reCAPTCHA Checkout – Setup & Documentation
WooCommerce reCAPTCHA Checkout
Setup guide and documentation — powered by Web321 Marketing Ltd.
1. What This Plugin Does
Add reCAPTCHA to your WordPress site to protect the WooCommerce checkout.
This plugin protects your WooCommerce checkout page from bots and fraudulent order submissions by supporting both Google reCAPTCHA v2 and v3 with an admin mode selector:
- v2 (Checkbox) — a visible “I’m not a robot” checkbox that customers must tick before placing an order.
- v3 (Invisible / Score-based) — runs silently in the background, assigning each visitor a bot-likelihood score (0.0 = definitely a bot, 1.0 = definitely human). Requests below your configured threshold are blocked.
You can store both key pairs in plugin settings and choose which version is active on checkout.
2. Choosing v2 or v3
The checkout flow depends on your selected mode:
- Customer fills out the checkout form.
- If v2 is selected, the customer must complete the visible checkbox challenge.
- If v3 is selected, a token is generated silently during checkout submission.
- The selected token is sent to your server and verified with Google’s siteverify API.
- If verification fails, the order is blocked and a friendly error is shown.
3. Getting Your API Keys
You can use either version, but the plugin supports saving two separate key pairs — one for v2 and one for v3.
Step-by-step
- Go to https://www.google.com/recaptcha/admin/create (sign in with a Google account).
- Fill in a label (e.g. “My Shop – Checkout v2”).
- Under reCAPTCHA type, select Challenge (v2) → “I’m not a robot” Checkbox.
- Add your domain(s) (e.g. yourstore.com). Also add localhost if you’re testing locally.
- Click Submit. Copy the Site Key and Secret Key. These are your v2 keys.
- Repeat steps 2–5, but this time select Score based (v3). These are your v3 keys.
4. Configuration
Go to Settings → reCAPTCHA Checkout in your WordPress admin.
| Field | Description |
|---|---|
| v2 Site Key | The public key for your v2 reCAPTCHA registration. |
| v2 Secret Key | The private key for your v2 reCAPTCHA. Never share this publicly. |
| v3 Site Key | The public key for your v3 reCAPTCHA registration. |
| v3 Secret Key | The private key for your v3 reCAPTCHA. Never share this publicly. |
| Active reCAPTCHA Version | Choose whether checkout uses v2 Checkbox or v3 Invisible Score. |
| v3 Score Threshold | Score below which requests are blocked (0.1–1.0). Default: 0.5. |
| Failure Message | The error shown to the customer if either check fails. |
| Enable on Checkout | Master on/off switch. Disable to temporarily remove reCAPTCHA without uninstalling. |
5. Understanding the v3 Score Threshold
Google reCAPTCHA v3 returns a score from 0.0 to 1.0 for every request:
- 0.5 (default): Good balance. Recommended by Google for most uses.
- 0.7 or higher: Stricter. May occasionally block legitimate customers.
- 0.3 or lower: Lenient. Lets more suspicious traffic through — only use if you’re seeing false positives.
If legitimate customers are getting blocked, try lowering the threshold slightly. If bots are still getting through, raise it.
6. Troubleshooting
The checkbox isn’t appearing
- Confirm Active reCAPTCHA Version is set to v2.
- Confirm the v2 Site Key is entered correctly under Settings.
- Check your browser console for JavaScript errors.
- Make sure your domain is listed in the reCAPTCHA admin console for your v2 key.
- Some aggressive caching plugins can delay script loading — try with cache cleared.
Orders are being blocked even for real customers
- If you use v3, lower the v3 Score Threshold (e.g. from 0.5 to 0.3).
- If you use v2, test the v2 site and secret keys from the admin screen.
- Check that WP_DEBUG is enabled — v3 scores are logged to the PHP error log.
- Ensure your site is using HTTPS. reCAPTCHA behaves unreliably on HTTP.
“reCAPTCHA verification failed” on every order
- Ensure the selected mode has a valid site key + secret key pair saved.
- Make sure you haven’t swapped the Site Key and Secret Key.
- Verify the domain in Google’s reCAPTCHA console matches the domain you’re testing on.
Conflict with page caching
- Exclude /checkout/ from your caching plugin’s rules. WooCommerce checkout must never be served from a static cache.
7. FAQ
Is this GDPR / PIPEDA compliant?
Google reCAPTCHA sends data to Google’s servers and sets cookies. You should disclose this in your privacy policy. Consider using a cookie consent plugin that gates reCAPTCHA loading until consent is given. Hosting your own anti-bot solution is the only way to avoid Google data sharing entirely.
Does this work with AJAX checkout or block-based checkout?
The plugin hooks into the standard WooCommerce checkout process. It works with the classic shortcode-based checkout (). Full compatibility with the WooCommerce Blocks checkout is planned for a future version — currently the validation hook fires correctly but the widget injection may require a custom block override.
Can I disable just v2 or just v3?
Yes. Choose your active mode in Settings → reCAPTCHA Checkout. You can save both key pairs and switch between v2 and v3 without re-entering keys.
Does this affect site speed?
Google’s reCAPTCHA script is only loaded on the checkout page — it doesn’t affect any other pages. The v3 script adds a small floating badge to the page (required by Google’s ToS). On most sites the impact is negligible.
What happens if Google’s reCAPTCHA service is unavailable?
If the siteverify API call fails (network error, timeout), the plugin currently blocks the order to err on the side of caution. If you prefer to fail open (allow orders through when Google is down), this can be customised via the wrc_fail_open_on_api_error filter hook.
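How a siteverify result maps to an allow or block decision, covering the v3 score threshold from section 5 and the fail-closed default described above. This is an added PHP example, not the plugin's own code. The function name and `$cfg` keys are hypothetical, the hostname check goes beyond what this page says the plugin does, and the sample responses are constructed.

```php
<?php
// Added example, not the plugin's code. Function and $cfg key names are hypothetical.
// Response fields (success, score, hostname, error-codes) are those of Google's siteverify JSON.

/**
 * Decide whether checkout may proceed.
 *
 * @param array|null $resp Decoded siteverify JSON, or null when the API call failed.
 * @param array      $cfg  Keys: mode ('v2'|'v3'), threshold, hostname, fail_open.
 * @return array{0: bool, 1: string} [allow, reason]
 */
function example_recaptcha_decide(?array $resp, array $cfg): array
{
    if ($resp === null) {
        // Network error or timeout. The documented default is to block (fail closed).
        // The plugin exposes this choice through the wrc_fail_open_on_api_error filter;
        // that filter's signature is not documented on this page, so it is modelled as a flag.
        return $cfg['fail_open'] ? [true, 'api-error-fail-open'] : [false, 'api-error'];
    }
    if (empty($resp['success'])) {
        // Invalid, expired or already-used token, or wrong secret key.
        return [false, 'rejected:' . implode(',', $resp['error-codes'] ?? [])];
    }
    if (($resp['hostname'] ?? '') !== $cfg['hostname']) {
        // Token was solved on a different site than the one being protected.
        return [false, 'hostname-mismatch'];
    }
    if ($cfg['mode'] === 'v3') {
        // v2 responses carry no score; only v3 is compared against the threshold.
        $score = (float) ($resp['score'] ?? 0.0);
        if ($score < $cfg['threshold']) {
            return [false, sprintf('score %.1f below %.1f', $score, $cfg['threshold'])];
        }
    }
    return [true, 'ok'];
}

// Constructed sample responses (not captured traffic).
$cfg = ['mode' => 'v3', 'threshold' => 0.5, 'hostname' => 'yourstore.com', 'fail_open' => false];
$samples = [
    'human'    => ['success' => true, 'score' => 0.9, 'hostname' => 'yourstore.com'],
    'low'      => ['success' => true, 'score' => 0.3, 'hostname' => 'yourstore.com'],
    'replayed' => ['success' => false, 'error-codes' => ['timeout-or-duplicate']],
    'outage'   => null,
];
foreach ($samples as $name => $resp) {
    [$allow, $reason] = example_recaptcha_decide($resp, $cfg);
    printf("%-8s %s (%s)\n", $name, $allow ? 'ALLOW' : 'BLOCK', $reason);
}
```

With `fail_open` set to true, the `outage` case is allowed without any bot check, so any condition that makes the siteverify call time out removes the protection for that order.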
8. Support & Credits
This plugin was built by Web321 Marketing Ltd. — a Canadian WordPress development company based in Saanichton, BC.
- Website: web321.co
- Email: shawn@web321.co
This plugin is free. If it’s saved you time or headaches, please consider a small donation.