{"id":325675,"date":"2026-06-19T07:12:52","date_gmt":"2026-06-19T07:12:52","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/cap-captcha\/"},"modified":"2026-06-26T09:19:52","modified_gmt":"2026-06-26T09:19:52","slug":"privacy-captcha-for-cap","status":"publish","type":"plugin","link":"https:\/\/ast.wordpress.org\/plugins\/privacy-captcha-for-cap\/","author":6326268,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.2.0","stable_tag":"1.2.0","tested":"7.0","requires":"6.5","requires_php":"8.3","requires_plugins":null,"header_name":"Privacy CAPTCHA for Cap","header_author":"Zirkel Design","header_description":"Privacy-friendly spam protection for WordPress comments, login, registration, WooCommerce checkout, and Gravity Forms, powered by your own Cap (trycap.dev) server.","assets_banners_color":"","last_updated":"2026-06-26 09:19:52","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/github.com\/zirkeldesign\/privacy-captcha-for-cap","header_author_uri":"https:\/\/zirkel.design","rating":0,"author_block_rating":0,"active_installs":0,"downloads":96,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.0":{"tag":"1.0.0","author":"d.sturm","date":"2026-06-19 07:12:22"},"1.1.0":{"tag":"1.1.0","author":"d.sturm","date":"2026-06-26 09:18:06"},"1.2.0":{"tag":"1.2.0","author":"d.sturm","date":"2026-06-26 09:19:52"}},"upgrade_notice":[],"ratings":[],"assets_icons":[],"assets_banners":[],"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.0","1.1.0","1.2.0"],"block_files":[],"assets_screenshots":[],"screenshots":[]},"plugin_section":[262246],"plugin_tags":[362,107,34331,599,286],"plugin_category":[44,45,54],"plugin_contributors":[256580],"plugin_business_model":[],"class_list":["post-325675","plugin","type-plugin","status-publish","hentry","plugin_section-dashboard-widgets","plugin_tags-captcha","plugin_tags-comments","plugin_tags-proof-of-work","plugin_tags-spam","plugin_tags-woocommerce","plugin_category-discussion-and-community","plugin_category-ecommerce","plugin_category-security-and-spam-protection","plugin_contributors-dsturm-1","plugin_committers-dsturm"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/s.w.org\/plugins\/geopattern-icon\/privacy-captcha-for-cap.svg","icon_2x":false,"generated":true},"screenshots":[],"raw_content":"\n

Privacy CAPTCHA for Cap<\/strong> integrates Cap<\/a> \u2014 a self-hosted, privacy-friendly, proof-of-work CAPTCHA \u2014 into the parts of WordPress that attract the most spam: comments, login, user registration, WooCommerce checkout, and Gravity Forms.<\/p>\n\n

Unlike third-party CAPTCHAs (reCAPTCHA, hCaptcha, Turnstile), Cap runs the proof-of-work entirely in the visitor's browser and verifies the token against your own Cap server. No data leaves your infrastructure.<\/p>\n\n

\n

Unofficial integration.<\/strong> Cap is an independent open-source project by tiagozip (https:\/\/trycap.dev\/, Apache-2.0). This plugin is a third-party integration and is not affiliated with, endorsed by, or sponsored by<\/strong> the Cap project. \"Cap\" refers to that project solely to describe what this plugin works with.<\/p>\n<\/blockquote>\n\n

Features<\/h4>\n\n
    \n
  • First-class Gravity Forms field<\/strong> \u2014 drag a \"Privacy CAPTCHA for Cap\" into any form from the Advanced Fields group. Per-field display-mode override.<\/li>\n
  • Contact Form 7<\/strong> integration \u2014 protects every CF7 form automatically.<\/li>\n
  • WordPress comments, wp-login, registration<\/strong> integrations \u2014 togglable from one settings page.<\/li>\n
  • WooCommerce<\/strong> integration \u2014 checkout plus the My Account login, registration, and lost-password forms, each its own toggle. Only loads when WooCommerce is active.<\/li>\n
  • Dashboard widget<\/strong> \u2014 at-a-glance Cap server stats (challenges, verified, failed, hourly chart) right on the WordPress dashboard.<\/li>\n
  • Granular per-surface toggles<\/strong> and developer filters<\/strong> (cap_captcha_protect<\/code>) to enable\/disable protection on any form, even conditionally.<\/li>\n
  • Three display modes<\/strong>: inline widget, floating popover, or fully programmatic (auto-solves silently).<\/li>\n
  • Fully self-hosted assets<\/strong> \u2014 the proof-of-work WebAssembly module, the cap-widget script, and the pako decompression library all ship inside the plugin and are served locally, so no jsdelivr or other third-party CDN is contacted at runtime. DSGVO\/GDPR-clean by default.<\/li>\n
  • WP 6.5+ native script-module API<\/strong> for proper ES-module loading.<\/li>\n
  • i18n-ready<\/strong> with German translations bundled.<\/li>\n
  • Theme-friendly CSS<\/strong> built on Gravity Forms Orbital tokens with --cap-captcha-*<\/code> overrides.<\/li>\n
  • Filter hooks<\/strong> for protection gating, asset URLs, button classes, i18n strings, and the display mode.<\/li>\n<\/ul>\n\n

    Requirements<\/h4>\n\n
      \n
    • WordPress 6.5 or later<\/li>\n
    • PHP 8.3 or later<\/li>\n
    • A reachable Cap server (see https:\/\/trycap.dev\/)<\/li>\n
    • Gravity Forms 2.5+ (only if you enable the Gravity Forms integration)<\/li>\n
    • WooCommerce (only if you enable the WooCommerce integration)<\/li>\n<\/ul>\n\n\n
        \n
      1. Upload the privacy-captcha-for-cap<\/code> folder to \/wp-content\/plugins\/<\/code>.<\/li>\n
      2. Activate the plugin via the Plugins<\/em> menu in WordPress.<\/li>\n
      3. Go to Settings \u2192 Privacy CAPTCHA for Cap<\/strong> and enter your Cap endpoint URL, site key, and secret key.<\/li>\n
      4. Tick the integrations you want to enable.<\/li>\n<\/ol>\n\n\n
        \n

        Is this an official Cap plugin?<\/h3><\/dt>\n

        No. Cap is an independent open-source project by tiagozip (https:\/\/trycap.dev\/), licensed under Apache-2.0. This plugin is an unofficial third-party integration and is not affiliated with or endorsed by the Cap project. We reference the \"Cap\" name only to indicate which software this plugin works with.<\/p><\/dd>\n

        Where do I get a Cap endpoint, site key and secret?<\/h3><\/dt>\n

        You provision those in your self-hosted Cap server. See the Cap documentation at https:\/\/trycap.dev\/.<\/p><\/dd>\n

        Where is the WASM loaded from?<\/h3><\/dt>\n

        By default: from the copy bundled inside this plugin at wp-content\/plugins\/privacy-captcha-for-cap\/assets\/wasm\/cap_wasm_bg.wasm<\/code>. You can optionally switch to your own Cap server's \/assets\/cap_wasm_bg.wasm<\/code> endpoint under Settings \u2192 Privacy CAPTCHA for Cap \u2192 Privacy<\/strong>. Either way the file is served from your own infrastructure \u2014 no third-party CDN is contacted.<\/p><\/dd>\n

        Why is a `.wasm` file bundled, and where does it come from?<\/h3><\/dt>\n

        The bundled assets\/wasm\/cap_wasm_bg.wasm<\/code> is the WebAssembly module the Cap widget uses to run the proof-of-work challenge in the visitor's browser. Bundling it locally is the privacy-friendly default: it means no third-party CDN (jsdelivr) is contacted at page load, so visitor IPs are never shared (DSGVO\/GDPR-clean).<\/p>\n\n

        It is the unmodified upstream file from the @cap.js\/wasm<\/code> npm package (Apache-2.0), part of the open-source Cap project. The plugin does not alter it. Its source and build live in the Cap repository at https:\/\/github.com\/tiagozip\/cap, and the vendoring step is reproducible via scripts\/build-assets.mjs<\/code> (bun run build<\/code>), which copies the file verbatim and bun run build:check<\/code> verifies it matches upstream.<\/p><\/dd>\n

        Can I store the secret outside the database?<\/h3><\/dt>\n

        Yes. Define CAP_CAPTCHA_SECRET_KEY<\/code> in wp-config.php<\/code> and the plugin will use it instead of the value saved in wp_options<\/code>.<\/p><\/dd>\n

        What is \"fail-open\" mode?<\/h3><\/dt>\n

        When enabled, the plugin lets submissions through if the Cap server is unreachable. Off by default \u2014 only turn it on if temporary outages must not block legitimate users (logins, checkouts). It applies only when Cap genuinely can't be reached; a CAPTCHA the server actively rejects is always blocked. You can set fail-open per form<\/strong> (e.g. open for logins, closed for contact forms) under the global toggle, and any submission accepted this way is flagged for review (Gravity Forms entries, WooCommerce orders, comments, and new users get a cap_captcha_fail_open<\/code> marker; orders also get a note).<\/p><\/dd>\n

        Does the bundled `cap-widget` script make any external requests?<\/h3><\/dt>\n

        No third-party CDN requests. All widget assets are bundled and served from this plugin, including the pako<\/code> decompression library (assets\/js\/vendor\/pako_inflate.min.js<\/code>), which older browsers without the native DecompressionStream<\/code> API load locally instead of from jsdelivr. The only network requests the widget makes are to your own Cap endpoint to fetch and verify challenges.<\/p><\/dd>\n

        Can I turn protection on or off per form in code?<\/h3><\/dt>\n

        Yes. Every surface passes through the cap_captcha_protect<\/code> filter \u2014 ($enabled, $context)<\/code> returning a boolean \u2014 before the widget renders and before a submission is verified. For example, to skip the CAPTCHA for logged-in users everywhere: add_filter('cap_captcha_protect', fn($on, $ctx) => is_user_logged_in() ? false : $on, 10, 2);<\/code>. There is also a per-surface filter, e.g. cap_captcha_protect_woocommerce_login<\/code>. Context ids: gravity_forms, contact_form_7, comments, login, registration, woocommerce_checkout, woocommerce_login, woocommerce_registration, woocommerce_lost_password.<\/p><\/dd>\n

        Can I keep the CAPTCHA off a specific Contact Form 7 or Gravity Forms form?<\/h3><\/dt>\n

        Yes \u2014 useful for legally required or accessibility-sensitive forms. For Contact Form 7<\/strong>, set the mode to Manual<\/em> (Settings \u2192 Form placement) and add the [cap_captcha]<\/code> tag only to the forms you want protected; or, in Automatic<\/em> mode, add cap_captcha: off<\/code> to a form's Additional Settings to skip just that one. For Gravity Forms<\/strong>, each form has a Privacy CAPTCHA<\/em> setting (Default \/ Always \/ Never) so you can exclude individual forms even when \"protect all\" is on.<\/p><\/dd>\n

        Are there developer hooks \/ filters?<\/h3><\/dt>\n

        Yes. The main ones:<\/p>\n\n

          \n
        • cap_captcha_protect<\/code> \u2014 master gate for every surface: ($enabled, $context)<\/code> returning a boolean. Runs before the widget renders and before a submission is verified.<\/li>\n
        • cap_captcha_protect_{context}<\/code> \u2014 per-surface gate, e.g. cap_captcha_protect_woocommerce_login<\/code>.<\/li>\n
        • cap_captcha_fail_open<\/code> \u2014 ($open, $context)<\/code> the resolved fail-open decision for a surface; plus a cap_captcha_fail_open_pass<\/code> action when a submission is accepted via fail-open.<\/li>\n
        • cap_captcha_widget_src<\/code>, cap_captcha_floating_src<\/code>, cap_captcha_programmatic_src<\/code>, cap_captcha_style_src<\/code> \u2014 override the script\/style URLs (return ''<\/code> for the style to disable bundled CSS).<\/li>\n
        • cap_captcha_wasm_url<\/code>, cap_captcha_pako_url<\/code> \u2014 override the WASM \/ pako URLs (default to the bundled copies).<\/li>\n
        • cap_captcha_i18n<\/code> \u2014 override the widget's data-cap-i18n-*<\/code> strings.<\/li>\n
        • cap_captcha_floating_button_classes<\/code>, cap_captcha_floating_position<\/code>, cap_captcha_floating_autosubmit_src<\/code> \u2014 floating-mode tweaks.<\/li>\n
        • cap_captcha_display_mode<\/code> \u2014 override the resolved display mode for a specific Gravity Forms field.<\/li>\n<\/ul>\n\n

          The full, annotated list with examples is in README.md.<\/p><\/dd>\n\n<\/dl>\n\n\n

          1.2.0<\/h4>\n\n
            \n
          • Added: per-form fail-open \u2014 let logins through during a Cap outage while still requiring a valid proof on contact forms (or any mix). Set it per surface, or keep the global default.<\/li>\n
          • Added: submissions accepted during a Cap outage are now flagged for review (Gravity Forms entries, WooCommerce orders, comments, and new users get a \"fail-open\" marker; orders also get a note).<\/li>\n
          • Improved: a CAPTCHA that the Cap server actively rejects is always blocked \u2014 fail-open only applies when Cap genuinely can't be reached.<\/li>\n<\/ul>\n\n

            1.1.0<\/h4>\n\n
              \n
            • Added: Contact Form 7 integration with placement control \u2014 automatic on all forms, or manual via the [cap_captcha] tag (so you can keep the CAPTCHA off legally required or accessibility-sensitive forms).<\/li>\n
            • Added: Gravity Forms automatic protection \u2014 global \"protect all\" plus a per-form Default \/ Always \/ Never override, alongside the existing field.<\/li>\n
            • Added: WooCommerce My Account login, registration, and lost-password forms (each its own toggle, alongside checkout).<\/li>\n
            • Added: dashboard widget showing your Cap server stats at a glance.<\/li>\n
            • Added: granular per-surface toggles and a cap_captcha_protect<\/code> developer filter to control protection on any form, even conditionally.<\/li>\n
            • Fixed: the Login integration no longer interferes with WooCommerce My Account logins.<\/li>\n<\/ul>\n\n

              1.0.0<\/h4>\n\n
                \n
              • Initial release.<\/li>\n
              • Gravity Forms field (inline \/ floating \/ programmatic display).<\/li>\n
              • Comments, login, registration, WooCommerce integrations.<\/li>\n
              • Fully self-hosted assets \u2014 WASM module, cap-widget script, and pako library all bundled and served locally; no third-party CDN is contacted at runtime. DSGVO-clean by default.<\/li>\n
              • WP 6.5 native script-module loading.<\/li>\n
              • Top-level Settings \u2192 Privacy CAPTCHA for Cap page with integration toggles, WASM source choice (this plugin or your own Cap server), fail-open switch.<\/li>\n
              • German translations.<\/li>\n<\/ul>","raw_excerpt":"Privacy-friendly spam protection for comments, login, registration, WooCommerce, and Gravity Forms, powered by your own Cap server.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ast.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/325675","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ast.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/ast.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/ast.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=325675"}],"author":[{"embeddable":true,"href":"https:\/\/ast.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/dsturm"}],"wp:attachment":[{"href":"https:\/\/ast.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=325675"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/ast.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=325675"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/ast.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=325675"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/ast.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=325675"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/ast.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=325675"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/ast.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=325675"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}