The Invisible Shield Against Bots

Originally proposed by Adam Back in 2002, HashCash leverages a brilliant concept: proof-of-work, a computational challenge that demands a complex calculation embedded in your form, one so computationally intensive (requiring hundreds or thousands of attempts to solve) that bots or malicious scripts would waste prohibitive amounts of processor time trying to crack it.

When a user arrives at your form, the calculation runs silently in the background, completed automatically via JavaScript. The server then verifies the solution with a single, lightning-fast check—if correct, the user proceeds; if not, the submission fails. Bots relying on Python scripts or basic automation? They’re out of luck—they must use a JavaScript-enabled browser to pass, making form abuse a thing of the past.

Seamless and User-Friendly Captcha

The beauty of "Captcha - HashCash" lies in its invisibility. Your users won’t see or interact with it—it happens effortlessly behind the scenes, ensuring a frictionless experience. Whether they’re submitting a contact form, registering, or reporting a bug, they’ll enjoy a smooth process while your site remains protected. Want to see it in action? Visit our bug reporting page (link below)—while you won’t notice the CAPTCHA itself, watch your process monitor (e.g., top in Linux) to catch a CPU spike as the calculation runs!

Layers of Protection

• Choose your hashing level
  • SHA-256
  • SHA-384
  • SHA-512
  • PBKDF2 for enhanced GPU resistance
  • PBKDF2+64KB Memory Loop for even greater GPU resistance
• (Optional & Silent) Tor node blocking via Console - Tor Nodes
• (Optional & Silent) Realtime DNSBL integration

Simple, Powerful Configuration

Setting up "Captcha - HashCash" couldn't be easier. Open the plugin, choose your desired hashing algorithm (SHA-256 for speed, PBKDF2 for memory-hard GPU resistance), and set the difficulty level—ranging from 1 (minimum) to 4 (maximum)—to balance security and performance. For an extra layer of protection, enable the optional delayed calculation feature: the script waits until the user interacts with the form, foiling bots that rush submissions or linger too long. Bots waiting for the CAPTCHA? They'll wait forever. Bots submitting too quickly? They'll miss the mark. With PBKDF2, advanced bots face sequential computations that turn their GPU advantage into a bottleneck, eating up precious time and processor cycles per challenge.

Privacy-First Design for GDPR Compliance

GDPR-Compliant

In an era of stringent privacy regulations like the GDPR and EU e-Privacy Directive, "Captcha - HashCash" stands out as an ideal solution. Traditional CAPTCHAs often rely on external services (e.g., Google reCAPTCHA), which can introduce third-party cookies and tracking mechanisms—potential headaches for website owners aiming to comply with EU laws. HashCash eliminates these concerns entirely. By operating solely within your site’s JavaScript environment, it avoids external dependencies and prevents additional cookies from being placed on user systems. This self-contained approach not only enhances user trust but also simplifies compliance with privacy standards, making it a go-to choice for privacy-conscious developers and businesses.

Cutting-Edge Captcha Technology

2002 meets 2025

Powered by the Web Cryptography API and Subtle.Crypto, "Captcha - HashCash" harnesses modern JavaScript capabilities to deliver a lightweight, efficient solution. No third-party dependencies, no server strain—just robust, autonomous protection for your Joomla forms via this time-tested proof-of-work mechanism. The new PBKDF2 option adds memory-hardness, leveraging HMAC-SHA-256 iterations to slow parallel GPU attacks while keeping legitimate users moving - a true 2025 innovation on Adam Back's 2002 vision.

Protect your Joomla forms effortlessly with "Captcha - HashCash"—the painless, invisible CAPTCHA that keeps bots at bay while delighting your users by NOT making them do tricks like trained animals.

Advanced HashCash Features

They abuse your site, now you can abuse their bot. While monitoring for abnormal activity, the plugin CAN alter the calculation if a bot is detected. This alteration causes the solution to be impossible. The bot will calculate FOREVER, and if by magic - the bot manages to achieve the answer, the answer will be wrong. This feature is turned OFF by default so you can decide if you want to do this.

Enhanced GPU Resistance with PBKDF2

For sites facing sophisticated botnets, PBKDF2 introduces memory-hard, sequential hashing that turns GPU parallelization against attackers. Unlike SHA algorithms, which bots solve in microseconds on high-end hardware, PBKDF2's chained iterations (10,000+) require several seconds per challenge on GPUs, making bulk spam economically unviable. Admins can select it alongside SHA options, with tunable iterations for custom security levels, all while preserving the invisible, user-friendly experience.

The new PBKDF2+64KB mode adds a 64 KB memory loop, forcing bandwidth bottlenecks that push GPU solve times to 8–18 seconds, while keeping user delays under 3 seconds. Admins can select it alongside SHA options, with tunable iterations for custom security levels, all while preserving the invisible, user-friendly experience.

Site Requirements

There is only one - you MUST be running https. The plugin will not operate in insecure contexts. It requires you have a valid SSL certificate. Since they're free these days, this isn't a problem or concern for most sites.

Features

• Self-Hosted: No subscriptions, no services, no API keys, no cookies, GDPR-compliant.
• Configurable Difficulty: Adjust the calculation intensity from 1 to 4 for optimal security.
• Invisible Protection: No mangled text, math problems, or user interaction—just seamless defense.
• Automatic Completion: Runs silently in the background with JavaScript.
• Bot-Proof Design: Requires a JavaScript-enabled browser, thwarting automated scripts through proof-of-work challenges.
• Delayed Calculation (Optional/Default): Foils bots by timing the calculation to user interaction.
• Modern Tech: Leverages Web Cryptography API for efficient, cutting-edge security.
• Bot Countermeasures (Optional): When a bot is detected, the calculation becomes unsolvable.
• Choose Your Hashing Algorithm: SHA-256, SHA-384, SHA-512, PBFDK2, or PBKDF2+64KB Memory Loop (memory-hard GPU resistance).
• Realtime DNSBL: Several blacklist options to choose from, cached responses.
• Block Tor Nodes: Optionally prevent this kind of anonymity from spamming your forms.
• Privacy-Friendly: No external services or cookies, ensuring GDPR and EU e-Privacy Directive compliance.
• Sequential PBKDF2 Option: Slows GPU bots by seconds per challenge with chained iterations, allowing no parallelization advantage.