The plugin automatically injects a math question into your forms — users simply solve a calculation like “7 + 3 = ?” before they can submit. The submit button stays disabled until the correct answer is entered.

MW Math CAPTCHA for Joomla 5 & 6 -- Complete Feature List

Version: 4.1.0 | Author: Mertsch-Web | License: GNU GPL v2+

1. CAPTCHA Form Protection

| Feature | Description | Default |
|---|---|---|
| Protect frontend login | Show a math CAPTCHA on the frontend login (comusers and modlogin module) | Yes |
| Protect backend login | Show a math CAPTCHA on the administrator login (/administrator/) | No |
| Protect registration | Show a math CAPTCHA on user registration | Yes |
| Protect contact forms | Show a math CAPTCHA on Joomla contact forms (com_contact) | Yes |
| Double-injection protection | Prevents the CAPTCHA from being injected multiple times into the same form | Automatic |
| mod_login detection | Detects login modules in template positions and injects the CAPTCHA there as well | Automatic |

2. Math Challenge Configuration

| Feature | Description |
|---|---|
| Difficulty level | Three levels: Easy (1-10), Medium (5-50), Hard (10-100) |
| Addition (+) | Addition challenges as CAPTCHA type |
| Subtraction (-) | Subtraction challenges — larger number first (no negative results) |
| Multiplication (x) | Multiplication challenges with adjusted number ranges per difficulty |
| Operation selection | Any combination of the three operations can be enabled via checkboxes |
| Random selection | On each page load, a random challenge is generated from the enabled operations |

3. Time Lock (Brute-Force Protection)

| Feature | Description | Default |
|---|---|---|
| Enable time lock | Locks the user after too many failed attempts | No |
| Max failed attempts | Configurable from 1 to 100 | 5 |
| Lock duration | Options: 1 min, 5 min, 10 min, 30 min, 60 min | 5 min |
| Lock display | Red warning message with remaining lock time inside the CAPTCHA widget | Automatic |
| Automatic reset | Failure counter is reset after a correct answer | Automatic |
| Session-based | Lock applies per browser session | Automatic |

4. SQL Injection & LFI Protection

| Feature | Description | Default |
|---|---|---|
| SQL injection detection | Checks GET, POST, and COOKIE data against 17 SQLi patterns (UNION SELECT, INSERT INTO, DROP TABLE, SLEEP, BENCHMARK, etc.) | Yes |
| Local File Inclusion detection | Checks against 12 LFI patterns (directory traversal, /etc/passwd, php:// wrappers, null bytes, double-encoding, etc.) | Yes |
| Recursive input scanning | Nested array values are scanned as well | Automatic |
| 403 blocking | Suspicious requests are blocked immediately with HTTP 403 | Automatic |
| Logging | Optionally logs blocked requests to Joomla logs (administrator/logs/) with IP, attack type, method, and timestamp | No |

5. Third-Party Extensions

| Feature | Description |
|---|---|
| Rule-based injection | Inject the CAPTCHA via rules (component + view + task) into any Joomla extension forms |
| User-friendly UI | Visual editor with + button, three input fields (component, view, task), and a delete button per rule |
| Inline explanation | Detailed explanation with real examples (VirtueMart, RSForm, JoomShopping) directly in the backend |
| Automatic matching | Matches URL parameters (option, view, task) and injects the CAPTCHA before the submit button |
| JSON storage | Rules are stored as JSON — backward compatible with the old pipe format |

6. Premium Features (Paid)

| Feature | Description |
|---|---|
| Custom security questions | Define your own question/answer pairs instead of auto-generated math challenges |
| Visual question editor | UI with + button, numbered rows, question and answer fields, and delete button |
| Preferred usage | If custom questions are defined, they are used instead of math challenges |
| Hide branding | Disable the “Math CAPTCHA by Mertsch-Web” notice in the widget |
| showon control | Premium fields appear in the backend only when a valid premium code is entered |
| Stripe purchase button | Direct purchase button in the Info tab for the premium code (EUR 19.99 one-time) |
| Backward compatibility | Supports both the new JSON format and the old question-pipe-answer format |

7. CAPTCHA Widget (Frontend Display)

| Feature | Description |
|---|---|
| Modern design | Rounded box with icon, highlighted math question, and a styled input field |
| Dark mode support | Automatically adapts to dark browser/system themes via prefers-color-scheme |
| Responsive | Max width 420px, adapts to mobile devices |
| Accessibility | ARIA labels, aria-hidden for decorative elements, inputmode="numeric", placeholder texts |
| Numeric keyboard | Shows the numeric keyboard on mobile devices (inputmode="numeric") |
| Spinner suppression | No browser spinners on number input (WebKit/Firefox) |
| Branding link | Optional “Math CAPTCHA by Mertsch-Web” link to the plugin (can be disabled with Premium) |
| Help text | Explanation text below the input field |

8. Validation & Error Messages

| Feature | Description |
|---|---|
| Empty input | “Please solve the math challenge before submitting.” |
| Wrong answer | “The answer to the math challenge is incorrect. Please try again.” |
| Session expired | “Your session has expired. Please reload the page.” |
| Time lock active | “You are locked for about X minute(s). Please try again later.” |
| New challenge on error | A new challenge is generated automatically after a wrong answer |
| Session cleanup | After a correct answer, all CAPTCHA session data is removed |

9. Backend Configuration

| Feature | Description |
|---|---|
| 7 configuration tabs | Form Protection, Math Challenges, Info & Premium, Time Lock, Security, Third-Party |
| Vendor information | Developer, website, support email, version, and license shown in the Info tab |
| Premium purchase button | Green Stripe button with price directly in the Info tab |
| Dynamic showon fields | Premium fields appear only after valid code; time lock fields only after enabling |
| Custom form fields | Three custom Joomla field types: premiuminfo, customquestions, thirdpartyrules |

10. Multilingual Support

| Feature | Description |
|---|---|
| German (de-DE) | Complete German translation (ini + sys.ini) |
| English (en-GB) | Complete English translation (ini + sys.ini) |
| Automatic loading | Language files are loaded automatically via $autoloadLanguage = true |
| CDATA install description | HTML-formatted description on first install (no language key required) |

11. Update System

| Feature | Description |
|---|---|
| Joomla update server | Automatic update checks via XML update server |
| Joomla 5 compatibility | targetplatform 5.[0-9], PHP >= 8.1 |
| Joomla 6 compatibility | targetplatform 6.[0-9], PHP >= 8.2 |
| Upgrade method | method="upgrade" — updates an existing installation without data loss |
| Stable tag | Only stable releases are offered |

12. Technical Details

| Property | Value |
|---|---|
| Plugin type | System plugin (early execution) |
| Events | onAfterInitialise, onAfterRender |
| GDPR compliant | No external services, no cookies, no tracking data |
| Dependencies | No external libraries — Joomla core APIs only |
| Website | der-it-blog.de |
| Support | info@mertsch-web.de |
```