WordPress sites attract a constant stream of automated spam — comment spam, fake registrations, contact form abuse, bot-driven checkout attempts. Which CAPTCHA plugin you pick depends on user friction tolerance, GDPR requirements, and whether external API calls are acceptable.
Cloudflare Turnstile is the default choice for most sites: invisible, free, no ad-network data collection. But it is not right for every setup. This page covers when a self-hosted or no-API solution fits better.
Plugin comparison
| Plugin | Type | Free | User friction | Privacy / GDPR | Setup complexity | Forms covered |
|---|---|---|---|---|---|---|
| Simple Cloudflare Turnstile | Invisible verification | Yes | None | Good — no ad-network data | Low — enter two keys | Login, register, comment, CF7, WooCommerce, lost password |
| hCaptcha for WordPress | Image puzzle | Yes | Medium — solves image challenge | Better than reCAPTCHA | Low | Login, register, comment |
| WP Google reCAPTCHA | v3 (invisible) or v2 (checkbox) | Yes | None (v3) / Low (v2) | Poor — Google data collection; GDPR consent required in EU | Low | Wide — most major form plugins |
| Really Simple CAPTCHA | Image math challenge | Yes | Low — simple arithmetic | Excellent — no external calls | Low | Contact Form 7 native integration |
| Securimage-WP | Self-hosted image CAPTCHA | Yes (GPL) | Medium — solves image challenge | Excellent — fully self-hosted | Medium — requires GD extension | Comment forms; check plugin page for current coverage |
| WPForms (free tier) | Honeypot + optional CAPTCHA | Yes (honeypot) | None | Good (honeypot-only mode) | Low | WPForms drag-and-drop forms |
Recommended: Simple Cloudflare Turnstile
"Simple Cloudflare Turnstile" has 50,000+ active installs. It wraps Cloudflare's Turnstile service — invisible verification using browser signals instead of puzzles.
Installation: In your WordPress admin panel, go to Plugins > Add New and search for "Simple Cloudflare Turnstile". Install and activate. Then create a free Cloudflare account, navigate to the Turnstile section, register your domain, and copy the site key and secret key into the plugin settings.
What it protects: WordPress login, user registration, comment submission, Contact Form 7 forms, WooCommerce checkout and login, and the lost password form. One plugin covers most attack surfaces.
Why it is the default recommendation:
- Users see no challenge — verification runs in the background
- Free up to 1 million verifications per month
- Cloudflare does not use verification data for advertising, so GDPR compliance is simpler than with Google reCAPTCHA
- No impact on conversion rates or accessibility
hCaptcha for WordPress
hCaptcha is the most privacy-conscious image-challenge CAPTCHA. The official "hCaptcha for WordPress" plugin is well-maintained and covers login, registration, and comment forms.
On the free tier, users solve image puzzles like reCAPTCHA v2 ("select all images with traffic lights"). hCaptcha is less aggressive than reCAPTCHA, so most users finish in a few seconds.
Site owners earn micropayments for each completed challenge — a small revenue stream that funds the service.
Choose hCaptcha if your users expect a visible puzzle, or if you are migrating from reCAPTCHA and want similar UX with better privacy.
WP Google reCAPTCHA
Multiple plugins add reCAPTCHA to WordPress; the most widely installed is "reCAPTCHA by BestWebSoft". It supports reCAPTCHA v3 (invisible, score-based) and v2 (the "I'm not a robot" checkbox).
The main concern is Google's data collection. reCAPTCHA sends visitor browser data, cookies, and behaviour signals to Google. In the EU this requires GDPR consent. If your site already uses Google services (Analytics, Tag Manager), the incremental privacy cost is lower. If you are reducing third-party dependencies, reCAPTCHA moves you the wrong way.
Bot detection is strong — Google's model is well-trained. If GDPR compliance is not a concern and you already use Google services, reCAPTCHA is a workable choice. Otherwise, Turnstile covers the same ground with better privacy.
Really Simple CAPTCHA and math CAPTCHA plugins
Really Simple CAPTCHA generates image-based math questions. It was originally bundled with Contact Form 7 and is now a standalone plugin. It uses no external service, stores nothing, and makes no third-party calls.
The trade-off is accuracy: simple image math challenges are solvable by OCR tools, and the challenge images are low-entropy. For low-traffic sites receiving basic spam, it is often sufficient. For anything with real traffic or an abuse incentive, it will not hold.
If you want the no-external-service approach, honeypot + Really Simple CAPTCHA is a reasonable starting point. See the math CAPTCHA PHP guide for the underlying technique.
Securimage-WP
Securimage-WP brings the Securimage self-hosted CAPTCHA library into WordPress. No external API, GPL-licensed, fully under your control. It generates distorted text and audio CAPTCHAs from your server using PHP's GD image extension.
Requirements: PHP GD extension enabled on your host. The Securimage WordPress plugin download page has current compatibility and installation details.
This is the right choice for sites that cannot use external verification — regulated industries, internal tools, or any setup where a third-party API call is unacceptable.
Coverage is currently focused on comment forms; check the plugin page for supported form integrations before installing.
WPForms and honeypot-based protection
WPForms includes honeypot protection in its free tier — no CAPTCHA required. For many contact forms, a honeypot alone stops most spam. See the PHP honeypot guide for how the technique works.
If you use Contact Form 7, the "CF7 Honeypot" plugin adds the same protection without a CAPTCHA API. This is the lowest-friction starting point: zero user friction, no API keys, no external calls.
Add Turnstile on top if the honeypot alone is not enough. The combination is invisible to users and stops most bots.
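The honeypot-plus-Turnstile combination described above, together with the site key / secret key split from the Turnstile setup section, as an added example that is not the page's code and not any of the plugins' code: a small WordPress snippet (drop it in an mu-plugin) that adds a CSS-hidden honeypot field and the Turnstile widget to the comment form, then checks both in `preprocess_comment` before the comment is stored. The placeholder keys, the `example_` function names and the honeypot field name are this example's own assumptions; the `siteverify` endpoint, the `api.js` script and the `cf-turnstile-response` field are Cloudflare's documented ones.

```php
<?php
// Added example (not from the page or any plugin): honeypot field + Cloudflare Turnstile on the
// WordPress comment form. Keys are placeholders; function/field names are this example's own.
define( 'EXAMPLE_TURNSTILE_SITE_KEY', 'SITE-KEY-PLACEHOLDER' );   // public, rendered into the page
define( 'EXAMPLE_TURNSTILE_SECRET',   'SECRET-KEY-PLACEHOLDER' ); // private, server-side only
// 1. Render fields: a honeypot input hidden by CSS (not type="hidden", so naive bots still fill it)
//    plus the Turnstile widget. The two hooks cover logged-out and logged-in commenters.
add_action( 'comment_form_after_fields', 'example_render_antispam_fields' );
add_action( 'comment_form_logged_in_after', 'example_render_antispam_fields' );
function example_render_antispam_fields() {
    echo '<p style="position:absolute;left:-9999px" aria-hidden="true"><label>Leave empty '
       . '<input type="text" name="example_hp_url" tabindex="-1" autocomplete="off"></label></p>';
    echo '<div class="cf-turnstile" data-sitekey="' . esc_attr( EXAMPLE_TURNSTILE_SITE_KEY ) . '"></div>';
}
add_action( 'wp_enqueue_scripts', function () {
    if ( is_singular() && comments_open() ) {
        wp_enqueue_script( 'cf-turnstile', 'https://challenges.cloudflare.com/turnstile/v0/api.js', array(), null, true );
    }
} );
// 2. Verify server side before WordPress stores the comment: honeypot first (no network call),
//    then the Turnstile token that the widget posts as cf-turnstile-response.
add_filter( 'preprocess_comment', 'example_check_antispam' );
function example_check_antispam( $commentdata ) {
    if ( ! empty( $_POST['example_hp_url'] ) ) { // real browsers leave the hidden field empty
        wp_die( 'Comment rejected.', 'Spam check', array( 'response' => 403 ) );
    }
    $token = isset( $_POST['cf-turnstile-response'] )
        ? sanitize_text_field( wp_unslash( $_POST['cf-turnstile-response'] ) ) : '';
    if ( ! example_turnstile_verify( $token, $_SERVER['REMOTE_ADDR'] ?? '' ) ) {
        wp_die( 'Verification failed; go back and try again.', 'Spam check', array( 'response' => 403 ) );
    }
    return $commentdata;
}
// Calls Cloudflare's siteverify endpoint with the secret key. Fails closed: a timeout, a non-200
// reply or a missing token rejects the comment rather than letting it through unverified.
function example_turnstile_verify( $token, $remote_ip ) {
    if ( '' === $token ) { return false; }
    $resp = wp_remote_post( 'https://challenges.cloudflare.com/turnstile/v0/siteverify', array(
        'timeout' => 5,
        'body'    => array( 'secret' => EXAMPLE_TURNSTILE_SECRET, 'response' => $token, 'remoteip' => $remote_ip ),
    ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return false;
    }
    $data = json_decode( wp_remote_retrieve_body( $resp ), true );
    return is_array( $data ) && ! empty( $data['success'] );
}
```

Turnstile tokens are single-use and short-lived, so a form that is re-submitted after an error needs a freshly rendered widget; the honeypot check costs nothing and runs first so that obvious bots never trigger the verification call.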
What about Akismet?
Akismet and CAPTCHA plugins solve different problems. Akismet is spam filtering: it examines content after submission and marks it as spam or legitimate. A CAPTCHA or honeypot is pre-submission: it stops bots from completing the form at all.
They complement each other. Akismet catches spam that gets through your CAPTCHA; your CAPTCHA reduces the volume Akismet has to process. For comment-heavy sites, running both is stronger: Turnstile or a honeypot on the form, Akismet catching what slips through.
Akismet requires an API key (free for personal sites, paid for commercial use). Factor that into your stack decision.
Verdict:
- Default for most sites: Install "Simple Cloudflare Turnstile" — invisible, free, no GDPR issues, broad form coverage.
- No external services / maximum privacy: Securimage-WP for comment forms; add a honeypot plugin for contact forms.
- WooCommerce / high-volume sites: Turnstile on checkout and login + Akismet for double coverage.
- Starting out / minimum friction: WPForms honeypot (free, zero friction, no API key). Upgrade to Turnstile if spam still gets through.
- Already on Google stack, GDPR not a constraint: reCAPTCHA v3 via BestWebSoft plugin is a workable choice.
Also see: CAPTCHA alternatives comparison, Cloudflare Turnstile vs reCAPTCHA, reCAPTCHA vs hCaptcha.