If you run a WordPress contact form, a WooCommerce store, or any site that quietly added reCAPTCHA years ago and forgot about it, you may have missed the most consequential change in the product's history. Google has been migrating reCAPTCHA into the Google Cloud platform, and with that migration came a new billing model. Per Google Cloud's own tier comparison and billing documentation, the free allowance is now 10,000 assessments per month. The old de facto allowance was one million.
That is not a price increase. It is a 99% reduction in what "free" means—and for a long tail of small sites, it converts a fire-and-forget security widget into a monthly line item or a forced migration project.
What Actually Changed
1. Assessments Are the New Billing Unit
Under the Cloud model, every call that produces a verdict—each token verification, each score evaluation—is an assessment. The free tier covers 10,000 of them per month; beyond that, you pay per assessment on a usage-based schedule. The subtle trap: assessments count executions, not successful form submissions. A v3 integration that runs on every page load can burn through 10,000 assessments with a few hundred daily visitors—long before anyone submits anything.
2. Classic Keys Are Being Retired
The standalone reCAPTCHA service (the one configured at google.com/recaptcha with "classic" site keys) is being wound down in favor of Google Cloud-managed keys. Industry coverage throughout 2025 warned site owners that the standalone admin surface and classic key workflow were on a shutdown path into 2026, with existing keys expected to be migrated or to stop functioning. Google's own reCAPTCHA FAQ now frames everything in terms of Cloud projects and migrated keys. If your keys predate the Cloud console, assume they are on borrowed time and verify their status now rather than during an outage.
3. Terms of Service Moved Too
The move to Cloud also swapped the legal framework: sites now operate under Google Cloud terms, which affect data processing language that matters for GDPR reviews. If your privacy policy cites the old reCAPTCHA terms, it is stale. Our article on GDPR and CAPTCHA privacy concerns covers why verification vendors keep ending up in compliance reviews.
Will You Actually Get a Bill? Run This Audit
Most site owners do not know their assessment volume, and guessing badly in either direction is expensive. Spend thirty minutes on this audit:
- Count executions, not submissions. Find every page where the reCAPTCHA script runs. v3 integrations commonly execute on page load, sometimes on multiple actions per page. Multiply by your monthly traffic to estimate assessments.
- Check the admin/Cloud console. Migrated keys report usage in the Google Cloud console; the metrics page tells you your real monthly assessment count and how close to 10,000 you are.
- Identify wasted assessments. Running v3 on every page "for signals" was a popular pattern when assessments were free. Under metered billing, executing only on the actions you actually protect (login, signup, checkout, contact) can cut volume by 90% or more.
- Decide your lane. Under 10,000 assessments after cleanup: stay free, but set a usage alert. Over it: compare the paid tiers against the cost of switching providers—including the engineering time both paths consume.
Migration Path 1: Stay with Google, Move to Cloud Keys
If your volume is low or you depend on reCAPTCHA-specific features, the supported path is migrating classic keys into a Google Cloud project. The mechanics are straightforward—create or select a Cloud project, migrate the key, attach billing—but three operational details bite people:
- You need a billing account even to stay free. Exceeding the free tier without billing attached does not produce a bill; it produces failed verifications. Decide which failure mode you prefer and configure accordingly.
-
Plugins lag. WordPress, Magento,
and Drupal modules built for classic
siteverifycalls may need updates for Cloud-style keys. Test on staging—an invalid-key failure on a login form locks real users out, a scenario painful enough that we wrote a separate guide to recovering from reCAPTCHA admin lockouts. - Set quota alerts on day one. Usage-based billing plus a bot wave equals a surprise invoice. Cloud monitoring alerts on assessment volume are free insurance.
Migration Path 2: Leave
The pricing change triggered a visible migration wave. WordPress form vendors now ship Cloudflare Turnstile integrations as the default recommendation, and the comparison content across the industry—including our own CAPTCHA provider comparison—reflects a market that no longer assumes Google by default. Turnstile is free and integrates in an afternoon, though it brings its own failure modes (see our guide to Turnstile error codes). hCaptcha offers a free tier with a privacy-focused pitch. Behavioral systems like rCAPTCHA drop the challenge model entirely and verify users through natural interaction analysis—an approach that avoids both per-assessment metering anxiety and challenge-widget breakage, though every provider switch still demands the same staging-first testing discipline.
Whichever direction you choose, the worst option is the default one: doing nothing with classic keys and finding out about the shutdown from your own broken login form.
People Also Ask: reCAPTCHA Pricing FAQ
Is reCAPTCHA still free?
Yes, up to 10,000 assessments per month under the Google Cloud model. Above that, usage-based pricing applies. The old informal allowance of one million free verifications no longer exists for new Cloud-managed usage.
What counts as an assessment?
Each scored evaluation—every token verification or score request—counts, regardless of whether a form was submitted or the user turned out to be human. v3 integrations that execute on every page load consume assessments on every page load.
What happens to my old classic reCAPTCHA keys?
Google is consolidating everything onto Google Cloud-managed keys and winding down the standalone service. Check your keys in the Cloud console, migrate them deliberately, and do not wait for them to stop working—plugin compatibility issues are much easier to debug on staging than during an outage.
Should I switch to a different CAPTCHA instead of paying?
If your volume is modest and your integration is simple, migrating to Cloud keys and trimming wasted assessments may keep you comfortably free. If you are well past 10,000 assessments or were already unhappy with puzzle friction and privacy questions, the pricing change is a natural moment to evaluate Turnstile, hCaptcha, or behavioral verification like rCAPTCHA. Compare total cost: subscription or usage fees plus the engineering time to switch and test.
Conclusion
The reCAPTCHA pricing change is less about the money and more about the end of an assumption: bot protection as a free, permanent, set-and-forget utility. The new reality is metered, billed, and subject to platform migrations—which means it now deserves the same lifecycle attention as any other paid dependency. Audit your assessment volume, migrate or switch deliberately, set alerts, and write down what you chose and why. Your future self, reading a deprecation email two years from now, will be grateful.