WordPress CAPTCHA — privacy-friendly, GDPR-clean

Protect login, registration, comments, and contact forms in under five minutes. EU-hosted. Free for the volumes most WordPress sites need.

Why WordPress sites need a privacy-friendly CAPTCHA.

Most WordPress sites are run by SMBs, charities, agencies, and freelancers who can't afford a full-time DPO. They want to comply with GDPR but don't have the bandwidth for ongoing Transfer Impact Assessments every time their CAPTCHA vendor changes its routing. They want one decision they can make once.

That's exactly why TrustedCaptcha works for WordPress. EU-only data residency means no SCCs to maintain, no TIAs to refresh, no cookie banner section to write. The legitimate-interest basis under GDPR Article 6(1)(f) for processing form-protection data is straightforward when the processor is in the same jurisdiction as the data subjects.

What you protect.

Most WordPress sites need CAPTCHA on at least four surfaces:

Installation.

The official TrustedCaptcha plugin is on the WordPress.org repository: search for "TrustedCaptcha" in your admin, install, and activate. From the plugin settings page:

  1. Paste your sitekey and secret.
  2. Tick the surfaces you want protected (login, register, comments, lost-password).
  3. If you use Contact Form 7, the plugin auto-registers a [trustedcaptcha] shortcode you can drop into any form template.
  4. If you use Gravity Forms or Formidable, the plugin adds a "TrustedCaptcha" field type to the form builder.

Save settings. Test login. Done.

Manual integration (no plugin).

If you maintain a custom theme or want to avoid the plugin, the integration is short. In your theme's header.php:

<script src="https://cdn.trustedcaptcha.com/widget/v1/api.js" async defer></script>

In any form template:

<div class="trustedcaptcha" data-sitekey="0x..."></div>

In your form-handler PHP:

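// Verify the posted token server-side; the widget alone does not protect the form.
$resp = wp_remote_post('https://challenges.trustedcaptcha.com/api/v1/siteverify', [
  'body' => [
    'secret'   => get_option('trustedcaptcha_secret'),
    // WordPress adds slashes to $_POST values, so unslash the token before forwarding it.
    'response' => wp_unslash($_POST['trustedcaptcha-response'] ?? ''),
    'remoteip' => $_SERVER['REMOTE_ADDR'] ?? '',
  ],
  'timeout' => 10,
]);
// On a transport error the body is empty, json_decode() returns null,
// and the check below rejects the request (fails closed).
$body = json_decode(wp_remote_retrieve_body($resp), true);
if (empty($body['success'])) {
  wp_die('CAPTCHA verification failed.');
}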
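
As an added example (not code from the TrustedCaptcha plugin or from this page), here is the form-handler check above wired into WordPress's comment form handler, with every error path failing closed. The mytheme_ function name is hypothetical, and the code assumes the endpoint answers HTTP 200 with a JSON boolean success field; the page itself shows only the success key.

```php
<?php
// Added example. mytheme_trustedcaptcha_verify() is a hypothetical helper name.

/**
 * Verify a widget token against the siteverify endpoint.
 * Returns true only on an explicit "success": true; all other outcomes reject.
 */
function mytheme_trustedcaptcha_verify( string $token ): bool {
    if ( '' === $token ) {
        return false; // No token posted: reject without a network call.
    }
    $resp = wp_remote_post(
        'https://challenges.trustedcaptcha.com/api/v1/siteverify',
        [
            'timeout' => 10,
            'body'    => [
                'secret'   => get_option( 'trustedcaptcha_secret' ),
                'response' => $token,
                // Behind a reverse proxy this is the proxy's address, not the visitor's.
                'remoteip' => $_SERVER['REMOTE_ADDR'] ?? '',
            ],
        ]
    );
    // Transport failure (DNS, TLS, timeout) or unexpected status: reject.
    // Assumption: a normal verdict is delivered with HTTP 200.
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return false;
    }
    $body = json_decode( wp_remote_retrieve_body( $resp ), true );
    // Malformed JSON decodes to null; require boolean true, not any truthy value.
    return is_array( $body ) && true === ( $body['success'] ?? false );
}

// pre_comment_on_post fires in wp_handle_comment_submission(), i.e. for the
// wp-comments-post.php form handler, before the comment is processed.
add_action( 'pre_comment_on_post', function () {
    $token = wp_unslash( $_POST['trustedcaptcha-response'] ?? '' );
    // A client can post the field as an array; treat anything but a string as missing.
    $token = is_string( $token ) ? $token : '';
    if ( ! mytheme_trustedcaptcha_verify( $token ) ) {
        wp_die(
            'CAPTCHA verification failed.',
            'Comment rejected',
            [ 'response' => 403, 'back_link' => true ]
        );
    }
} );
```

The same helper can back any other custom form handler; only the hook and the rejection response change.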

Multilingual sites.

The widget auto-detects the page language from the <html lang> attribute. Override with data-language="de" if needed. Available locales: en, de, fr, es. Other locales fall back to English.

WPML / Polylang.

Both work transparently — the widget picks up the language from WPML's switcher or Polylang's URL. No configuration needed.

Performance.

The widget loader is ~12 KB gzipped. The iframe is render-deferred until the form is in viewport on most modern WordPress themes (the async defer on the script tag is sufficient). Lighthouse Performance score impact: typically < 2 points on the protected page.

Multisite networks.

The plugin supports network-level activation. You can configure one set of credentials at the network level and let individual sites inherit them, or override per-site. Site-level overrides take precedence.

WooCommerce specific notes.

For checkout protection see our WooCommerce guide. The TrustedCaptcha plugin includes WooCommerce-aware hooks for the checkout, register, and login forms; you don't need a separate plugin.

Help.

Plugin issues: GitHub at github.com/trustedcaptcha/wordpress-plugin. Account/billing: support@trustedcaptcha.com. We respond to Pro tickets within 24 hours; community tickets are best-effort.
