{"id":325675,"date":"2026-06-19T07:12:52","date_gmt":"2026-06-19T07:12:52","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/cap-captcha\/"},"modified":"2026-06-19T07:12:22","modified_gmt":"2026-06-19T07:12:22","slug":"privacy-captcha-for-cap","status":"publish","type":"plugin","link":"https:\/\/wordpress.org\/plugins\/privacy-captcha-for-cap\/","author":6326268,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.0.0","stable_tag":"1.0.0","tested":"7.0","requires":"6.5","requires_php":"8.3","requires_plugins":null,"header_name":"Privacy CAPTCHA for Cap","header_author":"Zirkel Design","header_description":"Privacy-friendly spam protection for WordPress comments, login, registration, WooCommerce checkout, and Gravity Forms, powered by your own Cap (trycap.dev) server.","assets_banners_color":"31b07d","last_updated":"2026-06-19 07:12:22","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/github.com\/zirkeldesign\/privacy-captcha-for-cap","header_author_uri":"https:\/\/zirkel.design","rating":0,"author_block_rating":0,"active_installs":0,"downloads":26,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.0":{"tag":"1.0.0","author":"d.sturm","date":"2026-06-19 07:12:22"}},"upgrade_notice":[],"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3578211,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3578211,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256},"icon.svg":{"filename":"icon.svg","revision":3578211,"resolution":false,"location":"assets","locale":false}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3578211,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3578211,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.0"],"block_files":[],"assets_screenshots":[],"screenshots":[]},"plugin_section":[],"plugin_tags":[362,107,34331,599,286],"plugin_category":[44,45,54],"plugin_contributors":[256580],"plugin_business_model":[],"class_list":["post-325675","plugin","type-plugin","status-publish","hentry","plugin_tags-captcha","plugin_tags-comments","plugin_tags-proof-of-work","plugin_tags-spam","plugin_tags-woocommerce","plugin_category-discussion-and-community","plugin_category-ecommerce","plugin_category-security-and-spam-protection","plugin_contributors-dsturm-1","plugin_committers-dsturm"],"banners":{"banner":"https:\/\/ps.w.org\/privacy-captcha-for-cap\/assets\/banner-772x250.png?rev=3578211","banner_2x":"https:\/\/ps.w.org\/privacy-captcha-for-cap\/assets\/banner-1544x500.png?rev=3578211","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":"https:\/\/ps.w.org\/privacy-captcha-for-cap\/assets\/icon.svg?rev=3578211","icon":"https:\/\/ps.w.org\/privacy-captcha-for-cap\/assets\/icon.svg?rev=3578211","icon_2x":false,"generated":false},"screenshots":[],"raw_content":"<!--section=description-->\n<p><strong>Privacy CAPTCHA for Cap<\/strong> integrates <a href=\"https:\/\/trycap.dev\/\">Cap<\/a> \u2014 a self-hosted, privacy-friendly, proof-of-work CAPTCHA \u2014 into the parts of WordPress that attract the most spam: comments, login, user registration, WooCommerce checkout, and Gravity Forms.<\/p>\n\n<p>Unlike third-party CAPTCHAs (reCAPTCHA, hCaptcha, Turnstile), Cap runs the proof-of-work entirely in the visitor's browser and verifies the token against your own Cap server. No data leaves your infrastructure.<\/p>\n\n<blockquote>\n  <p><strong>Unofficial integration.<\/strong> Cap is an independent open-source project by tiagozip (https:\/\/trycap.dev\/, Apache-2.0). This plugin is a third-party integration and is <strong>not affiliated with, endorsed by, or sponsored by<\/strong> the Cap project. \"Cap\" refers to that project solely to describe what this plugin works with.<\/p>\n<\/blockquote>\n\n<h4>Features<\/h4>\n\n<ul>\n<li><strong>First-class Gravity Forms field<\/strong> \u2014 drag a \"Privacy CAPTCHA for Cap\" into any form from the Advanced Fields group. Per-field display-mode override.<\/li>\n<li><strong>WordPress comments, wp-login, registration<\/strong> integrations \u2014 togglable from one settings page.<\/li>\n<li><strong>WooCommerce checkout<\/strong> integration \u2014 only loads when WooCommerce is active.<\/li>\n<li><strong>Three display modes<\/strong>: inline widget, floating popover, or fully programmatic (auto-solves silently).<\/li>\n<li><strong>Fully self-hosted assets<\/strong> \u2014 the proof-of-work WebAssembly module, the cap-widget script, and the pako decompression library all ship inside the plugin and are served locally, so no jsdelivr or other third-party CDN is contacted at runtime. DSGVO\/GDPR-clean by default.<\/li>\n<li><strong>WP 6.5+ native script-module API<\/strong> for proper ES-module loading.<\/li>\n<li><strong>i18n-ready<\/strong> with German translations bundled.<\/li>\n<li><strong>Theme-friendly CSS<\/strong> built on Gravity Forms Orbital tokens with <code>--cap-captcha-*<\/code> overrides.<\/li>\n<li><strong>Filter hooks<\/strong> for asset URLs, button classes, i18n strings, and the display mode.<\/li>\n<\/ul>\n\n<h4>Requirements<\/h4>\n\n<ul>\n<li>WordPress 6.5 or later<\/li>\n<li>PHP 8.3 or later<\/li>\n<li>A reachable Cap server (see https:\/\/trycap.dev\/)<\/li>\n<li>Gravity Forms 2.5+ (only if you enable the Gravity Forms integration)<\/li>\n<li>WooCommerce (only if you enable the WooCommerce integration)<\/li>\n<\/ul>\n\n<!--section=installation-->\n<ol>\n<li>Upload the <code>privacy-captcha-for-cap<\/code> folder to <code>\/wp-content\/plugins\/<\/code>.<\/li>\n<li>Activate the plugin via the <em>Plugins<\/em> menu in WordPress.<\/li>\n<li>Go to <strong>Settings \u2192 Privacy CAPTCHA for Cap<\/strong> and enter your Cap endpoint URL, site key, and secret key.<\/li>\n<li>Tick the integrations you want to enable.<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"is%20this%20an%20official%20cap%20plugin%3F\"><h3>Is this an official Cap plugin?<\/h3><\/dt>\n<dd><p>No. Cap is an independent open-source project by tiagozip (https:\/\/trycap.dev\/), licensed under Apache-2.0. This plugin is an unofficial third-party integration and is not affiliated with or endorsed by the Cap project. We reference the \"Cap\" name only to indicate which software this plugin works with.<\/p><\/dd>\n<dt id=\"where%20do%20i%20get%20a%20cap%20endpoint%2C%20site%20key%20and%20secret%3F\"><h3>Where do I get a Cap endpoint, site key and secret?<\/h3><\/dt>\n<dd><p>You provision those in your self-hosted Cap server. See the Cap documentation at https:\/\/trycap.dev\/.<\/p><\/dd>\n<dt id=\"where%20is%20the%20wasm%20loaded%20from%3F\"><h3>Where is the WASM loaded from?<\/h3><\/dt>\n<dd><p>By default: from the copy bundled inside this plugin at <code>wp-content\/plugins\/privacy-captcha-for-cap\/assets\/wasm\/cap_wasm_bg.wasm<\/code>. You can optionally switch to your own Cap server's <code>\/assets\/cap_wasm_bg.wasm<\/code> endpoint under <strong>Settings \u2192 Privacy CAPTCHA for Cap \u2192 Privacy<\/strong>. Either way the file is served from your own infrastructure \u2014 no third-party CDN is contacted.<\/p><\/dd>\n<dt id=\"why%20is%20a%20%60.wasm%60%20file%20bundled%2C%20and%20where%20does%20it%20come%20from%3F\"><h3>Why is a `.wasm` file bundled, and where does it come from?<\/h3><\/dt>\n<dd><p>The bundled <code>assets\/wasm\/cap_wasm_bg.wasm<\/code> is the WebAssembly module the Cap widget uses to run the proof-of-work challenge in the visitor's browser. Bundling it locally is the privacy-friendly default: it means no third-party CDN (jsdelivr) is contacted at page load, so visitor IPs are never shared (DSGVO\/GDPR-clean).<\/p>\n\n<p>It is the unmodified upstream file from the <code>@cap.js\/wasm<\/code> npm package (Apache-2.0), part of the open-source Cap project. The plugin does not alter it. Its source and build live in the Cap repository at https:\/\/github.com\/tiagozip\/cap, and the vendoring step is reproducible via <code>scripts\/build-assets.mjs<\/code> (<code>bun run build<\/code>), which copies the file verbatim and <code>bun run build:check<\/code> verifies it matches upstream.<\/p><\/dd>\n<dt id=\"can%20i%20store%20the%20secret%20outside%20the%20database%3F\"><h3>Can I store the secret outside the database?<\/h3><\/dt>\n<dd><p>Yes. Define <code>CAP_CAPTCHA_SECRET_KEY<\/code> in <code>wp-config.php<\/code> and the plugin will use it instead of the value saved in <code>wp_options<\/code>.<\/p><\/dd>\n<dt id=\"what%20is%20%22fail-open%22%20mode%3F\"><h3>What is \"fail-open\" mode?<\/h3><\/dt>\n<dd><p>When enabled, the plugin lets submissions through if the Cap server is unreachable. Off by default \u2014 only turn it on if temporary outages must not block legitimate users (logins, checkouts).<\/p><\/dd>\n<dt id=\"does%20the%20bundled%20%60cap-widget%60%20script%20make%20any%20external%20requests%3F\"><h3>Does the bundled `cap-widget` script make any external requests?<\/h3><\/dt>\n<dd><p>No third-party CDN requests. All widget assets are bundled and served from this plugin, including the <code>pako<\/code> decompression library (<code>assets\/js\/vendor\/pako_inflate.min.js<\/code>), which older browsers without the native <code>DecompressionStream<\/code> API load locally instead of from jsdelivr. The only network requests the widget makes are to your own Cap endpoint to fetch and verify challenges.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release.<\/li>\n<li>Gravity Forms field (inline \/ floating \/ programmatic display).<\/li>\n<li>Comments, login, registration, WooCommerce integrations.<\/li>\n<li>Fully self-hosted assets \u2014 WASM module, cap-widget script, and pako library all bundled and served locally; no third-party CDN is contacted at runtime. DSGVO-clean by default.<\/li>\n<li>WP 6.5 native script-module loading.<\/li>\n<li>Top-level Settings \u2192 Privacy CAPTCHA for Cap page with integration toggles, WASM source choice (this plugin or your own Cap server), fail-open switch.<\/li>\n<li>German translations.<\/li>\n<\/ul>","raw_excerpt":"Privacy-friendly spam protection for comments, login, registration, WooCommerce, and Gravity Forms, powered by your own Cap server.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/325675","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=325675"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/dsturm"}],"wp:attachment":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=325675"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=325675"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=325675"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=325675"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=325675"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=325675"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}