Migration guide

Migrate from reCAPTCHA to CaptchaLa

Drop-in replacement in under 10 minutes. Keep your forms, swap the verification provider. Works with vanilla HTML, WordPress, Flarum and any backend.

reCAPTCHA (current setup) → ~10 min → CaptchaLa (drop-in target)

What the code change looks like

Before — reCAPTCHA v2
<div class="g-recaptcha" data-sitekey="YOUR_SITE_KEY"></div>
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
After — CaptchaLa
<button id="login-btn">Sign in</button>
<script src="https://cdn.captcha-cdn.net/captchala-loader.js"></script>
<script>
  loadCaptchala(() => Captchala.init({ appKey: 'YOUR_APP_KEY', action: 'login' })
    .onSuccess(res => onToken(res.token))
    .bindTo('#login-btn'));
</script>
Before — reCAPTCHA server verify (Node)
// Named verifyRes so it does not shadow the Express `res` used for the reply below.
const verifyRes = await fetch('https://www.google.com/recaptcha/api/siteverify', {
  method: 'POST',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  body: new URLSearchParams({
    secret: process.env.RECAPTCHA_SECRET,
    response: req.body['g-recaptcha-response'],
  }),
})
const data = await verifyRes.json()
// Reject the submission unless the provider confirms the token.
if (!data.success) return res.status(400).json({ error: 'bot' })
After — CaptchaLa server verify (Node)
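// Named verifyRes so it does not shadow the Express `res` used for the reply below.
const verifyRes = await fetch('https://apiv1.captcha.la/v1/validate', {
  method: 'POST',
  headers: {
    // Credentials travel in headers; the App Secret stays server-side.
    'X-App-Key': process.env.CAPTCHALA_APP_KEY,
    'X-App-Secret': process.env.CAPTCHALA_APP_SECRET,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({ pass_token: req.body['captchala-token'] }),
})
const { data } = await verifyRes.json()
// Reject when the data object is missing or the token is not valid.
if (!data || !data.valid) return res.status(400).json({ error: 'bot' })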

Migration steps

  1. Sign up & grab your App Key + Secret

    Create a free CaptchaLa account, add a site, and copy the App Key (public) and App Secret (server-side). No card required.

  2. Swap the widget tag in your form

    Replace the reCAPTCHA div and script src with the CaptchaLa equivalents. The tag class changes from g-recaptcha to captchala, data-sitekey becomes data-app-key, and the script URL points to our CDN.

  3. Update the form submission field name

    reCAPTCHA injects a hidden field named g-recaptcha-response. CaptchaLa uses captchala-token. If your form handler reads the field by name, rename the constant; otherwise the hidden input flows through automatically.

  4. Update server-side verification

    Point the verify request at apiv1.captcha.la/v1/validate, with the app credentials in headers (X-App-Key / X-App-Secret) and pass_token in a JSON body. The response carries a valid flag (data.valid) that you branch on the same way as reCAPTCHA's success flag, so existing branching code stays.

  5. Roll out gradually

    Most teams ship to one form (often the lowest-traffic one — newsletter signup or contact) first, watch conversion and challenge rate for a few hours, then expand. There's no minimum and no contract, so canarying is free.
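
Steps 4 and 5 together, as an added example that is not CaptchaLa's own code: during a gradual rollout the server maps each form to exactly one provider and rejects the submission on any verification failure. FORM_PROVIDER, PROVIDERS, pickToken and verifyForm are hypothetical names and the rollout map is constructed; the endpoints, headers and field names are the ones shown in the snippets above. It assumes Node 18+ for the global fetch and AbortSignal.timeout.

```javascript
// Added example. FORM_PROVIDER, PROVIDERS, pickToken and verifyForm are hypothetical names.
const FORM_PROVIDER = { newsletter: 'captchala', login: 'recaptcha' }; // constructed rollout map

const PROVIDERS = {
  recaptcha: {
    field: 'g-recaptcha-response',
    request: (token, env) => ['https://www.google.com/recaptcha/api/siteverify', {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: new URLSearchParams({ secret: env.RECAPTCHA_SECRET, response: token }),
    }],
    passed: (json) => Boolean(json?.success),
  },
  captchala: {
    field: 'captchala-token',
    request: (token, env) => ['https://apiv1.captcha.la/v1/validate', {
      method: 'POST',
      headers: {
        'X-App-Key': env.CAPTCHALA_APP_KEY,
        'X-App-Secret': env.CAPTCHALA_APP_SECRET,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({ pass_token: token }),
    }],
    passed: (json) => Boolean(json?.data?.valid),
  },
};

// The server-side map, not the field name the client submits, selects the provider.
function pickToken(formId, body) {
  const provider = PROVIDERS[FORM_PROVIDER[formId]];
  if (!provider) return null;
  const token = body?.[provider.field];
  return typeof token === 'string' && token.length > 0 ? { provider, token } : null;
}

// Fail closed: missing token, transport error, timeout, non-2xx or malformed body all reject.
async function verifyForm(formId, body, env = process.env, fetchImpl = fetch) {
  const picked = pickToken(formId, body);
  if (!picked) return false;
  try {
    const [url, init] = picked.provider.request(picked.token, env);
    const resp = await fetchImpl(url, { ...init, signal: AbortSignal.timeout(5000) });
    if (!resp.ok) return false;
    return picked.provider.passed(await resp.json());
  } catch {
    return false;
  }
}
```

A route handler would call `if (!(await verifyForm('newsletter', req.body))) return res.status(400).json({ error: 'bot' })`; moving a form to CaptchaLa is then a one-line change to the map.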

FAQ

Do I need to migrate all forms at once?

No. The two systems coexist on the same site — they don't share state or cookies. Migrate one form at a time.

What about reCAPTCHA Enterprise's risk scores? Do scores transfer?

Scores don't transfer (they're vendor-internal), but CaptchaLa returns its own risk score in the verify response. The numeric range and decision logic are documented; teams typically map their existing score threshold (e.g. 0.5) to ours within an hour.

Will my Google Site Verification or other Google integrations break?

No. reCAPTCHA is separate from Search Console / Site Verification / Analytics. Removing the reCAPTCHA tag has no effect on any other Google service.

Is there a migration script for sites with many embedded reCAPTCHA tags?

We don't ship one (the find-and-replace is one regex per repo, and every codebase's templating differs). The 10-line shell snippet most teams use is in the docs.