Captcha - HashCash for WordPress

How It Works

When someone loads your form, their browser automatically solves a small cryptographic puzzle in the background while they fill it out. Real users never notice it — the calculation finishes before they click Submit. Spam bots, on the other hand, have to solve that puzzle too, and they can’t move fast enough to keep up. No blurry images to decipher, no “click all the traffic lights” games, no Google watching your visitors — just invisible protection that works.

Suspicious behavior? HashCash can quietly increase the puzzle difficulty to a level that’s computationally unsolvable. The bot spins forever. Your users never know anything happened. Best of all, it happens on someone else’s system.

What You Get

• Invisible protection — Your users see nothing to solve. A brief “Securing this form…” indicator appears while the calculation runs, then disappears. That’s it, a temporary indication to explain why the submit button is disabled.
• Complete privacy — No external services, no Google, no cookies. GDPR and CCPA compliant by design, not by policy.
• Logged-in users are exempt — Trusted users skip verification entirely. No friction for your members.
• Automatic coverage — Protects WordPress comments, login, registration, lost password, and Contact Form 7 automatically. Install and forget.
• Replay attack prevention — Each proof-of-work is timestamped and expires after 30 minutes, preventing bots from reusing captured solutions.
• Auto-refresh — HashCash silently re-runs the calculation before it expires, so users who leave a form open never hit a validation error on submit.
• Bot punishment mode — Detected bots receive an unsolvable calculation. They spin forever. You do nothing.
• Adjustable security — SHA-256 at level 1 by default for maximum compatibility. Argon2id available for maximum security.
• Zero maintenance — No API keys, no accounts, no subscriptions. Free forever.

Technical Specifications

For developers and the technically curious

The WordPress port introduces Argon2id — the current gold standard for memory-hard cryptographic hashing, winner of the Password Hashing Competition, and the algorithm recommended by OWASP for credential storage. Unlike SHA-256, which can be parallelized cheaply across GPUs, Argon2id requires significant memory bandwidth per hash — making bot farms expensive and slow regardless of hardware budget.

Argon2id is implemented via PHP’s sodium extension (available by default in PHP 7.2+) on the server side, and via a WebAssembly module in the browser worker. No third-party CDN dependency — the WASM module is bundled with the plugin.

Technial Requirements

• WordPress: 5.8 or later
• PHP: 7.4 or later
• PHP sodium extension: Required for Argon2id only (available by default in PHP 7.2+)
• JavaScript: Required. Uses Web Cryptography API and Web Workers.
• HTTPS: Required in production for all hashing algorithms except Argon2id (standard for any modern WordPress install)
• Modern browser: All current browsers supported

Algorithm Options

Advanced Features

• Web Worker implementation — Hashing runs in a dedicated background thread. Zero main-thread impact.
• Delayed calculation — Waits for real user interaction (mouse move, keydown, click) before starting. Bots that submit instantly or wait too long are caught.
• CDP runtime detection — Detects Chrome DevTools Protocol automation signatures used by headless browsers.
• Headless browser fingerprinting — Identifies Playwright, Puppeteer, and HeadlessChrome user agents.
• Configurable difficulty — Levels 1–12. Level 1 (default) is imperceptible. Higher levels increase solve time linearly.
• Smart refresh — Automatically re-mines proof-of-work before expiration. Configurable max age (default 30 minutes).
• Bot punishment mode — Sets difficulty to level 32 for detected bots — computationally unsolvable.
• Nonce mode — Optional additional entropy to complicate automated form replay.
• Shortcode support — for manual placement in any form.

Security Notes

• Self-hosted solution — no third-party attack surface
• Timestamped proof-of-work prevents replay attacks (30-minute expiration window)
• No cookies or external dependencies reduce privacy liability
• Source is unobfuscated and available for security auditing