WP Simple Pay Documentation

Documentation, Reference Materials, and Tutorials for WP Simple Pay

Tips & Tricks

Join our Newsletter

Please enable JavaScript in your browser to complete this form.
Get tips, tricks, and resources delivered directly to your mailbox.

How to Prevent Fraud by Using a CAPTCHA System (Recommended)

A CAPTCHA is an anti-spam technique which helps to protect your website from spam and abuse while letting real people pass through with ease. This can help automatically protect your custom payment forms from excessive declines occurring due to card testing, spam, and other fraud.

We strongly recommend that you enable and configure and use a CAPTCHA implementation as well as email verification to help prevent fraudulent payments.

Choosing a CAPTCHA Service

WP Simple Pay supports three popular services, hCaptcha, Google’s reCAPTCHA, and Cloudflare Turnstile.

ServiceTypePriceRecommended For
hCaptchaImage ChallengeFreeOn-site payment forms
reCAPTCHAInvisible/No FrictionFreeOff-site Stripe Checkout forms
Cloudflare TurnstileAdaptive (checkbox challenge)FreeOn-site payment forms

Google’s reCAPTCHA uses an “invisible challenge” by monitoring the user’s behavior on your site to look for what it considers suspicious activity. When a payment form is submitted reCAPTCHA will assign the user a score. If the score is below the set threshold the request will be rejected.

hCaptcha is a free reCAPTCHA alternative that focuses on user privacy. It only ever collects necessary user data, and clearly lays out which information it collects and how it uses those details. hCaptcha offers you control over the difficulty of the image challenge, ranging from Easy to Always On. Each difficulty level influences how often your users will see an image challenge.

Cloudflare Turnstile is a free CAPTCHA alternative provided by Cloudflare. Similar to hCaptcha there are fewer privacy concerns than using Google reCAPTCHA service. Turnstile offers multiple CAPTCHA types: Managed, Non-interactive, and Invisible. The type can be chosen when creating or configuring the service.

hCaptcha

hCAPTCHA works by preventing non-humans from interacting with your page, meaning that an attacker’s automated system will not be able to use your payment form.

Register for hCaptcha

To enable hCAPTCHA, register your site with hCaptcha:

If you find the Moderate Passing Threshold setting is not reducing card testing, spam, etc., you can switch to the Difficult setting which will show harder challenges.

Configure hCaptcha in WP Simple Pay

After registering you will be redirected to a page where you can retrieve your Sitekey to enter into your WP Simple Pay Pro settings.

wp simple pay hcaptcha sitekey

Your Secret Key can be found by clicking on your avatar in the top right corner of the screen to open your account menu. Then click on Settings. Next, copy your secret key from the Secret key section on this screen.

You will find the hCAPTCHA settings in the WP Simple Pay → Settings → General → Anti-Spam tab.

wp simple pay settings anti spam hcaptcha

You’ll know things are set up correctly when you visit or preview your payment form and see hCAPTCHA’s challenge added to the payment form.

wp simple pay hcaptcha challenge

Google reCAPTCHA

Google’s reCAPTCHA works by preventing non-humans from interacting with your page, meaning that an attacker’s automated system will not be able to use your payment form.

Register for reCAPTCHA

To enable invisible reCAPTCHA, register your site with Google choosing the reCAPTCHA v3:

Google reCAPTCHA settings

If your website can also be accessed via www. please ensure both domains are added to the list: www.my-website.com and my-website.com

Configure reCAPTCHA in WP Simple Pay

After registering you will be redirected to a page where you can retrieve the necessary credentials to enter into your WP Simple Pay Pro settings.

You will find the reCAPTCHA settings near the bottom of the WP Simple Pay → Settings → General → Anti-Spam tab.

wp simple pay settings recaptcha

If you find the Default Score Threshold setting is not reducing card testing, spam, etc., you can switch to the Aggressive setting which will be more stringent in its analysis.

You’ll know things are set up correctly when you visit your website and see Google’s reCAPTCHA privacy and terms overlay in the lower right-hand corner of the page.

google's recaptcha badge

Using additional reCAPTCHA implementations

If you have multiple plugins using reCAPTCHA in addition to the WP Simple Pay implementation, such as Contact Form 7 or another payment plugin, please ensure they are set up using reCAPTCHA v3. Also, use the same Site and Secret keys as entered above to avoid any potential conflicts.

Cloudflare Turnstile

Turnstile works by preventing non-humans from interacting with your page, meaning that an attacker’s automated system will not be able to use your payment form.

Cloudflare Turnstile is not compatible with overlay payment forms. Please use a different CAPTCHA solution if you are displaying your forms in an overlay.

Register for Turnstile

To enable Turnstile, create an account with Cloudflare, and then add your site to Turnstile.

add your site to turnstile

Once you’ve added your Site Name, your Domain and chosen the Widget Type, you can press the Create button.

Your Site Key and Secret Key will be displayed after the Create button is pressed. Keep this page/tab open as you will need to copy and paste these key into Turnstile settings in WP Simple Pay.

Configure Turnstile in WP Simple Pay

You will find the Turnstile settings in the WP Simple Pay → Settings → General → Anti-Spam tab.

Enter your Site Key and Secret Key from the Turnstile settings page into the appropriate fields, and then click the Save Changes button at the bottom of the page.

You’ll know things are set up correctly when you visit or preview your payment form and see Turnstile’s challenge added to the payment form.

Still have questions? We’re here to help!

Last Modified:

Start Accepting Payments Today

Start accepting one-time and recurring payments or donations on your WordPress website.