How to Prevent Fraud by Using a CAPTCHA System (Recommended)
A CAPTCHA is an anti-spam technique which helps to protect your website from spam and abuse while letting real people pass through with ease. This can help automatically protect your custom payment forms from excessive declines occurring due to card testing, spam, and other fraud.
Choosing a CAPTCHA Service
WP Simple Pay supports three popular services: hCaptcha, Google’s reCAPTCHA, and Cloudflare Turnstile.
| Service | Type | Price | Recommended For |
|---|---|---|---|
| hCaptcha | Image Challenge | Free | On-site payment forms |
| reCAPTCHA | Invisible/No Friction | Free | Off-site Stripe Checkout forms |
| Cloudflare Turnstile | Adaptive (checkbox challenge) | Free | On-site payment forms |
Google’s reCAPTCHA uses an “invisible challenge”: it monitors the user’s behavior on your site to look for what it considers suspicious activity. When a payment form is submitted, reCAPTCHA assigns the user a score. If the score is below the set threshold, the request is rejected.
hCaptcha is a free reCAPTCHA alternative that focuses on user privacy. It only ever collects necessary user data, and clearly lays out which information it collects and how it uses those details. hCaptcha offers you control over the difficulty of the image challenge, ranging from Easy to Always On. Each difficulty level influences how often your users will see an image challenge.
Cloudflare Turnstile is a free CAPTCHA alternative provided by Cloudflare. As with hCaptcha, there are fewer privacy concerns than with Google’s reCAPTCHA service. Turnstile offers multiple CAPTCHA types: Managed, Non-interactive, and Invisible. The type can be chosen when creating or configuring the service.
hCaptcha
hCaptcha works by preventing non-humans from interacting with your page, meaning that an attacker’s automated system will not be able to use your payment form.
Register for hCaptcha
To enable hCaptcha, register your site with hCaptcha:
If you find the Moderate Passing Threshold setting is not reducing card testing, spam, etc., you can switch to the Difficult setting which will show harder challenges.
Configure hCaptcha in WP Simple Pay
After registering you will be redirected to a page where you can retrieve your Sitekey to enter into your WP Simple Pay Pro settings.
Your Secret Key can be found by clicking on your avatar in the top right corner of the screen to open your account menu. Then click on Settings. Next, copy your secret key from the Secret key section on this screen.
You will find the hCaptcha settings in the WP Simple Pay → Settings → General → Anti-Spam tab.
You’ll know things are set up correctly when you visit or preview your payment form and see hCaptcha’s challenge added to the payment form.
Google reCAPTCHA
Google’s reCAPTCHA works by preventing non-humans from interacting with your page, meaning that an attacker’s automated system will not be able to use your payment form.
Register for reCAPTCHA
To enable invisible reCAPTCHA, register your site with Google, choosing reCAPTCHA v3:
Configure reCAPTCHA in WP Simple Pay
After registering you will be redirected to a page where you can retrieve the necessary credentials to enter into your WP Simple Pay Pro settings.
You will find the reCAPTCHA settings near the bottom of the WP Simple Pay → Settings → General → Anti-Spam tab.
If you find the Default Score Threshold setting is not reducing card testing, spam, etc., you can switch to the Aggressive setting which will be more stringent in its analysis.
You’ll know things are set up correctly when you visit your website and see Google’s reCAPTCHA privacy and terms overlay in the lower right-hand corner of the page.
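The score check described above, sketched as an added example (not WP Simple Pay’s own code): it evaluates the JSON that Google’s siteverify endpoint returns for a reCAPTCHA v3 token and rejects anything that is not an explicit pass. The function name, the 0.5 threshold, the hostname and the action name are assumptions chosen for illustration, and the sample responses are constructed.

```php
<?php
// Added example: evaluate a reCAPTCHA v3 siteverify response for a payment form.
// Threshold, hostname and action name are illustrative assumptions.

/**
 * Returns [bool $accepted, string $reason] for one siteverify JSON body.
 */
function evaluate_recaptcha_v3(string $json, string $expectedHost, string $expectedAction, float $threshold): array
{
    $data = json_decode($json, true);
    if (!is_array($data)) {
        return [false, 'malformed verification response'];
    }
    // Fail closed: anything other than an explicit success is a rejection.
    if (($data['success'] ?? false) !== true) {
        $codes = implode(',', (array) ($data['error-codes'] ?? []));
        return [false, "verification failed: $codes"];
    }
    // A token issued for another site or another form must not pass here.
    if (($data['hostname'] ?? '') !== $expectedHost) {
        return [false, 'hostname mismatch'];
    }
    if (($data['action'] ?? '') !== $expectedAction) {
        return [false, 'action mismatch'];
    }
    $score = $data['score'] ?? null;
    if (!is_float($score) && !is_int($score)) {
        return [false, 'missing score'];
    }
    // Reject when the score is below the configured threshold.
    if ($score < $threshold) {
        return [false, sprintf('score %.1f below threshold %.1f', $score, $threshold)];
    }
    return [true, 'ok'];
}

// Constructed sample responses (not captured from a real site).
$samples = [
    'likely human' => '{"success":true,"score":0.9,"action":"payment_form","hostname":"shop.example"}',
    'likely bot'   => '{"success":true,"score":0.1,"action":"payment_form","hostname":"shop.example"}',
    'reused token' => '{"success":false,"error-codes":["timeout-or-duplicate"]}',
    'other site'   => '{"success":true,"score":0.9,"action":"payment_form","hostname":"other.example"}',
];

foreach ($samples as $label => $json) {
    [$ok, $reason] = evaluate_recaptcha_v3($json, 'shop.example', 'payment_form', 0.5);
    printf("%-13s %s (%s)\n", $label, $ok ? 'ACCEPT' : 'REJECT', $reason);
}
```

Raising the threshold argument makes the check stricter, which is the effect of moving from a default to a more aggressive setting.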
Using additional reCAPTCHA implementations
If you have multiple plugins using reCAPTCHA in addition to the WP Simple Pay implementation, such as Contact Form 7 or another payment plugin, please ensure they are set up using reCAPTCHA v3. Also, use the same Site and Secret keys as entered above to avoid any potential conflicts.
Cloudflare Turnstile
Turnstile works by preventing non-humans from interacting with your page, meaning that an attacker’s automated system will not be able to use your payment form.
Register for Turnstile
To enable Turnstile, create an account with Cloudflare, and then add your site to Turnstile.
Once you’ve added your Site Name and Domain and chosen the Widget Type, you can press the Create button.
Your Site Key and Secret Key will be displayed after the Create button is pressed. Keep this page/tab open, as you will need to copy and paste these keys into the Turnstile settings in WP Simple Pay.
Configure Turnstile in WP Simple Pay
You will find the Turnstile settings in the WP Simple Pay → Settings → General → Anti-Spam tab.
Enter your Site Key and Secret Key from the Turnstile settings page into the appropriate fields, and then click the Save Changes button at the bottom of the page.
You’ll know things are set up correctly when you visit or preview your payment form and see Turnstile’s challenge added to the payment form.