WP Simple Pay Documentation

Anti-Spam Reference

Reading time: 7 minutes | Difficulty: Beginner

The Anti-Spam settings subsection showing the four CAPTCHA provider cards and the Email Verification toggle.

Overview

Card-testing is the most common form of automated abuse against WordPress payment forms — bots submit thousands of stolen card numbers per hour to find which ones still work. WP Simple Pay’s Anti-Spam settings give you two complementary defences:

  1. CAPTCHA — Stops automated submissions before they even reach Stripe. Choose between Google reCAPTCHA v3, hCaptcha, or Cloudflare Turnstile.
  2. Email Verification — A reactive layer that requires customers to confirm their email address after a configurable number of fraud declines have occurred within a configurable timeframe.

Both layers are configured under WP Simple Pay > Settings > General > 🛡️ Anti-Spam.

Prerequisites

  • WP Simple Pay (CAPTCHA is available in the free version)
  • WP Simple Pay Pro for Email Verification

CAPTCHA

The CAPTCHA setting at the top of the Anti-Spam tab lets you choose one provider — None, Google reCAPTCHA v3, hCaptcha, or Cloudflare Turnstile. After picking a provider, the matching credential fields appear below.

Google reCAPTCHA v3

Score-based, invisible CAPTCHA from Google. No customer interaction required — Google scores each request 0.0 (likely bot) to 1.0 (likely human) and WP Simple Pay blocks submissions below the threshold.

  • Site Key — Public credential from your reCAPTCHA admin console.
  • Secret Key — Private credential from your reCAPTCHA admin console.

Setup: Sign up at google.com/recaptcha/admin, choose reCAPTCHA v3 (not v2), add your domain, and paste the resulting keys.

hCaptcha

Privacy-friendly Google reCAPTCHA alternative. Visible challenge widget that customers solve once. Same data shape as reCAPTCHA — site key + secret key.

  • Site Key — From your hCaptcha dashboard.
  • Secret Key — From your hCaptcha dashboard.

Setup: Sign up at hcaptcha.com, retrieve credentials, and paste them in.

Cloudflare Turnstile

Cloudflare’s free, privacy-respecting CAPTCHA. Often invisible, occasionally interactive. Same configuration shape — site key + secret key.

  • Site Key — From your Cloudflare Turnstile dashboard.
  • Secret Key — From your Cloudflare Turnstile dashboard.

Setup: Sign up at cloudflare.com/products/turnstile, create a Turnstile widget, and paste the keys.

Choosing a Provider

Provider             | Cost              | Customer friction      | Privacy              | Notes
---------------------|-------------------|------------------------|----------------------|-------------------------------------------------
reCAPTCHA v3         | Free              | None (invisible)       | Sends data to Google | Best default if you already use Google services
hCaptcha             | Free / Paid tiers | Low (occasional click) | Privacy-respecting   | Good GDPR alternative to reCAPTCHA
Cloudflare Turnstile | Free              | Mostly none            | Privacy-respecting   | Best choice if you already use Cloudflare

You can only enable one provider at a time. To switch providers, change the CAPTCHA selection at the top of the tab — the previous credentials remain saved but inactive until you switch back.

Email Verification

Email Verification is a reactive defence that activates only after WP Simple Pay detects a pattern of fraudulent payment attempts. It is designed to stay invisible to legitimate customers during normal traffic and to kick in only while an attack is under way.

How It Works

  1. WP Simple Pay listens for charge.failed webhooks from Stripe with a fraudulent outcome.
  2. When the count of fraud declines crosses your configured threshold within the configured timeframe, every subsequent on-site payment form requires email verification before submission.
  3. Customers receive a verification code at the email address they entered. They must enter the code to complete payment.
  4. Once the timeframe elapses with no further fraud events, verification is automatically disabled.

Settings

  • Email Verification (Enable/Disable) — Master toggle. Highly recommended to leave on.
  • Threshold — Number of fraud declines required before verification activates. Default: 3.
  • Timeframe — Window (in hours) during which the threshold is measured. Default: 6 hours.

Tuning the Threshold and Timeframe

The defaults (3 declines in 6 hours) are deliberately conservative — they catch obvious card-testing without hassling customers during normal traffic spikes.

  • Lower the threshold if you’ve been targeted before and want a faster reaction (e.g., 2 declines).
  • Lower the timeframe if your site has high transaction volume and 6 hours of history would mask a fresh attack.
  • Raise the threshold if you have very high traffic and the default is triggering on normal noise.

How CAPTCHA and Email Verification Interact

The two layers are complementary, not redundant:

  • CAPTCHA runs on every submission and blocks bots before they reach Stripe.
  • Email Verification runs after the fact, only when CAPTCHA has been bypassed (e.g., by a human-driven attack) and fraud declines have already accumulated.

For best results, enable both. CAPTCHA handles 99% of automated abuse cheaply; Email Verification catches the 1% that gets through.

Anti-Spam in the Form Builder

In addition to the global settings, individual forms can opt into Email Verification under the form editor’s General tab. This is useful when you have a high-risk form (e.g., a small donation form) that you always want verified, regardless of whether the global threshold has been reached.
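The trigger logic from How It Works (steps 1 to 4), the Threshold and Timeframe settings, and the per-form override above can be modelled as a sliding-window counter with a cool-down. The following is an added illustration written for this page, not WP Simple Pay's own code: the `outcome.reason` values treated as fraud, the simplified webhook payload, and the `always_verify_forms` override are all assumptions.

```python
from collections import deque
from datetime import datetime, timedelta, timezone

FRAUD_REASONS = {"fraudulent", "highest_risk_level"}  # assumption: Stripe outcome.reason values treated as fraud

class EmailVerificationPolicy:  # model of the reactive trigger described above, not the plugin's own code
    def __init__(self, threshold=3, timeframe_hours=6, always_verify_forms=()):
        self.threshold = threshold                           # page default: 3 fraud declines
        self.timeframe = timedelta(hours=timeframe_hours)    # page default: 6-hour window
        self.always_verify_forms = set(always_verify_forms)  # hypothetical per-form "always verify" override
        self._declines, self._last_fraud = deque(), None     # decline timestamps in window; newest fraud decline
        self._active = False

    def record_webhook(self, event, now):
        # Step 1: only charge.failed events whose outcome is fraudulent are counted; other failures are noise.
        outcome = event.get("data", {}).get("object", {}).get("outcome") or {}
        if event.get("type") == "charge.failed" and outcome.get("reason") in FRAUD_REASONS:
            self._declines.append(now)
            self._last_fraud = now

    def verification_required(self, form_id, now):
        # Steps 2-4: latch on once the window holds >= threshold declines; release after a quiet timeframe.
        if form_id in self.always_verify_forms:
            return True
        while self._declines and now - self._declines[0] >= self.timeframe:
            self._declines.popleft()   # decline aged out of the counting window
        if len(self._declines) >= self.threshold:
            self._active = True
        elif self._last_fraud is None or now - self._last_fraud >= self.timeframe:
            self._active = False
        return self._active

def make_event(reason):  # constructed, heavily simplified charge.failed payload
    return {"type": "charge.failed", "data": {"object": {"outcome": {"reason": reason}}}}

def simulate_card_testing_burst():  # replays a constructed decline timeline, returning the state at key moments
    policy = EmailVerificationPolicy(always_verify_forms={"donation-form"})
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    at = lambda hours: t0 + timedelta(hours=hours)
    results = {}
    policy.record_webhook(make_event("insufficient_funds"), at(0))   # ordinary decline, not counted
    policy.record_webhook(make_event("fraudulent"), at(0))
    policy.record_webhook(make_event("fraudulent"), at(1))
    results["two_declines"] = policy.verification_required("checkout", at(1))        # still below 3
    policy.record_webhook(make_event("fraudulent"), at(2))
    results["third_decline"] = policy.verification_required("checkout", at(2))       # threshold reached
    results["seven_hours"] = policy.verification_required("checkout", at(7))         # last fraud 5h ago: stays on
    results["eight_hours"] = policy.verification_required("checkout", at(8))         # 6h with no fraud: off
    results["opted_in_form"] = policy.verification_required("donation-form", at(8))  # per-form override
    return results
```

The timeline shows why the defaults are conservative: two fraud declines never trigger anything, and once triggered, verification stays on only until a full timeframe has passed without another fraud event.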

Frequently Asked Questions

Will customers see the CAPTCHA on every form?

reCAPTCHA v3 and Cloudflare Turnstile are usually invisible — most customers never see a challenge. hCaptcha shows a small widget that requires one click. None of them block legitimate customers under normal conditions.

Why do I see “🛡️ Anti-Spam” instead of “reCAPTCHA”?

The tab was renamed from reCAPTCHA to Anti-Spam when hCaptcha and Cloudflare Turnstile support was added. The reCAPTCHA name lingers in some older documentation; the underlying settings are the same.

Are CAPTCHA settings respected on Stripe Checkout (off-site) forms?

CAPTCHA is enforced on the WordPress side before the redirect to Stripe Checkout. Stripe’s hosted page also has its own bot protections. For on-site forms (Embedded/Overlay), CAPTCHA validates each submission before the payment is created.

Do I need a CAPTCHA if I have Email Verification?

Both serve different purposes. CAPTCHA blocks bots. Email Verification blocks human-driven card testing where the attacker can solve the CAPTCHA but doesn’t have access to many real email inboxes. Use both if your site processes meaningful payment volume.

What happens to verification codes after the timeframe ends?

Expired codes are cleaned up by a scheduled task (simpay_cleanup_email_verification_codes). They’re invalidated automatically and can’t be reused.

Can I exempt specific forms from Anti-Spam?

Yes — see the per-form General tab settings. You can override the global behavior on a per-form basis when needed.
