Crovly – Proof of Work Captcha & Spam Protection

Crovly is a privacy-first captcha service powered by Proof of Work. Unlike traditional captchas that rely on image puzzles (easily solved by AI) or invasive tracking, Crovly makes the visitor’s browser do computational work to prove it’s not a bot.

How it works:

1. Your visitor’s browser solves a small cryptographic puzzle (Proof of Work)
2. Browser fingerprint and environment signals are collected (as a hash — no personal data stored)
3. Behavioral analysis detects automated patterns (mouse, keyboard, scroll)
4. A composite score determines if the visitor is human

Key features:

• Privacy-friendly — No cookies, no cross-site tracking
• No image puzzles — Invisible to legitimate users
• Resistant to AI vision attacks — Proof of Work cannot be solved by image recognition
• IP binding — Tokens are bound to the solver’s IP address
• Adaptive difficulty — Suspicious visitors receive harder challenges
• 22+ integrations — Works with major WordPress form plugins
• Lightweight — Widget is under 25KB gzipped, zero dependencies, 42 languages

Supported integrations:

• WordPress login, registration, lost password, comments
• WooCommerce (checkout, login, register, lost password, pay for order)
• Contact Form 7
• WPForms
• Gravity Forms
• Elementor Pro Forms
• Ninja Forms
• Fluent Forms
• Formidable Forms
• Forminator
• Jetpack Contact Form
• Divi (contact form, login)
• BuddyPress (registration, activity)
• bbPress (topics, replies)
• Ultimate Member (login, register, password reset)
• MemberPress (checkout, login)
• Paid Memberships Pro
• Easy Digital Downloads
• Mailchimp for WordPress
• GiveWP
• wpDiscuz
• wpForo
• WordPress Multisite signup

Shortcode & PHP support:

Use [crovly] shortcode in any page or post, or call crovly_render() and crovly_verify() in your theme templates.

External services

This plugin relies on the Crovly captcha service to function. It connects to two external endpoints:

1. Crovly Widget CDN (get.crovly.com)

The plugin loads the JavaScript widget from https://get.crovly.com/widget.js on any page that contains a protected form. The widget runs Proof of Work in the visitor’s browser and collects a hashed browser fingerprint.

• When: Loaded on frontend pages that display a protected form (login, register, comment, checkout, etc.)
• What is sent: Standard HTTP request headers (IP address, user agent). No personal data.
• Terms of Service: https://crovly.com/terms
• Privacy Policy: https://crovly.com/privacy

2. Crovly Verification API (api.crovly.com)

When a visitor submits a protected form, the plugin sends the generated captcha token to https://api.crovly.com/verify-token for server-side verification.

• When: On form submission of any form protected by Crovly.
• What is sent: The captcha token (opaque string), the visitor’s IP address (for IP binding), and your Secret Key (for authentication).
• What is received: A success/failure response indicating whether the token is valid.
• Terms of Service: https://crovly.com/terms
• Privacy Policy: https://crovly.com/privacy

Both services are operated by Crovly. No data is shared with third parties. The plugin does not set cookies or track visitors across sites.