Title: HashCash – Proof of Work CAPTCHA Author: RicheyWeb Published: June 15, 2026 Last modified: June 15, 2026 --- Search plugins ![](https://s.w.org/plugins/geopattern-icon/captcha-hashcash.svg) # HashCash – Proof of Work CAPTCHA By [RicheyWeb](https://profiles.wordpress.org/richeyweb/) [Download](https://downloads.wordpress.org/plugin/captcha-hashcash.1.0.10.zip) * [Details](https://wordpress.org/plugins/captcha-hashcash/#description) * [Reviews](https://wordpress.org/plugins/captcha-hashcash/#reviews) * [Installation](https://wordpress.org/plugins/captcha-hashcash/#installation) * [Development](https://wordpress.org/plugins/captcha-hashcash/#developers) [Support](https://wordpress.org/support/plugin/captcha-hashcash/) ## Description **HashCash** stops spam by making the visitor’s browser do the work — not the visitor. While your user fills out a form, HashCash runs a cryptographic proof-of-work calculation silently in the background. By the time they hit Submit, the work is done. No checkbox to click. No images to identify. No third-party service watching over their shoulder. This is the WordPress port of a Joomla plugin with a 12-year track record — originally released three years before Google launched reCAPTCHA v3. The core idea hasn’t changed: spam protection should be invisible to real users and brutal to bots. **What makes HashCash different:** * **No third-party services.** No reCAPTCHA, no hCaptcha, no Cloudflare Turnstile. Nothing phones home. * **No tracking, no cookies.** GDPR and CCPA friendly by design, not by policy. * **Nothing for users to solve.** A brief “Securing this form…” indicator appears while the calculation runs — that’s it. No puzzles, no clicks, no friction. * **Logged-in users are exempt.** Trusted users never see the indicator at all. * **Adjustable difficulty.** SHA-256 at level 1 by default for maximum compatibility. Argon2id available for sites that need state-of-the-art memory-hard hashing. * **Bot punishment mode.** Suspicious behavior triggers difficulty so high the proof-of-work becomes computationally unsolvable. The bot spins forever. Legitimate users never notice. * **Automatic protection.** Works out of the box on WordPress comments, login, registration, lost password, and Contact Form 7. No configuration required. **Supported hash algorithms:** * SHA-256 (default — fast, broadly compatible) * SHA-384 / SHA-512 * PBKDF2 * PBKDF2 (64KB) * Argon2id (recommended for maximum security— requires PHP sodium extension) **Works automatically with:** * WordPress comment forms * WordPress login form * WordPress registration form * WordPress lost password form * Contact Form 7 **Add to any other form:** Use the shortcode `[hashcash]` to add protection to any form on your site. ### Support For support, feature requests, or custom integrations: https://www.richeyweb.com/ HashCash for WordPress is maintained by Michael Richey — author of the original Joomla HashCash plugin, with over 12 years of proof-of-work CAPTCHA development. ## Installation 1. Upload the `captcha-hashcash` folder to `/wp-content/plugins/` 2. Activate through the **Plugins** menu in WordPress 3. Go to **Settings HashCash** to review defaults 4. Done. All supported forms are protected automatically. No API keys. No account required. No third-party setup. ## FAQ ### Does this replace reCAPTCHA / hCaptcha? Yes. HashCash requires no third-party service, no API key, and sends no data to external servers. If you’re using reCAPTCHA or hCaptcha specifically to avoid tracking your users, HashCash is a direct replacement. ### What does the user actually see? While the proof-of-work calculation runs, a brief “Securing this form…” message appears and the submit button is temporarily disabled. When the calculation completes— usually within seconds at default settings — the button re-enables and the indicator disappears. There is nothing for the user to click, solve, or interact with. ### Do logged-in users see the indicator? No. Logged-in users are exempt from HashCash verification entirely. ### Will it slow down my site? No. The proof-of-work calculation runs in a Web Worker (a background browser thread) and only starts when the user interacts with the form. Your page load time is not affected. ### What is Argon2id and should I use it? Argon2id is the current gold standard for memory-hard cryptographic hashing — it’s specifically designed to be expensive for bots running at scale while remaining fast enough for individual users. It requires the PHP sodium extension (available by default in PHP 7.2+). If your server supports it, it’s the strongest option available. SHA-256 remains the default for maximum compatibility. ### What is “bot punishment mode”? When suspicious behavior is detected (automated form submission patterns, headless browsers, CDP runtime signatures), HashCash can either silently fail or make the proof-of-work impossible to solve. Punishment mode chooses the latter — the bot wastes significant compute resources without knowing it was detected, while legitimate users are unaffected. ### Does it work with Contact Form 7? Yes, automatically. If the user is not logged in, HashCash is injected into every CF7 form without any configuration. You can also use the `[hashcash]` shortcode for manual placement. ### Is it accessible? Yes. The indicator is visual feedback only — it does not interfere with screen readers or keyboard navigation. There is no interactive challenge of any kind. ### What happens if the proof-of-work expires? Each proof-of-work calculation is timestamped. On submission, the server verifies that timestamp is within 30 minutes of the current time — this prevents replay attacks, where a bot captures a valid solution and reuses it repeatedly. HashCash automatically refreshes the calculation before it expires, so users who leave a form open for an extended period never encounter a validation failure on submission. ### Is this related to the original HashCash email anti-spam system? Yes. HashCash as a concept dates to 1997 — it was originally designed to combat email spam using proof-of-work. This plugin applies the same principle to web forms, using modern cryptographic algorithms where the original used SHA-1. ## Reviews There are no reviews for this plugin. ## Contributors & Developers “HashCash – Proof of Work CAPTCHA” is open source software. The following people have contributed to this plugin. Contributors * [ RicheyWeb ](https://profiles.wordpress.org/richeyweb/) [Translate “HashCash – Proof of Work CAPTCHA” into your language.](https://translate.wordpress.org/projects/wp-plugins/captcha-hashcash) ### Interested in development? [Browse the code](https://plugins.trac.wordpress.org/browser/captcha-hashcash/), check out the [SVN repository](https://plugins.svn.wordpress.org/captcha-hashcash/), or subscribe to the [development log](https://plugins.trac.wordpress.org/log/captcha-hashcash/) by [RSS](https://plugins.trac.wordpress.org/log/captcha-hashcash/?limit=100&mode=stop_on_copy&format=rss). ## Changelog #### 1.0.2 * Argon2id support added — state-of-the-art memory-hard hashing via PHP sodium extension * Smart proof-of-work refresh — automatically re-mines before expiration * Improved bot detection — CDP runtime detection, headless browser fingerprinting * Contact Form 7 automatic integration #### 1.0.1 * Bug fix: shortcode name attribute #### 1.0.0 * Initial WordPress release * Ported from Joomla HashCash (12-year track record) * SHA-256, SHA-384, SHA-512, PBKDF2 support * Automatic protection for comments, login, registration, lost password * Bot punishment mode * Adjustable difficulty (1–12) ## Meta * Version **1.0.10** * Last updated **2 days ago** * Active installations **Fewer than 10** * WordPress version ** 6.0 or higher ** * Tested up to **7.0** * PHP version ** 7.4 or higher ** * Tags * [anti-spam](https://wordpress.org/plugins/tags/anti-spam/)[antispam](https://wordpress.org/plugins/tags/antispam/) [captcha](https://wordpress.org/plugins/tags/captcha/)[contact form 7](https://wordpress.org/plugins/tags/contact-form-7/) [Proof of Work](https://wordpress.org/plugins/tags/proof-of-work/) * [Advanced View](https://wordpress.org/plugins/captcha-hashcash/advanced/) ## Ratings No reviews have been submitted yet. [Your review](https://wordpress.org/support/plugin/captcha-hashcash/reviews/#new-post) [See all reviews](https://wordpress.org/support/plugin/captcha-hashcash/reviews/) ## Contributors * [ RicheyWeb ](https://profiles.wordpress.org/richeyweb/) ## Support Got something to say? Need help? [View support forum](https://wordpress.org/support/plugin/captcha-hashcash/) ## Donate Would you like to support the advancement of this plugin? [ Donate to this plugin ](https://www.paypal.com/donate/?hosted_button_id=BTL9WZ8NU56RC)