If you run forms on a Grav site, you've almost certainly used Google reCAPTCHA. It's been built into the Form plugin for years. You sign up with Google, grab your two keys, paste them into the plugin config, and the spam mostly dries up. Free, simple, done.
Google changed that. reCAPTCHA isn't the free default anymore, and that turned out to be a good excuse to look at everything else the Form plugin can do now. The short answer is: a lot more than it used to, including a self-hosted option we built ourselves that I'm pretty happy with.
What Google Changed
reCAPTCHA moved onto Google Cloud, and the free allowance dropped from a million checks a month to 10,000. Go past that and you pay: $8 a month covers up to 100,000 checks, and it's about $1 per 1,000 after that. Every existing key has to be migrated to a Google Cloud project with billing attached by the end of 2025, and the fancier fraud-detection bits are paid-only now. It's all on Google's pricing page.
Ten thousand checks sounds like plenty until you've got a busy contact form and a comment box, and then it goes fast. This isn't a catastrophe. reCAPTCHA still works fine. But "set it and forget it for free" is over.
One Field, Several Providers
In the Grav 2.0 Form plugin, a captcha is one field with a provider behind it:
```yaml
fields:
  captcha:
    type: captcha
    provider: cap
```
Change the provider and you change the captcha. Keys and options go in the plugin config (form.yaml, or the plugin settings in the admin). Four providers ship built in. Two run entirely on your own server, two lean on an outside service, and that difference matters a lot more than it used to.
Cap, and Why We Built Our Own
Cap is the one I'm most pleased with. It's new in Form 9.0, and it's a proof-of-work captcha, which is a different animal from the rest.
The trick with proof-of-work is that instead of making a person pick out crosswalks, you make their browser do a little math. Cap hands the browser a batch of small SHA-256 puzzles. Cheap for one real visitor, expensive for a bot blasting your form a thousand times over. The browser solves them in the background, and by default the whole thing is invisible. No checkbox, no images, nothing to click. You can switch on a checkbox if you'd rather show something.
This is where it got interesting for us. Cap is a great open-source project, but its server runs on Node.js. Asking a typical Grav user to stand up and babysit a Node service next to their flat-file PHP site was never going to fly, and it throws away the best part of Cap. So we wrote our own server in PHP.
cap-php is our from-scratch PHP port of the Cap server, open source under Apache 2.0. It's wire-compatible with the official Cap widget, it's around 500 lines of code, and it needs nothing beyond the JSON and hashing functions PHP already has.
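To make the proof-of-work idea concrete, here is an added example of the server/browser round trip in Python. It is not cap-php's code and does not follow Cap's wire format; the challenge layout (a batch of random salts, a difficulty counted as leading hex zeros of a SHA-256 digest, an HMAC-signed envelope with a time-to-live, and a spent-list so a solved batch cannot be replayed) is an assumption made for illustration. The point it shows is the cost asymmetry: the client burns roughly 16**difficulty hashes per puzzle, the server spends one hash per puzzle to check the answer.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed illustration of a proof-of-work captcha. Not Cap's protocol and
# not cap-php: the challenge format, the meaning of "difficulty" and the token
# handling below are assumptions made for this example only.

SERVER_KEY = secrets.token_bytes(32)  # hypothetical server-side secret
CHALLENGE_TTL = 120                   # seconds a batch stays valid (assumed)
_spent: set = set()                   # signatures already redeemed (assumed store)


def _envelope(issued: int, difficulty: int, salts: list) -> bytes:
    return f"{issued}|{difficulty}|{','.join(salts)}".encode()


def issue_challenge(count: int = 8, difficulty: int = 4) -> dict:
    """Server side: hand the browser a batch of salts in a signed envelope."""
    salts = [secrets.token_hex(16) for _ in range(count)]
    issued = int(time.time())
    sig = hmac.new(SERVER_KEY, _envelope(issued, difficulty, salts), hashlib.sha256).hexdigest()
    return {"issued": issued, "difficulty": difficulty, "salts": salts, "sig": sig}


def meets_target(salt: str, nonce: int, difficulty: int) -> bool:
    """One SHA-256; success means the digest starts with `difficulty` hex zeros."""
    digest = hashlib.sha256(f"{salt}{nonce}".encode()).hexdigest()
    return digest.startswith("0" * difficulty)


def solve(challenge: dict) -> list:
    """Browser side: brute-force a nonce per salt, about 16**difficulty tries each."""
    d = challenge["difficulty"]
    solutions = []
    for salt in challenge["salts"]:
        nonce = 0
        while not meets_target(salt, nonce, d):
            nonce += 1
        solutions.append(nonce)
    return solutions


def verify(challenge: dict, solutions: list, now: Optional[int] = None) -> tuple:
    """Server side: signature, freshness, single use, then one hash per puzzle."""
    now = int(time.time()) if now is None else now
    env = _envelope(challenge["issued"], challenge["difficulty"], challenge["salts"])
    expected = hmac.new(SERVER_KEY, env, hashlib.sha256).hexdigest()
    # A client that lowers its own difficulty or swaps salts breaks the signature.
    if not hmac.compare_digest(expected, challenge["sig"]):
        return False, "tampered challenge"
    if now - challenge["issued"] > CHALLENGE_TTL:
        return False, "expired"
    if challenge["sig"] in _spent:
        return False, "already used"
    if len(solutions) != len(challenge["salts"]):
        return False, "wrong solution count"
    for salt, nonce in zip(challenge["salts"], solutions):
        if not meets_target(salt, nonce, challenge["difficulty"]):
            return False, "bad nonce"
    _spent.add(challenge["sig"])  # burn the batch so it cannot be submitted twice
    return True, "ok"


if __name__ == "__main__":
    ch = issue_challenge(count=4, difficulty=3)
    print(verify(ch, solve(ch)))  # expected: (True, 'ok')
```

Difficulty is the knob the `challenge_difficulty` setting above corresponds to in spirit: each extra hex digit multiplies the browser's work by sixteen while the server's check stays flat, which is why a per-form setting of 4 is cheap for one visitor and expensive for a bot submitting in bulk. The spent-list is the part a real deployment has to back with shared storage (the `storage: grav-cache` option in the page's config plays that role), otherwise one solved batch could be resent until it expires.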
So the whole captcha runs inside Grav. Challenge server, validation, all of it, in PHP, on the host you already have. No Node. No second service. No dashboard, no keys, no monthly bill. You turn it on and it works:
```yaml
cap:
  mode: invisible
  storage: grav-cache
  challenge_difficulty: 4

fields:
  captcha:
    type: captcha
    provider: cap
```
Cap needs PHP 8.1 or newer, which Grav 2.0 already requires. For most sites it's the first one I'd reach for: free, private, self-hosted, and invisible, so nobody has to prove they're human by clicking on fire hydrants.
Basic Captcha, the Self-Hosted Classic
Want something visible and self-hosted without the proof-of-work machinery? Basic Captcha is still here. It draws a small image or math puzzle on your server: "what's 7 + 4", count the dots, that kind of thing. No outside service, no external JavaScript. It's not fancy, but it's been quietly doing the job for years:
```yaml
basic_captcha:
  type: math
```
Cloudflare Turnstile, a Managed Service That's Free
If you'd rather let someone else run the captcha, Cloudflare Turnstile is the obvious reCAPTCHA swap. It's been in the Form plugin since 8.0. It's free, privacy-minded, and mostly invisible to visitors. You'll need a Cloudflare account and a site and secret key, the same setup reCAPTCHA always had:
```yaml
turnstile:
  site_key: "your-site-key"
  secret_key: "your-secret-key"

fields:
  captcha:
    type: captcha
    provider: turnstile
```
This is where I'd point you if Cap's self-hosted approach isn't your thing and you want a name brand handling it.
Google reCAPTCHA, Still Here
Google reCAPTCHA still works, all of it: v2 checkbox, v2 invisible, and v3 scoring. If you're already running it and you're well under 10,000 checks a month, there's no fire to put out today. Just go in clear-eyed about the Google Cloud migration and the new limits:
```yaml
recaptcha:
  version: 2-checkbox
  site_key: "your-site-key"
  secret_key: "your-secret-key"
```
Honeypot, Free and Frictionless
The honeypot isn't really a captcha, but turn it on anyway. It's an invisible field a real person never sees and never fills in. Plenty of dumb bots fill in everything they find, and when this one comes back with a value, the submission gets tossed. It costs your visitors nothing and pairs with any of the above:
```yaml
fields:
  website_url:
    type: honeypot
```
So Which One?
My short answer: use Cap. Invisible, self-hosted, free, and it tracks nobody. Drop a honeypot alongside it and most sites are sorted.
Past that:
- Want someone else to run it? Turnstile, free and privacy-friendly.
- Already invested in reCAPTCHA and under the limits? Stay put, just mind the migration.
- Want a plain visible puzzle with no moving parts? Basic Captcha.
| You want... | Use | Third party? |
|---|---|---|
| Invisible, private, free, no setup | Cap | No, runs on your server |
| A visible puzzle, self-hosted | Basic Captcha | No |
| A free managed service | Turnstile | Yes, Cloudflare |
| To keep what you have | reCAPTCHA | Yes, Google (now paid past 10k) |
| Frictionless bonus protection | Honeypot | No |
Switching Is One Field
Switching captcha doesn't mean rebuilding your form. Change the provider on one field, set a few keys in config, done. reCAPTCHA to Cap is literally `provider: recaptcha` becoming `provider: cap`. The old shorthand types (`type: recaptcha`, `type: basic-captcha`) still work too, so existing forms keep running while you make up your mind.
Wrapping Up
For most of Grav's life, picking a captcha wasn't really a decision. reCAPTCHA was free and built in, so that's what you used. Google ended that, but it pushed us somewhere better: a captcha that's genuinely yours, running on your own site, costing nothing and phoning nobody. Between Cap, Turnstile, Basic Captcha, reCAPTCHA, and the honeypot, you can pick the one that actually fits your site.
If you're not sure which is right for you, come ask in Discord at chat.getgrav.org. And if you've had reCAPTCHA running on autopilot, take a look before that migration deadline makes the choice for you.
Andy