When to use

  • Maximum invisibility (no widget at all)
  • Stores already in the Google ecosystem
  • When you want score-based decisions rather than binary pass/fail

Configuration

Setting           Description                         Default
Site Key          From Google reCAPTCHA console       Required
Secret Key        From Google reCAPTCHA console       Required
Score Threshold   Minimum score to pass (0.0-1.0)     0.5

Score threshold guide

Threshold   Effect
0.3         Permissive. Lets most traffic through. Some bots may pass.
0.5         Balanced. Good default for most stores.
0.7         Strict. May block some legitimate users on VPNs or shared IPs.
0.9         Very strict. High false-positive risk. Not recommended for checkout.

Start with 0.5. If you still see spam, raise to 0.6 or 0.7. If legitimate customers report issues, lower it.

The threshold is filterable for developers:

add_filter( 'cfwc_recaptcha_v3_threshold', function( $threshold ) {
    return 0.6; // Require a score of at least 0.6 to pass
});
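The following is an added example, not the plugin's own code, showing how a reCAPTCHA v3 siteverify response is judged once a threshold is chosen: it fails closed on a missing score and rejects tokens whose action or hostname do not match the form they were rendered for. The function name, the expected action/hostname and the sample responses are constructed; the response keys follow Google's documented siteverify JSON.

```php
<?php
// Added example: decide whether a reCAPTCHA v3 siteverify response passes.
// Not the plugin's code; the function name and sample data are illustrative.
// Keys (success, score, action, hostname, error-codes) are Google's siteverify JSON.

function example_v3_decision(array $verify, string $expected_action, string $expected_host, float $threshold): array {
    // Reject when Google itself reports failure (bad or expired token, wrong secret).
    if (empty($verify['success'])) {
        return [false, 'siteverify reported failure: ' . implode(',', $verify['error-codes'] ?? [])];
    }
    // The token is bound to the action and hostname the widget was rendered with;
    // a mismatch means a token obtained on another form or site is being reused.
    if (($verify['action'] ?? '') !== $expected_action) {
        return [false, 'action mismatch'];
    }
    if (($verify['hostname'] ?? '') !== $expected_host) {
        return [false, 'hostname mismatch'];
    }
    // A missing score must not silently become 0.0 or 1.0: fail closed.
    if (!isset($verify['score'])) {
        return [false, 'no score in response'];
    }
    $score = (float) $verify['score'];
    if ($score < $threshold) {
        return [false, sprintf('score %.2f below threshold %.2f', $score, $threshold)];
    }
    return [true, sprintf('score %.2f passes threshold %.2f', $score, $threshold)];
}

// Constructed sample responses (shape follows Google's siteverify JSON).
$human    = ['success' => true, 'score' => 0.9, 'action' => 'checkout', 'hostname' => 'shop.example'];
$suspect  = ['success' => true, 'score' => 0.3, 'action' => 'checkout', 'hostname' => 'shop.example'];
$replayed = ['success' => true, 'score' => 0.9, 'action' => 'login',    'hostname' => 'shop.example'];
$failed   = ['success' => false, 'error-codes' => ['timeout-or-duplicate']];

// Run the same responses at the page's default (0.5) and strict (0.7) thresholds.
foreach ([0.5, 0.7] as $threshold) {
    $samples = ['human' => $human, 'suspect' => $suspect, 'replayed' => $replayed, 'failed' => $failed];
    foreach ($samples as $label => $resp) {
        [$ok, $why] = example_v3_decision($resp, 'checkout', 'shop.example', $threshold);
        printf("threshold %.1f %-9s %s: %s\n", $threshold, $label, $ok ? 'PASS' : 'BLOCK', $why);
    }
}
```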

Getting keys


Google reCAPTCHA v2

Type: "I'm not a robot" checkbox
Cost: Free up to 1M assessments/month
Privacy: Google data collection applies

The classic checkbox challenge. Users click "I'm not a robot" and occasionally solve an image puzzle. Visible confirmation that protection is active.

When to use

  • When you want visible proof of bot protection (some users feel safer)
  • Registration and login forms where a checkbox is less disruptive
  • Stores with older demographics who may not trust invisible methods

Configuration

Setting      Description                       Default
Site Key     From Google reCAPTCHA console     Required
Secret Key   From Google reCAPTCHA console     Required
Theme        Auto, Light, or Dark              Auto
Size         Normal or Compact                 Normal

Getting keys


hCaptcha

Type: Challenge-based (image selection or invisible)
Cost: Free up to 1M requests/month
Privacy: Does not sell personal data, GDPR-friendly

hCaptcha is a privacy-focused alternative to Google reCAPTCHA. It can run as an invisible challenge or show image puzzles when needed.

When to use

  • Privacy-conscious stores that want to avoid Google
  • EU/UK/Australian stores focused on data minimization
  • Stores that want an alternative to Cloudflare

Configuration

Setting      Description                             Default
Site Key     UUID format from hCaptcha dashboard     Required
Secret Key   From hCaptcha account settings          Required
Theme        Auto, Light, or Dark                    Auto
Size         Normal or Compact                       Normal

Getting keys

  • Go to dashboard.hcaptcha.com.
  • Create an account and add your site.
  • Copy the Site Key (UUID format like a1b2c3d4-e5f6-...).
  • Copy the Secret Key from your account settings.

Self-Hosted Honeypot

Type: Multi-layer invisible bot trap
Cost: Free
Privacy: Maximum. No external calls, no cookies, no data leaves your server.

The honeypot is not a traditional single hidden field. It uses seven layers of detection:

  • JavaScript-injected hidden fields -- bots that don't execute JS fill out visible-to-them fields
  • Multiple decoy trap fields -- with site-unique naming that changes per installation
  • Time-based detection -- forms submitted faster than the configurable minimum (default 3 seconds) are rejected
  • Nonce protection -- prevents replay attacks and form resubmission
  • JavaScript math challenge -- a simple math problem solved by the browser's JS engine
  • Form expiry -- submissions older than 24 hours are rejected
  • Spam statistics tracking -- tracks blocked attempts for the dashboard widget

When to use

  • GDPR-strict stores where no external service calls are acceptable
  • Stores that don't want to require cookie consent for CAPTCHA
  • As a secondary layer alongside another provider (enable via Advanced Settings)
  • As a failsafe fallback when the primary provider is unreachable

Configuration

Setting                   Description                              Default
Minimum submission time   Seconds before form can be submitted     3

The minimum time is filterable:

add_filter( 'cfwc_honeypot_min_time', function( $min_time ) {
    return 5; // Require 5 seconds minimum
});

Limitations

  • Less effective against sophisticated bots that execute JavaScript
  • No challenge-based verification for edge cases
  • Best used as a layer rather than sole protection for high-risk stores

Using honeypot as a secondary layer

Regardless of which primary provider you use, you can enable the honeypot as an additional detection layer. Go to WooCommerce > Settings > CAPTCHA > Advanced and check Enable honeypot as secondary layer.

When enabled, both your primary provider and the honeypot must pass for a form submission to succeed. This catches bots that might solve the CAPTCHA challenge but still fail the time-based or JavaScript detection.
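The following added example, which is not the plugin's own code, walks a submitted form through the honeypot layers listed above (trap fields, JS-injected field, signed nonce with replay protection, minimum time, 24-hour expiry, math challenge) and then shows the secondary-layer rule that both the primary provider and the honeypot must pass. Field names, the secret, the token format and the sample submissions are constructed for illustration.

```php
<?php
// Added example (not the plugin's code): server-side checks for the honeypot
// layers described above, plus the "both must pass" combination with a primary
// provider. Field names, secret and sample submissions are constructed.
const EXAMPLE_SECRET  = 'replace-with-a-site-unique-secret';
const EXAMPLE_TRAPS   = ['hp_f3a9_email', 'hp_f3a9_url'];  // decoy names, unique per install
const EXAMPLE_MAX_AGE = 24 * 3600;                         // form expiry: 24 hours

// The server issues a token carrying the render timestamp and a math challenge,
// HMAC-signed so the client cannot forge an older timestamp or a different sum.
function example_issue_token(int $issued_at, int $a, int $b): string {
    $payload = "$issued_at:$a:$b";
    return $payload . ':' . hash_hmac('sha256', $payload, EXAMPLE_SECRET);
}

function example_validate_honeypot(array $post, int $now, int $min_time, array &$seen): array {
    // Layer: decoy trap fields must stay empty (browsers hide them, bots fill them).
    foreach (EXAMPLE_TRAPS as $trap) {
        if (!empty($post[$trap])) return [false, "trap field $trap filled"];
    }
    // Layer: a field injected by JavaScript must be present (non-JS bots never add it).
    if (!isset($post['js_marker'])) return [false, 'no JS-injected field'];
    // Layer: the signed nonce must verify and must not have been used before (replay).
    $parts = explode(':', $post['token'] ?? '');
    if (count($parts) !== 4) return [false, 'malformed token'];
    [$issued_at, $a, $b, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', "$issued_at:$a:$b", EXAMPLE_SECRET), $mac)) return [false, 'bad token signature'];
    if (isset($seen[$mac])) return [false, 'token replayed'];
    // Layer: time-based detection (too fast) and form expiry (too old).
    $elapsed = $now - (int) $issued_at;
    if ($elapsed < $min_time) return [false, "submitted in {$elapsed}s, minimum is {$min_time}s"];
    if ($elapsed > EXAMPLE_MAX_AGE) return [false, 'form expired'];
    // Layer: the answer computed by the browser's JS engine must match.
    if ((int) ($post['math_answer'] ?? -1) !== (int) $a + (int) $b) return [false, 'math challenge failed'];
    $seen[$mac] = true;  // consume the nonce only after every layer passed
    return [true, 'ok'];
}

// Secondary-layer mode: the primary provider AND the honeypot must both pass.
function example_combined(bool $primary_ok, array $honeypot_result): bool {
    return $primary_ok && $honeypot_result[0];
}

$seen  = [];
$token = example_issue_token(1700000000, 4, 7);
$form  = ['token' => $token, 'js_marker' => '1', 'math_answer' => '11', 'hp_f3a9_email' => '', 'hp_f3a9_url' => ''];
printf("fast:   %s\n", example_validate_honeypot($form, 1700000001, 3, $seen)[1]);  // rejected, nonce kept
printf("human:  %s\n", example_validate_honeypot($form, 1700000005, 3, $seen)[1]);  // ok, nonce consumed
printf("replay: %s\n", example_validate_honeypot($form, 1700000006, 3, $seen)[1]);  // rejected
var_dump(example_combined(true, example_validate_honeypot($form, 1700000007, 3, $seen)));  // false: replay
```

In a real deployment the consumed-nonce set would live in persistent storage (a transient or table) rather than a PHP array, since each request is a fresh process.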

Switching providers

Changing providers does not affect:

  • Which forms are protected (those settings are independent)
  • Rate limiting configuration
  • IP whitelist/blocklist
  • Any other settings

You only need to enter the new provider's API keys. The old keys are not deleted, so switching back is instant.