Forget bots vanishing after a failed attack. With Captcha - HashCash’s latest feature, every stumble turns into a clue you can track and outsmart. This isn’t just a CAPTCHA—it’s a bot-hunting machine that transforms your Joomla forms into a security goldmine. Imagine knowing who’s attacking, how they’re doing it, and where they’re hitting—all without bothering your users. That’s Detection Profiling, and it’s your key to staying ahead.
The Power of Detection Profiling
How It Works (Quick Recap)
HashCash already stops bots with its invisible, JavaScript-driven proof-of-work puzzle. The new twist? When a bot trips our detection—like faking an event that doesn’t bubble or isn’t trusted—we don’t just block it. We profile it. A CustomEvent fires, loaded with prefixed details: hashcash_ip, hashcash_ua, attack method, target form, and more. One line of code sends this intel to Google Analytics (GA), where the real fun starts.
Setting Up Google Analytics: Step-by-Step
Ready to turn your Joomla site into a bot-tracking powerhouse? Outstanding! Of course, you'll need GA4 to do it, and if you need a plugin to help with that - check out my System - Google Tag Manager plugin. Like all of my Joomla extensions, it's free.
Here’s how to hook HashCash into GA, updated for 2025’s interface:
- Enable Custom Dimensions
- In GA: Admin > Data Display > Custom Definitions > Create Custom Dimension.
- Add these dimensions exactly as shown (Scope: Event, Active: Yes):
- HashCash Bot IP
Description: “IP address of the bot”
Parameter: hashcash_ip - HashCash Bot UA
Description: “User Agent of the bot”
Parameter: hashcash_ua - HashCash Bot Event
Description: “This tells us how the event was triggered. Values should be one of: Event, CustomEvent, or Object”
Parameter: hashcash_event_type - HashCash Bot Target
Description: “This tells us which element was used to trigger the calculation to start. Only the form is allowed to trigger the calculation.”
Parameter: hashcash_target - HashCash Bot Bubbles
Description: “The change event must bubble from the input element to the form. If it didn’t bubble, it’s a bot. True/False value”
Parameter: hashcash_bubbles - HashCash Bot Trusted
Description: “Trusted events are those triggered by form interaction. If the event isn’t trusted, it was manually triggered (100% bot)”
Parameter: hashcash_trusted - HashCash Bot Nonce
Description: "Bot manipulated the hidden nonce field"
Parameter: hashcash_nonce
- HashCash Bot IP
- Set Up the Event
- In GA: Admin > Data Display > Events > Create Event.
- Name: hashcash_bot.
- Conditions: Set “event_name” equals hashcash_bot (matches your gtag("event", "hashcash_bot", detail) call).
- Check “Copy parameters from the source event” (this grabs your hashcash_ prefixed data automatically—no mapping needed).
- Save it. Your prefixed parameters keep everything tidy and conflict-free.
- Add It as a Key Event
- In GA: Admin > Data Display > Key Events.
- Click “New key event.”
- Enter the event name: hashcash_bot.
- Save. GA sets it up automatically as a key event for priority tracking in reports.
- Add the Listener Code
- Slip this into your site (via a custom JS module or template override):
window.addEventListener("plg_captcha_hashcash", function(e) {
var detail = e.detail;
function gtag() {
window.dataLayer.push(arguments);
}
gtag("event", "hashcash_bot", detail);
}); - If GA’s tracking code is live (via your template or a plugin), this pushes the data automatically.
- Slip this into your site (via a custom JS module or template override):
- Test the Setup
- Using a standard Joomla contact form (with Captcha - HashCash installed, configured, enabled, and activated in Global Configuration), trigger bot detection like this:
document.getElementById('contact-form').dispatchEvent(new CustomEvent('change')); - This fakes a bot action by firing a change event directly on the form (no bubbling, not trusted—pure bot bait).
- Warning: Your CPU will spike as HashCash’s bot trap kicks in (if the “Punish Bots” option is enabled). Refresh the page or close it to stop the spike.
- In GA: Realtime > Events. Look for hashcash_bot and check the properties (e.g., hashcash_ip, hashcash_ua).
- Using a standard Joomla contact form (with Captcha - HashCash installed, configured, enabled, and activated in Global Configuration), trigger bot detection like this:
- Build a Custom Report
- In GA: Reports > Library (at the very bottom of the menu, almost a footer) > Create new report > Create detail report > choose the first option “Blank.”
- Title: “HashCash Bot Tracking.”
- Type: Explorer.
- Metrics: Event Total.
- Dimensions: hashcash_ip, hashcash_event_type, hashcash_target.
- Filter: Include Event Category = hashcash_bot.
- Save it. Now you’ve got a bot-tracking hub.
Seeing the Magic: What You’ll Discover
Day one: A bot at 123.45.67.89 tries a non-trusted CustomEvent on your contact form—GA logs it. Day two: Same IP, new UA, hitting your bug report page with no bubbling. By week’s end, you’ve got a hit list: IPs to block, forms to reinforce, and a playbook of bot failures (non-trusted? Wrong target?). It’s not just data—it’s ammo. Crank up HashCash’s difficulty or let Splorkwizzle the Quack tally the wins.
Why It Matters
This isn’t just a CAPTCHA—it’s a security sidekick that sharpens with every attack. Prove your site’s locked tight, spot threats early, and rest easy knowing you’re not just stopping bots—you’re tracking them like a pro. With HashCash and GA, you’re the one flipping on the lights.
