CAPTCHA Providers

Bouncer supports five CAPTCHA providers. You can switch between them at any time from WooCommerce > Settings > Bouncer without losing your form protection settings.

Cloudflare Turnstile

  • Type: Invisible challenge (occasionally shows a brief widget)
  • Cost: Free, unlimited requests
  • Privacy: Cloudflare-managed, GDPR-friendly

Turnstile runs invisible browser challenges that verify visitors without interaction. Most legitimate users never see anything. Occasionally, a small widget appears for a few seconds while Turnstile verifies the browser.

When to use

  • Default choice for most stores
  • Good balance of security and user experience
  • Free with no usage limits
  • Privacy-friendly (Cloudflare doesn’t use the data for ad targeting)

Configuration

| Setting | Description | Default |
|---|---|---|
| Site Key | From Cloudflare Turnstile dashboard | Required |
| Secret Key | From Cloudflare Turnstile dashboard | Required |
| Theme | Auto (match site), Light, or Dark | Auto |
| Size | Normal or Compact | Normal |
| Appearance | Always, Interaction-only, or Invisible | Always |

The Appearance setting controls when the Turnstile widget is shown. “Always” shows it on every page load. “Interaction-only” shows it only when Turnstile needs to verify the visitor. “Invisible” never shows the widget.

Getting keys

  1. Go to the Cloudflare Turnstile dashboard.
  2. Click Add widget.
  3. Enter your site name and domain.
  4. Select Managed mode.
  5. Copy Site Key and Secret Key.

Google reCAPTCHA v3

  • Type: Score-based, fully invisible
  • Cost: Free up to 1M assessments/month
  • Privacy: Google data collection applies

reCAPTCHA v3 runs entirely in the background. It assigns each visitor a score between 0.0 (likely bot) and 1.0 (likely human). No user interaction required.

When to use

  • Maximum invisibility (no widget at all)
  • Stores already in the Google ecosystem
  • When you want score-based decisions rather than binary pass/fail

Configuration

| Setting | Description | Default |
|---|---|---|
| Site Key | From Google reCAPTCHA console | Required |
| Secret Key | From Google reCAPTCHA console | Required |
| Score Threshold | Minimum score to pass (0.0-1.0) | 0.5 |

Score threshold guide

| Threshold | Effect |
|---|---|
| 0.3 | Permissive. Lets most traffic through. Some bots may pass. |
| 0.5 | Balanced. Good default for most stores. |
| 0.7 | Strict. May block some legitimate users on VPNs or shared IPs. |
| 0.9 | Very strict. High false-positive risk. Not recommended for checkout. |

Start with 0.5. If you still see spam, raise to 0.6 or 0.7. If legitimate customers report issues, lower it.

The threshold is filterable for developers:

add_filter( 'cfwc_recaptcha_v3_threshold', function( $threshold ) {
    return 0.6;
});

Alternative domain (recaptcha.net)

In regions where google.com is blocked (China, Iran, etc.), the plugin can load reCAPTCHA from recaptcha.net instead. Configure this at WooCommerce > Settings > Bouncer > General > reCAPTCHA domain. Both the JavaScript API and the verification endpoint switch to recaptcha.net.
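
An added example, not Bouncer's own code, showing how the score threshold and the recaptcha.net switch act at verification time: the same constructed responses are evaluated at thresholds 0.5 and 0.7. Function names are hypothetical, the responses follow the shape of Google's siteverify JSON, and the hostname and action checks are this example's own additions.

```php
<?php
// Added example, not Bouncer's code. Function names are hypothetical.

/** Verification endpoint for the configured reCAPTCHA domain. */
function example_siteverify_url( string $domain ): string {
    $host = ( 'recaptcha.net' === $domain ) ? 'www.recaptcha.net' : 'www.google.com';
    return "https://{$host}/recaptcha/api/siteverify";
}

/**
 * Evaluate a decoded siteverify response. Fails closed: a missing field
 * is treated as a failure, never as a pass.
 * Returns array( bool $pass, string $reason ).
 */
function example_v3_decision( array $resp, float $threshold, string $action, string $hostname ): array {
    if ( true !== ( $resp['success'] ?? false ) ) {
        return array( false, 'verification failed' );
    }
    if ( ( $resp['hostname'] ?? '' ) !== $hostname ) {
        return array( false, 'token issued for another site' );
    }
    if ( ( $resp['action'] ?? '' ) !== $action ) {
        return array( false, 'token issued for another action' );
    }
    $score = (float) ( $resp['score'] ?? 0.0 );
    if ( $score < $threshold ) {
        return array( false, sprintf( 'score %.1f below threshold %.1f', $score, $threshold ) );
    }
    return array( true, 'ok' );
}

// Constructed responses in the shape of Google's siteverify JSON (after json_decode).
$samples = array(
    'shopper on a VPN' => array( 'success' => true, 'score' => 0.6, 'action' => 'checkout', 'hostname' => 'shop.example' ),
    'scripted client'  => array( 'success' => true, 'score' => 0.1, 'action' => 'checkout', 'hostname' => 'shop.example' ),
    'reused token'     => array( 'success' => false, 'error-codes' => array( 'timeout-or-duplicate' ) ),
    'other-site token' => array( 'success' => true, 'score' => 0.9, 'action' => 'checkout', 'hostname' => 'other.example' ),
);

echo example_siteverify_url( 'recaptcha.net' ), "\n";
foreach ( array( 0.5, 0.7 ) as $threshold ) {
    foreach ( $samples as $label => $resp ) {
        list( $pass, $reason ) = example_v3_decision( $resp, $threshold, 'checkout', 'shop.example' );
        printf( "threshold %.1f  %-16s %s (%s)\n", $threshold, $label, $pass ? 'PASS' : 'BLOCK', $reason );
    }
}
```

The 0.6 sample is the case the threshold guide warns about: it passes at 0.5 and is blocked at 0.7.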

Getting keys

  1. Go to google.com/recaptcha/admin/create.
  2. Select reCAPTCHA v3.
  3. Add your domain(s).
  4. Copy Site Key and Secret Key.

Google reCAPTCHA v2

  • Type: “I’m not a robot” checkbox
  • Cost: Free up to 1M assessments/month
  • Privacy: Google data collection applies

The classic checkbox challenge. Users click “I’m not a robot” and occasionally solve an image puzzle. Visible confirmation that protection is active.

When to use

  • When you want visible proof of bot protection (some users feel safer)
  • Registration and login forms where a checkbox is less disruptive
  • Stores with older demographics who may not trust invisible methods

Configuration

| Setting | Description | Default |
|---|---|---|
| Site Key | From Google reCAPTCHA console | Required |
| Secret Key | From Google reCAPTCHA console | Required |
| Theme | Auto, Light, or Dark | Auto |
| Size | Normal or Compact | Normal |

Alternative domain (recaptcha.net)

In regions where google.com is blocked (China, Iran, etc.), the plugin can load reCAPTCHA from recaptcha.net instead. Configure this at WooCommerce > Settings > Bouncer > General > reCAPTCHA domain. Both the JavaScript API and the verification endpoint switch to recaptcha.net.

Getting keys

  1. Go to google.com/recaptcha/admin/create.
  2. Select reCAPTCHA v2 > “I’m not a robot” Checkbox.
  3. Add your domain(s).
  4. Copy Site Key and Secret Key.

hCaptcha

  • Type: Challenge-based (image selection or invisible)
  • Cost: Free up to 1M requests/month
  • Privacy: Does not sell personal data, GDPR-friendly

hCaptcha is a privacy-focused alternative to Google reCAPTCHA. It can run as an invisible challenge or show image puzzles when needed.

When to use

  • Privacy-conscious stores that want to avoid Google
  • EU/UK/Australian stores focused on data minimization
  • Stores that want an alternative to Cloudflare

Configuration

| Setting | Description | Default |
|---|---|---|
| Site Key | UUID format from hCaptcha dashboard | Required |
| Secret Key | From hCaptcha account settings | Required |
| Theme | Auto, Light, or Dark | Auto |
| Size | Normal or Compact | Normal |

Getting keys

  1. Go to dashboard.hcaptcha.com.
  2. Create an account and add your site.
  3. Copy the Site Key (UUID format like a1b2c3d4-e5f6-...).
  4. Copy the Secret Key from your account settings.

Self-Hosted Honeypot

  • Type: Multi-layer invisible bot trap
  • Cost: Free
  • Privacy: Maximum. No external calls, no cookies, no data leaves your server.

The honeypot is not a traditional single hidden field. It uses seven layers of detection:

  1. JavaScript-injected hidden fields — bots that don’t execute JS fill out visible-to-them fields
  2. Multiple decoy trap fields — with site-unique naming that changes per installation
  3. Time-based detection — forms submitted faster than the configurable minimum (default 3 seconds) are rejected
  4. Nonce protection — prevents replay attacks and form resubmission
  5. JavaScript math challenge — a simple math problem solved by the browser’s JS engine
  6. Form expiry — submissions older than 24 hours are rejected
  7. Spam statistics tracking — tracks blocked attempts for the dashboard widget
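
An added example, not Bouncer's own code, showing how the decoy-field, minimum-time and form-expiry layers (2, 3 and 6) can be checked on the server. It assumes a hypothetical HMAC-signed timestamp field named hp_token and hypothetical function names; single-use nonce tracking (layer 4) is not covered.

```php
<?php
// Added example, not Bouncer's code. All names and the token format are hypothetical.
const EXAMPLE_MIN_SECONDS = 3;     // minimum submission time (page default)
const EXAMPLE_MAX_AGE     = 86400; // form expiry: 24 hours

/** Decoy field names derived from a per-installation secret, so they differ per site. */
function example_decoy_names( string $secret ): array {
    return array_map( function ( $i ) use ( $secret ) {
        return 'f_' . substr( hash_hmac( 'sha256', "decoy-{$i}", $secret ), 0, 10 );
    }, array( 0, 1 ) );
}

/** Token rendered into the form: issue time plus an HMAC the client cannot forge. */
function example_issue_token( string $secret, int $now ): string {
    return $now . '.' . hash_hmac( 'sha256', (string) $now, $secret );
}

/** Returns null when the submission passes, otherwise the rejection reason. */
function example_check_submission( array $post, string $secret, int $now ): ?string {
    foreach ( example_decoy_names( $secret ) as $name ) {
        if ( isset( $post[ $name ] ) && '' !== $post[ $name ] ) {
            return 'decoy field filled';
        }
    }
    list( $ts, $mac ) = array_pad( explode( '.', (string) ( $post['hp_token'] ?? '' ), 2 ), 2, '' );
    if ( ! ctype_digit( $ts ) || ! hash_equals( hash_hmac( 'sha256', $ts, $secret ), $mac ) ) {
        return 'token missing or invalid';
    }
    $age = $now - (int) $ts;
    if ( $age < EXAMPLE_MIN_SECONDS ) {
        return 'submitted too fast';
    }
    return ( $age > EXAMPLE_MAX_AGE ) ? 'form expired' : null;
}

// Constructed submissions against a form issued at $t0.
$secret = 'constructed-per-site-secret';
$t0     = 1700000000;
$ok     = array( 'hp_token' => example_issue_token( $secret, $t0 ) );
$cases  = array(
    'after 1 second'   => array( $ok, $t0 + 1 ),
    'after 20 seconds' => array( $ok, $t0 + 20 ),
    'after 25 hours'   => array( $ok, $t0 + 90000 ),
    'back-dated token' => array( array( 'hp_token' => ( $t0 - 60 ) . '.' . str_repeat( '0', 64 ) ), $t0 + 1 ),
    'decoy filled'     => array( $ok + array( example_decoy_names( $secret )[0] => 'x' ), $t0 + 20 ),
);
foreach ( $cases as $label => list( $post, $now ) ) {
    printf( "%-18s %s\n", $label, example_check_submission( $post, $secret, $now ) ?? 'accepted' );
}
```

Signing the timestamp is what makes the time checks meaningful: a client that rewrites the issue time to get past the minimum delay cannot produce a matching HMAC.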

When to use

  • GDPR-strict stores where no external service calls are acceptable
  • Stores that don’t want to require cookie consent for CAPTCHA
  • As a secondary layer alongside another provider (enable via Advanced Settings)
  • As a failsafe fallback when the primary provider is unreachable

Configuration

| Setting | Description | Default |
|---|---|---|
| Minimum submission time | Seconds before form can be submitted | 3 |

The minimum time is filterable:

add_filter( 'cfwc_honeypot_min_time', function( $min_time ) {
    return 5; // Require 5 seconds minimum
});

Limitations

  • Less effective against sophisticated bots that execute JavaScript
  • No challenge-based verification for edge cases
  • Best used as a layer rather than sole protection for high-risk stores

Using honeypot as a secondary layer

Regardless of which primary provider you use, you can enable the honeypot as an additional detection layer. Go to WooCommerce > Settings > Bouncer > Advanced and check Enable honeypot as secondary layer.

When enabled, both your primary provider and the honeypot must pass for a form submission to succeed. This catches bots that might solve the CAPTCHA challenge but still fail the time-based or JavaScript detection.

Language support

All external CAPTCHA providers support displaying the widget in the visitor’s language. By default, the plugin auto-detects the visitor’s browser language. You can override this by selecting a specific language at WooCommerce > Settings > Bouncer > General > CAPTCHA language.

30+ languages are supported, including English, Spanish, French, German, Japanese, Chinese, Arabic, and more. The honeypot provider is invisible and doesn’t display any text, so the language setting doesn’t apply.

Switching providers

Changing providers does not affect:

  • Which forms are protected (those settings are independent)
  • Rate limiting configuration
  • IP whitelist/blocklist
  • Any other settings

You only need to enter the new provider’s API keys. The old keys are not deleted, so switching back is instant.

Provider-specific settings like the Turnstile appearance mode, reCAPTCHA domain, and language are preserved when switching. They apply when you switch back.