reCAPTCHA Pricing in 2026: What Changed and What It Costs Now
On April 2, 2026, Google reduced reCAPTCHA's free tier from 1 million assessments per month to just 10,000. If your site handles more than a few hundred visitors per day, you're now paying — or you need to switch. Here's exactly what reCAPTCHA costs in 2026 and whether it's worth it.
What Changed in April 2026
Google restructured reCAPTCHA into three tiers — Essentials, Premium, and Enterprise — and dramatically reduced the free allowance. The old reCAPTCHA (v2 and v3) gave you roughly 1 million free assessments per month with no questions asked. That's gone.
The key detail most developers miss: an "assessment" is not the same as a form submission. Google recommends loading reCAPTCHA v3 on every page to build a behavioural risk score. That means every page view counts against your quota. A site with just 350 daily visitors blows through 10,000 monthly assessments in under a month — even if nobody submits a form.
Alongside the pricing change, Google shifted its contractual role from data controller to data processor under its updated reCAPTCHA Terms of Service. You, the site operator, are now the sole data controller of all reCAPTCHA customer data. This means additional GDPR obligations on your end — not fewer.
reCAPTCHA Pricing Tiers (April 2026)
| Tier | Free Allowance | 10K–100K/month | Above 100K/month | Key Features |
|---|---|---|---|---|
| Essentials | 10,000/month | Not available — must upgrade | Not available | Basic bot detection, score-based (v3 style) |
| Premium | 10,000/month | $8 flat fee | $1 per 1,000 assessments | Enhanced detection, account defender, password leak detection |
| Enterprise | 10,000/month | Custom pricing | ~$1 per 1,000 (volume commitment) | Full feature set, WAF integration, multi-site management, SLA |
The 10,000 free allowance applies per Google Cloud project, not per domain. Agencies managing multiple sites under one GCP project share a single 10K pool — which can run out fast.
Billing setup required: to use any reCAPTCHA tier (including the free Essentials), you now need an active Google Cloud billing account. For hobbyists and small site owners, that credit card requirement alone is reason enough to look elsewhere.
What reCAPTCHA Actually Costs at Scale
The flat $8 fee for Premium up to 100K assessments sounds cheap — until you count actual page loads, not just form submissions. A site with 50,000 monthly visitors running reCAPTCHA v3 site-wide easily generates 100K+ assessments.
| Monthly Assessments | Essentials | Premium | Enterprise (est.) |
|---|---|---|---|
| 10,000 | Free | Free | Free |
| 50,000 | Over limit | $8/month | ~$40/month |
| 100,000 | Over limit | $8/month | ~$90/month |
| 500,000 | Over limit | $408/month | ~$490/month |
| 1,000,000 | Over limit | $908/month | ~$900/month |
Watch the failure mode: if you exceed the Essentials free tier without configuring billing, reCAPTCHA enters a degraded state. Google's documentation indicates the API may return success responses even when quota is exhausted — effectively failing open. Your forms continue accepting submissions, but with no bot protection. There's no visible error to you or your users. Set up billing alerts or monitoring, or switch to a provider without usage caps.
When reCAPTCHA Is Still Worth Paying For
reCAPTCHA isn't dead — it's just no longer free for most sites. Paying makes sense in specific scenarios:
- High-fraud industries — banking, fintech, e-commerce with significant card fraud. reCAPTCHA Enterprise's account defender and password leak detection add real value that alternatives don't offer.
- Existing Google Cloud investment — if you already pay for GCP, reCAPTCHA Enterprise integrates tightly with Cloud Armor WAF and Identity Platform. The $8/month is a rounding error on your existing bill.
- Score-based routing — reCAPTCHA v3's 0.0–1.0 risk score lets you route users to different flows (instant checkout vs. manual review vs. block). Alternatives like Turnstile are binary pass/fail — useful, but less granular.
- Compliance teams that already approved it — switching CAPTCHA providers in a regulated environment takes months of review. If reCAPTCHA is already in your DPIA, the monthly cost may be cheaper than the compliance overhead of migrating.
If none of those apply to you, the maths favours switching.
reCAPTCHA vs Turnstile vs hCaptcha: Pricing Compared
Here's how reCAPTCHA stacks up against the two leading alternatives on cost, privacy, and developer experience:
| reCAPTCHA (Premium) | Cloudflare Turnstile | hCaptcha | |
|---|---|---|---|
| Free tier | 10,000/month | No published usage cap (managed mode) | 100,000/month |
| Paid pricing | $8–$908+/month | Free; Enterprise plan available for advanced features | From $99/month (Pro, billed annually) |
| Cost at 100K/month | $8 | $0 | $0 |
| Cost at 1M/month | $908 | $0 | $99 (Pro tier) |
| User experience | Invisible (v3) or checkbox (v2) | Invisible — no user interaction | Image challenges (free) or invisible (Enterprise) |
| Privacy | Sends data to Google US servers | No tracking cookies, minimal data collection | Privacy-focused, though still third-party processing |
| GDPR burden | High — consent banner, DPIA, privacy policy updates | Low — no cookies, no persistent identifiers | Medium — third-party processing, but simpler than Google |
| PHP integration | Server-side cURL verification | Server-side cURL verification | Server-side cURL verification |
The PHP server-side integration for all three providers follows an identical pattern: receive a token from the client, POST it to a verification endpoint with your secret key, and check the JSON response. Switching providers means changing an endpoint URL, a POST field name, and a secret key. The structure of your verification code stays the same.
See our integration guides for the full implementation: PHP reCAPTCHA, PHP Turnstile, or PHP hCaptcha.
Deciding Whether to Stay or Switch
This comes down to your traffic volume and what you need from bot protection:
- Under 10K assessments and staying on reCAPTCHA v2 (forms only): You're still free on Essentials. But the moment you add v3 site-wide or your traffic grows, you'll hit the cap.
- 10K–100K assessments and cost-sensitive: Cloudflare Turnstile is the pragmatic choice. It's free with no published usage cap, invisible to users, and lighter on privacy obligations. Our Turnstile integration guide covers the migration step by step.
- Privacy or GDPR is a concern: Turnstile (no cookies, no tracking) or hCaptcha (privacy-first, but still third-party). Both are simpler to justify in a DPIA than reCAPTCHA.
- WordPress site: The Simple Cloudflare Turnstile plugin (100K+ installs, 4.7/5 rating) supports 30+ form integrations including Contact Form 7. Uninstall your reCAPTCHA plugin, install Turnstile, enter your keys — five minutes. See our WordPress CAPTCHA plugin comparison for the full picture.
- High-fraud enterprise on GCP: Stay on reCAPTCHA Enterprise. The account defender and fraud scoring justify the cost.
The Verdict
reCAPTCHA's free era is over for any site with meaningful traffic. At 10,000 assessments per month — roughly 350 page views per day with v3 loaded site-wide — the free tier covers almost nobody who actually needs bot protection.
If you're in a high-fraud vertical with a Google Cloud contract, reCAPTCHA Enterprise still earns its keep. For the majority of PHP developers and WordPress site owners, the numbers point to switching. Turnstile costs nothing, requires no billing account, has no usage cap on its free tier, and the server-side PHP code is structurally identical to what you already run.
Pair it with a honeypot field and a CSRF token for a layered defence stack that costs nothing and stops the vast majority of automated abuse. That's the PHP form protection playbook for 2026 — and it doesn't have a billing page.