reCAPTCHA Not Loading in China: The recaptcha.net Workaround and Its Limits

Your signup form works everywhere except for an entire country. Visitors in mainland China see a blank box where the CAPTCHA should be, the submit button never enables, and your support inbox fills with "I can't register" emails you cannot reproduce. Here is why reCAPTCHA breaks behind the Great Firewall, how the official workaround works, and where it still falls short.

rCAPTCHA Team
June 9, 2026 · 10 min read

The root cause is simple and completely outside your code: the standard reCAPTCHA integration loads its script from https://www.google.com/recaptcha/api.js, and google.com is blocked in mainland China. The script request never completes, the widget never renders, and any form that requires a reCAPTCHA token becomes unsubmittable. Bug trackers across the ecosystem—Atlassian's ID-6228, Drupal's recaptcha module issue #3323534, and countless OutSystems, Magento, and WordPress threads—document the same failure: "Google reCAPTCHA failed to load" for every visitor in China.

What makes this pain point unusual is that nothing is misconfigured. Your keys are valid, your domain list is right, your CSP is fine. The network between your page and Google simply does not exist for a quarter of the world's internet users.

The Official Workaround: recaptcha.net

Google's own reCAPTCHA FAQ acknowledges the problem and documents the supported fix: load the script from recaptcha.net instead of google.com. In practice that means changing your script tag to:

<script src="https://www.recaptcha.net/recaptcha/api.js" async defer></script>

For reCAPTCHA v3 and Enterprise integrations the same substitution applies to the api.js?render=... URL. Three implementation details determine whether this actually works for you:

  • Change every load point. Audit themes, plugins, tag managers, and bundled libraries—if even one path still references www.google.com/recaptcha, Chinese visitors on that page stay broken.
  • Update your CSP. If you allowlist script and frame sources, add www.recaptcha.net (and keep the Google entries for everyone else).
  • Do not hack internal globals. Some integrations try to force the API base by overriding window['__recaptcha_api']. As maintainers note in community patches, that variable is unsupported and can break with any release. Use the documented domain switch only.
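
The first two checks above can be automated. The following is an added example, not code from Google or from any project named here: it flags lines that still load reCAPTCHA from www.google.com and reports whether a host-allowlist CSP permits www.recaptcha.net for scripts and frames. All function names and sample inputs are assumptions, and nonce or 'strict-dynamic' policies are out of scope.

```javascript
// Added example: audit load points and CSP for the recaptcha.net switch.
// Function names and SAMPLE_* inputs are constructed for illustration.
const OLD_HOST = /(?:https?:)?\/\/www\.google\.com\/recaptcha\//i;
const NEW_HOST = "www.recaptcha.net";
const SAMPLE_PAGE = '<script src="https://www.recaptcha.net/recaptcha/api.js"></script>\n' +
  '<script src="https://www.google.com/recaptcha/api.js?render=explicit"></script>';
const SAMPLE_CSP = "script-src 'self' https://www.google.com https://www.recaptcha.net; " +
  "frame-src https://www.google.com";

// 1-based line numbers that still load reCAPTCHA from www.google.com.
function findStaleLoadPoints(source) {
  return source.split(/\r?\n/)
    .map((line, i) => (OLD_HOST.test(line) ? i + 1 : 0))
    .filter((n) => n > 0);
}

// Parse a CSP header value into { directive: [sources] }; first duplicate wins.
function parseCsp(policy) {
  const out = Object.create(null);
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    if (name && !(name in out)) out[name] = sources;
  }
  return out;
}

// True if a host-allowlist source list permits `host` (paths are ignored).
function allowsHost(sources, host) {
  return sources.some((s) => {
    if (s === "*" || s === "https:" || s === "http:") return true;
    if (s.startsWith("'")) return false; // 'self', nonces, hashes
    const h = s.replace(/^[a-z][a-z0-9+.-]*:\/\//, "").split(/[\/:]/)[0];
    return h === host || (h.startsWith("*.") && host.endsWith(h.slice(1)));
  });
}

// Per resource type, use the first directive present in its fallback chain.
function auditCsp(policy) {
  const csp = parseCsp(policy);
  const chains = { script: ["script-src-elem", "script-src", "default-src"],
                   frame: ["frame-src", "child-src", "default-src"] };
  const report = {};
  for (const [kind, chain] of Object.entries(chains)) {
    const used = chain.find((d) => d in csp);
    report[kind] = !used ? "unrestricted"
      : allowsHost(csp[used], NEW_HOST) ? "ok" : "missing";
  }
  return report;
}
```

On the constructed samples, findStaleLoadPoints(SAMPLE_PAGE) reports line 2 and auditCsp(SAMPLE_CSP) reports the script source as allowed but the frame source as missing, which is the half-migrated state that leaves the widget iframe blocked by your own policy.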

Why the Workaround Still Fails Sometimes

Here is the part most tutorials skip: recaptcha.net is a mitigation, not a guarantee. Reports from teams operating in China—including integration fixes like logto's recaptcha.net patch and China-focused web performance analyses—describe the workaround as inconsistent. The first script loads from the accessible domain, but parts of the verification flow can still reference Google infrastructure that the firewall filters, and cross-border latency makes the challenge slow even when it succeeds. The result is a spectrum: some Chinese networks complete verification fine, others time out intermittently, and a stubborn remainder never finishes.

Operationally, treat China traffic as a verification environment you cannot fully control, and design for graceful degradation:

  1. Monitor from inside, not outside. Synthetic checks from US or EU regions will never catch this failure. Use an in-country testing service or real-user monitoring segmented by region to see what Chinese visitors actually experience.
  2. Detect script load failure in your page. If the reCAPTCHA script fails to load within a few seconds, surface a useful path—an alternative verification method, an email contact, or a queue for manual review—rather than a permanently disabled submit button.
  3. Scope your dependency. If China is a meaningful market, consider whether each form truly needs a Google dependency, or whether a regional alternative or different verification model serves those flows better.
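
Step 2 in practice, as an added example that is not code from the original article or from Google: a loader that gives the reCAPTCHA script a deadline and hands control to a fallback exactly once. The function name loadCaptcha, its option names, and the 5-second default are assumptions; the document and timer functions are passed in so the logic can be exercised outside a browser.

```javascript
// Added example: load the reCAPTCHA script with a deadline and a fallback.
// loadCaptcha, its options and the 5 s default are assumptions.
const RECAPTCHA_SRC = "https://www.recaptcha.net/recaptcha/api.js";

function loadCaptcha({ doc, onReady, onFail, timeoutMs = 5000,
                       setTimer = setTimeout, clearTimer = clearTimeout }) {
  const handle = { state: "loading", reason: null };
  let timer = null;

  // Settle exactly once: a late onload after the deadline must not undo a
  // page that has already switched to its fallback path.
  function settle(state, reason) {
    if (handle.state !== "loading") return;
    handle.state = state;
    handle.reason = reason;
    clearTimer(timer);
    if (state === "ready") onReady();
    else onFail(reason);
  }

  const script = doc.createElement("script");
  script.src = RECAPTCHA_SRC;
  script.async = true;
  script.onload = () => settle("ready", null);
  script.onerror = () => settle("failed", "network-error"); // refused or reset
  timer = setTimer(() => settle("failed", "timeout"), timeoutMs); // stalled
  doc.head.appendChild(script);
  return handle;
}

// Browser usage (element names are hypothetical):
// loadCaptcha({
//   doc: document,
//   onReady: () => { submitButton.disabled = false; },
//   onFail: (reason) => { fallbackPanel.hidden = false; },
// });
```

A successful onload only shows that api.js arrived; because later parts of the verification flow can still stall, the call that obtains the token deserves the same kind of deadline.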

The Bigger Lesson: Verification as a Single Point of Failure

The China case is the most dramatic example of a general architectural truth: when your form's usability depends on a third-party script loading from a single vendor's infrastructure, every network between your user and that vendor becomes part of your uptime. Corporate firewalls that block Google telemetry, privacy networks, restrictive ISPs, and national filtering all produce the same symptom—a form that silently cannot be submitted, and a user who blames you, not the verification vendor.

Mitigations follow from treating verification like any other critical dependency. Load it asynchronously and detect failure. Keep a fallback path for users the widget cannot serve. And when evaluating providers, ask where their scripts and verification endpoints are reachable from—not just how accurate their bot detection is. Lightweight behavioral approaches such as rCAPTCHA, which verify users by analyzing interaction on the page rather than round-tripping through a heavyweight challenge ecosystem, reduce the surface area that can be blocked—though any third-party script, ours included, still deserves the same load-failure handling. For related friction scenarios, see our guides to fixing CAPTCHA verification errors and breaking CAPTCHA loops.

People Also Ask: reCAPTCHA in China FAQ

Does Google reCAPTCHA work in China?

Not reliably. The default integration loads from google.com, which is blocked in mainland China, so the widget usually fails to render at all. Google's documented workaround—loading from recaptcha.net—restores service for many visitors but is reported to be inconsistent across Chinese networks and ISPs.

How do I switch reCAPTCHA to recaptcha.net?

Replace https://www.google.com/recaptcha/api.js with https://www.recaptcha.net/recaptcha/api.js everywhere the script is loaded, including plugins and tag managers, and add www.recaptcha.net to your Content Security Policy. Server-side siteverify calls run from your infrastructure and normally need no change.

Why does recaptcha.net still fail for some Chinese users?

Parts of the verification flow can still depend on Google-hosted resources, and cross-border traffic in China suffers heavy latency and intermittent filtering. The workaround improves availability; it does not make reCAPTCHA a domestic Chinese service. In-country monitoring is the only way to know your real success rate.

What should sites with significant China traffic use instead?

Options include regionally available CAPTCHA providers, SMS or email verification for Chinese flows, or behavioral verification systems with lighter, more portable client footprints. The right answer depends on your risk profile—the wrong answer is leaving a Google-only dependency in front of users who cannot reach Google.

Conclusion

"reCAPTCHA not loading in China" is not a bug you can fix so much as a geography you must engineer around. Switch to the documented recaptcha.net domain, update every load point and your CSP, and avoid unsupported internal overrides. Then accept the workaround's limits: monitor from inside China, fail visibly instead of silently, and keep a verification path that works when the widget does not. A form that a quarter of the connected world cannot submit is not a security success—it is a quiet outage with excellent bot protection.
