GDPR Cookieless CAPTCHA for WooCommerce & Forms – captchaapi.eu
Protects WooCommerce (login, registration, lost password, checkout), Contact Form 7, WPForms, Fluent Forms, Formidable Forms, Forminator, Gravity Forms and Elementor Forms – cookieless, EU-hosted, no cookie banner required.
A privacy-first alternative to reCAPTCHA: captchaapi.eu stops form spam without making your visitors click traffic lights. A free tier with commercial use allowed gets you started. The work happens in the background: the visitor’s browser solves a small proof-of-work puzzle while they fill in the form, and a token rides along with the submission. There is nothing to solve and nothing to see.
When a form is submitted, your server confirms that token with captchaapi.eu over a single request, secured by your secret key. It is the same model every hosted CAPTCHA uses, and it keeps the secret on your server, never in the browser.
Privacy by design
- No cookies, and nothing to add to a cookie banner.
- No tracking and no visitor profile. The IP address is used only for rate limiting and abuse detection, then dropped; it is never written to a database.
- Hosted only in the EU, in Nuremberg, Germany. No data leaves the EU.
- No images and no puzzles to solve. The check runs in the background, so it works the same for every visitor, including people who find image challenges difficult or browse with a screen reader.
- A free tier, with commercial use allowed.
Forms and plugins it protects
WordPress core:
- Login (wp-login.php)
- Registration
- Lost password
- Comments
WooCommerce:
- Login
- Registration
- Lost password
- Checkout
Form plugins:
- Contact Form 7
- WPForms
- Fluent Forms
- Formidable Forms
- Forminator
- Gravity Forms
- Elementor Forms
Each form can be turned on or off from the settings screen. The WooCommerce and form-plugin options appear only when that plugin is active.
How it works
- The widget loads on the pages with a protected form and solves a proof-of-work puzzle in a Web Worker.
- On submit, it attaches the resulting token to the form.
- The plugin confirms the token with captchaapi.eu using your secret key and rejects the submission if the service does not accept it.
Each token verifies exactly once – the service enforces single use – so the plugin keeps no local replay table and nothing to clean up on a schedule.
You need an account
This plugin connects to the captchaapi.eu service. Create a project at https://captchaapi.eu to get a site key and a secret key. A free tier is available.
External services
This plugin connects to captchaapi.eu, a third-party CAPTCHA service, to protect your forms from spam. It is required for the plugin to function.
On any public page that contains a protected form, the plugin loads the service’s widget script (captcha.js) from your configured captchaapi.eu endpoint. The visitor’s browser then communicates with the captchaapi.eu API to perform a proof-of-work challenge and obtain a token that is attached to the form on submit. This happens for every visitor who loads a protected form.
To issue and validate a token the service receives your public site key, the proof-of-work result, and – as with any HTTP request – the visitor’s IP address. The IP address is used for rate limiting and abuse/bot detection (including a coarse, IP-derived country) and is processed transiently: a hashed form and aggregate counters are held briefly in a cache. No raw IP address and no per-visitor record are written to a database. The service sets no cookies. Data is processed on servers in the EU (Nuremberg, Germany).
When a protected form is submitted, your server sends the token to the captchaapi.eu /verify endpoint, authenticated with your secret key, and trusts the service’s accept-or-reject answer. The secret key stays on your server and is never sent to the browser.
- Service provider: captchaapi.eu
- Terms of Service: https://captchaapi.eu/legal/terms
- Privacy Policy: https://captchaapi.eu/legal/privacy