Stop checkout fraud and bot account creation without alienating real customers. Smart-click default for most users; image fallback when risk signals demand it.
WooCommerce stores face a particular kind of problem for CAPTCHA to solve: card-testing fraud. Attackers test stolen cards by attempting low-value purchases at scale. Even if every charge is declined, the failed-attempt cost from your payment processor adds up: Stripe, for example, charges a few cents per declined-card attempt. A persistent attacker can run thousands of attempts in a day. CAPTCHA is the cheapest practical defence.
The challenge: card-testing fraud doesn't look like classic spam. The bot performs realistic-looking checkouts. Stopping it takes IP-velocity detection, fingerprint analysis, and risk scoring rather than just "is this a human?", which is why TrustedCaptcha's smart-click + risk engine combination works particularly well for WooCommerce.
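The IP-velocity signal mentioned above, as an added illustration (this is not TrustedCaptcha's risk engine and not code from this page): a sliding-window count of low-value declined checkouts per client IP. The event format, the thresholds and the sample data are all assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample checkout events: (ISO timestamp, client IP, order total, gateway result).
# IPs come from the RFC 5737 documentation ranges; none of this is real traffic.
EVENTS = [
    ("2024-05-01T09:00:00", "192.0.2.44", 2.50, "declined"),
    ("2024-05-01T09:20:00", "192.0.2.44", 2.50, "declined"),
    ("2024-05-01T09:40:00", "192.0.2.44", 2.50, "declined"),
    ("2024-05-01T10:00:00", "192.0.2.44", 2.50, "declined"),
    ("2024-05-01T10:00:05", "203.0.113.7", 1.00, "declined"),
    ("2024-05-01T10:00:40", "203.0.113.7", 1.00, "declined"),
    ("2024-05-01T10:01:10", "203.0.113.7", 1.00, "declined"),
    ("2024-05-01T10:01:55", "203.0.113.7", 1.00, "declined"),
    ("2024-05-01T10:02:30", "203.0.113.7", 1.00, "approved"),
    ("2024-05-01T10:03:00", "198.51.100.23", 84.90, "declined"),
    ("2024-05-01T10:05:00", "198.51.100.23", 84.90, "approved"),
]

# Assumed thresholds; tune them against your own store's decline history.
WINDOW = timedelta(minutes=10)  # sliding look-back window per IP
MAX_DECLINES = 3                # low-value declines tolerated inside the window
LOW_VALUE = 5.00                # order totals at or below this count as possible test charges


def flag_card_testing(events, window=WINDOW, max_declines=MAX_DECLINES, low_value=LOW_VALUE):
    """Return {ip: timestamp of the decline that first exceeded the budget}."""
    recent = defaultdict(deque)  # ip -> timestamps of low-value declines still in the window
    flagged = {}
    for ts_raw, ip, total, result in sorted(events):  # ISO timestamps sort chronologically
        if result != "declined" or total > low_value:
            continue  # approved orders and normal-sized declines are not this signal
        ts = datetime.fromisoformat(ts_raw)
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:  # drop declines that have aged out
            hits.popleft()
        if len(hits) > max_declines:
            flagged.setdefault(ip, ts_raw)
    return flagged


if __name__ == "__main__":
    for ip, since in flag_card_testing(EVENTS).items():
        print(f"{ip}: card-testing pattern since {since}")
```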
The recommended placements:
Install the TrustedCaptcha WordPress plugin (see the WordPress guide). It includes WooCommerce-aware integration: the settings panel exposes WooCommerce-specific toggles for Checkout, My Account → Login, My Account → Register, and Lost Password.
For the checkout specifically, we recommend invisible mode with the risk engine in "managed challenge" mode. Most legitimate checkouts will complete with no visible CAPTCHA; suspicious sessions get a visible image grid. Configure in plugin settings → Checkout → Mode = invisible (managed).
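// Render the widget container just above the "Place order" button.
add_action('woocommerce_review_order_before_submit', function () {
    echo '<div class="trustedcaptcha" data-sitekey="0x..." data-mode="invisible"></div>';
});

// Verify the token server-side before WooCommerce processes the order.
add_action('woocommerce_checkout_process', function () {
    // Unslash and sanitize the client-supplied token before forwarding it.
    $token = isset($_POST['trustedcaptcha-response'])
        ? sanitize_text_field(wp_unslash($_POST['trustedcaptcha-response']))
        : '';
    $resp = wp_remote_post('https://challenges.trustedcaptcha.com/api/v1/siteverify', [
        'body' => [
            'secret'   => get_option('tc_secret'),
            'response' => $token,
            'remoteip' => WC_Geolocation::get_ip_address(),
        ],
        'timeout' => 10,
    ]);
    // Fail closed: a transport error, a non-JSON body or a missing "success"
    // field all leave $data without a truthy 'success' and block the order.
    $data = is_wp_error($resp) ? null : json_decode(wp_remote_retrieve_body($resp), true);
    if (!is_array($data) || empty($data['success'])) {
        wc_add_notice(__('CAPTCHA verification failed. Please try again.'), 'error');
    }
});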
WooCommerce ships with anti-fraud features (address verification, SCA support via your payment gateway). TrustedCaptcha is complementary: it blocks the upstream traffic before it reaches your payment processor, reducing decline-fee costs. We don't try to replace gateway-level fraud detection.
Most WooCommerce stores fit comfortably in our 1,000-verification/day free tier (rough rule: ~30k orders/month would still fit if you only protect checkout). High-volume stores running at > 1k orders/day, or stores where you protect login/registration/checkout simultaneously, will want the €25/month Pro plan for unlimited verifications.
CAPTCHA at checkout is a friction point — you should monitor your cart-abandonment rate before and after deployment. With TrustedCaptcha's invisible-mode default, the impact is typically < 0.5% in our customer data. If you see a larger increase, switch to "smart" mode (visible click) which has slightly more friction but very high pass rates.
For WooCommerce Subscriptions sites, the renewal flow doesn't need CAPTCHA — only initial checkout. The plugin handles this distinction automatically.
The plugin works on the customer-facing storefront. For vendor onboarding flows in Dokan/WCFM, add the widget manually using the snippet above; both plugins expose the standard checkout hooks.