Turnstile vs hCaptcha
hCaptcha was the first mainstream privacy-friendly CAPTCHA. Turnstile is Cloudflare's more recent entry. Both are solid — but they differ in UX and integration ergonomics.
At a Glance
| Dimension | Cloudflare Turnstile | hCaptcha |
|---|---|---|
| Puzzles for users? | Rarely (Managed mode) | Sometimes (image grid) |
| Average latency | ~50ms | ~120ms |
| Privacy-friendly? | Yes | Yes |
| GDPR-compliant? | Yes | Yes |
| Free tier | Unlimited | 1M requests/month |
| Pays users? | No | Yes (enterprise tier) |
| Works on .cn? | Yes | Limited |
User Experience
Turnstile (Managed mode)
- Invisible for most users
- Brief non-interactive challenge when Cloudflare detects risk
- Interactive challenge only for high-risk scores
hCaptcha
- Always shows a checkbox ("Verify you are human")
- Often escalates to image grid puzzles ("Select all images with buses")
- Puzzles feel like reCAPTCHA v2
For everyday stores where every extra click hurts conversion, Turnstile's default flow is a clear win.
Performance
| Metric | Turnstile | hCaptcha |
|---|---|---|
| JS payload | ~50kb | ~80kb |
| First render | <100ms | ~200ms |
| Verify API call | 50-100ms | ~120ms |
Privacy
Both are genuinely privacy-friendly — no tracking cookies, no ad-network data sharing.
Differences:
Turnstile
- All data processed within Cloudflare infrastructure
- Relies on passive browser signals (TLS fingerprint, client timing) — no active fingerprinting
- Open-source challenge protocol
hCaptcha
- Some puzzle types train ML for hCaptcha customers (data labeling)
- Your bot traffic implicitly contributes to their ML training pipeline
- No active user tracking — but the puzzle-for-training model raises eyebrows in privacy circles
Accuracy
Both catch a similar percentage of real bots. hCaptcha has a slight edge against targeted attacks because its visual puzzles are harder to automate. Turnstile compensates with client-side passive signal detection.
For commodity bot attacks (brute-force login, card-testing scripts), both are effectively equivalent.
Pricing
Turnstile
- Free forever
- No call limits
- No paid tier
hCaptcha
- Free tier: 1M requests/month
- Pro: $99/mo for higher limits + enterprise features
- Pays you on the Enterprise tier if your site hosts puzzles for training
Most WooCommerce stores stay on hCaptcha's free tier. But Turnstile removes the concern entirely.
Setup
| Aspect | Turnstile | hCaptcha |
|---|---|---|
| Sign-up | Cloudflare account | hCaptcha account |
| Key generation | Instant | Instant |
| Widget config | 3 fields | 4-5 fields |
| Site list | Hostname allowlist | Site list + difficulty preset |
Both take 3-5 minutes. Turnstile edges ahead because Cloudflare offers DNS, CDN, and CAPTCHA in one — easier to pitch to IT.
Integration With This Plugin
This plugin is built specifically for Cloudflare Turnstile. It does NOT integrate with hCaptcha.
If you need hCaptcha, use a different plugin. If you need Turnstile or you are deciding, this plugin is purpose-built for it.
When hCaptcha Is The Right Pick
- You already run hCaptcha on a lot of sites and standardization matters
- You need the user-pays feature (Enterprise tier pays you to host puzzles)
- Compliance requires a specific vendor (some government sites mandate non-CF infrastructure)
When Turnstile Is The Right Pick
- You want the cleanest UX — no checkbox, no puzzle on most submits
- You are already on Cloudflare — consolidate vendors
- You care about page speed — half the JS, half the latency
- You want truly unlimited free without monthly request counting
Migration Between the Two
Both use Site Key + Secret Key on the same verify-API pattern. The flow is identical:
- Sign up with the other vendor
- Create widget
- Copy keys
- Swap plugin (or swap keys in the same plugin if it supports both — this plugin does NOT)
- Test forms
Related Pages
- Turnstile vs reCAPTCHA — The bigger competitor
- Get Turnstile Keys — Start with Turnstile