WordPress.org
Get WordPress
WordPress.org

Plugin Directory

Privacy CAPTCHA for Cap

Privacy CAPTCHA for Cap

By Daniel Sturm
Download

Description

Privacy CAPTCHA for Cap integrates Cap — a self-hosted, privacy-friendly, proof-of-work CAPTCHA — into the parts of WordPress that attract the most spam: comments, login, user registration, WooCommerce checkout, and Gravity Forms.

Unlike third-party CAPTCHAs (reCAPTCHA, hCaptcha, Turnstile), Cap runs the proof-of-work entirely in the visitor’s browser and verifies the token against your own Cap server. No data leaves your infrastructure.

Unofficial integration. Cap is an independent open-source project by tiagozip (https://trycap.dev/, Apache-2.0). This plugin is a third-party integration and is not affiliated with, endorsed by, or sponsored by the Cap project. “Cap” refers to that project solely to describe what this plugin works with.

Features

  • First-class Gravity Forms field — drag a “Privacy CAPTCHA for Cap” into any form from the Advanced Fields group. Per-field display-mode override.
  • WordPress comments, wp-login, registration integrations — togglable from one settings page.
  • WooCommerce checkout integration — only loads when WooCommerce is active.
  • Three display modes: inline widget, floating popover, or fully programmatic (auto-solves silently).
  • Fully self-hosted assets — the proof-of-work WebAssembly module, the cap-widget script, and the pako decompression library all ship inside the plugin and are served locally, so no jsdelivr or other third-party CDN is contacted at runtime. DSGVO/GDPR-clean by default.
  • WP 6.5+ native script-module API for proper ES-module loading.
  • i18n-ready with German translations bundled.
  • Theme-friendly CSS built on Gravity Forms Orbital tokens with --cap-captcha-* overrides.
  • Filter hooks for asset URLs, button classes, i18n strings, and the display mode.

Requirements

  • WordPress 6.5 or later
  • PHP 8.3 or later
  • A reachable Cap server (see https://trycap.dev/)
  • Gravity Forms 2.5+ (only if you enable the Gravity Forms integration)
  • WooCommerce (only if you enable the WooCommerce integration)

Installation

  1. Upload the privacy-captcha-for-cap folder to /wp-content/plugins/.
  2. Activate the plugin via the Plugins menu in WordPress.
  3. Go to Settings Privacy CAPTCHA for Cap and enter your Cap endpoint URL, site key, and secret key.
  4. Tick the integrations you want to enable.

FAQ

Is this an official Cap plugin?

No. Cap is an independent open-source project by tiagozip (https://trycap.dev/), licensed under Apache-2.0. This plugin is an unofficial third-party integration and is not affiliated with or endorsed by the Cap project. We reference the “Cap” name only to indicate which software this plugin works with.

Where do I get a Cap endpoint, site key and secret?

You provision those in your self-hosted Cap server. See the Cap documentation at https://trycap.dev/.

Where is the WASM loaded from?

By default: from the copy bundled inside this plugin at wp-content/plugins/privacy-captcha-for-cap/assets/wasm/cap_wasm_bg.wasm. You can optionally switch to your own Cap server’s /assets/cap_wasm_bg.wasm endpoint under Settings Privacy CAPTCHA for Cap Privacy. Either way the file is served from your own infrastructure — no third-party CDN is contacted.

Why is a `.wasm` file bundled, and where does it come from?

The bundled assets/wasm/cap_wasm_bg.wasm is the WebAssembly module the Cap widget uses to run the proof-of-work challenge in the visitor’s browser. Bundling it locally is the privacy-friendly default: it means no third-party CDN (jsdelivr) is contacted at page load, so visitor IPs are never shared (DSGVO/GDPR-clean).

It is the unmodified upstream file from the @cap.js/wasm npm package (Apache-2.0), part of the open-source Cap project. The plugin does not alter it. Its source and build live in the Cap repository at https://github.com/tiagozip/cap, and the vendoring step is reproducible via scripts/build-assets.mjs (bun run build), which copies the file verbatim and bun run build:check verifies it matches upstream.

Can I store the secret outside the database?

Yes. Define CAP_CAPTCHA_SECRET_KEY in wp-config.php and the plugin will use it instead of the value saved in wp_options.

What is “fail-open” mode?

When enabled, the plugin lets submissions through if the Cap server is unreachable. Off by default — only turn it on if temporary outages must not block legitimate users (logins, checkouts).

Does the bundled `cap-widget` script make any external requests?

No third-party CDN requests. All widget assets are bundled and served from this plugin, including the pako decompression library (assets/js/vendor/pako_inflate.min.js), which older browsers without the native DecompressionStream API load locally instead of from jsdelivr. The only network requests the widget makes are to your own Cap endpoint to fetch and verify challenges.

Reviews

There are no reviews for this plugin.

Contributors & Developers

“Privacy CAPTCHA for Cap” is open source software. The following people have contributed to this plugin.

Contributors

Translate “Privacy CAPTCHA for Cap” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog

1.0.0

  • Initial release.
  • Gravity Forms field (inline / floating / programmatic display).
  • Comments, login, registration, WooCommerce integrations.
  • Fully self-hosted assets — WASM module, cap-widget script, and pako library all bundled and served locally; no third-party CDN is contacted at runtime. DSGVO-clean by default.
  • WP 6.5 native script-module loading.
  • Top-level Settings Privacy CAPTCHA for Cap page with integration toggles, WASM source choice (this plugin or your own Cap server), fail-open switch.
  • German translations.

Meta

Ratings

No reviews have been submitted yet.

Your review

See all reviews

Support

Got something to say? Need help?

View support forum