How to Add CAPTCHA to Contact Form 7 (reCAPTCHA, hCaptcha, Turnstile)
Contact Form 7 is the most-installed form plugin in WordPress (5M+ active sites), and every one of those forms is a spam target. This guide covers the three CAPTCHA services worth using with CF7 in 2026 — reCAPTCHA v3, hCaptcha, and Cloudflare Turnstile — with the exact plugin and setup steps for each.
Important context: Google cut reCAPTCHA's free tier from 1M to 10,000 assessments/month in April 2026. If you're choosing a CAPTCHA for the first time, start with the Turnstile section. If you're already on reCAPTCHA and wondering whether to stay, see our reCAPTCHA pricing breakdown.
A note on Securimage-WP: the self-hosted Securimage CAPTCHA plugin was closed on WordPress.org in July 2023 due to an XSS vulnerability. It hasn't been updated since 2018 and is not compatible with current WordPress versions. Do not install it.
Which CAPTCHA Should You Pick for CF7?
| | reCAPTCHA v3 | hCaptcha | Cloudflare Turnstile |
|---|---|---|---|
| Cost | Free up to 10K assessments/month; $8/mo after | Free up to 100K/month; $99/mo Pro | Free — no published usage cap |
| User experience | Invisible (score-based) | Image challenges (free tier) | Usually invisible; may show a checkbox on suspicious IPs |
| CF7 integration | Built-in (CF7 5.1+) | Plugin required | Built-in (CF7 5.9+) or plugin |
| GDPR | Requires consent banner + DPIA | Third-party processing, simpler than Google | No cookies or persistent IDs — easier to justify, but still routes through Cloudflare servers |
| Best for | Sites needing score-based routing, already on GCP | Sites wanting visual challenges and privacy-first processing | Most sites — free, mostly invisible, lightest setup |
Quick verdict: Turnstile is the best default for most WordPress sites. It costs nothing, requires minimal user interaction, and avoids the GDPR complexity of reCAPTCHA. Use reCAPTCHA v3 only if you need score-based detection and are willing to pay. Use hCaptcha if you need a visual challenge or your audience distrusts both Google and Cloudflare.
Option 1: Cloudflare Turnstile (Recommended)
Turnstile is Cloudflare's invisible CAPTCHA replacement. In Managed mode, most users see nothing; suspicious visitors may see a simple checkbox. CF7 5.9+ includes native Turnstile support — no plugin needed.
Setup (Native CF7 5.9+ Integration)
- Sign up at dash.cloudflare.com (free account — your domain doesn't need to use Cloudflare DNS).
- Navigate to Turnstile in the sidebar. Create a widget, choose Managed mode, and add your domain.
- Copy your Site Key and Secret Key.
- In WordPress, go to Contact > Integration > Turnstile.
- Paste your keys. Save.
Turnstile is now active on all CF7 forms. No form tags or shortcodes needed.
Alternative: Simple Cloudflare Turnstile Plugin
If your CF7 version is below 5.9 or you also need Turnstile on login pages, registration, and WooCommerce checkout, install Simple Cloudflare Turnstile (100K+ installs, 4.7/5). It supports 30+ integrations and is 100% free. Enter your keys at Settings > Cloudflare Turnstile and enable the CF7 integration.
What to Watch For
- VPN and corporate network users may see a visible challenge or get blocked. Monitor with Flamingo and provide a fallback email address on your contact page.
- Detection is binary — pass or fail. No score to tune. For most contact forms this is ideal; if you need score-based routing, reCAPTCHA v3 is the only option.
- No Cloudflare DNS required. A free Cloudflare account is enough to get Turnstile keys.
Option 2: reCAPTCHA v3 (Built-in to CF7)
Contact Form 7 5.1+ has native reCAPTCHA v3 support. Note that CF7 dropped v2 support; if you need the checkbox or image challenge, you need a third-party plugin.
Setup
- Register your site at google.com/recaptcha/admin. Choose reCAPTCHA v3. Enter your domain without the protocol (`example.com`, not `https://example.com`). Add both `example.com` and `www.example.com`.
- In WordPress, go to Contact > Integration > reCAPTCHA.
- Paste your Site Key and Secret Key. Save.
reCAPTCHA v3 is now active on every CF7 form.
Critical: Limit reCAPTCHA to Form Pages Only
CF7 loads the reCAPTCHA v3 script on every page of your site — not just pages with forms. Every page load counts as an assessment against your 10K monthly free tier. A site with 350 daily page views exhausts that limit in a month.
Fix this by dequeuing the script on pages that don't have a form:
```php
<?php
// Add to functions.php or a custom plugin
// Only load reCAPTCHA on pages that actually have a CF7 form
add_action('wp_enqueue_scripts', function (): void {
    // List the page slugs or IDs that contain your forms
    if (!is_page(['contact', 'support', 'apply'])) {
        wp_dequeue_script('google-recaptcha');
        wp_dequeue_script('wpcf7-recaptcha');
    }
}, 100); // Priority 100 to run after CF7 enqueues its scripts
```
This single snippet can cut your assessment count by 80–90%.
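A hard-coded slug list goes stale when a form is added to a new page, and a page that has a form but no reCAPTCHA script has its submissions rejected. The variant below is an added example, not code from Contact Form 7 or the original snippet: it detects the form in the post content instead, and the `myprefix_` function and the `myprefix_cf7_extra_pages` filter are hypothetical names.

```php
<?php
// Added example: dequeue reCAPTCHA everywhere except where a CF7 form renders.
// 'myprefix_' names and the 'myprefix_cf7_extra_pages' filter are hypothetical.

function myprefix_request_has_cf7_form(): bool {
    // Forms placed in widgets, footers or page-builder templates are not in
    // post_content, so those pages must be listed explicitly (slugs or IDs).
    $extra_pages = apply_filters('myprefix_cf7_extra_pages', []);
    if ($extra_pages && is_page($extra_pages)) {
        return true; // the guard matters: is_page([]) is true on every page
    }

    if (!is_singular()) {
        return false; // archives, search, 404: no single post to inspect
    }

    $post = get_post();
    if (!$post instanceof WP_Post) {
        return false;
    }

    // Shortcode in the content, or the CF7 block in the block editor.
    return has_shortcode($post->post_content, 'contact-form-7')
        || has_block('contact-form-7/contact-form-selector', $post);
}

add_action('wp_enqueue_scripts', function (): void {
    if (myprefix_request_has_cf7_form()) {
        return; // keep the scripts: a submission without a token is treated as spam
    }
    wp_dequeue_script('google-recaptcha');
    wp_dequeue_script('wpcf7-recaptcha');
}, 100); // Priority 100 to run after CF7 enqueues its scripts
```

After deploying, submit each form once and confirm in Flamingo that the entry is not marked as spam.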
Adjusting the Score Threshold
CF7 defaults to a 0.5 score threshold but doesn't expose it in the admin UI. To change it:
```php
<?php
// Lower the reCAPTCHA v3 threshold to reduce false positives
// Range: 0.0 (allow everything) to 1.0 (block everything)
add_filter('wpcf7_recaptcha_threshold', function (): float {
    return 0.3; // More permissive — good for low-traffic sites
});
```
What to Watch For
- Token expiration: reCAPTCHA v3 tokens expire after 2 minutes. Users composing long messages may hit a silent validation failure. CF7 handles token refresh, but caching plugins that defer JavaScript can break it.
- Cache exclusions: if you use WP Rocket, LiteSpeed Cache, or W3 Total Cache, exclude these scripts from minification and deferral:
  - `google.com/recaptcha/api.js`
  - `www.google.com/recaptcha/api.js`
  - `www.gstatic.com/recaptcha/`
- Low-traffic score drift: reCAPTCHA v3 needs traffic to calibrate. New sites often see legitimate users scoring 0.1–0.3, triggering false positives. Install Flamingo to log submissions — the reCAPTCHA score appears in each entry's metadata.
Option 3: hCaptcha
hCaptcha is a privacy-focused alternative that shows image challenges on its free tier. It requires a plugin to work with CF7.
Plugin: hCaptcha for WordPress
hCaptcha for WordPress (70K+ installs, 4.5/5) is the official hCaptcha plugin with native CF7 support and 60+ other integrations. It includes built-in honeypot and minimum submission time features.
Setup
- Sign up at hcaptcha.com and get your Site Key and Secret Key.
- Install and activate hCaptcha for WordPress.
- Go to hCaptcha > Settings. Enter your keys.
- Under Integrations, enable Contact Form 7.
- Add the `[cf7-hcaptcha]` form tag to your CF7 form where you want the challenge to appear.
What to Watch For
- Image challenges cause friction. hCaptcha's free tier shows visual puzzles that some users find harder than reCAPTCHA's. Expect slightly lower form completion rates.
- Free tier caps at 100K requests/month. Beyond that, Pro starts at $99/month (billed annually).
- Privacy isn't absolute. hCaptcha collects IP addresses, browser fingerprints, and behavioural signals — they just don't use that data for ad targeting. For the lightest third-party footprint, Turnstile is simpler.
Layer Your Defences
No CAPTCHA stops all spam alone. The most effective CF7 anti-spam setup combines:
- CAPTCHA (Turnstile, hCaptcha, or reCAPTCHA) — stops automated bots.
- Honeypot fields — catches simple bots with zero user friction. The CF7 Honeypot plugin (300K+ installs) adds this with the `[honeypot your-honeypot]` form tag.
- Akismet or CleanTalk — catches human spam and disposable email addresses.
- Server-level rate limiting — Wordfence or fail2ban to block IP addresses making bulk submissions.
Troubleshooting
CAPTCHA badge appears but validation fails silently
This is the #1 issue and it's almost always one of these:
- Domain format mismatch — the most common cause. In the reCAPTCHA or Turnstile dashboard, your domain must be entered without the protocol (`example.com`, not `https://example.com`). Register both `example.com` and `www.example.com`. Subdomain mismatches break validation silently.
- Caching plugin interference — your cache is minifying or deferring the CAPTCHA script. Exclude the URLs listed in the reCAPTCHA section above. For Turnstile, exclude `challenges.cloudflare.com/turnstile/v0/api.js`.
- Verify in DevTools — open Network tab, submit the form, and check the verification POST response for error codes.
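The browser never sees the server-to-server verification call, so a wrong secret key or blocked outbound HTTPS also produces a silent failure. The check below is an added example, not part of CF7 or any CAPTCHA plugin: it posts a deliberately invalid token to the provider's siteverify endpoint and reports whether the secret itself was rejected. The function name and dummy token are hypothetical, and it assumes the provider reports a bad secret even when the token is also invalid.

```php
<?php
// Added example: server-side sanity check for a CAPTCHA secret key.
// myprefix_check_captcha_secret() and the dummy token are hypothetical.

function myprefix_check_captcha_secret(string $provider, string $secret): array {
    $endpoints = [
        'recaptcha' => 'https://www.google.com/recaptcha/api/siteverify',
        'hcaptcha'  => 'https://api.hcaptcha.com/siteverify',
        'turnstile' => 'https://challenges.cloudflare.com/turnstile/v0/siteverify',
    ];
    if (!isset($endpoints[$provider])) {
        return ['ok' => false, 'reason' => 'unknown provider'];
    }

    $response = wp_remote_post($endpoints[$provider], [
        'timeout' => 10,
        'body'    => ['secret' => $secret, 'response' => 'constructed-dummy-token'],
    ]);
    if (is_wp_error($response)) {
        // Outbound HTTPS blocked by the host or a firewall: every submission fails.
        return ['ok' => false, 'reason' => 'request failed: ' . $response->get_error_message()];
    }

    $data = json_decode(wp_remote_retrieve_body($response), true);
    if (!is_array($data)) {
        $status = wp_remote_retrieve_response_code($response);
        return ['ok' => false, 'reason' => 'non-JSON reply, HTTP ' . $status];
    }

    // The dummy token must fail; only secret-related codes indicate a key problem.
    $codes = (array) ($data['error-codes'] ?? []);
    if (array_intersect($codes, ['missing-input-secret', 'invalid-input-secret'])) {
        return ['ok' => false, 'reason' => 'secret key rejected', 'codes' => $codes];
    }
    return ['ok' => true, 'reason' => 'no secret-key error reported', 'codes' => $codes];
}
```

Run it from a trusted admin context such as WP-CLI, and do not write the secret or the full result to a publicly readable log.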
Legitimate users get blocked
- For reCAPTCHA v3: lower the threshold to 0.3 using the filter above.
- For all services: VPN users, privacy browsers, and corporate firewalls trigger false positives. Always provide an alternative contact method (email address) on your contact page.
The Verdict
For most WordPress sites running Contact Form 7 in 2026:
- Install Turnstile via CF7's native integration (5.9+) or the Simple Cloudflare Turnstile plugin. Free, mostly invisible, minimal GDPR headache.
- Add a honeypot — the CF7 Honeypot plugin takes 30 seconds and catches bots that slip through.
- Monitor with Flamingo — log submissions so you can spot false positives early.
reCAPTCHA v3 remains solid if you need score-based detection and use the dequeue snippet to manage your assessment budget. hCaptcha is right if you want visual challenges with privacy-first processing. But for the majority of CF7 users who want reliable, free, invisible spam protection — Turnstile is the 2026 answer.
For a broader look at all WordPress CAPTCHA options, see our WordPress CAPTCHA plugins guide. To understand the full CAPTCHA alternatives landscape beyond WordPress, start there.