How to Add hCaptcha to Magento 2 Forms

calendar_today April 9, 2026 visibility 19 views folder_open Magento 2 Extensions, Magento 2 Security label WebForms, CAPTCHA, Form Security

hCaptcha for Magento 2 is a privacy-friendly CAPTCHA that protects your store forms \xe2\x80\x94 including contact forms \xe2\x80\x94 from bots without sending visitor data to Google. MageMe WebForms supports hCaptcha out of the box — enable it in form settings with your site key and secret key. Free for up to 1M verifications/month, GDPR-compliant by design.

Why Choose hCaptcha Over reCAPTCHA

Google reCAPTCHA is the most common CAPTCHA solution, but it sends visitor browsing data to Google for risk analysis. For stores operating under GDPR, CCPA, or other privacy regulations, this creates compliance concerns. hCaptcha solves this by keeping data processing minimal and transparent.

hCaptcha

No visitor tracking or profiling
GDPR & CCPA compliant by design
Free tier: 1M requests/month
Data processed in the US & EU
Works without cookies
Accessibility mode available

Google reCAPTCHA

Collects browsing data for risk scoring
Requires cookie consent under GDPR
Free, but data is used by Google
Data processed by Google globally
Uses tracking cookies
May require privacy policy updates

For EU-based stores or merchants selling to EU customers, hCaptcha eliminates the need for complex consent mechanisms that reCAPTCHA requires under GDPR regulations.

How to Set Up hCaptcha in WebForms

Step 1: Get Your hCaptcha Keys

Go to hcaptcha.com and create a free account
Add your site domain in the dashboard
Copy your Site Key and Secret Key

Step 2: Configure WebForms

In Magento Admin, navigate to MageMe → WebForms → Settings.

hCaptcha configuration in WebForms for Magento 2

Set CAPTCHA Mode to Always on or Auto (shows only to suspicious visitors)
Select CAPTCHA Type as hCaptcha
Paste your Site Key and Secret Key
Choose Theme: Light or Dark (matches your store design)
Select Size: Normal or Compact
Save and flush cache

Step 3: Enable Per Form

Each form in WebForms inherits the global CAPTCHA settings. To override per form:

Open the form in MageMe → WebForms → Manage Forms
Go to the CAPTCHA tab
Set Mode to override the global setting if needed
Save the form

hCaptcha will now appear on the form frontend. Test by submitting the form to verify the challenge works correctly.

When to Use Each CAPTCHA Type

Scenario	Recommended CAPTCHA
EU store, GDPR priority	hCaptcha or Cloudflare Turnstile
High-traffic US store	reCAPTCHA v3 (invisible scoring)
Already using Cloudflare CDN	Cloudflare Turnstile (zero added latency)
Maximum bot protection	reCAPTCHA Enterprise + honeypot
Privacy + simplicity	hCaptcha (3-minute setup)

WebForms supports all four CAPTCHA providers. You can switch between them at any time without modifying form structure — just change the type in settings. See the full Magento 2 Spam Protection Guide for detailed comparison of all options.

Key Takeaways

Privacy-first protection — hCaptcha doesn’t track visitors or share data with ad networks, making it ideal for GDPR/CCPA compliance.
Free for most stores — the free tier covers 1 million verifications per month, enough for virtually any Magento store.
3-minute setup — get your keys from hcaptcha.com, paste them into WebForms settings, done.
No vendor lock-in — WebForms lets you switch between hCaptcha, reCAPTCHA, and Turnstile without changing form structure.
Works with Lite and Pro — hCaptcha support is available in both the free WebForms Lite and the full WebForms Pro.

Frequently Asked Questions

sell Is hCaptcha really free for Magento stores? expand_more

Yes. hCaptcha offers a free tier that includes up to 1 million verifications per month. Most Magento stores never exceed this limit. Paid plans add features like custom branding and priority support, but the free tier is fully functional for spam protection.

palette Does hCaptcha work with Hyva and Breeze themes? expand_more

Yes. WebForms renders hCaptcha using standard JavaScript that is compatible with both Hyva and Breeze (Luma-based) themes. The widget loads asynchronously and does not conflict with Alpine.js or Breeze JS frameworks.

tune Can I use hCaptcha on some forms and reCAPTCHA on others? expand_more

WebForms uses a global CAPTCHA type setting that applies to all forms. You cannot mix different CAPTCHA providers on different forms simultaneously. However, you can control which forms show CAPTCHA and which do not using per-form CAPTCHA mode settings.

verified_user Is hCaptcha GDPR compliant? expand_more

hCaptcha is designed with privacy as a core principle. It does not use tracking cookies, does not build visitor profiles, and processes minimal data required for bot detection. hCaptcha’s GDPR page details their compliance approach. Many EU-focused stores prefer hCaptcha over reCAPTCHA specifically for this reason.

compare_arrows How does hCaptcha compare to Cloudflare Turnstile? expand_more

Both are privacy-friendly alternatives to reCAPTCHA. Cloudflare Turnstile is invisible (no user interaction required) and integrates seamlessly if you already use Cloudflare CDN. hCaptcha shows a visual challenge but offers a free tier with generous limits. Choose Turnstile for seamless UX, hCaptcha for maximum independence from any single provider.

speed Will hCaptcha slow down my Magento store? expand_more

No. The hCaptcha script loads asynchronously and only activates on pages with forms. It adds approximately 30-50KB to the page weight, comparable to reCAPTCHA. WebForms loads the script only when a form with CAPTCHA enabled is present on the page.

How to Add hCaptcha to Magento 2 Forms