CAPTCHA Setup

CAPTCHA protects your login, registration, and other forms from bots and spam. PaywallWP Pro supports three CAPTCHA providers.

Accessing CAPTCHA Settings

1. Go to PaywallWP → Settings → Captcha
2. Find the Bot Protection section
3. Select your preferred Captcha Provider from the toggle buttons:
   • None — No CAPTCHA protection
   • reCAPTCHA v2 — Classic checkbox challenge
   • reCAPTCHA v3 — Invisible, score-based
   • Turnstile — Cloudflare's invisible solution

Supported Providers

Provider	Type	Cost	Recommendation
Cloudflare Turnstile	Invisible	Free	⭐ Recommended
reCAPTCHA v3	Invisible	Free	Good alternative
reCAPTCHA v2	Checkbox	Free	Most compatible

Cloudflare Turnstile (Recommended)

Turnstile is Cloudflare's privacy-friendly CAPTCHA alternative. It's invisible to users, free, and doesn't track behavior like reCAPTCHA.

Why Turnstile?

• ✅ Free with no request limits
• ✅ Invisible — users don't see challenges
• ✅ Privacy-friendly — no tracking cookies
• ✅ Fast — minimal impact on page load
• ✅ Works everywhere — no Cloudflare DNS required

Setup Steps

1. Create a Cloudflare Account

   If you don't have one, create a free account. You don't need to use Cloudflare for your DNS.

2. Go to Turnstile Dashboard

   Navigate to Cloudflare Turnstile and click Add site.

3. Configure Your Widget

   • Site name: Your website name
   • Domain: yourdomain.com (without https://)
   • Widget Mode: Select Invisible (recommended) or Managed

   Click Create.

4. Copy Your Keys

   After creation, copy:

   • Site Key (public)
   • Secret Key (private)

5. Add to WordPress

   1. Go to PaywallWP → Settings → Captcha
   2. Select Turnstile as the provider
   3. Paste your Site Key and Secret Key
   4. Click Save Settings

Widget Modes

Mode	User Experience
Invisible	No visible widget, best UX
Managed	Shows widget only when needed
Non-interactive	Always shows a small badge

Google reCAPTCHA v3

reCAPTCHA v3 runs invisibly in the background and scores user behavior. It's a good alternative if you prefer Google's solution.

Setup Steps

1. Register Your Site

   Go to reCAPTCHA Admin.

2. Configure

   • Label: Your site name
   • reCAPTCHA type: Select Score based (v3)
   • Domains: Add your domain (e.g., yourdomain.com)
   • Accept terms and click Submit

3. Copy Your Keys

   Copy the Site Key and Secret Key.

4. Add to WordPress

   1. Go to PaywallWP → Settings → Captcha
   2. Select reCAPTCHA v3 as the provider
   3. Paste your Site Key and Secret Key
   4. Click Save Settings

Score Threshold

reCAPTCHA v3 returns a score from 0.0 to 1.0:

• 1.0 — Very likely a human
• 0.0 — Very likely a bot

The default threshold is 0.5. Requests scoring below this are blocked.

Performance Impact

reCAPTCHA v3 loads on every page to analyze behavior, which can affect page load times slightly.

Google reCAPTCHA v2

reCAPTCHA v2 shows the classic "I'm not a robot" checkbox. It's the most compatible option but requires user interaction.

Setup Steps

1. Register Your Site

   Go to reCAPTCHA Admin.

2. Configure

   • Label: Your site name
   • reCAPTCHA type: Select Challenge (v2) → "I'm not a robot" Checkbox
   • Domains: Add your domain
   • Click Submit

3. Copy Your Keys

   Copy the Site Key and Secret Key.

4. Add to WordPress

   1. Go to PaywallWP → Settings → Captcha
   2. Select reCAPTCHA v2 as the provider
   3. Paste your Site Key and Secret Key
   4. Click Save Settings

Invisible Mode

reCAPTCHA v2 can also run in "Invisible" mode, showing only a small badge instead of a checkbox:

1. In Google reCAPTCHA admin, create a new site with type Challenge (v2) → Invisible reCAPTCHA badge
2. Copy the new Site Key and Secret Key
3. In WordPress, enable the Invisible Mode toggle
4. Save Settings

note

Invisible reCAPTCHA v2 requires different keys than the checkbox version. You must create a new site in Google reCAPTCHA admin with the "Invisible" option selected.

Comparison Table

Feature	Turnstile	reCAPTCHA v3	reCAPTCHA v2
User Experience	⭐ Invisible	⭐ Invisible	Checkbox
Privacy	⭐ Privacy-first	Google tracking	Google tracking
Page Load Impact	⭐ Minimal	Moderate	Minimal
Cost	⭐ Free	Free	Free
Bot Detection	Excellent	Excellent	Good
Accessibility	⭐ Best	Good	Requires interaction

Protected Forms

CAPTCHA is automatically applied to:

• ✅ Login form
• ✅ Registration form
• ✅ Password reset form
• ✅ Checkout (optional)

Troubleshooting

"Invalid Site Key" Error

• Verify you copied the complete key
• Check that the domain matches your site
• Ensure you're not mixing test/production keys

CAPTCHA Not Showing

• Check browser console for JavaScript errors
• Verify the provider is properly configured
• Some ad blockers block CAPTCHA scripts

Form Submissions Failing

• Check that the Secret Key is correct
• Verify your server can reach the CAPTCHA verification API
• Check for firewall rules blocking outbound connections

"Challenge Failed" for Legitimate Users

For reCAPTCHA v3:

• Lower the score threshold (but not below 0.3)
• Some users may trigger false positives

For Turnstile:

• Try switching from Invisible to Managed mode

Testing CAPTCHA

Test Keys (Development Only)

Both Turnstile and reCAPTCHA offer test keys that always pass:

Turnstile Test Keys:

• Site Key: 1x00000000000000000000AA
• Secret Key: 1x0000000000000000000000000000000AA

reCAPTCHA Test Keys:

• Site Key: 6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI
• Secret Key: 6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe

warning

Never use test keys in production—they accept all submissions.

Next Steps

• Google OAuth Setup for social login
• General Settings for more configuration