Automated card-testing (carding) bots can flood your checkout with hundreds of failed authorizations, spam confirmation emails, and wasted resources. WooCommerce PayPal Payments includes built-in bot protection for the PayPal payment endpoints to reduce this risk without adding friction for legitimate customers.
CAPTCHA for PayPal Payments
- Protects only PayPal payment endpoints, including Advanced Card Processing for precise coverage of PayPal merchants
- Works on Classic and Checkout Block experiences, as well as express buttons
- Uses a layered approach:
  - First line of defense: Google reCAPTCHA v3 (invisible background check) with a configurable score threshold. Tokens are pre-generated and refreshed regularly to keep the checkout flow smooth. This process is invisible to regular website visitors.
  - Second line of defense: Google reCAPTCHA v2 (checkbox) that appears only when v3 verification scores above the threshold, giving suspected bots a chance to prove they are human by completing a challenge.
Why use this instead of a general CAPTCHA plugin
General CAPTCHA tools may not specifically protect the payment routes used by PayPal Payments. This integration directly protects the PayPal endpoints, where automated payment attempts may be processed. It minimizes false positives while protecting the critical paths.
Requirements
- Google account
- Google reCAPTCHA keys for v2 and v3 (Site Key and Secret Key).
- WooCommerce PayPal Payments updated to version 3.3.0 or newer
Setup
- Install or update the WooCommerce PayPal Payments plugin to the latest version.
- In your WordPress dashboard, go to: WooCommerce → Settings → Integration → WooCommerce PayPal Payments reCAPTCHA.
- Check the option Enable reCAPTCHA protection
- Open the Google reCAPTCHA admin console and create keys for your domain: https://www.google.com/recaptcha/admin
- Generate Site Key and Secret Key for reCAPTCHA v3
- Paste the keys into the v3 Site Key & v3 Secret Key fields
- We recommend keeping the Score Threshold at 0.5 to start. Optionally, adjust the value if too many legitimate website visitors are prompted with a challenge.
- Additionally, you must generate Site Key and Secret Key for reCAPTCHA v2
- Paste the keys into the v2 Site Key & v2 Secret Key fields
- Click Save changes to activate reCAPTCHA protection
Once saved, the reCAPTCHA v3 protection runs silently in the background. You can confirm it is running by the reCAPTCHA banner in the bottom right of the page.

The reCAPTCHA v2 checkbox renders only when the visitor’s score is higher than the Score Threshold configuration.
Note
The reCAPTCHA protection will not be active if only the v2 keys or only the v3 keys are configured. Both sets of keys need to be configured for PayPal to be protected.
Protection Scope
Additional optional settings allow you to configure where reCAPTCHA protection is applied:
| Setting | Description |
|---|---|
| Guest Orders Only | Only verify for non-logged-in users. We recommend only checking this when the user registration is protected with an alternative reCAPTCHA integration. |
| Order Metabox | Show reCAPTCHA status metabox on order edit pages with v3 score and additional meta. This information is not useful for most users. |
After correctly configuring your reCAPTCHA API v2 & v3 keys with your preferred configuration, the settings page should look like this:

Troubleshooting
- Legitimate user challenged too often
  Increase the v3 score threshold slightly and test again.
- Bots still getting through
  Lower the v3 score threshold incrementally and confirm via the reCAPTCHA dashboard that the v2 fallback is triggering. Review hosting or WAF rate-limit options for additional layering.
- No change after enabling
  Clear any server, CDN, and browser caches. Confirm keys are valid for the exact domain.
- Understanding the activity
  Navigate to the reCAPTCHA dashboard and select the site whose stats you want to see.
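
When confirming that keys are valid for the exact domain, the JSON returned by Google's siteverify endpoint shows which key or domain setting is at fault. The Python below is an added example, not code from the plugin: the `diagnose` helper, the `shop.example` domain, and the sample responses are constructed for illustration.

```python
import json

# Error codes documented for Google's siteverify endpoint, with the setting to re-check.
ERROR_HINTS = {
    "missing-input-secret": "no Secret Key was sent; check the Secret Key field",
    "invalid-input-secret": "Secret Key is invalid or malformed; re-copy it from the admin console",
    "missing-input-response": "no reCAPTCHA token reached the server",
    "invalid-input-response": "token is invalid or malformed; check the Site Key matches the Secret Key",
    "timeout-or-duplicate": "token is too old or was already used; clear caches serving stale pages",
    "bad-request": "the verification request was malformed",
}


def diagnose(raw_response, expected_host):
    """Return a list of findings for one siteverify JSON response."""
    resp = json.loads(raw_response)
    ok = bool(resp.get("success"))
    findings = []
    for code in resp.get("error-codes", []):
        findings.append(f"{code}: {ERROR_HINTS.get(code, 'unrecognized error code')}")
    host = resp.get("hostname")
    # A token can verify successfully yet come from another hostname (e.g. staging).
    if ok and host is not None and host.lower() != expected_host.lower():
        findings.append(f"hostname mismatch: token solved on {host!r}, store is {expected_host!r}")
    if ok and not findings:
        score = resp.get("score")  # only v3 responses carry a score
        kind = f"v3, score {score}" if score is not None else "v2"
        findings.append(f"ok: token accepted for {host} ({kind})")
    elif not ok and not findings:
        findings.append("verification failed without an error code")
    return findings


# Constructed sample responses (not captured from a real site).
SAMPLES = {
    "healthy v3": '{"success": true, "score": 0.9, "action": "checkout", '
                  '"hostname": "shop.example", "challenge_ts": "2025-01-01T10:00:00Z"}',
    "wrong domain": '{"success": true, "hostname": "staging.shop.example", '
                    '"challenge_ts": "2025-01-01T10:00:00Z"}',
    "stale token": '{"success": false, "error-codes": ["timeout-or-duplicate"]}',
    "bad secret": '{"success": false, "error-codes": ["invalid-input-secret"]}',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {diagnose(raw, 'shop.example')}")
```
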