Enables hCaptcha integration with WordPress and popular plugins.
hCaptcha is a drop-in replacement for reCAPTCHA that puts user privacy first.
Need to keep out bots? hCaptcha protects privacy while offering better protection against spam and abuse. Help build a better web.
The purpose of a CAPTCHA is to distinguish between people and machines via a challenge-response test, and thus increase the cost of spamming or otherwise abusing websites by keeping out bots.
To use this plugin, install it and enter your sitekey and secret in the Settings -> hCaptcha menu after signing up on hCaptcha.com.
hCaptcha Free lets websites block bots and other forms of abuse via humanity challenges.
hCaptcha Pro goes beyond the free hCaptcha service with advanced machine learning to reduce the challenge rate, delivering high security and low friction along with more features like UI customization.
hCaptcha is designed to comply with privacy laws in every country, including GDPR, LGPD, CCPA, and more.
For example, hCaptcha has been certified under ISO 27001 and 27701 and is enrolled in the EU-US, UK-US, and Swiss-US Data Privacy Framework for GDPR compliance.
Details are available at www.hcaptcha.com/certifications and www.hcaptcha.com/gdpr.
With the default configuration, this plugin does not:
Once you activate this plugin, the hCaptcha-answering user’s IP address and browser data may be sent to the hCaptcha service on pages where you have activated hCaptcha protection. However, hCaptcha is designed to minimize data used, process it very close to the user, and rapidly discard it after analysis.
For more details, please see the hCaptcha privacy policy at:
If you enable the optional plugin-local statistics feature, the following additional data will be recorded to your database:
We recommend leaving IP recording off, which will make these statistics fully anonymous.
If this feature is enabled, anonymized statistics on your plugin configuration, not including any end user data, will also be sent to us. This lets us see which modules and features are being used and prioritize development for them accordingly.
NOTE: This is a community-developed plugin. Your PRs are welcome.
For feature requests and issue reports, please open a pull request.
We also suggest emailing the authors of plugins you’d like to support hCaptcha: it will usually take them only an hour or two to add native support. This will simplify your use of hCaptcha, and is the best solution in the long run.
You may use native hCaptcha support if available for your plugin. Please check with your plugin author if native support is not yet available.
However, the hCaptcha plugin provides a broader set of options and features so that you can use it with any form on your site.
Instructions for popular native integrations are below:
Sign up at hCaptcha.com to get your sitekey and secret, then:
Login page with hCaptcha widget
Login page with hCaptcha challenge
WooCommerce Login/Register page
Contact Form 7 with hCaptcha
Contact Form 7 live form in the admin editor.
General settings page
Integrations settings page
Activating plugin from the Integration settings page
(Optional) Local Forms statistics
(Optional) Local Events statistics
The hCaptcha plugin supports WordPress core and many plugins with forms automatically. You should select the supported forms on the hCaptcha Integrations settings page.
For non-standard cases, you can use the [hcaptcha] shortcode provided by the plugin.
For example, we support Contact Form 7 automatically. However, sometimes a theme can modify the form. In this case, you can manually add the [cf7-hcaptcha] shortcode to the CF7 form.
To make hCaptcha work, the shortcode must be inside the
…
tag.
Open a PR on GitHub: or just email the authors of plugin X. Adding hCaptcha support is typically quite a quick task for most plugins.
Full list of arguments:
[hcaptcha action="my_hcap_action" name="my_hcap_name" auto="true|false" force="true|false" size="normal|compact|invisible"]
The shortcode adds not only the hCaptcha div to the form, but also a nonce field. You can set your own nonce action and name. For this, use arguments in the shortcode:
[hcaptcha action="my_hcap_action" name="my_hcap_name"]
and in the verification:
$result = hcaptcha_request_verify( 'my_hcap_action', 'my_hcap_name' );
For the explanation of the auto="true|false" argument, see the section “How to automatically verify an arbitrary form”. By default, auto="false".
The argument force="true|false" allows forcing verification of the hCaptcha widget before submitting the form. By default, force="false".
The argument size="normal|compact|invisible" allows setting the size of the hCaptcha widget. By default, size="normal".
First, add the hCaptcha snippet to the form.
If you create the form as an HTML block in the post content, insert the shortcode [hcaptcha] inside it. It may look like this:
<form method="post">
	<input type="text" name="test_input">
	<input type="submit" value="Send">
	[hcaptcha]
</form>
If you create the form programmatically, insert the following statement inside it:
?>
<form method="post">
	<input type="text" name="test_input">
	<input type="submit" value="Send">
	<?php echo do_shortcode( '[hcaptcha]' ); ?>
</form>
<?php
Secondly, verify the result of the hCaptcha challenge.
$result = hcaptcha_verify_post();

if ( null !== $result ) {
	echo esc_html( $result );
	// Block processing of the form.
}
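The two steps above combined into one handler, as an added example that is not part of the plugin's own code or documentation. The [my_feedback_form] shortcode and the my_feedback_*() functions are hypothetical names; only the [hcaptcha] shortcode and hcaptcha_verify_post() come from the page. The handler rejects the submission when verification fails or when the hCaptcha plugin is not active.

```php
<?php
/**
 * Added example. Hypothetical names: the [my_feedback_form] shortcode and the
 * my_feedback_*() functions. Only hcaptcha_verify_post() and the [hcaptcha]
 * shortcode come from the hCaptcha plugin.
 */

/**
 * Verify hCaptcha once per request; a response token cannot be verified twice.
 *
 * @return string|null Null on success, error message otherwise.
 */
function my_feedback_verify() {
	// Fail closed: with the hCaptcha plugin deactivated, reject the
	// submission rather than accept unverified input.
	if ( ! function_exists( 'hcaptcha_verify_post' ) ) {
		return 'Verification is unavailable. Please try again later.';
	}

	return hcaptcha_verify_post();
}

/** Placeholder for the real processing step (assumption). */
function my_feedback_store( $text ) {
	update_option( 'my_feedback_last', $text, false );
}

/** Render the form and handle its submission. */
function my_feedback_form() {
	$notice = '';

	if ( isset( $_POST['test_input'] ) ) {
		$error = my_feedback_verify();

		if ( null !== $error ) {
			// Verification failed: report it and process nothing.
			$notice = '<p>' . esc_html( $error ) . '</p>';
		} else {
			my_feedback_store( sanitize_text_field( wp_unslash( $_POST['test_input'] ) ) );
			$notice = '<p>Thank you.</p>';
		}
	}

	return $notice . '<form method="post"><input type="text" name="test_input">'
		. do_shortcode( '[hcaptcha]' )
		. '<input type="submit" value="Send"></form>';
}
add_shortcode( 'my_feedback_form', 'my_feedback_form' );
```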
Arbitrary user forms can be verified easily. Just add auto="true" or auto="1" to the shortcode:
[hcaptcha auto="true"]
and insert this shortcode into your form.
Auto-verification works with forms sent by POST on frontend only. It works with forms in the post content and in widgets.
You can also add the force="true" or force="1" argument to prevent sending a form without checking the hCaptcha.
[hcaptcha auto="true" force="true"]
hCaptcha starts early, so you cannot use standard WP functions to determine the page. For instance, to block it on the my-account page, add the following code to your plugin’s (or mu-plugin’s) main file. This code won’t work if added to a theme’s functions.php file.
/**
 * Filter hCaptcha activation flag.
 *
 * @param bool $activate Activate flag.
 *
 * @return bool
 */
function my_hcap_activate( $activate ) {
	$url = isset( $_SERVER['REQUEST_URI'] ) ?
		filter_var( wp_unslash( $_SERVER['REQUEST_URI'] ), FILTER_SANITIZE_FULL_SPECIAL_CHARS ) :
		'';

	if ( '/my-account/' === $url ) {
		return false;
	}

	return $activate;
}

add_filter( 'hcap_activate', 'my_hcap_activate' );
The plugin has a filter to skip adding and verifying hCaptcha on a specific form. The filter receives three parameters: current protection status (‘true’ by default), source and form_id.
The source is the plugin’s slug (like ‘directory/main-plugin-file.php’), the theme name (like ‘Avada’) or the WordPress core (like ‘WordPress’).
The form_id is the form_id for plugins like Gravity Forms or WPForms, the post id for comments or a general name of the form when the form does not have an id (like WordPress core login form).
Filter arguments for some plugins/forms are listed below.
Affiliates
$source: ‘affiliates/affiliates.php’
$form_id: ‘login’ or ‘register’
Back In Stock Notifier
$source: ‘back-in-stock-notifier-for-woocommerce/cwginstocknotifier.php’
$form_id: product_id
BBPress
$source: ‘bbpress/bbpress.php’
$form_id: ‘new_topic’ or ‘reply’
Beaver Builder
$source: ‘bb-plugin/fl-builder.php’
$form_id: ‘contact’ or ‘login’
Brizy
$source: ‘brizy/brizy.php’
$form_id: ‘form’
BuddyPress
$source: ‘buddypress/bp-loader.php’
$form_id: ‘create_group’ or ‘register’
Classified Listing
$source: ‘classified-listing/classified-listing.php’
$form_id: ‘contact’, ‘login’, ‘lost_password’ or ‘register’
Divi
$source: ‘Divi’
$form_id: post_id for comment form, ‘contact’, ‘email_optin’, or ‘login’
Download Manager
$source: ‘download-manager/download-manager.php’
$form_id: post_id of download item in the admin
Easy Digital Downloads
$source: ‘easy-digital-downloads/easy-digital-downloads.php’
$form_id: ‘checkout’, ‘login’, ‘lost_password’ or ‘register’
Elementor Pro
$source: ‘elementor-pro/elementor-pro.php’
$form_id: Form ID set for the form Content->Additional Options or ‘login’
Jetpack
$source: ‘jetpack/jetpack.php’
$form_id: ‘contact’
Kadence Form
$source: ‘kadence-blocks/kadence-blocks.php’
$form_id: post_id
Kadence Advanced Form
$source: ‘kadence-blocks/kadence-blocks.php’
$form_id: form_id
LearnDash
$source: ‘sfwd-lms/sfwd_lms.php’
$form_id: ‘login’, ‘lost_password’ or ‘register’
Login/Signup Popup
$source: ‘easy-login-woocommerce/xoo-el-main.php’
$form_id: ‘login’, or ‘register’
MemberPress
$source: ‘memberpress/memberpress.php’
$form_id: ‘login’ or ‘register’
Paid Memberships Pro
$source: ‘paid-memberships-pro/paid-memberships-pro.php’
$form_id: ‘checkout’ or ‘login’
Passster
$source: ‘content-protector/content-protector.php’
$form_id: area_id
Profile Builder
$source: ‘profile-builder/index.php’
$form_id: ‘login’, ‘lost_password’ or ‘register’
Subscriber
$source: ‘subscriber/subscriber.php’
$form_id: ‘form’
Support Candy
$source: ‘supportcandy/supportcandy.php’
$form_id: ‘form’
Theme My Login
$source: ‘theme-my-login/theme-my-login.php’
$form_id: ‘login’, ‘lost_password’ or ‘register’
Ultimate Member
$source: ‘ultimate-member/ultimate-member.php’
$form_id: form_id or ‘password’
UsersWP
$source: ‘userswp/userswp.php’
$form_id: ‘forgot’, ‘login’ or ‘register’
WooCommerce Wishlist
$source: ‘woocommerce-wishlists/woocommerce-wishlists.php’
$form_id: ‘form’
wpDiscuz
$source: ‘wpdiscuz/class.WpdiscuzCore.php’
$form_id: post_id
WPForms
$source: ‘wpforms-lite/wpforms.php’ or ‘wpforms/wpforms.php’
$form_id: form_id
wpForo
$source: ‘wpforo/wpforo.php’
$form_id: ‘new_topic’ for new topic form and topicid for reply form. Topicid can be found in HTML code searching for ‘data-topicid’ in Elements.
Wordfence Login Security
$source: ‘wordfence-login-security/wordfence-login-security.php’
$form_id: ‘login’
Wordfence Security
$source: ‘wordfence/wordfence.php’
$form_id: ‘login’
WordPress Core
$source: ‘WordPress’
$form_id: post_id for comment form, ‘login’, ‘lost_password’, ‘password_protected’, or ‘register’
WooCommerce
$source: ‘woocommerce/woocommerce.php’
$form_id: ‘checkout’, ‘login’, ‘lost_password’, ‘order_tracking’, or ‘register’
Below is an example of how to skip the hCaptcha widget on a Gravity Form with id = 1.
/**
 * Filters the protection status of a form.
 *
 * @param bool       $value   The protection status of a form.
 * @param string[]   $source  Plugin(s) serving the form.
 * @param int|string $form_id Form id.
 *
 * @return bool
 */
function hcap_protect_form_filter( $value, $source, $form_id ) {
	if ( ! in_array( 'gravityforms/gravityforms.php', $source, true ) ) {
		// The form is not sourced by Gravity Forms plugin.
		return $value;
	}

	if ( 1 !== (int) $form_id ) {
		// The form has id !== 1.
		return $value;
	}

	// Turn off protection for Gravity form with id = 1.
	return false;
}

add_filter( 'hcap_protect_form', 'hcap_protect_form_filter', 10, 3 );
The plugin loads the hCaptcha script with a delay until user interaction: mouseenter, click, scroll or touch. This significantly improves Google Pagespeed Insights score.
To load the hCaptcha widget instantly, you can use the following filter:
/**
 * Filters delay time for hCaptcha API script.
 *
 * Any negative value will prevent the API script from loading at all,
 * until user interaction: mouseenter, click, scroll or touch.
 * This significantly improves Google Pagespeed Insights score.
 *
 * @param int $delay Number of milliseconds to delay hCaptcha API script.
 *                   Any negative value means delay until user interaction.
 */
function my_hcap_delay_api( $delay ) {
	return 0;
}

add_filter( 'hcap_delay_api', 'my_hcap_delay_api' );
hCaptcha defaults to using the user’s language as reported by the browser. However, on multilingual sites you can override this to set the hCaptcha language to match the current page language. For this, you can use the following filter:
/**
 * Filters hCaptcha language.
 *
 * @param string $language Language.
 */
function my_hcap_language( $language ) {
	// Detect page language and return it.
	$page_language = 'some lang'; // Detection depends on the multilingual plugin used.

	return $page_language;
}

add_filter( 'hcap_language', 'my_hcap_language' );
You can use the following filter:
/**
 * Filter user IP to check if it is whitelisted.
 * For whitelisted IPs, hCaptcha will not be shown.
 *
 * @param bool         $whitelisted Whether IP is whitelisted.
 * @param string|false $ip          IP; false is handled below as a local IP.
 *
 * @return bool
 */
function my_hcap_whitelist_ip( $whitelisted, $ip ) {
	// Whitelist local IPs.
	if ( false === $ip ) {
		return true;
	}

	// Whitelist some other IPs.
	if ( '1.1.1.1' === $ip ) {
		return true;
	}

	return $whitelisted;
}

add_filter( 'hcap_whitelist_ip', 'my_hcap_whitelist_ip', 10, 2 );
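The filter above compares one exact address. The added example below, which is not the plugin's own code, generalizes it to CIDR ranges for IPv4 and IPv6. The my_hcap_* names are hypothetical and the ranges are reserved documentation networks used as placeholders.

```php
<?php
// Added example. The ranges are reserved documentation networks used as
// placeholders; the my_hcap_* names are hypothetical.
const MY_HCAP_ALLOWED_RANGES = array( '192.0.2.0/24', '198.51.100.7', '2001:db8:1234::/48' );

/** Check whether $ip lies inside $cidr (e.g. 192.0.2.0/24) or equals a bare address. */
function my_hcap_ip_in_cidr( $ip, $cidr ) {
	$parts = explode( '/', $cidr, 2 );
	if ( ! filter_var( $ip, FILTER_VALIDATE_IP ) || ! filter_var( $parts[0], FILTER_VALIDATE_IP ) ) {
		return false;
	}
	$ip_bin  = inet_pton( $ip );
	$net_bin = inet_pton( $parts[0] );
	$max     = 8 * strlen( $net_bin );
	// Mixed address families never match.
	if ( strlen( $ip_bin ) !== strlen( $net_bin ) ) {
		return false;
	}
	// A malformed or out-of-range prefix length matches nothing.
	if ( isset( $parts[1] ) && ( ! ctype_digit( $parts[1] ) || (int) $parts[1] > $max ) ) {
		return false;
	}
	$bits  = isset( $parts[1] ) ? (int) $parts[1] : $max;
	$bytes = intdiv( $bits, 8 );
	$mask  = ( 0xFF << ( 8 - $bits % 8 ) ) & 0xFF; // 0 when $bits is a multiple of 8.
	if ( substr( $ip_bin, 0, $bytes ) !== substr( $net_bin, 0, $bytes ) ) {
		return false;
	}
	return 0 === $mask || ( ord( $ip_bin[ $bytes ] ) & $mask ) === ( ord( $net_bin[ $bytes ] ) & $mask );
}

/** Filter callback: non-string values keep the incoming decision. */
function my_hcap_whitelist_cidr( $whitelisted, $ip ) {
	if ( is_string( $ip ) ) {
		foreach ( MY_HCAP_ALLOWED_RANGES as $range ) {
			$whitelisted = $whitelisted || my_hcap_ip_in_cidr( $ip, $range );
		}
	}
	return $whitelisted;
}
add_filter( 'hcap_whitelist_ip', 'my_hcap_whitelist_cidr', 10, 2 );
```

Every address in an allowlisted range skips the challenge, so keep the ranges as narrow as the use case allows.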
Starting from 4.1.0, the admin menu was moved to the top level with subpages.
You can customize this by returning it to the previous location in the admin Settings section, or tweak its appearance.
To do this, add the following filter to your plugin’s (or mu-plugin’s) main file. This code won’t work if added to a theme’s functions.php file.
/**
 * Filter the settings system initialization arguments.
 *
 * @param array $args Settings system initialization arguments.
 */
function hcap_settings_init_args_filter( $args ) {
	$args['mode'] = 'tabs';

	return $args;
}

add_filter( 'hcap_settings_init_args', 'hcap_settings_init_args_filter' );

The $args array has the following fields:
mode: 'pages' or 'tabs' (default 'pages') — the appearance of the admin menu;
parent: a string — the parent menu item. Default '' for 'pages' mode and 'options-general.php' for 'tabs' mode;
position: a number — the position of the menu item. Default 58.990225 for 'pages' mode. It has no effect in 'tabs' mode.
Please see our website.
hcap_form_args to allow modifying form arguments.
hcap_add_csp_headers to allow adding Content Security Policy headers.
hcap_api_host, allowing to filter the API host.
hcap_api_src, allowing to filter the API source url with params.
hcaptcha_login_data option size small.
hcap_login_limit_exceeded, allowing to filter the login limit exceeded status.
'on' and WC Login form option was 'off'.