Adds Argon2id support and smart proof-of-work refresh. Recommended for all users.<\/p>"},"ratings":[],"assets_icons":[],"assets_banners":[],"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.10"],"block_files":[],"assets_screenshots":[],"screenshots":{"1":"Settings page \u2014 adjust difficulty, algorithm, and behavior options","2":"Form protection in action \u2014 brief indicator, no user interaction required"}},"plugin_section":[],"plugin_tags":[2656,109,362,1152,34331],"plugin_category":[44,54],"plugin_contributors":[267276],"plugin_business_model":[],"class_list":["post-310257","plugin","type-plugin","status-publish","hentry","plugin_tags-anti-spam","plugin_tags-antispam","plugin_tags-captcha","plugin_tags-contact-form-7","plugin_tags-proof-of-work","plugin_category-discussion-and-community","plugin_category-security-and-spam-protection","plugin_contributors-richeyweb","plugin_committers-richeyweb"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/s.w.org\/plugins\/geopattern-icon\/captcha-hashcash.svg","icon_2x":false,"generated":true},"screenshots":[],"raw_content":"\n
https:\/\/www.youtube.com\/watch?v=HbzP1NsaiwI<\/p>\n\n
HashCash<\/strong> stops spam by making the visitor's browser do the work \u2014 not the visitor.<\/p>\n\n While your user fills out a form, HashCash runs a cryptographic proof-of-work calculation silently in the background. By the time they hit Submit, the work is done. No checkbox to click. No images to identify. No third-party service watching over their shoulder.<\/p>\n\n This is the WordPress port of a Joomla plugin with a 12-year track record \u2014 originally released three years before Google launched reCAPTCHA v3. The core idea hasn't changed: spam protection should be invisible to real users and brutal to bots.<\/p>\n\n What makes HashCash different:<\/strong><\/p>\n\n Supported hash algorithms:<\/strong>\n* SHA-256 (default \u2014 fast, broadly compatible)\n* SHA-384 \/ SHA-512\n* PBKDF2\n* PBKDF2 (64KB)\n* Argon2id (recommended for maximum security \u2014 requires PHP sodium extension)<\/p>\n\n Works automatically with:<\/strong>\n* WordPress comment forms\n* WordPress login form\n* WordPress registration form\n* WordPress lost password form\n* Contact Form 7<\/p>\n\n Add to any other form:<\/strong><\/p>\n\n Use the shortcode For support, feature requests, or custom integrations:\nhttps:\/\/www.richeyweb.com\/<\/p>\n\n HashCash for WordPress is maintained by Michael Richey \u2014 author of the original Joomla HashCash plugin, with over 12 years of proof-of-work CAPTCHA development.<\/p>\n\n\n No API keys. No account required. No third-party setup.<\/p>\n\n\n Yes. HashCash requires no third-party service, no API key, and sends no data to external servers. If you're using reCAPTCHA or hCaptcha specifically to avoid tracking your users, HashCash is a direct replacement.<\/p><\/dd>\n While the proof-of-work calculation runs, a brief \"Securing this form...\" message appears and the submit button is temporarily disabled. When the calculation completes \u2014 usually within seconds at default settings \u2014 the button re-enables and the indicator disappears. There is nothing for the user to click, solve, or interact with.<\/p><\/dd>\n No. Logged-in users are exempt from HashCash verification entirely.<\/p><\/dd>\n No. The proof-of-work calculation runs in a Web Worker (a background browser thread) and only starts when the user interacts with the form. Your page load time is not affected.<\/p><\/dd>\n Argon2id is the current gold standard for memory-hard cryptographic hashing \u2014 it's specifically designed to be expensive for bots running at scale while remaining fast enough for individual users. It requires the PHP sodium extension (available by default in PHP 7.2+). If your server supports it, it's the strongest option available. SHA-256 remains the default for maximum compatibility.<\/p><\/dd>\n When suspicious behavior is detected (automated form submission patterns, headless browsers, CDP runtime signatures), HashCash can either silently fail or make the proof-of-work impossible to solve. Punishment mode chooses the latter \u2014 the bot wastes significant compute resources without knowing it was detected, while legitimate users are unaffected.<\/p><\/dd>\n Yes, automatically. If the user is not logged in, HashCash is injected into every CF7 form without any configuration. You can also use the Yes. The indicator is visual feedback only \u2014 it does not interfere with screen readers or keyboard navigation. There is no interactive challenge of any kind.<\/p><\/dd>\n Each proof-of-work calculation is timestamped. On submission, the server verifies that timestamp is within 30 minutes of the current time \u2014 this prevents replay attacks, where a bot captures a valid solution and reuses it repeatedly. HashCash automatically refreshes the calculation before it expires, so users who leave a form open for an extended period never encounter a validation failure on submission.<\/p><\/dd>\n\n
[hashcash]<\/code> to add protection to any form on your site.<\/p>\n\nSupport<\/h3>\n\n
\n
captcha-hashcash<\/code> folder to \/wp-content\/plugins\/<\/code><\/li>\n\n
Does this replace reCAPTCHA \/ hCaptcha?<\/h3><\/dt>\n
What does the user actually see?<\/h3><\/dt>\n
Do logged-in users see the indicator?<\/h3><\/dt>\n
Will it slow down my site?<\/h3><\/dt>\n
What is Argon2id and should I use it?<\/h3><\/dt>\n
What is \"bot punishment mode\"?<\/h3><\/dt>\n
Does it work with Contact Form 7?<\/h3><\/dt>\n
[hashcash]<\/code> shortcode for manual placement.<\/p><\/dd>\nIs it accessible?<\/h3><\/dt>\n
What happens if the proof-of-work expires?<\/h3><\/dt>\n