Setting up reCAPTCHA (v2 & v3

TitanCart ships with built-in Google reCAPTCHA bot protection for your storefront forms. It’s a core feature — no separate purchase or license is required — and it covers the login, registration, guest checkout, and product-review forms. You choose between two flavours: reCAPTCHA v2 (the familiar “I’m not a robot” checkbox) or reCAPTCHA v3 (invisible, scoring each visitor in the background). This guide walks through getting keys from Google, turning the extension on, and choosing which forms to protect.

Note: reCAPTCHA only protects your storefront forms. Your WordPress admin login (wp-login.php for staff) is never affected by this extension, by design — so you won’t lock yourself or your team out of the dashboard.

1. Get your reCAPTCHA keys from Google

Every reCAPTCHA site needs a matching pair of keys: a Site key (public, used in the page) and a Secret key (private, used by TitanCart’s server to verify each token). v2 and v3 use different key pairs that are not interchangeable — if you plan to use v3, you must register a v3 site to get v3 keys.

1. Sign in at google.com/recaptcha/admin with a Google account.
2. Click + (Create) to register a new site.
3. Give it a label you’ll recognise (e.g. your store name).
4. Choose the reCAPTCHA type:
   • reCAPTCHA v2 → “I’m not a robot” Checkbox.
   • reCAPTCHA v3 → invisible, score-based.
5. Under Domains, add your storefront domain (e.g. yourstore.com). Add www and any staging domains you test on too.
6. Accept the terms and submit. Google then shows your Site key and Secret key — keep this tab open, you’ll paste both into TitanCart next.

Note: If you want to offer both modes or switch later, register the site twice in Google’s console — once as v2, once as v3 — so you have both key pairs on hand. TitanCart stores both pairs and only uses the one matching your chosen version.

2. Enable the reCAPTCHA extension in TitanCart

reCAPTCHA is a built-in extension, so it lives alongside your other extensions rather than under the main Settings screen.

1. In wp-admin, go to TitanCart → Extensions → Installed Extensions.
2. Find Google reCAPTCHA in the Built-in Extensions card.
3. Make sure its Status toggle is set to Active.
4. Click the gear icon on that row to open the Google reCAPTCHA settings page.

Note: Turning the extension on does nothing on its own. reCAPTCHA stays dormant until the keys for your active version are filled in — so there’s no risk of showing a broken widget while you’re still setting up.

3. Choose your version and paste your keys

The settings page is organised into four sections: Mode, reCAPTCHA v2 Settings, reCAPTCHA v3 Settings, and Protected Forms.

1. Under Mode, set reCAPTCHA version to either v2 (checkbox widget) or v3 (invisible, score-based). The default is v2.
2. Fill in the matching key section:
   • For v2 — paste your Site key and Secret key into the reCAPTCHA v2 Settings section. Optionally set the widget Theme (Light or Dark) and Size (Normal or Compact).
   • For v3 — paste your v3 Site key and v3 Secret key into the reCAPTCHA v3 Settings section, then pick a v3 success score (see step 4).
3. Save.

Note: Only the section matching your chosen version is used. You can leave the other section blank — or fill both in if you want to switch between modes without re-entering keys.

4. Set the v3 success score (v3 only)

reCAPTCHA v3 never challenges the visitor. Instead it returns a score from 0.0 to 1.0 on each submission — higher means more likely to be a real human. TitanCart blocks the submission when the score falls below your threshold.

The v3 success score dropdown offers:

• 0.9 — strict (blocks more aggressively; risks turning away real users)
• 0.7
• 0.5 — recommended default, and a good starting point
• 0.3
• 0.1 — permissive (lets almost everything through)

Start at 0.5, then tune up or down based on what you see in Google’s score analytics (covered below). If legitimate customers report being blocked, lower the threshold; if spam is still getting through, raise it.

5. Choose which forms to protect

The Protected Forms section lets you switch reCAPTCHA on per form. Each is an independent checkbox:

• Login form — on by default. Protects the storefront customer login.
• Registration form — on by default. Protects new-customer sign-up.
• Checkout (guest) — off by default. Turn this on only if you’re seeing bot orders; a CAPTCHA at checkout adds friction to a sale, so it’s left off unless you need it.
• Review form — on by default. Protects the product-review submission form.
• Contact form — on by default. Note that TitanCart has no built-in contact form; this protects a theme contact form only if your theme is wired to TitanCart’s reCAPTCHA field hook.

Note: The widget script from Google is loaded lazily — only on pages that actually display a protected form. Pages without a protected form never load Google’s code, which keeps the rest of your store fast.

6. Test that it’s working

1. Open your storefront in a private/incognito window (so you’re logged out).
2. Visit a protected form — the login or registration page is easiest.
3. v2: you should see the “I’m not a robot” checkbox. Complete the form normally; it should submit.
4. v3: there’s no visible widget. Submit the form normally; a valid human submission should go through. You’ll see the small reCAPTCHA badge in the page corner.

If a submission is blocked by reCAPTCHA, the customer sees a “reCAPTCHA verification failed. Please try again.” message on the login form (and the equivalent on other surfaces).

How to verify on Google’s side

Google’s reCAPTCHA admin console is the source of truth for whether tokens are reaching Google and how your traffic scores.

1. Go to google.com/recaptcha/admin and open the site you registered.
2. Check the Domains list — your live storefront domain must be listed, or every verification will fail. This is the single most common cause of “reCAPTCHA always blocks me.”
3. Open the Analytics / dashboard for the site. After a few real submissions you’ll see request volume and, for v3, the score distribution. Use that distribution to decide whether your TitanCart success-score threshold is set sensibly — if most legitimate traffic scores around 0.7–0.9, a 0.5 threshold is comfortable.
4. Confirm the key type matches: a v2 key pair only works with v2 mode in TitanCart, and likewise for v3. Mismatched keys are rejected by Google.

Troubleshooting

• The widget never appears (v2) / the badge never appears (v3) — the active version is missing its keys. Open the settings page and confirm both the Site key and Secret key for your chosen version are filled in; the extension stays dormant until they are.
• Every submission is blocked even by real people — your storefront domain isn’t in the site’s Domains list in Google’s console, the wrong key pair is in use for the selected version, or (v3) your success-score threshold is too high. Check the Domains list first.
• “reCAPTCHA verification failed” when Google is unreachable — verification is fail-closed: if TitanCart can’t reach Google to validate the token, the submission is rejected rather than waved through. A transient network blip can cause this; retrying usually resolves it.
• I enabled the Contact form but no widget shows — there is no built-in contact form in TitanCart. The Contact form toggle only takes effect on a theme contact form that opts into TitanCart’s reCAPTCHA field hook; a stock storefront has nothing to protect there.
• I see no CAPTCHA on my WordPress admin login — that’s intended. This extension protects storefront forms only and deliberately never gates the wp-admin / wp-login.php login.
• Switched from v2 to v3 (or back) and forms broke — make sure the section for the version you switched to has valid keys. The two versions read separate key fields; the old version’s keys don’t carry over.

See also

• Setting up Age Verification — restrict age-sensitive products and pages.
• GDPR & cookie consent — privacy and consent settings for your storefront.
• Store setup checklist — the full go-live to-do list, including trust and security steps.