
reCaptcha for WooCommerce

Stop spam orders, fake registrations, and carding attacks on your WooCommerce store. 5 CAPTCHA providers, built-in rate limiting, IP blocklist, and automatic PayPal Payments compatibility. The most complete CAPTCHA plugin for WooCommerce.

Features

5 CAPTCHA providers in one plugin
Cloudflare Turnstile support
Google reCAPTCHA v2 & v3
hCaptcha integration
7-layer self-hosted honeypot
Built-in rate limiting
IP whitelist & blacklist (CIDR + wildcard)
Role-based CAPTCHA skip
13 protected form types
Block Checkout & Classic Checkout
PayPal Payments auto-detection
Apple Pay, Google Pay & Amazon Pay handling
Product Vendors compatibility
Subscriptions & Memberships support
Dashboard security widget
Failsafe mode with honeypot fallback
Settings export & import
19 developer hooks
HPOS compatible
    [Screenshot 1 of 4: reCaptcha for WooCommerce]

Your WooCommerce order list is full of garbage. Fake names, gibberish addresses, dozens of "Failed" orders from bots testing stolen credit cards against your checkout. Every fake order wastes your time, messes up your analytics, and every successful carding attempt triggers chargebacks that cost $20–100 each.

reCaptcha for WooCommerce stops this. Five CAPTCHA providers, built-in rate limiting, IP blocklist, and automatic WooCommerce PayPal Payments compatibility. One plugin, every form protected, no conflicts.

Why store owners choose this plugin

  • Stop fake orders and carding attacks: Bots can't submit orders when CAPTCHA, rate limiting, and IP blocking work together. Even the "Failed" orders from card testing bots stop filling your order list.
  • 5 providers, one plugin: Cloudflare Turnstile, Google reCAPTCHA v2, reCAPTCHA v3, hCaptcha, and a 7-layer self-hosted honeypot. More providers than any competing plugin. Switch anytime without changing plugins.
  • Works with WooCommerce PayPal Payments: The plugin reads PayPal Payments' own reCAPTCHA settings and automatically skips CAPTCHA for PayPal methods. No double verification, no broken checkouts, no manual configuration.
  • Protects 13 form types: Every WordPress login, registration, checkout, comment, and WooCommerce extension form. Including Product Vendors, Subscriptions, and Memberships.
  • Rate limiting that actually helps: Block IPs after repeated failed attempts. Configure the threshold, lockout duration, and time window. Works across all forms, not just checkout.
  • GDPR-friendly option: The self-hosted honeypot sends zero data to third parties. No API keys needed.

    Who is this for?

  • WooCommerce store owners tired of cleaning up fake orders and failed carding attempts every morning.
  • Stores using WooCommerce PayPal Payments that need a CAPTCHA plugin that won't break PayPal checkout. We're the only one that auto-detects PayPal's own reCAPTCHA.
  • Multi-vendor marketplaces using WooCommerce Product Vendors. We're the only CAPTCHA plugin that protects vendor registration forms.
  • Subscription and membership sites dealing with spam signups. We protect early renewal and plan switch forms too, not just initial registration.
  • Privacy-conscious stores in the EU, UK, or Australia that need GDPR-compliant spam protection without external API calls.
  • High-security sites that need rate limiting, IP management, and layered defense beyond basic CAPTCHA.
  • Stores under active carding attacks that need to block bots immediately with rate limiting and IP blocklists.

    Choose your CAPTCHA provider

    Five providers, each suited to different needs:

    Provider                Best for                   Privacy            User experience
    Cloudflare Turnstile    Most stores                Privacy-focused    Usually invisible
    Google reCAPTCHA v3     High-traffic sites         Standard           Invisible (score-based)
    Google reCAPTCHA v2     Maximum visible security   Standard           Checkbox challenge
    hCaptcha                Privacy-conscious stores   Privacy-focused    Challenge-based
    Self-Hosted Honeypot    GDPR strict compliance     No external data   Completely invisible

    Our recommendation: Start with Cloudflare Turnstile. It's free, privacy-focused, usually invisible to users, and stops most bots. If Turnstile ever goes down, the plugin automatically falls back to the honeypot so your forms stay protected.

    All 13 protected forms

    WordPress core (4 forms)

  • Login page
  • User registration
  • Lost password / Password reset
  • Comment forms (guest and logged-in)

    WooCommerce (6 forms)

  • Checkout (both Classic and Block-based)
  • My Account login
  • My Account registration
  • Lost password
  • Pay for Order page

    WooCommerce extensions (3 forms)

  • Product Vendors registration (the only CAPTCHA plugin that supports this)
  • Subscriptions checkout, early renewal, and plan switch forms
  • Memberships registration

    All extension forms load conditionally. If you don't use Product Vendors, Subscriptions, or Memberships, those hooks never fire.

    Beyond CAPTCHA: layered security

    CAPTCHA is the first line of defense. This plugin adds three more:

    Rate limiting

    Bots don't try once. They try hundreds of times. Rate limiting blocks IPs after a configurable number of failed attempts.

  • Configurable threshold: Set max failed attempts (default 5, range 3–50).
  • Configurable lockout: Set lockout duration (default 15 minutes, up to 24 hours).
  • Configurable window: Set the tracking window (default 60 minutes, up to 24 hours).
  • Works on all protected forms, not just checkout. Login, registration, lost password, everything.
  • Cloudflare and proxy aware: Detects real client IPs behind Cloudflare, Nginx proxies, and load balancers.
  • Auto-cleanup: Expired lockouts and old data are cleaned up automatically on a scheduled basis.

    Even if a bot passes CAPTCHA (using human-solving services), it can't brute-force your forms.
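The mechanics described in this section and in the rate-limiter FAQ further down (a failed-attempt counter over a sliding tracking window, a lockout once the threshold is reached, whitelisted addresses exempt, periodic cleanup, and proxy-aware client IP detection) are illustrated below in PHP. This is an added example, not the plugin's own code; it uses the documented defaults (5 attempts, 15-minute lockout, 60-minute window), keeps its state in arrays instead of WordPress options or transients, and the list of trusted proxy addresses is an assumption a site would configure itself.

```php
<?php
// Added illustration (not the plugin's code): a failed-attempt counter with a
// sliding tracking window and a lockout. State lives in arrays here; a
// WordPress plugin would persist it and run cleanup() from a scheduled event.

final class CfwcDemoRateLimiter
{
    private int $threshold;
    private int $lockoutSeconds;
    private int $windowSeconds;
    private array $whitelist;
    private array $failures = [];    // ip => failure timestamps inside the window
    private array $lockedUntil = []; // ip => unix time at which the lockout ends

    public function __construct(int $threshold = 5, int $lockoutSeconds = 900, int $windowSeconds = 3600, array $whitelist = [])
    {
        $this->threshold      = $threshold;
        $this->lockoutSeconds = $lockoutSeconds;
        $this->windowSeconds  = $windowSeconds;
        $this->whitelist      = $whitelist;
    }

    /** Check this before rendering or verifying any protected form. */
    public function isLocked(string $ip, int $now): bool
    {
        if (in_array($ip, $this->whitelist, true)) {
            return false; // whitelisted addresses are never rate-limited
        }
        return isset($this->lockedUntil[$ip]) && $this->lockedUntil[$ip] > $now;
    }

    /** Record a failed CAPTCHA/honeypot check. Returns true if this failure started a lockout. */
    public function recordFailure(string $ip, int $now): bool
    {
        if (in_array($ip, $this->whitelist, true)) {
            return false;
        }
        $cutoff   = $now - $this->windowSeconds;
        $recent   = array_filter($this->failures[$ip] ?? [], fn(int $t): bool => $t > $cutoff);
        $recent[] = $now;
        $this->failures[$ip] = array_values($recent);
        if (count($recent) >= $this->threshold) {
            $this->lockedUntil[$ip] = $now + $this->lockoutSeconds;
            unset($this->failures[$ip]); // counter restarts once the lockout has expired
            return true;
        }
        return false;
    }

    /** A successful verification clears the counter for that address. */
    public function recordSuccess(string $ip): void
    {
        unset($this->failures[$ip]);
    }

    /** Scheduled cleanup: forget expired lockouts and failures outside the window. */
    public function cleanup(int $now): void
    {
        foreach ($this->lockedUntil as $ip => $until) {
            if ($until <= $now) {
                unset($this->lockedUntil[$ip]);
            }
        }
        $cutoff = $now - $this->windowSeconds;
        foreach ($this->failures as $ip => $times) {
            $kept = array_values(array_filter($times, fn(int $t): bool => $t > $cutoff));
            if ($kept === []) {
                unset($this->failures[$ip]);
            } else {
                $this->failures[$ip] = $kept;
            }
        }
    }
}

/**
 * Proxy-aware client IP. Forwarding headers are honoured only when the TCP peer
 * is one of our own proxies; otherwise any client could set X-Forwarded-For and
 * choose its own rate-limit bucket or a whitelisted address.
 * $trustedProxies is an assumed, site-specific list.
 */
function cfwc_demo_client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    if (!empty($server['HTTP_CF_CONNECTING_IP'])) {
        return $server['HTTP_CF_CONNECTING_IP']; // Cloudflare sets this to the real client
    }
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        // Walk from the right, skipping our own proxies; the first unknown hop is the client.
        $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
        foreach ($hops as $hop) {
            if (!in_array($hop, $trustedProxies, true)) {
                return $hop;
            }
        }
    }
    return $remote;
}

// Constructed walk-through with the default settings and one whitelisted address.
$limiter = new CfwcDemoRateLimiter(5, 900, 3600, ['192.0.2.10']);
$t0 = 1700000000;
$ip = cfwc_demo_client_ip(
    ['REMOTE_ADDR' => '198.51.100.1', 'HTTP_X_FORWARDED_FOR' => '203.0.113.9, 198.51.100.1'],
    ['198.51.100.1'] // 198.51.100.1 is our proxy, so the client is 203.0.113.9
);
for ($i = 1; $i <= 5; $i++) {
    $started = $limiter->recordFailure($ip, $t0 + $i * 10);
    printf("failure %d at +%ds: lockout started? %s\n", $i, $i * 10, $started ? 'yes' : 'no');
}
printf("locked 1 minute later: %s\n", $limiter->isLocked($ip, $t0 + 60) ? 'yes' : 'no');
printf("locked 20 minutes later: %s\n", $limiter->isLocked($ip, $t0 + 1200) ? 'yes' : 'no');
printf("whitelisted address ever locked: %s\n", $limiter->recordFailure('192.0.2.10', $t0) ? 'yes' : 'no');
```

The client-IP helper is the part worth copying carefully: a rate limiter keyed on an unverified `X-Forwarded-For` value lets a bot rotate its bucket on every request, and a whitelist keyed on it lets the bot claim an exempt address, so forwarding headers should only be trusted from proxies you control.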

    IP blocklist and whitelist

    Block known bad actors before they even see your CAPTCHA:

  • Exact IPs: Block or whitelist specific addresses.
  • CIDR ranges: Block entire subnets, like 192.168.1.0/24 or IPv6 ranges.
  • Wildcards: Match patterns like 192.168.1.*.
  • Comments: Add notes to your IP lists with # for organization.
  • Blocklist runs first: Blocked IPs are rejected before CAPTCHA validation even starts. They can't submit any protected form.
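The three rule types above (exact addresses, CIDR ranges for IPv4 and IPv6, and dotted wildcards) plus `#` comments can be evaluated as shown below. This is an added example, not the plugin's code: the `cfwc_demo_*` names are hypothetical, the wildcard is assumed to match one whole octet per `*`, and the ordering "whitelist first, then blocklist, then CAPTCHA" is an assumption about precedence that the page does not spell out.

```php
<?php
// Added illustration (not the plugin's code) of IP list parsing and matching.

/** Parse one rule per line; blank lines and anything after "#" are ignored. */
function cfwc_demo_parse_ip_list(string $text): array
{
    $rules = [];
    foreach (preg_split('/\R/', $text) as $line) {
        $line = trim(preg_replace('/#.*$/', '', $line));
        if ($line !== '') {
            $rules[] = $line;
        }
    }
    return $rules;
}

/** Packed binary form of a valid IPv4/IPv6 address, or false (no warnings for junk input). */
function cfwc_demo_pton(string $addr)
{
    return filter_var($addr, FILTER_VALIDATE_IP) === false ? false : inet_pton($addr);
}

/** Does $ip fall inside $cidr (e.g. 192.168.1.0/24 or 2001:db8::/32)? Works for both families. */
function cfwc_demo_ip_in_cidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = cfwc_demo_pton($ip);
    $subBin = cfwc_demo_pton($subnet);
    if ($ipBin === false || $subBin === false || strlen($ipBin) !== strlen($subBin)) {
        return false; // malformed rule, or IPv4 rule against IPv6 client: never matches
    }
    $maxBits = strlen($ipBin) * 8;
    $bits    = $bits === null ? $maxBits : (int) $bits;
    if ($bits < 0 || $bits > $maxBits) {
        return false;
    }
    // Compare the whole prefix bytes first, then the remaining partial byte under a mask.
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($subBin, 0, $fullBytes)) {
        return false;
    }
    $remBits = $bits % 8;
    if ($remBits === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $remBits)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($subBin[$fullBytes]) & $mask);
}

/** Wildcard rules such as 192.168.1.* : each "*" stands for exactly one octet. */
function cfwc_demo_ip_matches_wildcard(string $ip, string $pattern): bool
{
    $regex = '/^' . str_replace('\*', '[^.]+', preg_quote($pattern, '/')) . '$/';
    return preg_match($regex, $ip) === 1;
}

/** True when $ip matches any rule in a parsed list. */
function cfwc_demo_ip_matches_list(string $ip, array $rules): bool
{
    foreach ($rules as $rule) {
        if (strpos($rule, '/') !== false) {
            if (cfwc_demo_ip_in_cidr($ip, $rule)) {
                return true;
            }
        } elseif (strpos($rule, '*') !== false) {
            if (cfwc_demo_ip_matches_wildcard($ip, $rule)) {
                return true;
            }
        } elseif (cfwc_demo_pton($rule) !== false && cfwc_demo_pton($ip) === cfwc_demo_pton($rule)) {
            return true; // exact match on packed form, so ::1 and 0:0:0:0:0:0:0:1 compare equal
        }
    }
    return false;
}

// Constructed sample lists (documentation address ranges, not real actors).
$blocklist = cfwc_demo_parse_ip_list("203.0.113.0/24   # card-testing range seen in failed orders\n198.51.100.*     # scanner farm\n2001:db8::/32\n");
$whitelist = cfwc_demo_parse_ip_list("192.0.2.10   # office");

foreach (['203.0.113.77', '198.51.100.5', '2001:db8:1::9', '192.0.2.10', '192.0.2.11'] as $ip) {
    if (cfwc_demo_ip_matches_list($ip, $whitelist)) {
        $verdict = 'allow (whitelisted)';
    } elseif (cfwc_demo_ip_matches_list($ip, $blocklist)) {
        $verdict = 'reject before CAPTCHA runs';
    } else {
        $verdict = 'proceed to CAPTCHA';
    }
    echo "$ip => $verdict\n";
}
```

Two details matter for correctness: CIDR matching must compare packed binary forms rather than strings (so that compressed IPv6 notation matches), and an IPv4 rule must never be tested against an IPv6 client address, which the length check above prevents.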

    Role-based skip rules

    Your team shouldn't solve CAPTCHAs on their own site:

  • Skip all logged-in users: One checkbox, all logged-in users bypass CAPTCHA.
  • Skip specific roles: Choose which roles skip, like administrators and shop managers, while keeping CAPTCHA for customers and subscribers.

    Smart payment gateway handling

    Payment gateway conflicts are the #1 reason CAPTCHA plugins break WooCommerce checkouts. This plugin handles it properly.

    WooCommerce PayPal Payments auto-detection

    The WooCommerce PayPal Payments plugin has its own built-in reCAPTCHA that protects PayPal's payment endpoints. Most CAPTCHA plugins don't know this. They add a second CAPTCHA on top, causing double verification that breaks the checkout.

    This plugin reads PayPal Payments' reCAPTCHA settings directly from the database. When PayPal's reCAPTCHA is active, it automatically skips CAPTCHA for:

  • PayPal Standard (Smart Buttons)
  • PayPal Advanced Card Processing
  • PayPal Card Button

    No manual configuration. An admin notice on the settings page confirms the detection.

    Express payment handling

    Express payment methods have their own fraud protection built in. Adding CAPTCHA on top just breaks them. This plugin automatically detects and skips:

  • Apple Pay (WooPayments, Stripe, PayPal)
  • Google Pay (WooPayments, Stripe, PayPal)
  • Amazon Pay
  • Stripe Link
  • WooPayments express checkout

    12+ payment method IDs are recognized, plus pattern matching catches any variation. Developers can extend the list via the cfwc_express_payment_methods filter.

    Dashboard security widget

    See your protection stats at a glance from the WordPress admin dashboard:

  • Today's blocked attempts and this week's blocked attempts
  • Currently locked IPs (with warning styling when lockouts are active)
  • Active CAPTCHA provider status
  • Rate limiting and honeypot status
  • Total blocked across CAPTCHA and honeypot combined

    No need to dig through logs. Open your dashboard and see if bots are hitting your store.

    The honeypot: not a hidden field

    Most honeypot implementations add a hidden form field and call it a day. Bots figured that out years ago. Ours uses seven verification layers:

  • JavaScript-injected field: The honeypot field only exists if JavaScript executes. No JS = bot.
  • Visible trap field: A decoy field that bots fill, thinking it's real. Must be empty.
  • Timestamp validation: Verifies the form isn't submitting impossibly fresh or stale data.
  • Nonce verification: Prevents replay attacks with a unique nonce tied to the field name and timestamp.
  • Minimum time check: Forms submitted in under 3 seconds are rejected. Configurable.
  • Maximum age check: Forms older than 24 hours are rejected as expired.
  • JavaScript math challenge: A random math problem (a * b + c) encoded in base-36. Proves a real browser executed the JavaScript.

    Each WordPress installation gets a unique, randomly generated field name. If a field name is ever compromised, it can be regenerated.
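The seven layers listed above map onto a small server-side validator, shown here in PHP as an added example that is not the plugin's code. The field names (`hp_ts`, `hp_challenge`, `hp_nonce`, `hp_answer`, the decoy `hp_website`), the HMAC construction of the nonce, the base-36 encoding of the three operands and the reason codes are all assumptions made for this illustration; the plugin's own wire format is not documented on this page.

```php
<?php
// Added illustration (not the plugin's code) of the server-side half of a layered honeypot.

const HP_SECRET      = 'placeholder-per-site-secret'; // a site would generate this once, randomly
const HP_MIN_SECONDS = 3;                             // submissions faster than this are rejected
const HP_MAX_SECONDS = 24 * 3600;                     // submissions older than this are expired
const HP_DECOY_FIELD = 'hp_website';                  // visible trap: humans leave it empty, bots fill it

/**
 * Rendering side. $fieldName is the per-site random name of the JavaScript-injected
 * field. The nonce binds that name, the issue timestamp and the challenge together,
 * so none of them can be edited independently by whoever submits the form.
 */
function hp_issue_challenge(string $fieldName, int $now): array
{
    $a = random_int(2, 9);
    $b = random_int(2, 9);
    $c = random_int(1, 20);
    // Operands travel base-36 encoded; the browser's JS decodes them and submits a*b+c.
    $challenge = base_convert((string) $a, 10, 36) . '.' . base_convert((string) $b, 10, 36) . '.' . base_convert((string) $c, 10, 36);
    $nonce     = hash_hmac('sha256', "$fieldName|$now|$challenge", HP_SECRET);
    return ['field' => $fieldName, 'ts' => $now, 'challenge' => $challenge, 'nonce' => $nonce];
}

/** What a real browser's JavaScript computes from the challenge string (-1 if malformed). */
function hp_solve_challenge(string $challenge): int
{
    $parts = explode('.', $challenge);
    if (count($parts) !== 3) {
        return -1;
    }
    [$a, $b, $c] = array_map(fn(string $s): int => (int) base_convert($s, 36, 10), $parts);
    return $a * $b + $c;
}

/** Validation side: null when every layer passes, otherwise a reason code. First failure wins. */
function hp_validate(array $post, string $fieldName, int $now): ?string
{
    if (!array_key_exists($fieldName, $post)) {
        return 'no_js_field';   // layer 1: the field only exists if JavaScript ran
    }
    if (($post[HP_DECOY_FIELD] ?? '') !== '') {
        return 'decoy_filled';  // layer 2: the visible trap must stay empty
    }
    $ts = filter_var($post['hp_ts'] ?? null, FILTER_VALIDATE_INT);
    if ($ts === false || $ts > $now) {
        return 'bad_timestamp'; // layer 3: timestamp must be an integer and not in the future
    }
    $challenge = (string) ($post['hp_challenge'] ?? '');
    $expected  = hash_hmac('sha256', "$fieldName|$ts|$challenge", HP_SECRET);
    if (!hash_equals($expected, (string) ($post['hp_nonce'] ?? ''))) {
        return 'bad_nonce';     // layer 4: nonce must match field name + timestamp + challenge
    }
    if ($now - $ts < HP_MIN_SECONDS) {
        return 'too_fast';      // layer 5: minimum time on page
    }
    if ($now - $ts > HP_MAX_SECONDS) {
        return 'expired';       // layer 6: maximum age
    }
    if ((int) ($post['hp_answer'] ?? -1) !== hp_solve_challenge($challenge)) {
        return 'bad_answer';    // layer 7: the math answer proves JavaScript actually executed
    }
    return null;
}

// Constructed walk-through: issue a challenge, then replay the same POST body at
// different times and with the decoy filled, to see which layer rejects each one.
$field = 'f_' . bin2hex(random_bytes(4)); // per-site random field name; regenerable if leaked
$t0    = time();
$c     = hp_issue_challenge($field, $t0);
$post  = [
    $field         => '1',
    HP_DECOY_FIELD => '',
    'hp_ts'        => (string) $c['ts'],
    'hp_challenge' => $c['challenge'],
    'hp_nonce'     => $c['nonce'],
    'hp_answer'    => (string) hp_solve_challenge($c['challenge']),
];
var_dump(hp_validate($post, $field, $t0 + 5));   // browser that ran the JS and waited 5 s
var_dump(hp_validate($post, $field, $t0 + 1));   // same body submitted after 1 s
$post[HP_DECOY_FIELD] = 'http://spam.example';
var_dump(hp_validate($post, $field, $t0 + 5));   // same body with the decoy filled in
```

Binding the nonce to the timestamp is what makes the minimum-time and maximum-age layers trustworthy: a submitter cannot back-date or refresh the timestamp without invalidating the nonce. It does not by itself make a token single-use within the 24-hour window; a deployment that needs that would also remember consumed nonces server-side.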

    Failsafe mode

    What happens when Cloudflare, Google, or hCaptcha has an outage?

  • Fall back to honeypot (recommended): The plugin automatically switches to the 7-layer honeypot. Protection continues with zero external dependencies.
  • Block submissions: Maximum security, but forms won't work during the outage.
  • Allow submissions: Forms always work, less secure during outages.

    The honeypot requires no API keys and no external services. It's always available as a fallback.

    Settings export and import

    Moving from staging to production? Migrating to a new site? Export your settings as JSON and import them on the new site. The export automatically strips your API secret key for security. The import merges with existing settings, preserving any secret key already configured.

    Setup takes 2 minutes

  • Install and activate the plugin.
  • Choose your CAPTCHA provider.
  • Enter your API keys (free from each provider, or skip this step for Honeypot).
  • Select which forms to protect.
  • Save. You're protected.

    Scripts only load on pages with protected forms. Your other pages stay fast.

    Getting your free API keys

    Each provider offers free API keys:

  • Cloudflare Turnstile: Get keys from Cloudflare dashboard. Unlimited requests, free forever.
  • Google reCAPTCHA: Create keys at Google reCAPTCHA admin. Free up to 1M assessments/month.
  • hCaptcha: Register at hCaptcha dashboard. Free tier available.

    For developers

    19 filters and actions for deep customization:

  • cfwc_skip_verification — skip CAPTCHA based on custom conditions
  • cfwc_skip_for_payment_method — skip for specific payment methods
  • cfwc_supported_forms — register custom forms for protection
  • cfwc_register_providers — add custom CAPTCHA providers
  • cfwc_express_payment_methods — extend the express payment detection list
  • cfwc_paypal_protected_methods — modify which PayPal methods are skipped
  • cfwc_error_message — customize error messages per provider
  • cfwc_blocked_ip_message — customize the blocked IP rejection message
  • cfwc_honeypot_min_time — adjust minimum form submission time
  • cfwc_recaptcha_v3_threshold — adjust the reCAPTCHA v3 score threshold
  • cfwc_should_load_assets — force-load CAPTCHA assets on specific pages
  • cfwc_before_render, cfwc_after_render — hook around the CAPTCHA widget
  • cfwc_before_verify, cfwc_verified, cfwc_failed — hook into verification lifecycle

    All CAPTCHA widgets include proper accessibility attributes: role="group", aria-labelledby, and screen-reader text.
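A site-specific mu-plugin wiring several of the hooks listed above would look like the following. This is an added example, not the plugin's own code: the hook names come from the list, but the argument lists, return types, and the form and gateway identifiers (`'checkout'`, `'example_gateway'`, `'example_express_pay'`) are assumptions and should be checked against the plugin's source before use.

```php
<?php
/**
 * Plugin Name: CFWC customisations (added example, not the plugin's code)
 *
 * Hook signatures and identifiers below are assumptions; confirm them
 * against the plugin before relying on them.
 */

// Skip CAPTCHA for authenticated REST API requests, where no browser is present
// to render a widget, while leaving every ordinary form submission protected.
add_filter('cfwc_skip_verification', function ($skip, $form) {
    if (defined('REST_REQUEST') && REST_REQUEST && is_user_logged_in()) {
        return true;
    }
    return $skip;
}, 10, 2);

// A gateway that performs its own challenge (assumed id 'example_gateway') is
// treated like the express methods: no second verification layered on top.
add_filter('cfwc_skip_for_payment_method', function ($skip, $method_id) {
    return $method_id === 'example_gateway' ? true : $skip;
}, 10, 2);

// Extend express-payment detection with an additional method id.
add_filter('cfwc_express_payment_methods', function (array $methods) {
    $methods[] = 'example_express_pay'; // assumed id of a custom express method
    return $methods;
});

// Tighten reCAPTCHA v3 on checkout only: reject submissions scoring below 0.7.
add_filter('cfwc_recaptcha_v3_threshold', function ($threshold, $form) {
    return $form === 'checkout' ? 0.7 : $threshold;
}, 10, 2);

// Require 5 seconds on the page before the honeypot accepts a submission.
add_filter('cfwc_honeypot_min_time', function ($seconds) {
    return 5;
});

// Record every failed verification in the WooCommerce log (WC > Status > Logs)
// so it can be reviewed alongside the dashboard widget's counters.
add_action('cfwc_failed', function ($form, $provider, $reason) {
    wc_get_logger()->warning(
        sprintf('CAPTCHA verification failed: form=%s provider=%s reason=%s', $form, $provider, $reason),
        ['source' => 'cfwc-customisations']
    );
}, 10, 3);
```

Drop the file into `wp-content/mu-plugins/` so it loads before ordinary plugins. Raising the v3 threshold trades a few more challenged humans for fewer accepted bots, so watch the logged failure rate for a week after changing it.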

    Privacy and compliance

    Important for GDPR/CCPA compliance: When using external providers (Turnstile, reCAPTCHA, hCaptcha), user data including IP addresses is transmitted to third-party servers. You should:

  • Disclose CAPTCHA usage in your privacy policy.
  • Consider your regional compliance requirements.
  • Use the Self-Hosted Honeypot option if you need zero external data transmission.

    All debug logs are stored locally using WooCommerce's logging system. Nothing is transmitted externally. Clean uninstall removes all plugin data from your database when you choose to.

    Frequently asked questions

    Will this slow down my checkout?

    No. Scripts only load on pages with protected forms. Modern providers like Cloudflare Turnstile run in the background without visible delay. Your product pages, category pages, and homepage are never affected.

    Does it work with the new WooCommerce Block Checkout?

    Yes. The plugin has a dedicated Block Checkout integration using WooCommerce's Store API. It's not a hack on top of Classic Checkout. Both checkout types are supported as first-class citizens.

    Does it work with WooCommerce PayPal Payments?

    Yes. The plugin auto-detects when PayPal Payments has its own reCAPTCHA enabled and skips CAPTCHA for PayPal payment methods. You'll see a confirmation notice on the settings page. No manual configuration needed.

    What if a real customer fails the CAPTCHA?

    With providers like Turnstile or reCAPTCHA v3, most legitimate users never see a challenge. If someone does fail, they can retry immediately. The error messages are clear and helpful.

    Is this compatible with caching plugins?

    Yes. CAPTCHA verification happens server-side after form submission, so page caching works normally.

    Can I protect custom forms?

    Yes. Developers can use the cfwc_supported_forms and cfwc_register_providers filters to add CAPTCHA protection to any custom form.

    Do I need coding skills to use this?

    Not at all. Choose your provider, paste in your free API keys, select which forms to protect, and save. Most store owners are protected within 2 minutes.

    What's the difference between this and free CAPTCHA plugins?

    Free CAPTCHA plugins typically offer one provider, cover basic WordPress forms, and treat WooCommerce as an afterthought. Here's what this plugin does differently:

  • 5 CAPTCHA providers (Turnstile, reCAPTCHA v2, v3, hCaptcha, honeypot) vs. 1 in most free plugins.
  • 13 protected form types including Product Vendors, Subscriptions, and Memberships. The only CAPTCHA plugin supporting Product Vendors.
  • PayPal Payments auto-detection that prevents double verification. No other CAPTCHA plugin does this.
  • Built-in rate limiting with configurable thresholds across all forms.
  • IP blocklist with CIDR and wildcard support, not just basic IP matching.
  • 7-layer honeypot with JavaScript challenges, not a simple hidden field.
  • Dashboard widget showing blocked attempts, locked IPs, and provider status.
  • Failsafe mode that falls back to honeypot when your CAPTCHA provider is down.
  • Settings export/import for staging-to-production workflows.
  • Block Checkout support via the Store API, not a DOM hack.
  • 19 developer hooks for deep customization.

    Is there a free trial?

    We offer a 30-day money-back guarantee. Try it risk-free. If it doesn't stop your spam problem, get a full refund.

    What about WooCommerce Subscriptions?

    Yes. We protect Subscriptions checkout, early renewal forms, and plan switch forms. Not just the initial signup.

    How is the rate limiter different from KoalaApps' checkout rate limiter?

    Our rate limiter works across all 13 protected form types, not just checkout. It blocks IPs after configurable failed CAPTCHA attempts with adjustable thresholds (3–50 attempts), lockout duration (5 min–24 hours), and tracking window (5 min–24 hours). Whitelisted IPs are never rate-limited. Combined with the IP blocklist, it provides layered protection that goes well beyond checkout-only rate limiting.

    Technical details

  • PHP Version: 7.4 or higher
  • WordPress: 6.0 or higher (tested up to 6.9)
  • WooCommerce: 8.0 or higher (tested up to 10.4.3)
  • HPOS Compatible: Yes
  • Block Checkout: Fully supported (Store API integration)
  • Multisite: Compatible
  • Uninstall: Clean removal of all plugin data (optional)

    Ready to stop spam bots and carding attacks? Get reCaptcha for WooCommerce today. $29/year, 30-day money-back guarantee.

    $29/year
    Buy Now
    Auto-renews yearly. Cancel anytime from your account.
    30-Day Money-Back Guarantee
    Not satisfied? Get a full refund within 30 days, no questions asked.
    Secure Checkout
    Payments processed securely via Lemon Squeezy using Stripe & PayPal. 100% safe and encrypted.
    Plugin Information
    PHP version: 7.4+
    WordPress: 6.0+
    WP tested up to: 6.9
    WC tested up to: 10.4.3
    Categories: Security, WooCommerce, Anti-Spam