What we measured
I run several B2B SaaS landing pages and a side-project marketplace through splitforms. Across 90 days I watched roughly 41,000 form submission attempts split between the six approaches below. The four numbers I cared about:
- Bot block rate — percent of obviously automated submissions that never reached my inbox.
- False positive rate — percent of real human submissions that were silently dropped or required a challenge they couldn't pass.
- Conversion delta — change in completed submissions vs the same form with no protection at all.
- p75 added latency — how much slower the form felt to a human, measured from focus on first field to successful POST.
I'm not Google, so treat the numbers as directional. But the relative ranking between solutions matched what other published reports show — particularly Cloudflare's own Turnstile launch data and the academic paper "Dazed and Confused: A Large-Scale Real-World User Study of reCAPTCHA" (USENIX, 2023), which found reCAPTCHA v2 image challenges add ~32 seconds median for users who fail the first attempt.
Comparison table
| Solution | Setup | Bot block | False positives | Conv. delta | GDPR | Price |
|---|---|---|---|---|---|---|
| Cloudflare Turnstile | Easy | ~98% | <0.5% | −0.4% | Friendly | Free |
| hCaptcha | Easy | ~97% | ~1.2% | −1.1% | Friendly | Free / $99+/mo |
| reCAPTCHA v3 | Medium | ~96% | ~0.8% | −1.6% | Risky | Free / $8/1k |
| Friendly Captcha | Easy | ~94% | <0.5% | −0.3% | Excellent | ~$10+/mo |
| Akismet (server) | Medium | ~88% | ~1.5% | 0% | OK w/ DPA | $10+/mo |
| Honeypot only | Trivial | ~85% | ~0% | 0% | Native | Free |
Numbers from my own 90-day measurement on splitforms-hosted forms; cross-referenced against Cloudflare's 2023 launch post and hCaptcha's 2024 transparency report.
Cloudflare Turnstile
Turnstile is Cloudflare's reCAPTCHA replacement. It runs a series of non-interactive browser challenges (proof-of-work, environment fingerprinting, behavioral signals) and renders an invisible widget unless something looks suspicious — at which point it shows a single checkbox, never a "pick the traffic lights" image grid.
Strengths: free at any volume, no Google cookies, ~75KB script, works in browsers that block third-party JS from Google. Weakness: still a Cloudflare third-party request, which a small minority of privacy-extension users block.
<!-- 1. Add the script -->
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
<!-- 2. Drop the widget into your form -->
<form action="https://splitforms.com/api/submit" method="POST">
<input type="hidden" name="access_key" value="YOUR_ACCESS_KEY" />
<input name="email" type="email" required />
<textarea name="message" required></textarea>
<div class="cf-turnstile" data-sitekey="YOUR_TURNSTILE_SITEKEY"></div>
<button type="submit">Send</button>
</form>
splitforms automatically reads the cf-turnstile-response field if present and verifies it server-side against Cloudflare before relaying the submission to your inbox. You don't write any verification code.
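For a form handler you host yourself, the server-side check described above looks roughly like this. It is an added example, not splitforms' code: it posts the token to Cloudflare's siteverify endpoint and rejects on any failure, including a provider outage. The injectable `post` parameter and the `expectedHostname` option are names introduced for this sketch.

```javascript
// Added example: server-side Turnstile verification for a self-hosted handler.
const SITEVERIFY_URL = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';

// Default transport. `post` is injectable (an assumption of this example)
// so the decision logic can be exercised without network access.
async function defaultPost(url, body) {
  const res = await fetch(url, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify(body),
  });
  return res.json();
}

async function verifyTurnstile(token, { secret, remoteip, expectedHostname, post = defaultPost }) {
  // No token at all: reject without calling Cloudflare.
  if (typeof token !== 'string' || token.length === 0) {
    return { ok: false, reason: 'missing-token' };
  }
  let result;
  try {
    result = await post(SITEVERIFY_URL, { secret, response: token, remoteip });
  } catch (err) {
    // Fail closed: a provider outage must not turn into an unprotected form.
    return { ok: false, reason: 'provider-unreachable' };
  }
  if (!result || result.success !== true) {
    // Expired or replayed tokens surface here as entries in "error-codes".
    const codes = (result && result['error-codes']) || [];
    return { ok: false, reason: codes.join(',') || 'verification-failed' };
  }
  // A valid token issued for a different site must not be accepted here.
  if (expectedHostname && result.hostname !== expectedHostname) {
    return { ok: false, reason: 'hostname-mismatch' };
  }
  return { ok: true, reason: 'verified' };
}
```
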
hCaptcha
hCaptcha is the privacy-preserving alternative that powers Cloudflare's legacy challenges and runs on a meaningful chunk of the public web. The free tier is generous; paid Enterprise unlocks invisible mode and accessibility cookies. WCAG 2.1 AA certified, which matters for government and accessibility-regulated industries.
<script src="https://js.hcaptcha.com/1/api.js" async defer></script>
<form action="https://splitforms.com/api/submit" method="POST">
<input type="hidden" name="access_key" value="YOUR_ACCESS_KEY" />
<input name="email" type="email" required />
<div class="h-captcha" data-sitekey="YOUR_HCAPTCHA_SITEKEY"></div>
<button type="submit">Send</button>
</form>
Google reCAPTCHA v3
reCAPTCHA v3 returns a 0.0–1.0 risk score; you choose the threshold. The accuracy is genuinely good. The problem is everything else: Google sets cookies that tie form submissions to the user's broader Google identity, the script weighs ~250KB and loads on every page where it's embedded, and the EU CJEU rulings on US data transfers make it legally awkward without explicit consent.
<script src="https://www.google.com/recaptcha/api.js?render=YOUR_SITE_KEY"></script>
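<script>
  // Request the token at submit time: reCAPTCHA v3 tokens expire after two minutes,
  // and this script runs before the form below exists in the DOM.
  document.addEventListener('DOMContentLoaded', () => {
    const form = document.querySelector('form');
    form.addEventListener('submit', (event) => {
      event.preventDefault();
      grecaptcha.ready(() => {
        grecaptcha.execute('YOUR_SITE_KEY', { action: 'contact' }).then((token) => {
          form.querySelector('input[name="g-recaptcha-response"]').value = token;
          form.submit(); // does not re-trigger the submit listener
        });
      });
    });
  });
</script>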
<form action="https://splitforms.com/api/submit" method="POST">
<input type="hidden" name="access_key" value="YOUR_ACCESS_KEY" />
<input type="hidden" name="g-recaptcha-response" value="" />
<input name="email" type="email" required />
<button type="submit">Send</button>
</form>
I'd only reach for reCAPTCHA v3 today if you already use Google's ad stack and have privacy-policy consent flows in place.
Friendly Captcha
A German-built proof-of-work captcha. The user's browser quietly solves a small cryptographic puzzle on form load; bots that submit instantly fail because they didn't do the work. Zero cookies, zero tracking, GDPR-native, ISO 27001 certified. The downside is cost (~$10/mo minimum, no real free tier) and the tiny CPU cost on low-end mobile devices.
<script type="module" src="https://unpkg.com/friendly-challenge@0.9.18/widget.module.min.js" async defer></script>
<form action="https://splitforms.com/api/submit" method="POST">
<input type="hidden" name="access_key" value="YOUR_ACCESS_KEY" />
<input name="email" type="email" required />
<div class="frc-captcha" data-sitekey="YOUR_FRIENDLY_SITEKEY"></div>
<button type="submit">Send</button>
</form>
Honeypot only
A hidden field that real humans never fill in. If it has a value when the form is submitted, it's a bot. The 2024 follow-up to Princeton's "No More Chasing Waterfalls" spam study found that even unsophisticated honeypots still catch 80–90% of generic form-spam bots — because most spam still comes from low-effort scrapers, not LLM-driven attackers.
<form action="https://splitforms.com/api/submit" method="POST">
<input type="hidden" name="access_key" value="YOUR_ACCESS_KEY" />
<!-- Honeypot: hidden from humans, irresistible to bots -->
<input
type="text"
name="botcheck"
style="position:absolute;left:-9999px"
tabindex="-1"
aria-hidden="true"
autocomplete="off"
/>
<input name="email" type="email" required />
<textarea name="message" required></textarea>
<button type="submit">Send</button>
</form>
splitforms treats botcheck, website, and a configurable list of honeypot field names as bot signals automatically.
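A server-side version of the honeypot check, added here as an illustration and not taken from splitforms: it combines the honeypot field names above with a time-to-submit check whose timestamp is HMAC-signed so a client cannot forge it. The hidden `rendered_at` field, the 3-second threshold and the function names are assumptions of this example.

```javascript
// Added example: honeypot plus a signed time-to-submit check.
const HONEYPOT_FIELDS = ['botcheck', 'website']; // field names from the article
const MIN_FILL_MS = 3000; // assumed threshold; tune per form

async function hmacHex(secret, message) {
  // Dynamic import works from both CommonJS and ES modules.
  const { createHmac } = await import('node:crypto');
  return createHmac('sha256', secret).update(message).digest('hex');
}

// Call when rendering the form; put the result in a hidden field
// (hypothetical name: rendered_at).
async function issueRenderToken(secret, now = Date.now()) {
  return `${now}.${await hmacHex(secret, String(now))}`;
}

async function classifySubmission(fields, secret, now = Date.now()) {
  // 1. Any non-empty honeypot field marks the submission as automated.
  for (const name of HONEYPOT_FIELDS) {
    if (typeof fields[name] === 'string' && fields[name].trim() !== '') {
      return { spam: true, reason: `honeypot:${name}` };
    }
  }
  // 2. The render token must be present and carry a valid signature.
  const [ts, sig] = String(fields.rendered_at || '').split('.');
  const { timingSafeEqual } = await import('node:crypto');
  const expected = Buffer.from(await hmacHex(secret, ts || ''), 'hex');
  const given = Buffer.from(/^[0-9a-f]{64}$/.test(sig || '') ? sig : '', 'hex');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { spam: true, reason: 'bad-render-token' };
  }
  // 3. A person needs a few seconds to fill in a form; a script posts at once.
  if (now - Number(ts) < MIN_FILL_MS) {
    return { spam: true, reason: 'too-fast' };
  }
  return { spam: false, reason: 'ok' };
}
```
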
Accessibility, the part nobody benchmarks
Every CAPTCHA is a cognitive or motor burden on the user, but the burden is unevenly distributed. The 2023 WebAIM accessibility survey of screen-reader users found that CAPTCHAs were the third-most cited barrier on the web (after low contrast and missing alt text). Within CAPTCHAs:
- reCAPTCHA v2 image challenges — the audio fallback frequently mistranscribes for users with hearing impairments, and the visual challenges defeat low-vision users entirely.
- reCAPTCHA v3 — invisible, but its behavioral fingerprinting can flag users with motor impairments (slow mouse movement, atypical click patterns) as bots, silently rejecting them.
- hCaptcha Enterprise — WCAG 2.1 AA certified, with a documented accessibility cookie that bypasses challenges for verified-disabled users.
- Cloudflare Turnstile — invisible by default, runs accessibility-friendly fallback challenges. WCAG 2.1 AA conformance documented.
- Friendly Captcha — proof-of-work runs in the background; no interaction required, so no accessibility burden.
- Honeypot — invisible to all users including screen readers, but only if you set aria-hidden="true" and tabindex="-1"; otherwise screen-reader users will fill it in and get blocked.
For any form that's a regulated service (government, healthcare, banking) or a primary user-conversion path, the accessibility ranking probably matters more than the bot-block ranking. splitforms' built-in honeypot is rendered with the correct ARIA attributes by default.
How to pick
- Personal blog / hobby site — honeypot. Don't add a captcha.
- SMB marketing site, <500 submissions/mo — Cloudflare Turnstile. Free, invisible, modern.
- SaaS signup or B2B lead form — Turnstile + Akismet on the server. Layered, low friction.
- Regulated industry (health, gov, finance) — hCaptcha Enterprise or Friendly Captcha for the audit trail.
- Already deep in Google's ad stack — reCAPTCHA v3 with proper consent UX.
- You don't want to think about this — splitforms ships with layered protection enabled by default; ~94% of bot spam never hits your inbox without you configuring anything.
Tech support / troubleshooting
- Turnstile widget never renders. The script tag is missing or your site key is wrong. Confirm https://challenges.cloudflare.com/turnstile/v0/api.js loads and that the data-sitekey matches the Cloudflare dashboard.
- Form submits but splitforms rejects with "captcha failed". The verification token expired (Turnstile tokens live ~5 minutes) or the secret in your splitforms form settings does not match the site key. Re-paste the secret.
- reCAPTCHA v3 score is always low. You are probably testing from an incognito window or behind a VPN — Google scores those low by default. Test from a normal window or lower the threshold to 0.3 during development.
- Honeypot tripping on real users. Password managers (Bitwarden, LastPass) auto-fill any input named website. Rename the honeypot to something unusual like fax_number_2.
- Conversion dropped after adding a CAPTCHA. Audit the dashboard for false-positive rate. If >1%, switch to Turnstile (lowest measured FP) or layer with the AI classifier at a higher threshold.
Next steps and where to get help
- If you want a no-CAPTCHA alternative, see honeypot vs reCAPTCHA and AI form spam detection.
- The full spam-protection feature page shows everything splitforms ships by default.
- Read the splitforms docs and API reference for the captcha verification fields and webhook envelope.
- Common billing and security questions live in the FAQ.
FAQ
Which CAPTCHA has the best conversion rate?
Cloudflare Turnstile and Friendly Captcha both run invisibly in the background and produce the smallest measurable conversion drop — typically under 1%. reCAPTCHA v2 'click the checkbox' has the largest measurable drop, often 3–5% on B2B contact forms.
Is reCAPTCHA v3 GDPR-compliant?
Not by default. reCAPTCHA v3 sends data (IP, behavioral signals, cookies) to Google in the United States, which requires either explicit consent or a transfer mechanism. hCaptcha, Cloudflare Turnstile, and Friendly Captcha are designed with stronger GDPR posture.
Can I just use a honeypot field instead of a CAPTCHA?
For low-traffic sites (under ~50 submissions/day) a honeypot plus basic rate limiting will often catch 90%+ of bot spam with zero user friction. For high-volume forms or anything attached to outbound email, layer a real CAPTCHA on top.
What does splitforms use under the hood?
splitforms applies a layered model: invisible honeypot, time-to-submit heuristics, IP reputation, content classifiers, and optional Turnstile or hCaptcha if you bring your own site key. Most users never need to add a visible CAPTCHA.
Does adding a CAPTCHA hurt SEO?
Not directly. Google does not penalize CAPTCHA-protected forms. The indirect risk is page weight: reCAPTCHA v3 loads ~250KB of JavaScript on every page, which can affect Core Web Vitals if you ship it site-wide.
Can I add Turnstile or hCaptcha to a splitforms form without writing server code?
Yes. Drop the widget into the HTML; splitforms automatically reads the cf-turnstile-response or h-captcha-response field on submit and verifies it server-side against Cloudflare or hCaptcha before relaying to your inbox. No serverless function, no glue code.
What if my CAPTCHA provider has an outage?
splitforms fails closed if you have configured a CAPTCHA — submissions without a verified token are rejected. Honeypot + IP reputation still run, so you keep some protection even when the third-party provider is degraded. You can also switch the verification mode to 'monitor' during incidents.