Themology
HomeProductsBlogAboutLogin
reCaptcha for WooCommerce
Get this plugin$29
View Plugin
Introduction
Getting Started
CAPTCHA Providers
Protected Forms
Rate Limiting & IP Control
Compatibility
Settings
Developer Guide
FAQ
All Documentation
Get Plugin
DocsreCaptcha for WooCommerceProtected Forms

Protected Forms

Protected Forms

reCaptcha for WooCommerce can protect 15 different form types across WordPress core, WooCommerce, and WooCommerce extensions. Each form can be enabled or disabled independently from WooCommerce > Settings > CAPTCHA > Protected Forms.

WordPress forms

Login form

Setting: WordPress Login Location: /wp-login.php

Protects the default WordPress login page. Useful for stores where the WordPress login is exposed (not redirected to WooCommerce My Account).

Registration form

Setting: WordPress Registration Location: /wp-login.php?action=register

Protects the default WordPress registration form. Only relevant if WordPress registration is enabled separately from WooCommerce.

Lost Password form

Setting: WordPress Lost Password Location: /wp-login.php?action=lostpassword

Prevents bots from flooding password reset emails to your users.

Comment form

Setting: WordPress Comments Location: Any post or page with comments enabled

Stops comment spam. Works alongside or as a replacement for Akismet.

WooCommerce forms

My Account Login

Setting: WooCommerce Login Location: /my-account/ login form

Protects the WooCommerce customer login form on the My Account page. This is separate from the WordPress login because WooCommerce uses its own authentication hooks.

My Account Registration

Setting: WooCommerce Registration Location: /my-account/ registration form

Stops automated account creation. Particularly important for stores that offer member-only pricing or subscription access.

My Account Lost Password

Setting: WooCommerce Lost Password Location: /my-account/lost-password/

Prevents password reset spam targeting your WooCommerce customers.

Classic Checkout

Setting: WooCommerce Checkout (Classic) Location: Checkout page using the classic [woocommerce_checkout] shortcode

The CAPTCHA widget appears before the Place Order button. Validation runs during woocommerce_checkout_process.

Block Checkout

Setting: WooCommerce Checkout (Block) Location: Checkout page using the WooCommerce Checkout block

The CAPTCHA widget is injected via the render_block_woocommerce/checkout filter. The token is passed through the Store API as extensions['captcha-for-woocommerce']['token'] and validated server-side during woocommerce_store_api_checkout_update_order_from_request.

This is a proper Store API integration, not a DOM hack. It works reliably with WooCommerce's React-based checkout.

Pay for Order

Setting: WooCommerce Pay for Order Location: /checkout/order-pay/{order-id}/

Protects the "Pay for Order" page that customers use when they need to retry payment on a pending order. This page is a common target for carding attacks because it already has an order with products attached.

WooCommerce extension forms

These form options only appear when the corresponding extension plugin is active.

Product Vendors Registration

Setting: Product Vendors Registration Requires: WooCommerce Product Vendors active Location: Vendor registration shortcode form

Protects the vendor application/registration form. Most CAPTCHA plugins don't detect or support Product Vendors forms at all.

Subscriptions Checkout

Setting: WooCommerce Subscriptions Requires: WooCommerce Subscriptions active

Extends checkout protection to subscription-specific payment flows, including renewal and switch operations.

Memberships Registration

Setting: WooCommerce Memberships Requires: WooCommerce Memberships active

Extends protection to membership-specific registration flows.

How form protection works

When a protected form is submitted:

  • The CAPTCHA widget captures a response token (or honeypot data).
  • The plugin sends the token to the provider's API for verification (except honeypot, which validates locally).
  • If verification passes, the form submission continues normally.
  • If verification fails, the submission is blocked with an error message and the failed attempt is logged.
  • If rate limiting is enabled, failed attempts count toward the IP lockout threshold.
On Block Checkout, the flow is slightly different:
  • The JavaScript client collects the CAPTCHA token.
  • The token is included in the Store API checkout request under the extensions key.
  • Server-side validation runs before order processing.
  • Failed verification returns a Store API error that displays in the checkout error area.

Enabling and disabling forms

Each form has an independent checkbox. Changing one form does not affect others. Extension forms (Product Vendors, Subscriptions, Memberships) automatically hide from the settings page when those plugins are not active.

You can also control form protection programmatically:

// Disable CAPTCHA on a specific form conditionally
add_filter( 'cfwc_form_enabled', function( $enabled, $form_type ) {
    if ( $form_type === 'wc_checkout_block' && is_user_logged_in() ) {
        return false;
    }
    return $enabled;
}, 10, 2 );

Form type identifiers

For developers using hooks and filters, these are the internal form type IDs:

FormID
WordPress Loginwp_login
WordPress Registrationwp_register
WordPress Lost Passwordwp_lost_password
WordPress Commentswp_comment
WooCommerce Loginwc_login
WooCommerce Registrationwc_register
WooCommerce Lost Passwordwc_lost_password
WooCommerce Checkout (Classic)wc_checkout_classic
WooCommerce Checkout (Block)wc_checkout_block
WooCommerce Pay for Orderwc_pay_order
Product Vendors Registrationwcpv_registration
WooCommerce Subscriptionswc_subscriptions
WooCommerce Membershipswc_memberships
Scroll to see all columns →
Previous
CAPTCHA Providers
Next
Rate Limiting & IP Control