Cloudflare moves from Google reCAPTCHA to hCaptcha


6 minutes reading

CAPTCHAs (Completely Automated Public Turing Test to Tell Computers and Humans Apart) are designed to identify humans from bots and to protect websites from spam, phishing, and hacker attacks. They use an advanced risk analysis engine and adaptive challenges to keep automated software from connecting with abusive intents to a website. In simple words – you can use CAPTCHA to control who has access over different areas of or your entire website – legitimate visitors or web robots.

The global web-infrastructure and website-security company Cloudflare is utilizing CAPTCHA as part of a huge security package available for all users of their services. Until now, Cloudflare was utilizing Google as a provider for the CAPTCHA service, however recently they announced interesting news – they are moving away from Google reCAPTCHA to hCaptcha due to pricing and privacy concerns.

How does CAPTCHA get triggered and how can you control it when using the Cloudflare service?

Cloudflare provides a large variety of services and features separated in a few plans which every customer can choose from when adding a domain to Cloudflare. No matter what Cloudflare plan you are utilizing, what they all have in common is the CAPTCHA protection that can be displayed to a visitor due to one of the following reasons:

  • The IP address of the visitor has a low reputation making it suspicious for the Cloudflare service. The reputation of an IP address depends on whether or not it has been part of malicious activities previously. If a visitor on your website is displayed with CAPTCHA verification you might want to check their IP address against the Project Honeypot distributed system for identifying spammers and spambots. Please note that if no malicious activities are detected from the visitor’s IP address for a period of two weeks, CloudFlare will stop challenging the visitor with the CAPTCHA verification.
  • You might have blocked the country from which the visitor is accessing your website. This is typically done in the Firewall section of the Cloudflare service and if that is the case removing the block will prevent your visitor from being challenged with the CAPTCHA verification.
  • The actions of your visitor on your website triggered a WAF (Web Application Firewall) rule.  As we have mentioned, Cloudflare provides a large variety of services for your website. One of which is the Web Application Firewall that guards your website against common exploits and attacks. The way how this service works is that it matches all web requests send to your website against a list of rules. If the request triggers no match the same is considered as legitimate, however, is the request matches some rule, the visitor sending the request is challenged with CAPTCHA verification.

As you can see all of the reasons are related to limiting the possibility of your website being exploited or in other words the CAPTCHA service is set to protect it.

In order to pass the CAPTCHA verification the visitor will have to complete one of the following actions:

  • Successful completion of the CAPTCHA verification – Depending on the type of challenge the visitor will have to follow the instructions in order for the CAPTCHA verification to be completed successfully and the requested web resource to be displayed.
  • Request the website owner to unblock their IP address – If the IP address has been blocked the only possible way of the visitor reaching your website is to have their IP address unblocked.
  • Scan their computer for viruses and malicious scripts that might be triggering the CAPTCHA verification.

Now that you understand how important the CAPTCHA verification is for your website let’s dig into the different reasons of why CloudFlare decided that Google reCAPTCHA is not the right service for protecting your website.

Why CloudFlare decided to move away from Google reCAPTCHA?

Since its earliest days, Cloudflare used to rely on Google reCAPTCHA as Google provided reCAPTCHA for free in exchange for simple data collection. However, the changes in Google’s terms at the beginning of 2020 lead them to the conclusion they need to start searching for a more suitable replacement.

Considering the number of users who rely on Cloudflare’s services, we at HostArmada strive to keep our customers informed and prepared for such significant changes that might directly affect them. Therefore, we have decided to bring a little light on the matter by outlining the main reasons why you should consider hCaptcha as a suitable alternative to Google reCAPTCHA not only when it comes to the usage of CloudFlare provided services but also when using CAPTCHA for protecting the forms of your busy websites.

Business Model

At the beginning of this year, Google announced that they are going to start charging for reCAPTCHA customers who exceed one million queries per month (or 1,000 API calls per second). Cloudflare, with its enormous traffic volumes and the high number of users utilizing its free services, concluded that this change would significantly impact their expenses. Analyzing their usage statistics, Cloudflare concluded that for a period of one week nearly 40-60% of the total CAPTCHAs served were generated by their free customers.  In their blog post, Mattew Prince said

In our case, that would have added millions of dollars in annual costs just to continue to use reCAPTCHA for our free users. That was finally enough of an impetus for us to look for a better alternative.

After all, reCAPTCHA is been used on nearly every non-legitimate request made to a website that is being routed through Cloudflare.

Privacy and Blocking

Cloudflare also shared that they had some concerns regarding Google’s Privacy Policy. As we previously mentioned, Google collects users’ data, which seems to worry some of CloudFlare’s customers. Comparted to reCAPTCHA, hCaptcha collects significantly less information. According to Cloudflare hCaptcha gathers only a small portion of required personal data and they do not sell it. Whereas, Google is targetting users with advertisements.

Another driving factor for their decision is the fact that Google’s services are blocked in certain regions, such as China. China accounts for 25% of Internet users, and some of them were unable to access Cloudflare’s powered websites due to triggering the reCAPTCHA. This is a major inconvenience for CloudFlare and its customers as it is not a stable solution. In comparison to Google reCAPTCHA, hCaptcha is not restricted and during the tests, Cloudflare did not detect any issue.

Cloudflare mentioned that over the past few years their privacy and blocking concerns were enough for considering moving along with another provider, however, it was difficult to initiate such a major change.


After evaluating several CAPTCHA vendors, Cloudflare came to the conclusion that hCaptcha supported by the AI and machine learning company  Intuition Machines Inc. will be the most suitable alternative of Google reCAPTCHA. They pointed out a few advantages hCaptcha has, such as minimum data collection, excellent speed and solve rate performance, solutions for visually impaired and challenged users, accessibility in regions where Google is blocked, Privacy Pass support, which reduces the number of CAPTCHA challenges, and more.

The general business model of hCaptcha is to charge customers that need image classification data and pay publishers to install their CAPTCHA. However, Cloudflare stated that instead of charging hCaptcha, they would be paying them in order to invest in their services and due to the massive traffic generation. While Cloudflare will be paying hCaptcha, the amount of their cost will be significantly reduced compared to Google’s rates.

Furthermore, Cloudflare stated that they have more flexibility and better communication in terms of responsiveness with hCaptcha.

In conclusion, Cloudflare stated they are continually working on minimizing and eventually completely eliminating the number of CAPTCHAs served to their customers. Taking into account, how many people find the CAPTCHA verification challenging and difficult to solve, dropping them will lead to a significant difference in users’ experience. We are going to closely follow this topic and update you with the exciting news as soon as such emerge. Stay tuned!