Captcha
Bot defense for the bid form, login, registration, and other public forms. Three providers supported.
Providers
| Provider | Best for | Free? |
|---|---|---|
| Cloudflare Turnstile | Lowest friction (no puzzles) | Free |
| Google reCAPTCHA v3 | Score-based, invisible | Free |
| hCaptcha | Privacy-focused alternative to reCAPTCHA | Free + paid |
Configure
Auctions → Settings → Fraud → Captcha
| Field | Option |
|---|---|
| Provider | wkafw_captcha_provider (none / turnstile / recaptcha / hcaptcha) |
| Site key | wkafw_captcha_site_key |
| Secret key | wkafw_captcha_secret_key |
| Threshold | wkafw_captcha_threshold (when to challenge) |
When CAPTCHA challenges fire
wkafw_captcha_threshold controls escalation:
| Threshold | Behavior |
|---|---|
0 | Challenge always on every protected form submission |
1+ | Challenge only when Fraud Detection score reaches this number of triggered rules |
For most stores, set threshold to 1 — let normal users bid friction-free; only challenge when fraud signals appear.
Protected forms
| Surface | Default protected? |
|---|---|
| Bid form | yes (when threshold met) |
| WP login | optional (wkafw_captcha_login) |
| WP registration | optional (wkafw_captcha_register) |
| Wallet transfer | yes (always when feature enabled) |
| Withdrawal request | yes (always) |
| Comment form | optional (wkafw_captcha_comment) |
| Custom forms | via shortcode |
Cloudflare Turnstile
Recommended for most stores — invisible, no user-visible puzzle, fast.
- Sign up at dash.cloudflare.com → Turnstile
- Create a site key + widget
- Copy site key + secret key
- Paste into plugin settings, set provider to
turnstile
The widget renders as a small "Verifying..." badge that auto-completes for legitimate users.
Google reCAPTCHA v3
Score-based; assigns each interaction a 0–1 score. The plugin auto-rejects scores below wkafw_recaptcha_min_score (default 0.5).
- Sign up at google.com/recaptcha
- Create a v3 site (specify your domain)
- Copy site key + secret key
- Paste into plugin settings
v2 vs v3
v2 shows the "I'm not a robot" checkbox — higher friction but more reliable. v3 is invisible — score-based. The plugin supports both via wkafw_recaptcha_version (default v3). For high-value sites, v2 is more secure.
hCaptcha
Privacy-focused; pays website operators for solved challenges (small revenue). Drop-in replacement for reCAPTCHA.
- Sign up at hcaptcha.com
- Add your site
- Copy site key + secret key
- Paste into plugin settings, set provider to
hcaptcha
Performance
| Provider | Page load impact |
|---|---|
| Turnstile | ~30 KB JS, minimal |
| reCAPTCHA v3 | ~150 KB JS (loaded async) |
| hCaptcha | ~80 KB JS |
For best performance, defer CAPTCHA loading until the form is interacted with:
Common questions
"Why does my bid keep failing CAPTCHA?"
Possible causes:
- Browser blocking third-party scripts (ad-blocker)
- VPN or proxy flagged by the provider's IP reputation
- Score-based (reCAPTCHA v3) — your behavior pattern looks bot-like; lower the min-score threshold
"How do I disable CAPTCHA for trusted users?"
"GDPR / privacy concerns?"
reCAPTCHA collects significant user data. For privacy-first sites, prefer hCaptcha or Turnstile (Cloudflare's privacy notice is more permissive). Update your privacy policy accordingly.