CAPTCHAs are an important challenge-response test that distinguishes bots from humans. They are incredibly helpful in deterring spam and can even help with rate limiting. Common places they are used include login pages, comment areas on a blog, and contact forms. The most popular solution is Google reCAPTCHA, launched in 2007 and used on over 15 million websites (source). The problem with Google reCAPTCHA is that it’s a performance killer. We’ve seen it drop Core Web Vitals scores by over 20-30 points.
Beyond the JS issue, the reCAPTCHA also loads two separate Roboto fonts from Google.
Due to how the Google reCAPTCHA is coded, it’s typically not possible to optimize it. And apart from the performance issues, it can also be really annoying. I’m sure you’ve all been there, trying to guess the right image to click and get it wrong. This is simply a bad UX. The last thing you want to do is frustrate your visitors or customers before they even complete their action, whether it’s logging into your website or submitting a form.
Thankfully, there are some great free Google reCAPTCHA alternatives these days which take performance, privacy, and UX into account.
In the options below, you must first remove the Google reCAPTCHA from your site. If you have the reCAPTCHA key added to a contact form (for example, in Contact Form 7), sometimes removing the key is all you need to do.
The first option is to use a honeypot instead of a reCAPTCHA. We recommend using the free WP Armour WordPress plugin. It uses a combination of JS (which spam bots can’t use) and unique hidden fields to block spam. It’s lightweight, doesn’t make any external calls, and is GDPR compliant. They also have a premium version if you need additional protection. The plugin is regularly updated, and the developer is very active in the support forums.
If you’re already using Cloudflare, then Turnstile is an excellent Google reCAPTCHA alternative. In fact, we’re using it on this site (see the bottom of our contact form). And it’s completely free. There are no frustrating puzzles to solve, and there is even an invisible mode. Turnstile is lightweight and GDPR-compliant. It doesn’t use any cookies.
There are a couple of different ways to deploy Cloudflare Turnstile. If you’re on WordPress, the easiest way to implement Cloudflare Turnstile is if whatever solution you already use has an integration. For example, on our contact page, we use the Fluent Forms WordPress plugin. They have an easy integration with Turnstile. Many other plugins (Gravity Forms, WS Form, etc.) do too, so make sure to check their documentation.
If your plugin doesn’t have an integration, no worries; the free Simple Cloudflare Turnstile WordPress plugin works great. It supports WordPress login areas, WooCommerce, contact form plugins, comments, and even LMS solutions. The plugin is regularly updated, and the developer is very active in the support forums.
How to remove the Google reCAPTCHA
It can sometimes be tricky to remove the Google reCAPTCHA based on how it’s implemented. We always recommend checking the documentation of whatever plugin or theme you use. We’ll try to document any more complicated ones that we come across below.
Contact Form 7
- Click on “Contact → Integration.”
- Under the “reCAPTCHA” section, click on “Setup Integration.”
- Click on “Remove Keys.”
- Go to the place where your Contact Form is located.
- Click the little gear icon to edit the Contact Form settings.
- Scroll down under the “Content” tab and click on “Spam Protection.”
- Turn off Spam Protection, and also make sure to remove the reCAPTCHA account. If you don’t remove the account, it will still insert the code on your site.