Why reCAPTCHA Isn’t Working on Your WordPress Form

Struggling with setting up Google reCAPTCHA? This short guide covers the most common causes of Google reCAPTCHA problems, with quick fixes and links to the official docs for deeper detail. Or, if you’re just fed up with trying to figure out why reCAPTCHA isn’t working, we’ll also highlight two free and easy-to-use alternatives available in Ninja Forms: hCaptcha and Cloudflare Turnstile. Whatever your preference, a working captcha is right around the corner!

Quick fixes when reCAPTCHA isn’t working

Below are the issues we see most often, how to spot them, and the fastest path to a fix. Each item links to Google’s official documentation for full steps.

1) “Invalid domain for site key” or your domain is not allowed

You might see:

ERROR for site owner: Invalid domain for site key
Localhost is not in the list of supported domains

Symptoms: You see an error like “ERROR for site owner: Invalid domain for site key,” the widget never loads, or it works on one environment but not another.

Fix overview: Make sure the exact domain is on the allowed list for your key. Use separate keys for development and production, and include localhost on your dev key if you need it. If a key looks corrupted or tied to the wrong project, create a new one and reinstall it.

Reference: Google’s troubleshooting guide lists domain allowlists and localhost behavior, plus other common errors.

2) Wrong key type or version mismatch

You might see:

ERROR for site owner: Invalid key type
Invalid site key

Symptoms: You registered a v3 key but embedded a v2 Checkbox widget, or you are mixing Classic, Enterprise, and score‑based keys. The badge may appear but tokens fail, or validation always rejects.

Fix overview: Confirm the key type matches the widget you are loading. If you are using v3, make sure you configured actions and are interpreting scores correctly. If you are on Enterprise, use the Enterprise scripts and endpoints.

Reference: Google Developer key types and versions overview.

3) Missing or failing server‑side verification

You might see (from the verify API response):

{"success": false, "error-codes": [
  "missing-input-secret",
  "invalid-input-secret",
  "missing-input-response",
  "invalid-input-response",
  "bad-request",
  "timeout-or-duplicate"
]}

Symptoms: Submissions are always blocked or always pass, or you never see a success despite the checkbox being completed.

Fix overview: Verify the token on your server with your secret key on every submission. Check that you are reading the token from g-recaptcha-response or your callback, then send it to Google’s verify endpoint and handle the JSON response.

Reference: Server verification guide with parameters and examples.

4) reCAPTCHA v3 score too strict

You might see (in your logs or verify response):

{"success": true, "score": 0.2, "action": "form_submit"}

Symptoms: Real users are failing silently. Everything “looks fine” but the form does not submit, or your logs show low scores being rejected.

Fix overview: Start with a moderate threshold such as 0.5 to 0.7, audit your action names, and review scores by page or action to tune. Fall back to a challenge only when scores are low.

Reference: v3 docs explain scores, action names, and tuning.
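
How a server-side handler could act on the verify responses shown in sections 3 and 4, as an added example that is not Ninja Forms' or Google's own code. The function names, the example.com hostname, the form_submit action check and the 0.5 threshold are assumptions, and the sample responses are constructed.

```php
<?php
// Added example: function names, hostname, action and the 0.5 threshold are assumptions.
// Send the token to Google's verify endpoint using the WordPress HTTP API.
function example_recaptcha_siteverify(string $secret, string $token): array {
    $resp = wp_remote_post('https://www.google.com/recaptcha/api/siteverify', [
        'timeout' => 5, 'body' => ['secret' => $secret, 'response' => $token],
    ]);
    if (is_wp_error($resp)) { // 'request-failed' is a local label, not a Google error code
        return ['success' => false, 'error-codes' => ['request-failed']];
    }
    $data = json_decode(wp_remote_retrieve_body($resp), true);
    return is_array($data) ? $data : ['success' => false, 'error-codes' => ['bad-json']];
}

// Map a decoded verify response to: allow, challenge, retry, misconfigured or block.
function example_recaptcha_decide(array $r, string $host, string $action, float $min = 0.5): string {
    $codes = $r['error-codes'] ?? [];
    if (empty($r['success'])) {
        // Secret-key errors are the site owner's to fix; log them, do not blame the visitor.
        if (array_intersect($codes, ['missing-input-secret', 'invalid-input-secret'])) {
            return 'misconfigured';
        }
        // Token expired or was already verified once: re-render the widget and ask again.
        if (in_array('timeout-or-duplicate', $codes, true)) {
            return 'retry';
        }
        return 'block'; // fail closed on anything else
    }
    if (($r['hostname'] ?? '') !== $host) {
        return 'block'; // token was issued for a different site
    }
    if (isset($r['score'])) { // v3 responses carry a score and an action
        if (($r['action'] ?? '') !== $action) {
            return 'block';
        }
        return $r['score'] >= $min ? 'allow' : 'challenge';
    }
    return 'allow'; // v2 checkbox solved
}

// Constructed sample responses, shaped like the ones shown in sections 3 and 4.
$samples = [
    'low v3 score' => ['success' => true, 'hostname' => 'example.com', 'score' => 0.2, 'action' => 'form_submit'],
    'reused token' => ['success' => false, 'error-codes' => ['timeout-or-duplicate']],
    'bad secret'   => ['success' => false, 'error-codes' => ['invalid-input-secret']],
];
foreach ($samples as $label => $r) {
    echo $label, ': ', example_recaptcha_decide($r, 'example.com', 'form_submit'), PHP_EOL;
}
```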

5) Script errors, timeouts, or the widget being removed

You might see:

reCAPTCHA returned BROWSER_ERROR when creating an assessment
SecurityError: blocked a frame with origin "https://www.google.com" from accessing a frame with origin "<your domain>"

Symptoms: Console shows BROWSER_ERROR, the challenge never appears, or the widget disappears after render. Some users with aggressive blockers cannot load the script.

Fix overview: Ensure the Google script loads on every page where you render the widget, avoid programmatically removing the element after click, and call grecaptcha.reset() if you replace or re‑render the form. Consider a fallback Captcha if a user’s environment blocks Google domains.

Reference: Google’s troubleshooting page covers BROWSER_ERROR, localhost, and widget reset tips.

Fed up with troubleshooting? Two free & easy alternatives in Ninja Forms

If Google reCAPTCHA has you ready to throw in the towel, don’t worry. You have options! Ninja Forms includes two excellent alternatives you can add in minutes. Both are free to use, privacy‑minded, and built for a smoother user experience.

hCaptcha

Ninja Forms partners with hCaptcha for a uniquely seamless integration. You can add the hCaptcha field to any form, connect your free hCaptcha account, and you are protected.

Why people choose hCaptcha:

  • Strong bot defense with a focus on privacy
  • Accessible challenges and enterprise‑ready controls
  • Seamless integration in Ninja Forms with no extra plugin required

Read our quick guide here.

Documentation for setup.

Cloudflare Turnstile

Cloudflare Turnstile verifies users behind the scenes, so most visitors never see a challenge. It is lightweight, privacy friendly, and fast.

Why people choose Turnstile:

  • Frictionless for legitimate users
  • Privacy friendly verification by Cloudflare
  • Simple field in Ninja Forms, add it and publish

Read our quick guide here.

Documentation for setup.

Tune it up or toss it out: you have options if reCAPTCHA isn’t working!

If reCAPTCHA isn’t working, the fixes above usually do the trick: confirm allowed domains, match your key type to the widget, verify tokens on the server, tune v3 scores, and make sure the script can load consistently.

But if you would rather skip the trial and error, hCaptcha and Cloudflare Turnstile are both excellent, fully supported options in Ninja Forms.

Install the free Ninja Forms plugin, add your preferred Captcha field, and stop spam today!