reCaptcha for WooCommerce
Multi-provider CAPTCHA plugin that protects your WooCommerce checkout, login, registration, and 12 other form types from spam bots and carding attacks.
Why Captcha for WooCommerce?
Most CAPTCHA plugins were built for WordPress blogs and ported to WooCommerce as an afterthought. They break on Block Checkout, conflict with PayPal Payments, and ignore express payment methods like Apple Pay and Google Pay. This plugin was built for WooCommerce stores from day one.
Five providers, one plugin
Switch between CAPTCHA providers without installing a different plugin each time:
| Provider | Type | API Keys | Best For |
|---|---|---|---|
| Cloudflare Turnstile | Invisible challenge | Yes (free) | Most stores |
| Google reCAPTCHA v3 | Score-based invisible | Yes (free) | Google ecosystem |
| Google reCAPTCHA v2 | "I'm not a robot" checkbox | Yes (free) | Visible verification |
| hCaptcha | Challenge-based | Yes (free) | Privacy-focused stores |
| Self-Hosted Honeypot | Multi-layer bot trap | No | GDPR-strict, no external calls |
What makes this different
| Feature | Us | Most Plugins |
|---|---|---|
| Block Checkout support | ✅ Store API | ❌ Classic only |
| PayPal reCAPTCHA auto-detection | ✅ Built-in | ❌ Conflicts |
| Express payment skip | ✅ Automatic | ❌ Breaks Apple Pay |
| Rate limiting | ✅ Included | ❌ Separate plugin |
| IP whitelist/blocklist | ✅ CIDR + wildcards | ❌ Not available |
| Failsafe when provider is down | ✅ Honeypot fallback | ❌ Blocks everyone |
| Settings export/import | ✅ JSON | ❌ Not available |
| WC Product Vendors support | ✅ | ❌ |
| WC Subscriptions support | ✅ | ❌ |
| WC Memberships support | ✅ | ❌ |
Quick start
- Install -- Upload and activate the plugin
- Choose provider -- Go to WooCommerce > Settings > CAPTCHA and select a provider
- Enter API keys -- Get keys from your provider (or pick Honeypot for zero setup)
- Select forms -- Check the forms you want to protect
Key features
For store owners
- 5 CAPTCHA providers in one plugin with one-click switching
- 15 form locations protected including checkout, login, registration, and comments
- Rate limiting with configurable lockout after failed attempts
- IP whitelist and blocklist with CIDR notation and wildcard support
- Dashboard widget showing blocked attempts, lockout count, and provider status
- Settings export/import for staging-to-production workflows
- Failsafe mode falls back to honeypot when the external provider is unreachable
For developers
- 19 hooks and filters for customization
- Public API to render and verify CAPTCHA on custom forms
- Custom provider registration via the `cfwc_register_providers` action
- Template override for widget appearance
- WooCommerce logging integration for debugging
Use cases
Online stores under bot attack
Protect checkout from carding attacks, fake orders, and registration spam. Rate limiting catches repeat offenders after the first few failures.
Multi-vendor marketplaces
Protect vendor registration forms (WooCommerce Product Vendors) alongside customer-facing forms. Most CAPTCHA plugins ignore vendor registration entirely.
GDPR-strict European stores
Use the self-hosted honeypot provider with zero external API calls. No data leaves your server, no cookie consent banner needed for CAPTCHA.
Documentation
| Guide | Description |
|---|---|
| Getting Started | Installation, API keys, first setup |
| CAPTCHA Providers | All 5 providers explained |
| Protected Forms | 15 form locations and how they work |
| Rate Limiting & IP Control | Lockouts, whitelists, blocklists |
| Compatibility | PayPal, Block Checkout, HPOS, express payments |
| Settings | Complete settings reference |
| Developer Guide | Hooks, filters, API, custom providers |
| FAQ | Common questions and troubleshooting |
Requirements
- WordPress 6.0+
- WooCommerce 8.0+
- PHP 7.4+
Support
- Documentation: You're here!
- Themology Support: Bug reports, feature requests, and critical support
License
Captcha for WooCommerce is released under the GPL v3 or later.