
Comparison

reCAPTCHA v3 vs Turnstile vs hCaptcha

Three captchas, three privacy stories, three setups. After running all three on production sites for a year, here's what holds up.

The “which captcha” question has three real answers in 2026: Google reCAPTCHA v3, Cloudflare Turnstile, and hCaptcha. Picking by what your forms plugin defaults to is wrong. Pick by your privacy story and your spam volume.

I run all three on different client sites. Here’s what each one is actually good at and where it fails.

The fast comparison

reCAPTCHA v3. Google. Invisible. Score 0.0 to 1.0 per submission. Free up to 1,000 assessments per second. Heavy bundle (~110 KB). Privacy story: it’s Google.

Cloudflare Turnstile. Cloudflare. Invisible (mostly). Pass/fail per submission. Free, unmetered, no traffic ceiling. Lighter bundle (~60 KB). Privacy story: better than reCAPTCHA, no advertising tracking.

hCaptcha. Privacy-focused alt. Sometimes invisible, sometimes shows a checkbox. Pass/fail per submission. Free up to 1,000 verifications/month, then $99/month. Medium bundle (~80 KB). Privacy story: explicitly GDPR-friendly.

For most sites: Turnstile wins on privacy + weight. reCAPTCHA wins on raw spam-catch accuracy. hCaptcha wins on regulatory paperwork (their docs make GDPR/CCPA conversations easier).

What each one is actually good at

reCAPTCHA v3

The most accurate of the three. Google has the largest signal database. If you’re getting hit by sophisticated spam (botnets that solve image challenges), reCAPTCHA’s score is the most useful filter.

Per-form score thresholds matter a lot. Default is 0.5. For a contact form, I run 0.5. For a high-value form (demo request, application), I run 0.7. For a newsletter signup where false positives kill the conversion, I run 0.3.

The Core Forms setup is in the form’s Settings tab → Spam protection → reCAPTCHA score threshold. Override the default per form.

Cloudflare Turnstile

The privacy answer. Cloudflare doesn’t track users across sites the way Google does. Doesn’t profile humans. Doesn’t sell ads.

For most contact and lead-gen forms, Turnstile catches enough spam to be useful, doesn’t break conversion, and reads cleanly in privacy policies. If you’re already using Cloudflare for DNS (most of you are), Turnstile is the natural pick.

The setup is in the Turnstile integration page. Pick the Managed mode for visible-but-passive challenges, Invisible for fully silent. I use Managed on contact forms (so users see the badge and trust it) and Invisible on newsletter signups (where the badge would feel weird).

hCaptcha

The “we ran a privacy audit and need to point at our captcha” answer. Their docs are explicit on GDPR, CCPA, and HIPAA compliance. If you’re at a healthcare-adjacent or finance-adjacent company, the procurement team likes hCaptcha’s paper trail.

The catch: at scale, hCaptcha gets expensive. $99/month past 1,000 verifications. Turnstile and reCAPTCHA are free at every realistic volume.

Setup is in the hCaptcha integration page.

What I actually run

Personal sites (this one, gauravtiwari.org). Cloudflare Turnstile, Invisible mode. Privacy story matches my brand. Bundle is light.

Client e-commerce sites running paid traffic. reCAPTCHA v3 with score threshold 0.5 on contact forms, 0.7 on high-value forms. Spam volume is highest there, accuracy matters most.

Client B2B SaaS sites. Cloudflare Turnstile, Managed mode. The visible badge is a positive trust signal for B2B buyers.

Healthcare or finance clients. hCaptcha. The compliance paperwork pays for itself.

That’s not “best for everyone.” It’s what I match to the site’s threat model.

What none of them solve

Honeypot evasion. None of these catch a sophisticated spammer who’s specifically targeting you. For that, layer Akismet on top, use a custom honeypot field, and rate-limit submissions per IP.

Bypass via residential proxies. Cheap residential IPs evade most captchas eventually. The fix is the submission-limit feature (max submissions per IP per hour) and Akismet’s reputation signal.

Coordinated low-volume spam. A spammer who submits one form per IP per day will pass any captcha. The fix is Akismet (it knows the email-domain reputation across the web).

The right pattern is layered: captcha + honeypot + rate limit + Akismet. Each layer catches different spam.

The setup pattern

In Core Forms, captcha selection is per form. The defaults flow from Settings → Spam protection but each form can override.

For most clients I deploy:

  • Contact form: Turnstile + Akismet + honeypot.
  • Demo request: reCAPTCHA v3 (threshold 0.7) + Akismet + rate limit.
  • Newsletter signup: Turnstile + honeypot. (Skip Akismet because false positives on legit signups hurt.)
  • Job application: reCAPTCHA v3 (threshold 0.5) + file upload restrictions.

Different forms, different threats, different layers.
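The per-form thresholds and the layered pattern above, as an added server-side sketch (not Core Forms code): it takes an already-parsed siteverify response and applies the rate-limit, honeypot and captcha layers in turn. The honeypot field name, the cap of 5 submissions per hour and the use of the form key as the reCAPTCHA action name are assumptions; Akismet and file-upload restrictions are left out.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class FormPolicy:
    min_score: Optional[float] = None   # reCAPTCHA v3 threshold; None = pass/fail captcha
    honeypot: bool = False
    max_per_hour: Optional[int] = None  # per-IP cap; None = layer off

# Layers per form as listed above. The cap of 5/hour is an assumed value.
POLICIES = {
    "contact": FormPolicy(honeypot=True),
    "demo_request": FormPolicy(min_score=0.7, max_per_hour=5),
    "newsletter": FormPolicy(honeypot=True),
    "job_application": FormPolicy(min_score=0.5),
}
HONEYPOT_FIELD = "website_url"  # hypothetical hidden field name
_attempts = defaultdict(deque)  # (form, ip) -> timestamps in the last hour

def evaluate(form, verdict, fields, ip, now):
    """Return (accepted, reason); `verdict` is the parsed siteverify JSON."""
    policy = POLICIES[form]
    if policy.max_per_hour is not None:
        window = _attempts[(form, ip)]
        while window and now - window[0] >= 3600:
            window.popleft()
        if len(window) >= policy.max_per_hour:
            return False, "rate_limit"
        window.append(now)  # count every attempt, including ones rejected below
    if policy.honeypot and fields.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot"
    if not verdict.get("success"):
        return False, "captcha_failed"
    if policy.min_score is not None:
        # Assumes the client sent the form key as the reCAPTCHA action name.
        if verdict.get("action") != form:
            return False, "action_mismatch"
        if verdict.get("score", 0.0) < policy.min_score:
            return False, "low_score"
    return True, "ok"

if __name__ == "__main__":
    # Constructed verdicts, shaped like siteverify responses.
    low = {"success": True, "score": 0.6, "action": "demo_request"}
    print(evaluate("demo_request", low, {}, "203.0.113.7", now=0))
    print(evaluate("contact", {"success": True}, {"website_url": "x"}, "203.0.113.7", now=0))
```

Logging the returned reason per rejection shows which layer is doing the work on each form, which is what the two-week watch period needs.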

The next step

Pick one captcha. Set it up on one form. Watch the spam graphs in Core Forms’ submissions tab for two weeks.

If false positives drag conversion, lower the threshold or switch to a lighter captcha. If real spam slips through, raise the threshold or layer Akismet.

All four (reCAPTCHA, hCaptcha, Turnstile, Akismet) are bundled with every Core Forms license.

Build the form. Stop reading.

Every note here came out of a real Core Forms setup. Use CFLAUNCH for 20% off either plan.