Protected Forms
Bouncer can protect 19 form types plus a shortcode for custom forms across WordPress core, WooCommerce, and WooCommerce extensions. Each form can be enabled or disabled independently from WooCommerce > Settings > Bouncer > Forms.
WordPress forms#
Login form#
Setting: WordPress Login
Location: /wp-login.php
Protects the default WordPress login page. Useful for stores where the WordPress login is exposed (not redirected to WooCommerce My Account).
Registration form#
Setting: WordPress Registration
Location: /wp-login.php?action=register
Protects the default WordPress registration form. Only relevant if WordPress registration is enabled separately from WooCommerce.
Lost Password form#
Setting: WordPress Lost Password
Location: /wp-login.php?action=lostpassword
Prevents bots from flooding password reset emails to your users.
Reset Password form#
Setting: WordPress reset password
Form ID: wp_reset_password
Location: /wp-login.php?action=rp
Protects the “set new password” form that appears after clicking the reset link in the email. Different from the Lost Password form, which only requests the email.
Comment form#
Setting: WordPress Comments
Location: Any post or page with comments enabled
Stops comment spam. Works alongside or as a replacement for Akismet.
WooCommerce forms#
My Account Login#
Setting: WooCommerce Login
Location: /my-account/ login form
Protects the WooCommerce customer login form on the My Account page. This is separate from the WordPress login because WooCommerce uses its own authentication hooks.
My Account Registration#
Setting: WooCommerce Registration
Location: /my-account/ registration form
Stops automated account creation. Particularly important for stores that offer member-only pricing or subscription access.
My Account Lost Password#
Setting: WooCommerce Lost Password
Location: /my-account/lost-password/
Prevents password reset spam targeting your WooCommerce customers.
My Account Reset Password#
Setting: WooCommerce reset password
Form ID: wc_reset_password
Location: My Account reset password form
Protects the WooCommerce-specific reset password form. Only validates when the WooCommerce nonce is present, so it doesn’t conflict with the WordPress core reset form.
Classic Checkout#
Setting: WooCommerce Checkout (Classic)
Location: Checkout page using the classic [woocommerce_checkout] shortcode
The CAPTCHA widget appears before the Place Order button. Validation runs during woocommerce_checkout_process.
Block Checkout#
Setting: WooCommerce Checkout (Block)
Location: Checkout page using the WooCommerce Checkout block
The CAPTCHA widget is injected via the render_block_woocommerce/checkout filter. The token is passed through the Store API as extensions['captcha-for-woocommerce']['token'] and validated server-side during woocommerce_store_api_checkout_update_order_from_request.
This is a proper Store API integration, not a DOM hack. It works reliably with WooCommerce’s React-based checkout.
Pay for Order#
Setting: WooCommerce Pay for Order
Location: /checkout/order-pay/{order-id}/
Protects the “Pay for Order” page that customers use when they need to retry payment on a pending order. This page is a common target for carding attacks because it already has an order with products attached.
Product Reviews#
Setting: WooCommerce product reviews
Form ID: wc_review
Location: Single product page review form
Protects product review submissions from spam bots.
Order Tracking#
Setting: WooCommerce order tracking
Form ID: wc_order_tracking
Location: Order tracking form/shortcode
Protects the order tracking form from automated lookups.
WooCommerce extension forms#
These form options only appear when the corresponding extension plugin is active.
Product Vendors Registration#
Setting: Product Vendors Registration
Requires: WooCommerce Product Vendors active
Location: Vendor registration shortcode form
Protects the vendor application/registration form. Most CAPTCHA plugins don’t detect or support Product Vendors forms at all.
Subscriptions Checkout#
Setting: WooCommerce Subscriptions
Requires: WooCommerce Subscriptions active
Extends checkout protection to subscription-specific payment flows, including renewal, switch, and change payment method operations.
Memberships Registration#
Setting: WooCommerce Memberships
Requires: WooCommerce Memberships active
Extends protection to membership-specific registration flows.
Bookings Add-to-Cart#
Setting: Bookings add-to-cart
Form ID: wc_bookings
Requires: WooCommerce Bookings active
Location: Single product page for bookable products
Protects the booking form add-to-cart button. Only fires on bookable product types; regular products are unaffected.
Elementor Pro Forms#
Setting: Elementor Pro forms
Form ID: elementor_form
Requires: Elementor Pro active
Location: Any page using the Elementor Form widget
Adds CAPTCHA to Elementor Pro’s form widget. Renders the CAPTCHA field as the last form item and validates during Elementor’s form validation hook.
How form protection works#
When a protected form is submitted:
- The CAPTCHA widget captures a response token (or honeypot data).
- The plugin sends the token to the provider’s API for verification (except honeypot, which validates locally).
- If verification passes, the form submission continues normally.
- If verification fails, the submission is blocked with an error message and the failed attempt is logged.
- If rate limiting is enabled, failed attempts count toward the IP lockout threshold.
On Block Checkout, the flow is slightly different:
- The JavaScript client collects the CAPTCHA token.
- The token is included in the Store API checkout request under the extensions key.
- Server-side validation runs before order processing.
- Failed verification returns a Store API error that displays in the checkout error area.
Shortcode: [cfwc_captcha]#
Drop [cfwc_captcha] into any page, post, or template to render a CAPTCHA widget. Attributes:
- theme: “light” or “dark” (optional, uses global setting if omitted)
- size: “normal” or “compact” (optional)
Example: [cfwc_captcha theme="dark" size="compact"]
The shortcode includes a nonce field and an AJAX verification endpoint at wp-admin/admin-ajax.php?action=cfwc_verify_shortcode. Custom form handlers can POST to this endpoint to validate the CAPTCHA token server-side.
Checkout options#
CAPTCHA position#
By default, the CAPTCHA widget appears before the Place Order button. You can change this at WooCommerce > Settings > Bouncer > Forms > Checkout CAPTCHA position:
- Before submit button (default)
- After order notes
- After customer details
Useful when payment gateways inject their own elements near the submit button and cause layout conflicts.
Guest vs logged-in toggle#
Control who sees CAPTCHA at checkout:
- Everyone (default)
- Guests only — logged-in customers skip CAPTCHA
- Logged-in only — only authenticated users see CAPTCHA (rare use case)
Configure at WooCommerce > Settings > Bouncer > Forms > Checkout CAPTCHA target.
Enabling and disabling forms#
Each form has an independent checkbox. Changing one form does not affect others. Extension forms (Product Vendors, Subscriptions, Memberships) automatically hide from the settings page when those plugins are not active.
You can also control form protection programmatically:
```php
// Disable CAPTCHA on a specific form conditionally
add_filter( 'cfwc_form_enabled', function( $enabled, $form_type ) {
    if ( $form_type === 'wc_checkout_block' && is_user_logged_in() ) {
        return false;
    }
    return $enabled;
}, 10, 2 );
```
Form type identifiers#
For developers using hooks and filters, these are the internal form type IDs:
| Form | ID |
|---|---|
| WordPress Login | wp_login |
| WordPress Registration | wp_register |
| WordPress Lost Password | wp_lost_password |
| WordPress Reset Password | wp_reset_password |
| WordPress Comments | wp_comment |
| WooCommerce Login | wc_login |
| WooCommerce Registration | wc_register |
| WooCommerce Lost Password | wc_lost_password |
| WooCommerce Reset Password | wc_reset_password |
| WooCommerce Checkout (Classic) | wc_checkout_classic |
| WooCommerce Checkout (Block) | wc_checkout_block |
| WooCommerce Pay for Order | wc_pay_order |
| WooCommerce Product Reviews | wc_review |
| WooCommerce Order Tracking | wc_order_tracking |
| Product Vendors Registration | wcpv_registration |
| WooCommerce Subscriptions | wc_subscriptions |
| WooCommerce Memberships | wc_memberships |
| WooCommerce Bookings | wc_bookings |
| Elementor Pro Forms | elementor_form |
| Shortcode | shortcode |
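
Because any theme or plugin can hook cfwc_form_enabled, protection on a payment-facing form can be switched off in code without the settings page showing it. The guard below is an added example, not part of Bouncer: it records the value each form starts with and restores it if a later callback turns a pinned form off. The class name, the pinned list and the log prefix are hypothetical, and it assumes the first value passed to the filter reflects the saved checkbox.

```php
<?php
// Added example (not Bouncer's own code): detect and undo code-level
// disabling of CAPTCHA on payment-facing forms.
final class Example_Cfwc_Guard {
    // Form type IDs from the table above. Which forms to pin is a site
    // policy choice; this list is an assumption.
    const PINNED = array(
        'wc_checkout_classic',
        'wc_checkout_block',
        'wc_pay_order',
        'wc_subscriptions',
    );

    // Value each form had before any other callback ran.
    private static $baseline = array();

    // Runs first: remember the incoming value (assumed to be the saved setting).
    public static function record( $enabled, $form_type ) {
        self::$baseline[ $form_type ] = (bool) $enabled;
        return $enabled;
    }

    // Runs last: if a pinned form started enabled and ended disabled,
    // log it and turn protection back on. Forms an admin unticked stay off.
    public static function enforce( $enabled, $form_type ) {
        $was_on = self::$baseline[ $form_type ] ?? false;
        if ( $was_on && ! $enabled && in_array( $form_type, self::PINNED, true ) ) {
            error_log( sprintf(
                '[example-cfwc-guard] cfwc_form_enabled returned false for %s; restoring protection',
                $form_type
            ) );
            return true;
        }
        return $enabled;
    }
}

// Lowest and highest priorities bracket every other callback on the filter.
add_filter( 'cfwc_form_enabled', array( 'Example_Cfwc_Guard', 'record' ), PHP_INT_MIN, 2 );
add_filter( 'cfwc_form_enabled', array( 'Example_Cfwc_Guard', 'enforce' ), PHP_INT_MAX, 2 );
```

Loading this from a must-use plugin keeps it registered regardless of the active theme, and the log line gives you something to alert on when another component tries to disable a pinned form.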