Tired of frustrating, unreadable CAPTCHAs that leave users scratching their heads? Captcha - HashCash is a groundbreaking Joomla plugin that redefines form validation without the hassle. Unlike traditional CAPTCHAs that rely on third-party services, mangled text, or complex puzzles, HashCash offers an entirely self-hosted, invisible, JavaScript-based memory-hard proof-of-work (PoW) solution that requires nothing from your users but a modern browser: no external services and no extra cookies, making it a perfect fit for GDPR and EU e-Privacy Directive compliance. Say goodbye to deciphering distorted words, solving math problems, or matching photos; your visitors won’t even know it’s there!
The Invisible Shield Against Bots
Originally proposed by Adam Back in 2002, HashCash leverages a brilliant concept: proof-of-work, a computational challenge that demands a complex calculation embedded in your form, one so computationally intensive (requiring hundreds or thousands of attempts to solve) that bots or malicious scripts would waste prohibitive amounts of processor time trying to crack it.
When a user arrives at your form, the calculation runs silently in the background, completed automatically via JavaScript. The server then verifies the solution with a single, lightning-fast check: if correct, the user proceeds; if not, the submission fails. Bots relying on Python scripts or basic automation? They’re out of luck; they must use a JavaScript-enabled browser to pass, making form abuse a thing of the past.
Seamless and User-Friendly
The beauty of HashCash lies in its invisibility. Your users won’t see or interact with it. It happens effortlessly behind the scenes, ensuring a frictionless experience. Whether they’re submitting a contact form, registering, or reporting a bug, they’ll enjoy a smooth process while your site remains protected. Want to see it in action? Visit our bug reporting page (link below). While you won’t notice the CAPTCHA itself, watch your process monitor (e.g., top in Linux) to catch a CPU spike as the calculation runs!
Layers of Protection
- Choose your hashing level
- SHA-256
- SHA-384
- SHA-512
- PBKDF2 for enhanced GPU resistance
- PBKDF2+64KB Memory Loop for even greater GPU resistance
- (Optional & Silent) Tor node blocking via Console - Tor Nodes
- (Optional & Silent) Realtime DNSBL integration
HashCash - Simple, Powerful Configuration
Setting up "Captcha - HashCash" couldn't be easier. Open the plugin, choose your desired hashing algorithm (SHA-256 for speed, PBKDF2 for memory-hard GPU resistance), and set the difficulty level, ranging from 1 (minimum) to 5 (maximum), to balance security and performance. For an extra layer of protection, enable the optional delayed calculation feature: the script waits until the user interacts with the form, foiling bots that rush submissions or linger too long. Bots waiting for the CAPTCHA? They'll wait forever. Bots submitting too quickly? They'll miss the mark. With PBKDF2 options, advanced bots face sequential computations that turn their GPU advantage into a bottleneck, eating up precious time and processor cycles per challenge. The 64KB memory loop option consumes memory in those GPU cycles as well, further reducing GPU advantage.
Privacy-First Design for GDPR Compliance
In an era of stringent privacy regulations like the GDPR and EU e-Privacy Directive, "Captcha - HashCash" stands out as an ideal solution. Traditional CAPTCHAs often rely on external services (e.g., Google reCAPTCHA), which can introduce third-party cookies and tracking mechanisms, potential headaches for website owners aiming to comply with EU laws. HashCash eliminates these concerns entirely. By operating solely within your site’s JavaScript environment, it avoids external dependencies and prevents additional cookies from being placed on user systems. This self-contained approach not only enhances user trust but also simplifies compliance with privacy standards, making it a go-to choice for privacy-conscious developers and businesses.
Captcha - Hashcash is Trusted Worldwide
These markers show datacenters where Captcha - Hashcash installations have been detected in the past 2 weeks.
Cutting-Edge Captcha Technology (2002 meets 2025)
Powered by the Web Cryptography API and its SubtleCrypto interface, "Captcha - HashCash" harnesses modern JavaScript capabilities to deliver a lightweight, efficient solution. No third-party dependencies, no server strain - just robust, autonomous protection for your Joomla forms via this time-tested proof-of-work mechanism. The new PBKDF2 options add memory-hardness, leveraging HMAC-SHA-256 iterations to slow parallel GPU attacks while keeping legitimate users moving - a true 2025 innovation on Adam Back's 2002 vision.
Protect your Joomla forms effortlessly with "Captcha - HashCash". The painless, invisible CAPTCHA that keeps bots at bay while delighting your users by not forcing them to do tricks like a trained animal.
Advanced HashCash Features
They abuse your site, now you can abuse their bot. While monitoring for abnormal activity, the plugin CAN alter the calculation if a bot is detected. This alteration causes the solution to be impossible. The bot will calculate FOREVER, and if by magic - the bot manages to achieve the answer, the answer will be wrong. This feature is turned OFF by default so you can decide if you want to do this.
Enhanced GPU Resistance with PBKDF2
For sites facing sophisticated botnets, PBKDF2 introduces memory-hard, sequential hashing that turns GPU parallelization against attackers. Unlike SHA algorithms, which bots solve in microseconds on high-end hardware, PBKDF2's chained iterations (10,000+) require several seconds per challenge on GPUs, making bulk spam economically unviable. Admins can select it alongside SHA options, with tunable iterations for custom security levels, all while preserving the invisible, user-friendly experience.
The new PBKDF2+64KB mode adds a 64 KB memory loop, forcing bandwidth bottlenecks that push GPU solve times to 8–18 seconds, while keeping user delays under 3 seconds.
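The solve-then-verify flow described above (many client-side attempts, one server-side check), sketched for the SHA-256 and PBKDF2 modes as an added example that is not the plugin's own code. The challenge format, the leading-zero-bits target and all function names are assumptions, and the 64 KB memory loop is left out because the page does not describe its construction.

```javascript
// Added illustration; challenge format and names are assumptions, not the plugin's code.
// Works in a browser secure context (crypto.subtle) or in Node.js.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const enc = new TextEncoder();

// One unit of work: a plain SHA-256 digest, or PBKDF2-HMAC-SHA-256,
// whose iterations are chained and therefore must run one after another.
async function work(challenge, nonce, mode, iterations) {
  const input = enc.encode(`${challenge}:${nonce}`);
  if (mode === "sha256") {
    return new Uint8Array(await subtle.digest("SHA-256", input));
  }
  const key = await subtle.importKey("raw", input, "PBKDF2", false, ["deriveBits"]);
  const params = { name: "PBKDF2", hash: "SHA-256", salt: enc.encode(challenge), iterations };
  return new Uint8Array(await subtle.deriveBits(params, key, 256));
}

// Number of zero bits at the start of the digest.
function leadingZeroBits(bytes) {
  let bits = 0;
  for (const b of bytes) {
    if (b === 0) { bits += 8; continue; }
    return bits + Math.clz32(b) - 24; // clz32 counts over 32 bits; a byte uses the low 8
  }
  return bits;
}

// Client side: try nonces until the digest meets the target.
// Expected cost is about 2^bits calls to work().
async function solve(challenge, bits, mode = "sha256", iterations = 1000) {
  for (let nonce = 0; ; nonce++) {
    const digest = await work(challenge, nonce, mode, iterations);
    if (leadingZeroBits(digest) >= bits) return nonce;
  }
}

// Server side: recompute exactly once for the submitted nonce.
async function verify(challenge, nonce, bits, mode = "sha256", iterations = 1000) {
  if (!Number.isSafeInteger(nonce) || nonce < 0) return false; // reject malformed input
  const digest = await work(challenge, nonce, mode, iterations);
  return leadingZeroBits(digest) >= bits;
}
```

The verifier must use the difficulty, mode and iteration count it issued, not values sent back by the client. A deployment also needs the challenge to be random, single-use and short-lived on the server, otherwise one solved nonce can be replayed; that bookkeeping is omitted here.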
Fully Secure
To use this plugin, your website MUST run in a secure context, because browsers only expose the Web Cryptography API there. That is, your testing must occur on localhost, and your live site MUST have an SSL certificate. If you're running a site without a certificate, this plugin won't work (outside of localhost).
The 2006 CVE Is Not This Extension
To avoid misunderstandings: this extension has never been found to have any vulnerability. The CVE from 2006 is NOT for plg_captcha_hashcash (this plugin).
CVE-2006-3750 is for a different Joomla extension.
Fancy a Demo?
Visit the Contact Us link in the footer! There is, of course, nothing to see except a spinning (and disabled) submit button until you interact with the form.
HashCash Features
- Self-Hosted: No subscriptions, no services, no API keys, no cookies, GDPR-compliant.
- Configurable Difficulty: Adjust the calculation intensity from 1 to 4 for optimal security.
- Invisible Protection: No mangled text, math problems, or user interaction, just seamless defense.
- Automatic Completion: Runs silently in the background with JavaScript.
- Bot-Proof Design: Requires a JavaScript-enabled browser, thwarting automated scripts through proof-of-work challenges.
- Delayed Calculation (Optional/Default): Foils bots by timing the calculation to user interaction.
- Modern Tech: Leverages Web Cryptography API for efficient, cutting-edge security.
- Choose Your Hashing Algorithm: SHA-256, SHA-384, SHA-512, PBKDF2 or PBKDF2+64KB (memory-hard GPU resistance).
- Realtime DNSBL: Several blacklist options to choose from.
- Block Tor Nodes: Optionally prevent this kind of anonymity from spamming your forms.
- Privacy-Friendly: No external services or cookies, ensuring GDPR and EU e-Privacy Directive compliance.
- Sequential PBKDF2 Option: Slows GPU bots by seconds per challenge with chained iterations, allowing no parallelization advantage.
Frequently Asked Questions:
What is the Captcha - HashCash plugin?
The Captcha - HashCash plugin is a robust, user-friendly solution designed to protect your Joomla website from spam and abuse by implementing the HashCash proof-of-work system.
How does HashCash work?
HashCash operates on the principle of requiring computational effort to prove that an action (like submitting a form) is genuine. It adds a small delay for users, making automated spam attempts infeasible due to resource exhaustion.
Is this plugin easy to install and configure?
Absolutely! Our plugin comes with a straightforward installation process and an intuitive admin interface, allowing you to set up HashCash protection quickly and easily.
Can I customize the appearance of the Captcha?
Given its invisible nature, customizing visual elements isn't applicable. The Captcha - HashCash plugin operates discreetly in the background, focusing on functionality rather than aesthetics.
Does this plugin support multiple forms or just one?
This plugin provides comprehensive protection across all forms on your Joomla site with no configuration needed per form, streamlining security management.
How does this plugin ensure security without user interaction?
User interaction is actually the key to enabling the advanced functionality of the plugin. They're just not interacting with the captcha.
What are the system requirements for using this plugin?
The Captcha - HashCash plugin is compatible with Joomla 3.x and later, requiring PHP 7.2 or higher and basic server configurations typically found in shared hosting environments.
What does the punish feature do?
When a bot is detected (by doing something a human would never do), the bot is presented with an unsolvable hash operation. It will perform the calculation forever, or until someone stops it.