Block spam,
not customers.
Two layers of invisible security, CSRF protection and Google reCAPTCHA v3, keep bots out without adding friction for real customers.
Bot defence that customers never see.
CSRF tokens block forged submissions. reCAPTCHA v3 silently scores every visitor. Real bookings flow through; bots get blocked.
Double protection, zero hassle
CSRF protection verifies every form submission comes from a real visitor on your site. Google reCAPTCHA v3 runs invisibly in the background to detect bots. Neither requires customers to solve puzzles or check boxes.
Invisible bot detection
Google reCAPTCHA v3 works silently, no checkboxes, no image puzzles, no interruptions. Suspected bots are blocked from submitting forms while real customers proceed without knowing it's there.
Hide the reCAPTCHA badge
Prefer a cleaner look? Turn on 'Hide reCAPTCHA Badge' to remove the floating Google badge from your website. Just remember to mention reCAPTCHA in your privacy policy as required by Google's Terms of Service.
CSRF protection on by default
A unique security token is created for each visitor session and verified with every form submission. Forged submissions from external sources are silently blocked. This is turned on by default and should stay on for all live websites.
Three steps. Spam-proof booking.
CSRF is on out of the box. Add reCAPTCHA keys when you're ready, and you're done.
CSRF is already on
CSRF protection is enabled by default. It creates a unique security token per visitor session and checks every form submission. No setup needed.
Get your reCAPTCHA keys
Register your site at the Google reCAPTCHA admin console. Choose reCAPTCHA v3, add your domain, and copy the Site Key and Secret Key.
Enter keys and enable
Go to Front-End Steps > Security & Integration, click Google reCAPTCHA, paste your keys, and turn on Enable Protection. Spam blocking starts immediately.
Included on every plan.
Spam protection is core storefront functionality, available from Essentials onwards.
Included
Included
Included
Common questions.
Can I use reCAPTCHA v2 (the checkbox or image puzzle)?
No. RepairPlugin uses Google reCAPTCHA v3 exclusively. Keys from v2 won't work, make sure you select v3 when registering your site with Google.
Do I need to clear my cache after turning on security features?
No. Changes take effect immediately after saving. No page reload or cache clear is needed on the admin side.
Is CSRF protection on by default?
Yes. CSRF protection is turned on by default and should stay on for all live websites. Only turn it off for debugging purposes.
What forms are protected?
Both features cover booking forms, offer request forms, and other RepairPlugin submission points.
Read the full guide.
CSRF token reference, reCAPTCHA v3 setup, key registration, and badge visibility controls, straight from the help centre.
Pair it with these.
Shortcodes
Embed the full booking flow, search bar, and pricing tables on any WordPress page.
Learn moreLayout & navigation
Skip single-option steps, go full-width on mobile, and control SEO heading tags.
Learn moreBranding, logo & color
Match your booking flow to your brand with logo upload, theme color, and 32 built-in fonts.
Learn moreTurn visitors into customers.
Join 583+ repair shops already fixing their massive drop-offs.
Easy to install and live on your WordPress site in minutes.