hCaptcha for WordPress

Disgrifiad

hCaptcha is a drop-in replacement for reCAPTCHA that puts user privacy first.

Need to keep out bots? hCaptcha protects privacy while offering better protection against spam and abuse. Help build a better web.

How hCaptcha Works

The purpose of a CAPTCHA is to distinguish between people and machines via a challenge-response test, and thus increase the cost of spamming or otherwise abusing websites by keeping out bots.

To use this plugin, just install it and enter your sitekey and secret in the Settings -> hCaptcha menu after signing up on hCaptcha.com.

hCaptcha Free lets websites earn rewards while blocking bots and other forms of abuse when a user needs to prove their humanity.

hCaptcha Pro goes beyond the free hCaptcha service with advanced machine learning to reduce the challenge rate, delivering high security and low friction along with more features like UI customization.

Privacy Notices

hCaptcha is designed to comply with privacy laws in every country, including GDPR, LGPD, CCPA, and more.

With the default configuration, this plugin does not:

  • track users by stealth;
  • write any user personal data to the database;
  • send any data to external servers;
  • use cookies.

Once you activate this plugin, the hCaptcha-answering user’s IP address and browser data may be sent to the hCaptcha service on pages where you have activated hCaptcha protection. However, hCaptcha is designed to minimize data used, process it very close to the user, and rapidly discard it after analysis.

For more details, please see the hCaptcha privacy policy at:

Forms and Plugins Supported

  • Login Form
  • Register Form
  • Lost Password Form
  • Comment Form
  • bbPress New Topic Form
  • bbPress Reply Form
  • BuddyPress Create Group Form
  • Buddypress Registration Form
  • Contact Form 7
  • Divi Contact Form
  • Divi Login Form
  • Elementor Pro Form
  • Gravity Forms
  • Jetpack Forms
  • Mailchimp for WP Form
  • MemberPress Register Form
  • Ninja Forms
  • Subscriber Form
  • Ultimate Member Login Form
  • Ultimate Member Lost Password Form
  • Ultimate Member Register Form
  • WooCommerce Login Form
  • WooCommerce Registration Form
  • WooCommerce Lost Password Form
  • WooCommerce Checkout Form
  • WooCommerce Order Tracking Form
  • WooCommerce Wishlist
  • WP Fluent Forms
  • WPForms Lite
  • wpForo New Topic Form
  • wpForo Reply Form

Please note

NOTE: This is a community-developed plugin. All integrations were submitted by developers who didn’t want to wait for a particular plugin to add native hCaptcha support.

For feature requests and issue reports, please
open a pull request.

We also suggest emailing the authors of plugins you’d like to support hCaptcha: it will usually take them only an hour or two to add native support. This will simplify your use of hCaptcha, and is the best solution in the long run.

Some plugins listed have been superseded by native support, and are included only for legacy purposes.

You should always use native hCaptcha support if available for your plugin.
Please check with your plugin author if native support is not yet available.

Instructions for popular native integrations are below:

Gosod

Sign up at hCaptcha.com to get your sitekey and secret, then:

  1. Install hCaptcha either via the WordPress.org plugin repository (best) or by uploading the files to your server. (Upload instructions)
  2. Activate the hCaptcha plugin through the ‘Plugins’ menu in WordPress
  3. Enter your site key and secret in the Settings -> hCaptcha menu in WordPress
  4. Enable desired Integrations

Cwestiynau Cyffredin

How do I use the hCaptcha plugin?

The hCaptcha plugin supports WordPress core and many plugins with forms automatically. You should select the supported forms on the hCaptcha plugin settings page.

For non-standard cases, you can use the [hcaptcha] shortcode provided by the plugin.

For example, we support Contact Forms 7 automatically. However, sometimes a theme can modify the form. In this case, you can manually add the [cf7-hcaptcha] shortcode to the CF7 form.

You don’t support plugin X. How can I get support for it added?

Open a PR on GitHub: or just email the authors of plugin X. Adding hCaptcha support is typically quite a quick task for most plugins.

Does the [hcaptcha] shortcode have arguments?

The shortcode adds not only the hCaptcha div to the form, but also a nonce field. You can set your own nonce action and name. For this, use arguments in the shortcode:

[hcaptcha action="my_hcap_action" name="my_hcap_name"]

and in the verification:

$result = hcaptcha_request_verify( 'my_hcap_action', 'my_hcap_name' );

See also the section “How to automatically verify an arbitrary form”

How to add hCaptcha to an arbitrary form

First, add the hCaptcha snippet to the form.

If you create the form as an HTML block in the post content, just insert the shortcode [hcaptcha] inside it. It may look like this:

<form method="post">
    <input type="text" name="test_input">
    <input type="submit" value="Send">
    [hcaptcha]
</form>

If you create the form programmatically, insert the following statement inside it:

echo do_shortcode( '[hcaptcha]' );

Secondly, verify the result of hCaptcha challenge.

$result = hcaptcha_request_verify();

if ( 'success' !== $result ) {
// Block processing of the form.
}

How to automatically verify an arbitrary form

Arbitrary user forms can be verified easily. Just add auto="true" or auto="1" to the shortcode:

[hcaptcha auto="true"]

and insert this shortcode into your form.

Auto-verification works with forms sent by POST on frontend only. Also, it works only with forms in the post content, but we have plans to extend the functionality.

How to block hCaptcha on specific page?

hCaptcha starts early, so you cannot use standard WP functions to determine the page. For instance, to block it on my-account page, add this code to your theme’s functions.php file:

/**
* Filter hCaptcha activation flag.
*
* @param bool $activate Activate flag.
*
* @return bool
  */
  function my_hcap_activate( $activate ) {
  $url = isset( $_SERVER['REQUEST_URI'] ) ?
  filter_var( wp_unslash( $_SERVER['REQUEST_URI'] ), FILTER_SANITIZE_FULL_SPECIAL_CHARS ) :
  '';

  if ( '/my-account/' === $url ) {
  return false;
  }

  return $activate;
  }

add_filter( 'hcap_activate', 'my_hcap_activate' );

How to show hCaptcha widget instantly?

The plugin loads the hCaptcha script with a delay until user interaction: mouseenter, click, scroll or touch. This significantly improves Google Pagespeed Insights score.

To load the hCaptcha widget instantly, you can use the following filter:

/**
* Filters delay time for hCaptcha API script.
*
* Any negative value will prevent API script from loading at all,
* until user interaction: mouseenter, click, scroll or touch.
* This significantly improves Google Pagespeed Insights score.
*
* @param int $delay Number of milliseconds to delay hCaptcha API script.
*                   Any negative value means delay until user interaction.
*/
function my_hcap_delay_api( $delay ) {
  return 0;
}

add_filter( 'hcap_delay_api', 'my_hcap_delay_api' );

How to set hCaptcha language programmatically?

hCaptcha defaults to using the user’s language as reported by the browser. However, on multilingual sites you can override this to set the hCaptcha language to match the current page language. For this, you can use the following filter:

/**
* Filters hCaptcha language.
*
* @param string $language Language.
*/
function my_hcap_language( $language ) {
  // Detect page language and return it.
  $page_language = 'some lang'; // Detection depends on the multilingual plugin used.

  return $page_language;
}

add_filter( 'hcap_language', 'my_hcap_language' );

How to whitelist certain IPs

You can use the following filter:

/**
* Filter user IP to check if it is whitelisted.
* For whitelisted IPs, hCaptcha will not be shown.
*
* @param bool   $whitelisted Whether IP is whitelisted.
* @param string $ip          IP.
*
* @return bool
*/
function my_hcap_whitelist_ip( $whitelisted, $ip ) {

  // Whitelist local IPs.
  if ( false === $ip ) {
    return true;
  }

  // Whitelist some other IPs.
  if ( '1.1.1.1' === $ip ) {
    return true;
  }

  return $whitelisted;
}

add_filter( 'hcap_whitelist_ip', 'my_hcap_whitelist_ip', 10, 2 );

Why isn’t my WPForms Lite installation working?

Please make sure you have removed the reCAPTCHA keys under WPForms > Settings > reCAPTCHA to avoid a conflict.

Where can I get more information about hCaptcha?

Please see our website.

Adolygiadau

Medi 13, 2022
hCaptcha can be included into WPForms easily. Only the Site Key and Secret Key are needed which are available after the registration on the hCaptcha website. The verification via images in e.g. contact forms could be made easier for people with eye issues.
Awst 29, 2022
Estaría bueno tuviera soporte para el formulario de Kadence blocks, por ahora me sirve para el login y comentarios, pero no para el formulario de contacto. Y no quiero usar el recaptcha de google. Cuando tenga soporte para Kadence blocks vuelvo y cambio la valoración.
Hello, `For hCaptcha, this case law is relevant: European Court of Justice on the Privacy Shield In July 2020, the European Court of Justice came to the conclusion: the Privacy Shield is invalid. This means for practice: site operators can no longer use it as a legal basis to send personal data to the USA. The judges attributed this primarily to the fact that surveillance programs are used in the U.S. that are not limited to the absolutely necessary extent. And: European users cannot take legal action against U.S. providers should they misuse their data. European Court of Justice on the use of cookies Site operators require user consent if they want to use non-essential cookies. Users must be able to actively express this consent via opt-in. This was determined by the ECJ in October 2019 (Case C-673/17). Federal Supreme Court on the use of cookies Tracking cookies need explicit permission from users. The box for consent may not be pre-ticked in the process. Site operators can therefore only obtain legally compliant consent by opt-in. This was the conclusion reached by the Federal Court of Justice (BGH) on May 28, 2020 (I ZR 7/16). unfortunately, this is not applicable in germany. Thanks
Gorffennaf 31, 2022
I was really excited about this alternative idea for preventing spam and bots. I was so eager to make it work that I implemented it across two different websites and had terrible experiences with both. I spent hours setting it up, testing, and troubleshooting why it always (ALWAYS!) returns "Invalid CAPTCHA" on forms, including the WordPress login page (be careful), after correctly solving each CAPTCHA. It causes way too many problems to deal with for pennies. Wordfence is installed on both websites this was tested on. I don't know if that's the problem, but I did try disabling compatibility with reCAPTCHA within hCAPTCHA's settings and the reCAPTCHA settings within Wordfence's settings to no avail.
Gorffennaf 13, 2022
Excellent plug in, works with WP Forms Lite and was almost plug and play, took 30 seconds to sign up and the secret keys are given to you right away to get started. Had a working Captcha on my site in 1 minute!
Read all 26 reviews

Contributors & Developers

“hCaptcha for WordPress” is open source software. The following people have contributed to this plugin.

Cyfranwyr

“hCaptcha for WordPress” has been translated into 7 locales. Thank you to the translators for their contributions.

Translate “hCaptcha for WordPress” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Cofnod Newid

1.19.0

  • Fixed grey left sidebar issue on Elementor edit page.

1.18.0

  • Tested with WooCommerce 6.8.
  • Added Divi Comment Form support.
  • Fixed WPForms Login form support.
  • Fixed not valid CSS to prevent a black box issue.
  • Fixed invalid hCaptcha error after correction of wrong input on Checkout page.
  • Fixed hCaptcha functionality on Elementor Pro edit page when hCaptcha is off for logged-in users.

1.17.0

  • Tested with WooCommerce 6.6.
  • Added support for Ultimate Member plugin (Login, Register, LostPassword forms).
  • Fixed weird black bordered rectangle to the left of hCaptcha challenge.

1.16.0

  • Tested with WordPress 6.0.
  • Tested with WooCommerce 6.5.

  • = 1.15.0 =

  • Tested with WooCommerce 6.4.
  • Added Gravity Forms support.
  • Added filter to whitelist IPs.
  • Added support for multiple Ninja forms on a single page.

1.14.0

  • Tested with WooCommerce 6.2.
  • Added support for PHP 8.1.
  • Added support for Divi Login form.
  • Added hCaptcha language filter.
  • Changed nonce verification. Now nonce is verified for logged-in users only.

1.13.4

  • Tested with WooCommerce 6.1.
  • Added support for hCaptcha in Elementor Popup.
  • Fixed WooCommerce login when hCaptcha for WP login is active.
  • Fixed issue with Safari version < 14.

1.13.3

  • Tested with WodPress 5.9 and WooCommerce 6.0.
  • Added support for WP Fluent Forms.
  • Fixed regex for non-standard Order Tracking form.

1.13.2

  • Added support for non-standard WC Order Tracking form.
  • Fixed fatal error with Elementor Pro 3.5.

1.13.1

  • Fixed Divi Contact form in frontend builder.
  • Fixed WooCommerce login form.
  • Fixed css and js to pass W3C validation.
  • Fixed issue with Safari and invisible hCaptcha on auto-verify form.
  • Fixed issue with login via XML-RPC.

1.13.0

  • Added support for Divi Contact form.
  • Added support for Elementor Pro form.
  • Added support for MemberPress Register form.
  • Added support for WooCommerce Order Tracking form.
  • Fixed layout on the WP login form.
  • Fixed issue with insertion of hCaptcha not only to Jetpack forms.
  • Fixed regex bug in auto verify feature, which prevented registering of forms.

1.12.0

  • Added Invisible hCaptcha feature.
  • Added delayed rendering of hCaptcha to improve Google PageSpeed Insights score.
  • hCaptcha moved inside of Jetpack block form, before submit button.
  • Fixed fatal error with Divi theme.
  • Fixed – only 1 Contact Form 7 was working on the page.
  • Nonce is now checked with Contact Form 7.

1.11.0

  • Added auto-verification of an arbitrary form.

1.10.3

  • Fixed issue with Ninja Forms – hCaptcha is not shown.
  • Tested with WordPress 5.8 and WooCommerce 5.5

1.10.2

  • Fixed issue with CF7 – hCaptcha is not shown.

1.10.0

  • Fixed issue with WC login form when WP login form option is on.
  • Added feature to turn off the plugin for logged in users.
  • Added hook to disable the plugin on specific pages.
  • Added feature to run hCaptcha script and styles on pages where it is used only.

1.9.2

  • Fixed issue with WooCommerce on my-account page – captcha was requested even if solved properly.

1.9.1

  • Fixed issue with Contact Form 7 – reset hCaptcha widget when form is not validated.

1.9.0

  • Tested with WordPress 5.7 and WooCommerce 5.0

1.8.0

  • Added option to disable reCAPTCHA Compatibility (use if including both hCaptcha and reCAPTCHA on the same page)

1.7.0

  • 100% covered by WordPress integration tests.
  • Tests run on CI with PHP 5.6 – 8.0, latest WordPress core and latest related plugins.

1.6.4

  • Make any Jetpack contact form working with Block Editor
  • Tested with WooCommerce 4.7

1.6.3

  • Don’t require challenge for admin comment reply

1.6.2

  • WPForms Pro support

1.6.1

  • WPCS coding standards and docs update

1.6.0

  • Tested with WordPress 5.5 and WooCommerce 4.4

1.5.4

  • Added WPForms Lite support

1.5.3

  • WooCommerce Wishlists bug fix
  • text domain updated: better i18n support

1.5.2

  • CF7 bug fix: enforce validation

1.5.1

  • Update docs

1.5.0

  • Refactor to improve code hygiene, fixes for latest Ninja Forms.

1.4.2

  • Fixed comment issue, added WooCommerce Wishlists

1.4.1

  • Updated testing information, improve docs.

1.3

  • Automatic addition of hCaptcha button to Contact Form 7 forms when enabled.

1.2

  • Update to Contact Form 7 support. Adds compatibility for version 5.1.3.

1.1

  • Minor bugfixes

1.0

  • Plugin Created