Settings
Settings
Complete reference for all Captcha for WooCommerce settings.
Accessing settings
Navigate to: WooCommerce > Settings > CAPTCHA
Settings are organized into sections: Provider, Appearance, Protected Forms, Access Control, Advanced, and Privacy & Compliance.
Provider settings
CAPTCHA Provider
Description: Select which CAPTCHA provider to use.
Options: Cloudflare Turnstile, Google reCAPTCHA v3, Google reCAPTCHA v2, hCaptcha, Self-Hosted Honeypot
Default: None (must be selected during setup)
Changing the provider does not reset other settings. API keys for each provider are stored separately, so switching back is instant.
See CAPTCHA Providers for details on each.
Site Key
Description: The public key from your CAPTCHA provider.
Not required for the Honeypot provider.
Secret Key
Description: The private/secret key from your CAPTCHA provider.
Stored securely. Not included in settings exports for security.
Test Connection
Description: AJAX button that validates your API keys against the provider.
A green checkmark confirms valid keys. A red error explains what went wrong (invalid key, domain mismatch, etc.).
Appearance settings
Theme
Description: Visual theme for the CAPTCHA widget.
Options:
- Auto -- matches user's system preference (light/dark)
- Light -- always light background
- Dark -- always dark background
Only applies to Turnstile, reCAPTCHA v2, and hCaptcha. reCAPTCHA v3 and Honeypot are invisible.
Size
Description: Widget size.
Options: Normal, Compact
Default: Normal
Compact is useful for narrow forms or mobile layouts.
Score Threshold (reCAPTCHA v3 only)
Description: Minimum score required to pass verification.
Range: 0.0 to 1.0 (step 0.1)
Default: 0.5
Only visible when reCAPTCHA v3 is selected. See CAPTCHA Providers for tuning guidance.
Protected forms
Fifteen individual checkboxes grouped by category. Check the forms you want to protect.
WordPress: Login, Registration, Lost Password, Comments
WooCommerce: My Account Login, My Account Registration, My Account Lost Password, Checkout (Classic), Checkout (Block), Pay for Order
Extensions (conditional): Product Vendors Registration, Subscriptions Checkout, Memberships Registration
Extension checkboxes only appear when the corresponding plugin is active.
See Protected Forms for details on each form type.
Access control
Skip CAPTCHA for logged-in users
Description: When enabled, logged-in users bypass CAPTCHA on all forms.
Default: Off
Useful for stores where most orders come from returning customers with accounts.
Skip CAPTCHA for specific roles
Description: Multi-select of WordPress user roles that should bypass CAPTCHA.
Uses the WooCommerce enhanced select (searchable dropdown). Common choices: Administrator, Shop Manager, Editor.
IP Whitelist
Description: IP addresses that skip CAPTCHA entirely.
One entry per line. Supports single IPs, CIDR notation, wildcards, and inline comments.
See Rate Limiting & IP Control for format details.
IP Blocklist
Description: IP addresses that are blocked from all protected forms.
Same format as the whitelist. Blocked IPs are rejected before CAPTCHA verification.
See Rate Limiting & IP Control for format details.
Enable Rate Limiting
Description: Track failed attempts and lock out repeat offenders.
Default: Off
Max Failed Attempts
Description: Number of failed CAPTCHA attempts before lockout.
Default: 5 Range: 3-50
Lockout Duration (minutes)
Description: How long an IP is locked out after exceeding the failure threshold.
Default: 15 Range: 5-1440 (24 hours)
Time Window (minutes)
Description: Rolling window for tracking failed attempts. Failures older than this are not counted.
Default: 60 Range: 5-1440
See Rate Limiting & IP Control for configuration strategies.
Advanced settings
Enable honeypot as secondary layer
Description: Add the honeypot detection alongside your primary CAPTCHA provider.
Default: Off
When enabled, both the primary provider and the honeypot must pass. Catches bots that solve the CAPTCHA challenge but fail time-based or JavaScript detection.
Honeypot minimum submission time (seconds)
Description: Forms submitted faster than this are rejected by the honeypot.
Default: 3 Range: 1-30
Only relevant when honeypot is the primary provider or enabled as a secondary layer.
Failsafe Mode
Description: What happens when the external CAPTCHA provider is unreachable.
Options:
- Block all -- reject all form submissions
- Use honeypot fallback (recommended) -- fall back to honeypot
- Allow all -- skip CAPTCHA check entirely
See Compatibility for details.
Enable debug logging
Description: Log CAPTCHA verification attempts and errors to WooCommerce logs.
Default: Off
Logs are viewable at WooCommerce > Status > Logs. Look for entries with source captcha-for-woocommerce. Enable temporarily when troubleshooting verification failures.
Delete data on uninstall
Description: Remove all plugin data (settings, rate limit records) when the plugin is deleted.
Default: Off
When disabled, deactivating and deleting the plugin preserves settings in the database. Useful if you plan to reinstall later.
Privacy & compliance
The settings page includes a dynamic information section that updates based on your selected provider. It shows:
- What data the provider collects
- Where the data is sent
- Links to the provider's privacy policy and terms of service
- GDPR guidance
Settings export and import
Export
Click Export Settings to download a JSON file containing all current settings. The secret key is excluded for security.
Import
Click Import Settings and select a previously exported JSON file. Settings are merged with existing values. The secret key is preserved (not overwritten by import).
Useful for:
- Migrating settings from staging to production
- Backing up configuration before changes
- Sharing configuration across multiple sites
Reset
Click Reset to Defaults to restore all settings to their default values. This clears API keys, form selections, and all customizations. A confirmation dialog prevents accidental resets.