Spam bots are getting smarter every day. Fake registrations, fraudulent orders, and automated carding attacks cost WooCommerce store owners thousands in chargebacks, wasted inventory, and lost time.
A good CAPTCHA plugin stops bots while letting real customers through. But which one actually works without killing your conversion rate, or breaking your checkout?
We build WooCommerce plugins, so we deal with checkout compatibility issues constantly. We set up a staging environment with WooCommerce, Stripe, WooCommerce PayPal Payments (with its built-in reCAPTCHA enabled), Block Checkout enabled, and HPOS turned on. Then we installed each CAPTCHA plugin one at a time and ran the same tests.
Here's what we found.
Why WooCommerce CAPTCHA is different from WordPress CAPTCHA
Before the plugin breakdown, here's what makes WooCommerce tricky for CAPTCHA plugins:
- WooCommerce PayPal Payments has its own reCAPTCHA now. The PayPal Payments plugin has built-in reCAPTCHA protection that covers PayPal's payment endpoints. If your CAPTCHA plugin also runs on checkout, you get double verification that often breaks the payment flow. Your CAPTCHA plugin needs to detect this and skip for PayPal methods automatically.
- Express payment buttons run their own flow. Apple Pay, Google Pay, and Amazon Pay inject JavaScript that bypasses the normal form submission. A CAPTCHA that hooks into form submission will either block the express payment or silently fail.
- Block Checkout is React-based. The new default WooCommerce checkout doesn't use traditional form submissions. PHP-based CAPTCHA hooks from the classic checkout era simply don't fire.
- HPOS changes the database structure. Plugins that write order-related data need to support the new custom order tables. This matters for CAPTCHA logging and rate limiting.
- Multi-vendor stores have extra forms. If you use WooCommerce Product Vendors, vendor registration and login forms are separate attack surfaces that most CAPTCHA plugins ignore entirely.
Quick comparison table
| Plugin | Price | Providers | Rate Limiting | Block Checkout | PayPal Payments | Express Payments |
|---|---|---|---|---|---|---|
| Simple Cloudflare Turnstile | Free | 1 | No | Yes | Manual config | Partial |
| reCaptcha for WooCommerce (I13 Web Solution) | $29/year | 2 | No | Yes | Manual config | Partial |
| hCaptcha for WordPress | Free | 1 | No | Partial | No | No |
| reCaptcha for WooCommerce (Themology) | $29/year | 5 | Yes | Yes | Auto-detected | Yes |
| Google reCaptcha for WooCommerce (KoalaApps) | $29/year | 1 | Yes | Yes | No | No |
| CAPTCHA 4WP (WPkube) | Free | 1 | No | No | No | No |
| Really Simple CAPTCHA | Free | 1 | No | No | N/A | N/A |
Plugin-by-plugin breakdown
1. Simple Cloudflare Turnstile
| Developer | Elliot Sowersby / RelyWP |
| Price | Free |
| Active Installs | 100,000+ |
What worked well: Turnstile is often invisible to legitimate users. Setup is straightforward. Get your Cloudflare keys, paste them in, done. Block Checkout support has improved in recent updates. It covers login, registration, checkout, and password reset. The plugin also works with popular form plugins like WPForms, Gravity Forms, and Contact Form 7.
Where we ran into issues: WooCommerce PayPal Payments compatibility. The plugin has a "Payment Methods to Skip" option, but it requires manual configuration and doesn't detect whether PayPal Payments has its own reCAPTCHA enabled. We saw inconsistent results during testing. Some checkout attempts with PayPal went through cleanly; others stalled. Apple Pay had similar quirks. No Product Vendors support.
Our take: For stores that don't use WooCommerce PayPal Payments, this is the best free option available. The 100K+ install base means issues get caught and fixed relatively fast. If you do use PayPal Payments, configure the skip list carefully and test thoroughly on staging.
2. reCaptcha for WooCommerce (I13 Web Solution)
| Developer | I13 Web Solution |
| Price | $29/year |
| Active Installs | 10,000+ |
What worked well: The hybrid mode, v3 by default, falling back to v2 if v3 scores too low, is clever. It prevents blocking real customers who trigger a low confidence score. Good form coverage: login, registration, checkout, password reset, product reviews, and order tracking. Block Checkout and HPOS both worked in our testing.
Where we ran into issues: WooCommerce PayPal Payments. The documentation mentions some express payment compatibility, but we saw mixed results. No automatic detection of PayPal Payments' own reCAPTCHA, so you risk double verification. No Product Vendors support. Configuration has more options than you'd expect for a CAPTCHA plugin; it takes a bit of time to set up properly.
Our take: A solid mid-range choice, especially if you want the flexibility to switch between reCAPTCHA and Turnstile. The hybrid fallback is genuinely useful. Test with your payment methods before going live.
3. hCaptcha for WordPress
| Developer | hCaptcha |
| Price | Free |
| Active Installs | 60,000+ |
What worked well: Genuinely privacy-respecting; hCaptcha doesn't track users for advertising. HPOS compatible. Multiple difficulty levels. Good coverage across WooCommerce and general WordPress forms. Active development from the hCaptcha team.
Where we ran into issues: Block Checkout support is partial; some features didn't work correctly with the new checkout in our testing. Express payments and WooCommerce PayPal Payments both broke. Apple Pay, Google Pay, and PayPal checkout all had problems. No detection of PayPal Payments' built-in reCAPTCHA. The challenges also have slightly more friction than invisible alternatives; users actually see and interact with them more often.
Our take: If privacy is your top priority and you don't use express payment methods, hCaptcha is a genuine alternative to Google. Verify Block Checkout compatibility with your specific theme before committing.
4. reCaptcha for WooCommerce (Themology)
| Developer | Themology |
| Price | $29/year |
| Active Installs | New |
What it does differently: It automatically detects when WooCommerce PayPal Payments has its own reCAPTCHA enabled and skips CAPTCHA for PayPal payment methods (Standard, Advanced Card Processing, Card Button) to avoid double verification. No manual configuration needed. It also recognizes 12+ express payment methods (Apple Pay, Google Pay, Amazon Pay, Stripe Link, WooPayments) and skips them since those have their own fraud protection. It protects 13 form types across WordPress, WooCommerce, and extensions including Product Vendors, Subscriptions (including early renewal and plan switch forms), and Memberships.
What we think works well: five CAPTCHA providers (Cloudflare Turnstile, Google reCAPTCHA v2, reCAPTCHA v3, hCaptcha, self-hosted honeypot) in a single plugin, more than any competitor. The honeypot isn't a basic hidden field; it uses seven verification layers including JavaScript injection, time-based detection, nonce validation, and a math challenge. Built-in rate limiting blocks IPs after configurable failed attempts across all protected forms, not just checkout. IP whitelist/blacklist supports CIDR notation, wildcards, and inline comments. Role-based skip rules let your team bypass CAPTCHA entirely. A dashboard widget shows blocked attempts, locked IPs, and provider status in real time. Settings export/import makes staging-to-production migration easy. When your CAPTCHA provider goes down, a failsafe mode falls back to the honeypot automatically. Block Checkout and HPOS support from day one.
Where it falls short: It's premium-only with no free version. It's new, so it doesn't have the track record or install base of established alternatives like Simple Cloudflare Turnstile (100K+ installs). No country-based disabling like KoalaApps offers. If you only need basic Turnstile protection and don't use PayPal Payments, the free option covers that well enough.
5. Google reCaptcha for WooCommerce (KoalaApps)
| Developer | KoalaApps |
| Price | $29/year |
| Active Installs | 2,000+ |
What worked well: The checkout rate limiter blocks IPs after repeated failed attempts, useful for carding attacks. Country-based disabling is a nice touch for stores that only sell to specific regions. Good form coverage within its scope.
Where we ran into issues: Google reCAPTCHA only. No Turnstile, hCaptcha, or honeypot option. No IP blocklist or whitelist beyond the rate limiter. Documentation doesn't address WooCommerce PayPal Payments, Apple Pay, or Google Pay compatibility. No detection of PayPal Payments' built-in reCAPTCHA. HPOS support isn't confirmed. Smaller user base means fewer community reports on edge cases.
Our take: If you only need Google reCAPTCHA and want country-based controls, this covers that specific use case. For stores that need broader protection (multiple providers, PayPal compatibility, IP management), you'll want something more comprehensive.
6. CAPTCHA 4WP (WPkube)
| Developer | WPkube (previously Melapress) |
| Price | Free |
| Active Installs | 200,000+ |
What worked well: Free. Lightweight. Simple to configure. Large community. With new ownership, continued development is expected.
Where it broke: Block Checkout doesn't work. HPOS isn't supported. During testing, we saw checkout failures that traced back to the plugin interfering with WooCommerce's JavaScript. Express payments were completely broken. This plugin was built for WordPress forms first and WooCommerce was bolted on later. The reviews on WordPress.org confirm this; many users report order failures. It remains to be seen whether WPkube's team will address these WooCommerce-specific issues.
Our take: Fine for WordPress blogs and contact forms. Not recommended for WooCommerce stores right now. The checkout compatibility issues are too significant. Worth keeping an eye on under new ownership.
7. Really Simple CAPTCHA
| Developer | Takayuki Miyoshi |
| Price | Free |
| Active Installs | 900,000+ |
No WooCommerce support whatsoever. No checkout, login, or registration protection. Old-school image CAPTCHAs are also easily solved by modern OCR bots. We're including it only because it shows up in "best WooCommerce CAPTCHA" searches due to its install count.
What about honeypots?
Honeypot fields are invisible form fields that bots fill out but humans can't see. They're worth considering because:
- No user friction at all.
- No external API calls, making them GDPR-friendly.
- Lightweight with minimal performance impact.
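The server-side half of a honeypot, as an added example (not code from any plugin reviewed here). It goes beyond the hidden field described above by adding a signed render timestamp for time-based detection; the field name `company_website`, the `hp_token` field, the secret and the thresholds are all hypothetical, and wiring into the classic or Block Checkout is not shown.

```php
<?php
// Added example: server-side honeypot check with a signed render timestamp.
// HP_FIELD, HP_SECRET and the thresholds are assumptions for illustration.
const HP_FIELD    = 'company_website';  // hypothetical decoy input, hidden with CSS
const HP_SECRET   = 'replace-with-a-random-server-side-secret';
const HP_MIN_SECS = 3;                  // humans rarely submit faster than this
const HP_MAX_SECS = 3600;               // stale tokens are rejected to limit replay

/** Token placed in the form at render time: "<unix time>.<HMAC of that time>". */
function hp_issue_token(int $now): string {
    return $now . '.' . hash_hmac('sha256', (string) $now, HP_SECRET);
}

/** Returns null when the submission passes, otherwise the rejection reason. */
function hp_check(array $post, int $now): ?string {
    // 1. The decoy must be present and empty; bots that fill every input trip it.
    if (!isset($post[HP_FIELD]) || $post[HP_FIELD] !== '') {
        return 'decoy_filled_or_missing';
    }
    // 2. The timestamp token must be intact (constant-time MAC comparison).
    $raw   = $post['hp_token'] ?? '';
    $parts = is_string($raw) ? explode('.', $raw, 2) : [];
    if (count($parts) !== 2 || !ctype_digit($parts[0])
        || !hash_equals(hash_hmac('sha256', $parts[0], HP_SECRET), $parts[1])) {
        return 'bad_token';
    }
    // 3. Time-based detection: posted too quickly, or from a stale page.
    $elapsed = $now - (int) $parts[0];
    if ($elapsed < HP_MIN_SECS) { return 'too_fast'; }
    if ($elapsed > HP_MAX_SECS) { return 'expired'; }
    return null;
}

// Constructed sample submissions for a form rendered at t=1000.
$token  = hp_issue_token(1000);
$forged = '900.' . substr($token, 5);   // earlier time, MAC no longer matches
$cases  = [
    'human after 20s' => [[HP_FIELD => '', 'hp_token' => $token], 1020],
    'bot fills decoy' => [[HP_FIELD => 'http://x.example', 'hp_token' => $token], 1020],
    'instant post'    => [[HP_FIELD => '', 'hp_token' => $token], 1001],
    'forged time'     => [[HP_FIELD => '', 'hp_token' => $forged], 1020],
    'replayed token'  => [[HP_FIELD => '', 'hp_token' => $token], 9000],
];
foreach ($cases as $label => [$post, $now]) {
    printf("%-16s %s\n", $label, hp_check($post, $now) ?? 'ok');
}
```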
Full feature comparison
The quick table above covers compatibility. This one covers the full feature set:
| Feature | Turnstile (Free) | I13 ($29/yr) | hCaptcha (Free) | Themology ($29/yr) | KoalaApps ($29/yr) |
|---|---|---|---|---|---|
| Providers | | | | | |
| Cloudflare Turnstile | Yes | Yes | No | Yes | No |
| Google reCAPTCHA v3 | No | Yes | No | Yes | No |
| Google reCAPTCHA v2 | No | Yes | No | Yes | Yes |
| hCaptcha | No | No | Yes | Yes | No |
| Self-hosted honeypot | No | No | No | Yes (7-layer) | No |
| Total providers | 1 | 2 | 1 | 5 | 1 |
| Anti-fraud | | | | | |
| Rate limiting | No | No | No | Yes | Yes |
| IP blocklist | No | No | No | Yes (CIDR + wildcard) | No |
| IP whitelist | No | No | No | Yes (CIDR + wildcard) | No |
| Role-based skip | No | No | No | Yes | No |
| Compatibility | | | | | |
| Block Checkout | Yes | Yes | Partial | Yes | Yes |
| HPOS | Yes | Yes | Yes | Yes | Unclear |
| PayPal Payments reCAPTCHA | Manual skip | Manual skip | No | Auto-detected | No |
| Express payments | Partial | Partial | No | Yes (12+ methods) | No |
| Product Vendors | No | No | No | Yes | No |
| Subscriptions / Memberships | No | No | No | Yes | No |
| Other | | | | | |
| Dashboard widget | No | No | No | Yes | No |
| Failsafe mode | No | No | No | Yes (honeypot fallback) | No |
| Settings export/import | No | No | No | Yes | No |
| Country-based disabling | No | No | No | No | Yes |
| Developer hooks | Limited | Limited | Limited | 19 filters/actions | Limited |
Choosing the right one
If you want the best free option: Simple Cloudflare Turnstile is well-maintained, privacy-respecting, and handles Block Checkout. If you don't use WooCommerce PayPal Payments, this covers the basics well. Start here to see if free is enough.
If privacy is your primary concern: hCaptcha for WordPress avoids Google tracking entirely. Verify Block Checkout compatibility with your specific theme before committing.
If you need the widest coverage: reCaptcha for WooCommerce (ours, so factor in our bias) is the only option with all five providers, PayPal Payments auto-detection, rate limiting, IP blocklist, and extension form support (Product Vendors, Subscriptions, Memberships). It covers more use cases than any single competitor, but it's premium-only and new.
If you already use I13 and it works: reCaptcha for WooCommerce by I13 Web Solution has 10,000+ installs and the hybrid v3-to-v2 fallback is genuinely clever. If PayPal Payments isn't causing you problems, there's no reason to switch just for more features.
If you only need Google reCAPTCHA with country controls: Google reCaptcha for WooCommerce by KoalaApps has country-based disabling, which is useful if you only sell to specific regions. Its rate limiter focuses on checkout specifically.
Frequently asked questions
Does CAPTCHA hurt conversion rates?
It can. Studies suggest visible CAPTCHAs reduce conversions by 3–5%. Invisible options like reCAPTCHA v3 and Cloudflare Turnstile minimize the impact. Every CAPTCHA also adds JavaScript to your pages, which can affect load times. If speed is already a concern, our guide on why WooCommerce stores feel slow covers the broader performance picture. For checkout pages, invisible is the way to go.
Which CAPTCHA provider is best?
Depends on your priorities:
- Cloudflare Turnstile: Best balance of security and user experience. Free, privacy-respecting, often invisible.
- Google reCAPTCHA v3: Most widely trusted, completely invisible, but has privacy concerns from Google's data collection.
- hCaptcha: Best for privacy. Slightly more user friction.
- Honeypot: Best for GDPR compliance with no external calls. Less effective alone against sophisticated bots.
Will CAPTCHA break WooCommerce PayPal Payments?
It can. WooCommerce PayPal Payments now has its own built-in reCAPTCHA that protects PayPal's payment endpoints. If your separate CAPTCHA plugin also runs on checkout, you get double verification that often breaks the payment flow. Either manually configure your CAPTCHA plugin to skip PayPal payment methods, or use a plugin that detects PayPal Payments' reCAPTCHA automatically. The same applies to express payments like Apple Pay and Google Pay, which have their own fraud protection.
Do I need CAPTCHA if I use Cloudflare?
Yes. Cloudflare's Bot Management operates at the network level. Form-level bots that pass Cloudflare's checks can still submit fake orders. They complement each other.
Will CAPTCHA stop all spam?
No. Determined attackers use CAPTCHA-solving services with human workers. CAPTCHA is one layer. Rate limiting, IP management, and monitoring are important supplements.
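A sketch of the rate-limiting and IP-management layer mentioned above, as an added example rather than code from any plugin reviewed here. It counts failed attempts per IP in a sliding window and exempts allowlisted CIDR ranges; the thresholds, the documentation-range addresses and the in-memory store are assumptions.

```php
<?php
// Added example: failed-attempt limiter with a CIDR allowlist (in-memory store).
// Thresholds and ranges are assumptions; a plugin would persist $store.
const RL_MAX_FAILS = 5;     // failures tolerated inside the window
const RL_WINDOW    = 600;   // sliding window in seconds
const RL_ALLOW     = ['203.0.113.0/24', '2001:db8::/32'];  // constructed ranges

/** True when $ip lies inside $cidr (IPv4 or IPv6). */
function rl_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;   // invalid input or mixed address families
    }
    $max   = strlen($ipBin) * 8;
    $bits  = $bits === null ? $max : max(0, min((int) $bits, $max));
    $bytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) {
        return false;
    }
    if ($bits % 8 === 0) { return true; }
    $mask = (0xFF << (8 - $bits % 8)) & 0xFF;   // compare the partial byte
    return (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

/** Records a failure at $now; returns true once $ip should be blocked. */
function rl_record_failure(array &$store, string $ip, int $now): bool {
    foreach (RL_ALLOW as $cidr) {
        if (rl_in_cidr($ip, $cidr)) { return false; }  // allowlisted, never blocked
    }
    // Keep only failures still inside the window, then add this one.
    $recent   = array_filter($store[$ip] ?? [], fn($t) => $t > $now - RL_WINDOW);
    $recent[] = $now;
    $store[$ip] = array_values($recent);
    return count($store[$ip]) > RL_MAX_FAILS;
}

// Constructed sequence: six failures in one minute, then an allowlisted client.
$store = [];
foreach ([0, 10, 20, 30, 40, 50] as $offset) {
    $blocked = rl_record_failure($store, '198.51.100.7', 1000 + $offset);
    printf("198.51.100.7 t+%02d %s\n", $offset, $blocked ? 'BLOCK' : 'allow');
}
var_dump(rl_record_failure($store, '203.0.113.9', 1060));  // address inside RL_ALLOW
```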
Is CAPTCHA required for GDPR compliance?
CAPTCHA isn't required by GDPR, but your implementation might create compliance issues. Some providers (notably Google reCAPTCHA) collect user data. If privacy matters, use a self-hosted honeypot, Cloudflare Turnstile, or hCaptcha.
The bottom line
Most WooCommerce CAPTCHA plugins were built for WordPress forms and adapted for WooCommerce later. That's fine for login and registration forms. But checkout is where the complexity lives: WooCommerce PayPal Payments with its own reCAPTCHA, express payments, Block Checkout, HPOS, and multi-vendor forms. If you're not sure where your store stands on these, our HPOS and Block Checkout guide covers the details. And if fake orders are your main concern, we also wrote a hands-on guide on how to stop fake orders in WooCommerce that covers the full picture beyond just CAPTCHA.
Test on staging. Run real transactions through. Complete a PayPal checkout. Try Apple Pay. If the CAPTCHA breaks something, you'll find out in testing instead of from a customer who couldn't complete their order.
If you need the most comprehensive protection in a single plugin (five providers, rate limiting, IP management, PayPal Payments auto-detection, and extension form support), check out reCaptcha for WooCommerce.



