Frequently Asked Questions
General questions
What does this plugin do?
reCaptcha for WooCommerce adds bot protection to your WooCommerce store's checkout, login, registration, and other forms. It supports five CAPTCHA providers (Cloudflare Turnstile, Google reCAPTCHA v3, Google reCAPTCHA v2, hCaptcha, and a self-hosted honeypot) and includes rate limiting and IP access control.
Do I need API keys?
For Cloudflare Turnstile, Google reCAPTCHA (v2 or v3), and hCaptcha, yes. All providers offer free tiers. The self-hosted Honeypot requires no API keys and makes no external calls.
Which provider should I use?
- Cloudflare Turnstile for most stores. Free, invisible, privacy-friendly.
- Google reCAPTCHA v3 if you want score-based invisible verification and are already in the Google ecosystem.
- Google reCAPTCHA v2 if you want visible "I'm not a robot" confirmation.
- hCaptcha for a privacy-focused alternative to Google.
- Honeypot for GDPR-strict stores or if you want zero external service dependencies.
Does it work with Block Checkout?
Yes. The plugin integrates with Block Checkout through the official WooCommerce Store API, not DOM injection. It works reliably with the React-based checkout without breaking on re-renders.
Does it work with PayPal Payments?
Yes. The plugin automatically detects when WooCommerce PayPal Payments has its own reCAPTCHA enabled and skips CAPTCHA for PayPal payment methods to prevent double verification conflicts. Other payment methods remain protected.
Does it work with Apple Pay / Google Pay?
Yes. Express payment methods are automatically skipped because they use their own secure wallet authentication (Face ID, Touch ID, device PIN). The plugin detects these methods and lets them through without CAPTCHA.
Setup questions
How do I get Cloudflare Turnstile keys?
- Go to dash.cloudflare.com/turnstile.
- Click Add widget.
- Enter your site name and domain.
- Select Managed mode.
- Copy the Site Key and Secret Key.
How do I test that CAPTCHA is working?
- Enable at least one form (start with checkout).
- Open your store in a private/incognito browser window.
- Navigate to the protected form.
- For visible providers (reCAPTCHA v2, hCaptcha), you should see the widget.
- For invisible providers (Turnstile, reCAPTCHA v3, Honeypot), submit the form normally. It should work for real users.
- Check the dashboard widget at Dashboard > CAPTCHA Protection for verification activity.
How do I know which forms to protect?
Start with:
- WooCommerce Checkout (both Classic and Block) -- protects against carding attacks
- WooCommerce My Account Login -- protects against brute force
- WooCommerce My Account Registration -- protects against spam accounts
Can I use different providers for different forms?
No. The plugin uses one active provider for all forms. This is intentional: consistent behavior is easier to test and debug. You can skip CAPTCHA for specific forms using the settings checkboxes or the cfwc_form_enabled filter.
Troubleshooting
CAPTCHA verification fails for every user
- Check API keys. Use the "Test Connection" button on the settings page.
- Check domain. Your CAPTCHA provider keys must be registered for the exact domain your site uses (including www vs non-www).
- Check caching. Page caching that serves stale CAPTCHA tokens will cause failures. Exclude checkout and account pages from caching.
- Enable debug logging. Go to Advanced settings, enable logging, reproduce the issue, then check WooCommerce > Status > Logs.
CAPTCHA blocks legitimate customers
- Lower the score threshold if using reCAPTCHA v3. Default 0.5 works for most stores. Try 0.3 if customers on VPNs or shared networks are affected.
- Whitelist roles for logged-in customers who are being blocked. Go to Access Control and add their role.
- Check rate limiting settings. If the lockout window is too aggressive, legitimate users who mistype their password may get locked out.
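The key, domain, caching and score checks in the two lists above correspond to fields in the provider's siteverify response. The following added example (not part of the plugin or its documentation) classifies a response body using the `success`, `error-codes`, `hostname` and `score` fields documented for Google reCAPTCHA and Cloudflare Turnstile. The function name `diagnose`, the host `shop.example` and the sample bodies are constructed for illustration; how the plugin records these responses in its debug log is not stated here.

```python
import json

# Error codes shared by the Google reCAPTCHA and Cloudflare Turnstile
# siteverify responses, mapped to the troubleshooting checks in this FAQ.
ERROR_HINTS = {
    "missing-input-secret": "Check API keys: no secret key was sent.",
    "invalid-input-secret": "Check API keys: the secret key was rejected.",
    "missing-input-response": "No token reached the server: check for JavaScript errors.",
    "invalid-input-response": "Token is malformed or belongs to a different key pair.",
    "timeout-or-duplicate": "Check caching: the token is expired or was already used.",
}

# Constructed sample bodies (not captured from a real store).
SAMPLES = {
    "stale": '{"success": false, "error-codes": ["timeout-or-duplicate"]}',
    "www_mismatch": '{"success": true, "hostname": "www.shop.example", "score": 0.9}',
    "low_score": '{"success": true, "hostname": "shop.example", "score": 0.4}',
    "ok": '{"success": true, "hostname": "shop.example", "score": 0.7}',
}


def diagnose(raw_json, site_host, threshold=0.5):
    """Return (allowed, findings) for one siteverify response body."""
    try:
        resp = json.loads(raw_json)
    except (TypeError, ValueError):
        resp = None
    if not isinstance(resp, dict):
        return False, ["Unexpected provider response: check the failsafe setting."]
    findings = [ERROR_HINTS.get(c, f"Unrecognised error code: {c}")
                for c in resp.get("error-codes") or []]

    # www.shop.example and shop.example are different hostnames to the provider.
    host = resp.get("hostname")
    if host and host.lower() != site_host.lower():
        findings.append(f"Check domain: token solved on {host}, site is {site_host}.")

    # Only reCAPTCHA v3 returns a score; other providers omit the field.
    score = resp.get("score")
    if isinstance(score, (int, float)) and score < threshold:
        findings.append(f"Score {score} is below threshold {threshold}.")

    return resp.get("success") is True and not findings, findings


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, diagnose(body, "shop.example"))
```

The `low_score` sample is rejected at the default threshold of 0.5 and accepted at 0.3, which is the trade-off the threshold setting controls.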
CAPTCHA widget doesn't appear
- Check the provider. Invisible providers (reCAPTCHA v3, Honeypot) don't show a visible widget. Only Turnstile (sometimes), reCAPTCHA v2, and hCaptcha show visible elements.
- Check the form setting. Verify the specific form is checked under Protected Forms.
- Check for JavaScript errors. Open browser developer tools (F12) and look for errors in the Console tab.
- Check asset loading. The plugin only loads scripts on pages with protected forms. If you're using a custom checkout page, you may need the cfwc_should_load_assets filter.
Checkout breaks after installing
- PayPal conflict. If you use WooCommerce PayPal Payments with its reCAPTCHA enabled, the plugin should auto-detect this. Verify auto-detection is working by checking for the info notice on the settings page.
- Express payments. Verify the plugin correctly skips CAPTCHA for Apple Pay, Google Pay, etc. Check that the express payment method IDs are in the skip list.
- Another CAPTCHA plugin. Two CAPTCHA plugins on the same form will conflict. Deactivate the other plugin.
- Failsafe mode. If the CAPTCHA provider is down, check your failsafe setting. "Use honeypot fallback" prevents blocking all customers.
Rate limiting locks out my office
Add your office IP to the whitelist at WooCommerce > Settings > CAPTCHA > Access Control > IP Whitelist. Whitelisted IPs bypass both CAPTCHA and rate limiting.
Privacy and compliance
Is this GDPR compliant?
It depends on your provider choice:
- Honeypot: Fully GDPR compliant. No external data transfer, no cookies.
- Cloudflare Turnstile and hCaptcha: GDPR-friendly. Both have published GDPR compliance documentation.
- Google reCAPTCHA: Transfers data to Google servers. Requires disclosure in your privacy policy and potentially cookie consent.
What data is sent to the CAPTCHA provider?
For external providers (all except Honeypot), the following is typically sent:
- The visitor's IP address
- Browser user agent
- The CAPTCHA response token
- Your site key
Do I need a cookie consent banner?
For Google reCAPTCHA, potentially yes, depending on your jurisdiction. Cloudflare Turnstile and hCaptcha have more privacy-friendly cookie practices. The Honeypot does not set any cookies.
The settings page includes a dynamic privacy section showing the data handling details for your selected provider.
Technical questions
Is it compatible with HPOS?
Yes. The plugin declares HPOS compatibility and works with both the legacy and custom order tables storage backends.
Does it work with WordPress multisite?
Yes. Each site in the network has its own CAPTCHA settings. The plugin can be activated per-site or network-wide.
Can developers extend it?
Yes. The plugin provides 7 action hooks, 12+ filter hooks, a public API for rendering and verifying CAPTCHA on custom forms, and the ability to register custom CAPTCHA providers. See the Developer Guide.
Where are settings stored?
Settings are stored in the cfwc_settings option in the WordPress options table. Individual settings are also mirrored to WooCommerce options with the cfwc_ prefix.
Is data deleted when I deactivate?
No. Deactivation preserves all settings. If you want a clean uninstall, enable "Delete data on uninstall" in Advanced settings before deleting the plugin.
Support
Where can I get help?
- Themology Support: Bug reports, feature requests, and critical support.
- Plugin documentation: You're reading it!
How do I report a bug?
Submit via Themology Support with:
- WordPress version
- WooCommerce version
- Plugin version
- CAPTCHA provider in use
- Steps to reproduce
- Browser developer console errors (if applicable)