Settings
Settings#
Complete reference for all Bouncer settings.
Accessing settings#
Navigate to: WooCommerce > Settings > Bouncer
Settings are organized into sections: General, Forms, Security, Fraud, Notifications, Advanced, and License.
Provider settings#
CAPTCHA Provider#
Description: Select which CAPTCHA provider to use.
Options: Cloudflare Turnstile, Google reCAPTCHA v3, Google reCAPTCHA v2, hCaptcha, Self-Hosted Honeypot
Default: None (must be selected during setup)
Changing the provider does not reset other settings. API keys for each provider are stored separately, so switching back is instant.
See CAPTCHA Providers for details on each.
Site Key#
Description: The public key from your CAPTCHA provider.
Not required for the Honeypot provider.
Secret Key#
Description: The private/secret key from your CAPTCHA provider.
Stored securely. Not included in settings exports for security.
reCAPTCHA Domain#
Description: Domain for loading reCAPTCHA scripts and verification API.
Options: google.com (default), recaptcha.net
Default: google.com
Use recaptcha.net in regions where google.com is blocked (China, Iran). Only applies to reCAPTCHA v2 and v3.
CAPTCHA Language#
Description: Language for the CAPTCHA widget display.
Options: Auto-detect (default), or a specific language from 30+ options
Default: Auto (browser language)
Uses a searchable WooSelect2 dropdown. Applies to all external providers.
Verify API Keys#
Description: Renders an actual CAPTCHA widget in the admin panel to verify your API keys work.
Click “Verify” to load a real CAPTCHA challenge. Solve it to confirm your keys are valid. More reliable than the basic connection test.
Test Connection#
Description: AJAX button that validates your API keys against the provider.
A green checkmark confirms valid keys. A red error explains what went wrong (invalid key, domain mismatch, etc.).
Appearance settings#
Theme#
Description: Visual theme for the CAPTCHA widget.
Options:
- Auto — matches user’s system preference (light/dark)
- Light — always light background
- Dark — always dark background
Default: Auto
Only applies to Turnstile, reCAPTCHA v2, and hCaptcha. reCAPTCHA v3 and Honeypot are invisible.
Size#
Description: Widget size.
Options: Normal, Compact
Default: Normal
Compact is useful for narrow forms or mobile layouts.
Score Threshold (reCAPTCHA v3 only)#
Description: Minimum score required to pass verification.
Range: 0.0 to 1.0 (step 0.1)
Default: 0.5
Only visible when reCAPTCHA v3 is selected. See CAPTCHA Providers for tuning guidance.
Turnstile Appearance Mode#
Description: Controls when the Turnstile widget is visible.
Options: Always (default), Interaction-only, Invisible
Default: Always
Only visible when Cloudflare Turnstile is the active provider.
Protected forms#
Nineteen form types plus extension-specific options, grouped by category. Check the forms you want to protect.
WordPress: Login, Registration, Lost Password, Reset Password, Comments
WooCommerce: My Account Login, My Account Registration, My Account Lost Password, Reset Password, Checkout (Classic), Checkout (Block), Pay for Order, Product Reviews, Order Tracking
Extensions (conditional): Product Vendors Registration, Subscriptions Checkout, Memberships Registration, Bookings, Elementor Pro
Extension checkboxes only appear when the corresponding plugin is active.
The plugin also supports a [cfwc_captcha] shortcode for adding CAPTCHA to custom forms. This isn’t a checkbox in the settings but a separate feature you add to your form templates.
See Protected Forms for details on each form type.
Checkout settings#
Checkout CAPTCHA Position#
Description: Where the CAPTCHA widget appears on the classic checkout.
Options: Before submit button (default), After order notes, After customer details
Default: Before submit button
Checkout CAPTCHA Target#
Description: Who sees CAPTCHA at checkout.
Options: Everyone (default), Guests only, Logged-in users only
Default: Everyone
Access control#
Skip CAPTCHA for logged-in users#
Description: When enabled, logged-in users bypass CAPTCHA on all forms.
Default: Off
Useful for stores where most orders come from returning customers with accounts.
Skip CAPTCHA for specific roles#
Description: Multi-select of WordPress user roles that should bypass CAPTCHA.
Uses the WooCommerce enhanced select (searchable dropdown). Common choices: Administrator, Shop Manager, Editor.
IP Whitelist#
Description: IP addresses that skip CAPTCHA entirely.
One entry per line. Supports single IPs, CIDR notation, wildcards, and inline comments.
See Rate Limiting & IP Control for format details.
IP Blocklist#
Description: IP addresses that are blocked from all protected forms.
Same format as the whitelist. Blocked IPs are rejected before CAPTCHA verification.
See Rate Limiting & IP Control for format details.
Username Blocking#
Description: Block login attempts using specific usernames.
Format: One username per line. Supports wildcards (e.g. admin*, test*).
Default: Empty
Enable Rate Limiting#
Description: Track failed attempts and lock out repeat offenders.
Default: Off
Max Failed Attempts#
Description: Number of failed CAPTCHA attempts before lockout.
Default: 5 Range: 3-50
Lockout Duration (minutes)#
Description: How long an IP is locked out after exceeding the failure threshold.
Default: 15 Range: 5-1440 (24 hours)
Time Window (minutes)#
Description: Rolling window for tracking failed attempts. Failures older than this are not counted.
Default: 60 Range: 5-1440
Global Rate Limiting#
| Setting | Description | Default |
|---|---|---|
| Enable global rate limiting | Site-wide burst detection across all forms | Off |
| Max total submissions | Maximum form submissions in time window | 100 |
| Max total failures | Maximum failed verifications in time window | 50 |
| Time window (seconds) | Rolling window for counting | 300 |
See Rate Limiting & IP Control for configuration strategies.
Fraud settings#
Located at WooCommerce > Settings > Bouncer > Fraud.
Enable Fraud Scoring#
Description: Master toggle for the order fraud scoring engine.
Default: Off
When enabled, every order is evaluated against configurable rules. See Fraud Scoring.
Fraud rules#
Each of the 9 rules has an enable toggle and a weight slider. Rules and their defaults are documented in Fraud Scoring.
Risk thresholds#
| Setting | Default |
|---|---|
| Medium threshold | 26 |
| High threshold | 51 |
| Very high threshold | 76 |
Automatic actions#
| Setting | Description | Default |
|---|---|---|
| High-risk action | What to do with high-risk orders | Hold |
| Action threshold | Minimum risk level to trigger action | High |
Returning customer bypass#
| Setting | Description | Default |
|---|---|---|
| Skip returning customers | Bypass fraud scoring for repeat buyers | Off |
| Minimum completed orders | Number of past orders to qualify | 3 |
Disposable email handling#
| Setting | Description | Default |
|---|---|---|
| Action | Block, Warn, or Flag | Block |
Custom email blacklist#
| Setting | Description | Default |
|---|---|---|
| Patterns | Textarea, one wildcard pattern per line | Empty |
| Action | Block, Warn, or Flag | Block |
Proxy/VPN detection#
| Setting | Description | Default |
|---|---|---|
| proxycheck.io API key | Required for proxy detection | Empty |
Security settings (geo)#
Located at WooCommerce > Settings > Bouncer > Security.
Country-based CAPTCHA exclusion#
Description: Skip CAPTCHA for visitors from selected countries.
Field type: WooCommerce multi_select_countries (searchable dropdown)
Default: Empty (no exclusions)
Geo-blocking#
Description: Block visitors from selected countries.
Field type: WooCommerce multi_select_countries
Default: Empty (no blocking)
Blocked country message#
Description: Message shown to geo-blocked visitors.
Default: “Access to this site is not available in your region.”
Advanced settings#
Enable honeypot as secondary layer#
Description: Add the honeypot detection alongside your primary CAPTCHA provider.
Default: Off
When enabled, both the primary provider and the honeypot must pass. Catches bots that solve the CAPTCHA challenge but fail time-based or JavaScript detection.
Honeypot minimum submission time (seconds)#
Description: Forms submitted faster than this are rejected by the honeypot.
Default: 3 Range: 1-30
Only relevant when honeypot is the primary provider or enabled as a secondary layer.
Failsafe Mode#
Description: What happens when the external CAPTCHA provider is unreachable.
Options:
- Block all — reject all form submissions
- Use honeypot fallback (recommended) — fall back to honeypot
- Allow all — skip CAPTCHA check entirely
Default: Use honeypot fallback
See Compatibility for details.
Enable debug logging#
Description: Log CAPTCHA verification attempts and errors to WooCommerce logs.
Default: Off
Logs are viewable at WooCommerce > Status > Logs. Look for entries with source captcha-for-woocommerce. Enable temporarily when troubleshooting verification failures.
Delete data on uninstall#
Description: Remove all plugin data (settings, rate limit records) when the plugin is deleted.
Default: Off
When disabled, deactivating and deleting the plugin preserves settings in the database. Useful if you plan to reinstall later.
Privacy & compliance#
The settings page includes a dynamic information section that updates based on your selected provider. It shows:
- What data the provider collects
- Where the data is sent
- Links to the provider’s privacy policy and terms of service
- GDPR guidance
The Honeypot provider shows a “no external data transfer” notice since all processing happens locally.
License#
Located at WooCommerce > Settings > Bouncer > License.
Enter your license key and click Activate. The license controls access to auto-updates and support. All other settings tabs are hidden until the license is active.
To deactivate (e.g. moving to a different site), click Deactivate on this page.
Settings export and import#
Export#
Click Export Settings to download a JSON file containing all current settings. The secret key is excluded for security.
Import#
Click Import Settings and select a previously exported JSON file. Settings are merged with existing values. The secret key is preserved (not overwritten by import).
Useful for:
- Migrating settings from staging to production
- Backing up configuration before changes
- Sharing configuration across multiple sites
Reset#
Click Reset to Defaults to restore all settings to their default values. This clears API keys, form selections, and all customizations. A confirmation dialog prevents accidental resets.