Why anyone still using reCAPTCHA in 2026 should switch
reCAPTCHA was the default for a decade because there was nothing better. In 2026 there is. The honest reasons to replace it:
- It annoys real users. Image-grid conversion drop is typically 3–10% on contact and signup forms.
- It barely stops modern bots. Solving APIs crack reCAPTCHA v2 for $0.001–$0.003 per token.
- Privacy/GDPR exposure. It reads cookies and fingerprints, feeding Google's analytics graph.
- It's slow. ~250KB of script plus a round-trip on every protected page.
Replacements range from free no-UI (honeypot, splitforms AI) to enterprise-grade. The rest of this post says which fits.
At-a-glance comparison
| Tool | Free tier | Cheapest paid | Visible to user | Best for |
|---|---|---|---|---|
| splitforms AI spam | 1,000 subs/mo | $5/mo (5,000) | Never | Form backends — zero integration |
| Cloudflare Turnstile | Unlimited, free | — | Rarely | Everything else |
| Honeypot field | Free forever | — | Never | Casual form spam |
| hCaptcha | 1M req/mo | $99/mo Pro | Often | Enterprise wanting paid support |
| Friendly Captcha | Trial only | €9/mo | Invisible | EU privacy-strict sites |
| MTCaptcha | 50/mo | $159/mo | Visible | Compliance-heavy industries |
| Procaptcha | Free public node | Custom | Visible | Web3/decentralized sites |
| GeeTest | 500/day trial | $300+/mo | Often (slider) | Asian markets / login flows |
| Arkose Labs | None | ~$1,500+/mo | Often | Fraud teams at scale |
| Anti-Bot.io | 10k req/mo | $29/mo | Invisible | API-first projects |
Stop here and you have the answer: form backend with built-in spam filtering, fall back to Turnstile for generic CAPTCHA. Reviews below explain the nuance.
How we picked
Each tool ran behind a contact form, signup, and comment box on a ~40k-visits/month site. Scoring:
- User friction. How often a real visitor sees a challenge.
- Bot catch rate. % of obvious spam still landing in the inbox.
- Privacy. Where data goes. Cookies, fingerprinting, GDPR posture.
- Integration cost. Minutes to first protected form.
- Total cost at 5–10k interactions/month.
Nothing sponsored. Where a tool legitimately beats splitforms on something, I say so.
1. splitforms' built-in AI spam classification — best for form backends
Best for: anyone whose CAPTCHA exists to filter contact-form spam.
Most people add reCAPTCHA because they're tired of junk submissions. If that's the whole problem, you don't need a CAPTCHA — you need a form backend that filters before delivery. splitforms runs every submission through an AI classifier, drops the bad ones, and emails only the good ones. No script tag, no challenge, no cookie banner update.
Free tier: 1,000 submissions/month, AI classification, built-in botcheck honeypot, free webhooks, custom SMTP. Pro is $5/mo for 5,000; the $59 4-year plan averages $1.23/mo. reCAPTCHA Enterprise still ships an image grid.
What it's not: a generic JS CAPTCHA for a login page — it only protects forms submitted through splitforms. For everything else, see #2. Methodology in our AI form spam detection writeup.
Verdict: If your CAPTCHA problem is form spam, this removes the question entirely.
2. Cloudflare Turnstile — best for everything else
Best for: logins, signups, paywalls, comment boxes — anywhere you can't front with a form backend.
Cloudflare's direct reCAPTCHA replacement, unlimited-free. It almost never shows a visible challenge — runs invisible browser checks and issues a token. Suspicious scores fall back to a one-click checkbox, not an image grid.
Pricing: free, no caps, no card. Two-line integration: a script tag plus a cf-turnstile div, then a server-side POST to siteverify.
Beats splitforms built-in for non-form pages. splitforms wins for splitforms-managed forms. Stack them on high-traffic signups — Turnstile client-side, splitforms AI server-side.
Verdict: For a generic invisible CAPTCHA, install Turnstile this afternoon.
3. Honeypot fields — free, no UI, surprisingly effective
Best for: casual form spam, sites that can't afford a third-party script.
A honeypot is a hidden field real users never see; naive bots fill every input and trip it. Reject non-empty submissions. It still catches most automated form spam in 2026 because cheap headless scripts don't parse CSS.
splitforms ships one built-in — add a botcheck hidden checkbox and submissions with it set drop silently. Zero JS, zero third party. Tradeoff: a targeted attacker inspecting your DOM will skip it. For that, layer Turnstile or AI on top.
Full tradeoffs in our honeypot vs reCAPTCHA writeup. Honeypot as default first line; add more only when spam slips through.
Verdict: Free, accessibility-safe, catches 80–95% of casual bots. Default for any form.
4. hCaptcha
Best for: enterprise teams wanting paid SLA and a visible challenge as deterrent.
hCaptcha is the closest functional clone of reCAPTCHA v2 — same image-grid format, same drop-in flow, same verify pattern. Free tier is 1M req/month, and unlike Google they don't feed ad-targeting models. Pitch: privacy-first plus a publisher revenue program where you earn a few cents per challenge.
Where it lags Turnstile: visible challenges are still the norm. Their "invisible" mode often surfaces a challenge on VPNs, Tor, or aggressive ad-blockers. Pricing scales free → $99/mo Pro → enterprise.
I'd pick hCaptcha over reCAPTCHA every time, but Turnstile over hCaptcha for any new install unless you need the paid support tier.
Verdict: Reasonable familiar replacement. Wrong pick if user friction is your main concern.
5. Friendly Captcha
Best for: EU sites needing explicit GDPR-friendly, no-cookie attestation.
German vendor using proof-of-work crypto instead of behavior fingerprinting. The browser solves a small puzzle in the background; nothing about the user is tracked. Zero cookies, zero fingerprinting, full GDPR clearance. Genuinely invisible — no checkbox, just a small progress bar.
Pricing starts at €9/mo (about 5,000 puzzles), scaling to €199/mo. No permanent free tier, only a trial — the sticking point for indie devs.
Catch rate is solid for non-targeted spam (proof-of-work makes mass-spamming CPU-expensive); determined attackers can still pay solving services. The privacy story is the reason to pick this — for healthcare/legal/government EU forms where the DPA matters.
Verdict: Best privacy story in the category. Overkill when Turnstile is free.
6. MTCaptcha
Best for: regulated industries needing SOC 2 / HIPAA-ready vendor docs.
Positions itself as the compliance-friendly choice. SOC 2 Type II reports, BAA-signing for HIPAA, EU-only data residency. The UI is traditional — visible checkbox with adaptive difficulty that escalates to image puzzles on high risk scores.
Free tier is 50 puzzles/month (barely a demo). Paid starts at $159/mo Pro. You only pay it because compliance procurement requires it. Catch rate is comparable to hCaptcha — fine, not exceptional.
Wildly overspecified for a regular contact form. For a hospital intake form or financial advisor lead capture where security asks "does the CAPTCHA vendor sign a BAA?", the paperwork is ready.
Verdict: Buy when procurement requires it, not on technical merit.
7. Procaptcha (Prosopo)
Best for: web3-native sites that want decentralized infrastructure.
Runs on a decentralized provider network built on Substrate/Polkadot. Pitch: no single company controls challenge data or can shut you off. Public providers free; private providers paid with SLAs.
Practically, it works fine — visible image puzzles, standard verify endpoint. Latency is slightly higher because requests hop through provider nodes. Integration shape matches everything else.
Narrow audience: DEXs, NFT marketplaces, DAO tooling where "no Big Tech dependencies" is the brand promise. For a regular contact form, the decentralization premium buys you nothing.
Verdict: Niche win for web3 alignment. Not worth the latency outside that.
8. GeeTest
Best for: gaming, ticketing, and sites with significant Asian-market traffic.
Dominant CAPTCHA in China and big in Korea/Japan. Signature is the slider-puzzle challenge — harder for automated solvers than image grids. Also offers behavior-based invisible scoring.
Catch rate is strong, particularly against credential-stuffing aimed at gaming logins and limited-edition drops. Pricing is opaque; public tiers start around $300/mo. Free trial is 500 challenges/day.
If your traffic is primarily Asian or you're fighting bots in NFT mints, concert tickets, or MMO logins, GeeTest is best-in-class. For a Western contact form, it's expensive slider friction visitors will resent.
Verdict: Excellent in the right vertical. Wrong tool for general form spam.
9. Arkose Labs
Best for: fraud teams at fintech, ticketing, and large SaaS facing targeted account takeover.
Enterprise heavyweight. Unique challenges — match objects, rotate animals, dice-sum problems — designed to defeat solving farms because the visual domain rotates often. Behind the scenes is a fraud-scoring engine that triggers harder challenges only on high-risk sessions.
Procurement-grade. No public pricing, no self-serve signup, no free tier. Real deployments start in the low four figures per month on annual contracts.
For 99% of readers this is the wrong tool. If your security team flagged credential stuffing on a login endpoint, this is the category you're shopping in.
Verdict: Best-in-class for adversarial fraud. Inappropriate for ordinary form spam.
10. Anti-Bot.io
Best for: API-first projects wanting bot scoring as a verification API, not a UI widget.
Server-side bot-detection API. You send a request fingerprint (IP, headers, behavior signals you collect) and they return a risk score. No widget on your page; you decide what to do with the score.
Free tier 10,000 requests/month, paid from $29/mo. Integration is one HTTP call. Downside: you collect and forward the signal yourself — no drop-in script. Well-suited to API gateways, mobile apps, and headless flows.
For a typical website contact form, Turnstile gives a similar outcome with less work. For programmatic API endpoints, Anti-Bot.io is the better shape.
Verdict: Good niche tool for headless flows. Not for ordinary web forms.
Which one should you actually pick?
By use case:
- Contact/signup/newsletter form, small-mid site. splitforms. AI built in, 1,000/mo free, no CAPTCHA needed.
- Login, paywall, comment box. Cloudflare Turnstile. Free, invisible, two-line install.
- Belt-and-suspenders on splitforms forms. Add Turnstile client-side, keep splitforms AI server-side.
- EU site, residency + paperwork. Friendly Captcha.
- SOC 2 / HIPAA procurement. MTCaptcha.
- Asian-market traffic / ticketing. GeeTest.
- Fintech credential stuffing. Arkose Labs.
- Headless / API / mobile. Anti-Bot.io.
Notice what's missing: reCAPTCHA. There's no 2026 use case where it beats the options above. The only reason it's still everywhere is inertia.
How to migrate off reCAPTCHA
Replacing reCAPTCHA usually takes under an hour per site:
- Find every reference with
grep -r "g-recaptcha\|recaptcha/api.js\|grecaptcha" . - For form-only protection: sign up at splitforms, swap
actiontohttps://splitforms.com/api/submit, add anaccess_keyhidden input, remove the reCAPTCHA tags. See our migration guide or grab a pre-wired contact form. - For Turnstile: register at dash.cloudflare.com/turnstile, swap the script tag, swap
g-recaptchaforcf-turnstile, point your server verify tochallenges.cloudflare.com/turnstile/v0/siteverify. - Update CSP + consent banner. Remove
google.com/recaptcha; add the new vendor if needed. - Test and monitor. Watch spam for a week. If junk slips through honeypot, add Turnstile or AI on top.
Sample replacement form using splitforms (no JS CAPTCHA needed):
<form action="https://splitforms.com/api/submit" method="POST">
<input type="hidden" name="access_key" value="YOUR_ACCESS_KEY" />
<input type="text" name="name" required />
<input type="email" name="email" required />
<textarea name="message" required></textarea>
<input type="checkbox" name="botcheck" style="display:none" tabindex="-1" />
<button type="submit">Send</button>
</form>Framework starters at /forms/nextjs, /forms/react, /forms/astro, /forms/vue.
Further reading and help
- Depth on the simplest option: honeypot vs reCAPTCHA.
- How splitforms' AI classifier works: AI form spam detection.
- Browse every spam-and-security post: splitforms blog.
- API contract and security details: /docs, /api-reference.
- Plan, residency, and security FAQs: /faq.
- Ready to drop reCAPTCHA? Grab a free splitforms access key.
FAQ
Why are people moving away from reCAPTCHA in 2026?
Three reasons: v2 image grids drop conversion 3–10% on real users; reCAPTCHA pipes behavior to Google, a GDPR liability for EU sites; and solving APIs crack v2 tokens for fractions of a cent each, so the friction now mostly hurts humans while bots pay through. Cheaper, less invasive options like Turnstile and honeypot match or beat its catch rate.
Is the honeypot technique still effective in 2026?
Yes for the bulk of form spam. Most spam still comes from headless scripts that fill every visible AND hidden field, so they trip honeypot instantly. It won't stop a targeted attacker inspecting your DOM, but a single hidden checkbox catches 80–95% of automated junk. Pair it with one server-side check (AI, rate limit) and you cover the rest without showing a challenge to a real user.
Cloudflare Turnstile vs hCaptcha — which should I use?
Turnstile if you want truly invisible most of the time, free unlimited usage, and don't need paid support. hCaptcha if you want an enterprise vendor with paid SLA, dataset earnings, and aggressive CAPTCHA fallback. For 90% of contact forms Turnstile wins — almost never shows a visible challenge, no usage cap, integrates in two lines.
Will any of these break accessibility?
Honeypots and invisible Turnstile are accessibility-safe — nothing surfaces to assistive tech. Visible image challenges (reCAPTCHA v2, hCaptcha visible, GeeTest sliders) are hostile to screen readers and low-vision users. If WCAG matters, default to invisible methods. splitforms' AI classifier requires zero user interaction so it's automatically accessible.
Do I still need a CAPTCHA if I'm using splitforms?
Usually no. splitforms runs every submission through AI spam classification, rate-limits per IP, and supports a built-in botcheck honeypot. For a normal contact form, that's enough — no third-party CAPTCHA needed. Add Turnstile only if you see sustained targeted bot pressure on logins or high-traffic signups.
What about reCAPTCHA v3 — isn't it invisible already?
v3 is invisible but it returns a score (0.0–1.0) and you have to decide what to do with low-score submissions. That decision is the hard part: block at 0.5 and reject legit users on weird networks; block at 0.1 and bots slip through. v3 also still phones home to Google. Turnstile gives a pass/fail token without the tuning game or the analytics pipeline.
Are paid CAPTCHA vendors like Arkose Labs worth it?
Only at scale. Arkose and GeeTest are built for fraud teams at fintech, ticketing, and gaming dealing with credential-stuffing. Pricing starts in the low four figures per month with annual commit. For a contact form or newsletter signup, you're paying enterprise rates for a problem you don't have. Stick with free options unless you're seeing targeted financial fraud.
How fast can I switch from reCAPTCHA?
Honeypot: 30 seconds — add one hidden input. Turnstile: 5 minutes — swap the script tag and the verify call. splitforms built-in: zero minutes if you already use splitforms. Migrating a whole codebase is mostly grep-and-replace: find every g-recaptcha reference plus the server-side verify, swap them, deploy.