hCaptcha for WP

For non-standard cases, you can use the [hcaptcha] shortcode provided by the plugin.

For example, we support Contact Forms 7 automatically. However, sometimes a theme can modify the form. In this case, you can manually add the [cf7-hcaptcha] shortcode to the CF7 form.

To make hCaptcha work, the shortcode must be inside the

...

tag.
How do I migrate from reCAPTCHA or Turnstile?
Go to Settings → hCaptcha → Tools and use the Migration Wizard.

It scans your site for existing CAPTCHA providers, shows what can be migrated, and applies the changes in one click.
How do I use the new AI / Abilities features?
hCaptcha exposes selected security actions via the WordPress Abilities API for use with automation tools, WP-CLI, and AI agents, making it suitable for agencies managing multiple WordPress sites. Requires WordPress 6.9 or newer.

The typical workflow consists of two steps: inspect threats and block offenders.

** 1. Inspect recent threat activity **

You can request an aggregated threat snapshot for a given time window.

Using WP-CLI:

wp ability run hcaptcha/get-threat-snapshot --input='{"window":"55d"}' --user=admin

Using REST API (authenticated):

curl --globoff -u "USER:APP_PASSWORD" \
"https://example.com/wp-json/wp-abilities/v1/abilities/hcaptcha/get-threat-snapshot/run?input[window]=55d"

The response includes:
* overall metrics (total requests, failure rate)
* dominant attack signals
* breakdown by error type and form source
* a list of top offenders (if present)

Example (simplified):

{
"metrics": { "total": 353, "failed": 215 },
"signals": { "attack_likelihood": "high" },
"breakdown": {
"errors": { "empty": 160, "spam": 16 },
"offenders": [
{
"offender_id": "a1376a016c4156933c4d49b0bc56fa01",
"type": "ip",
"count": 2
}
]
}
}

** 2. Block abusive offenders **

If an offender appears suspicious, you can block it using its offender_id.

Using WP-CLI:

wp ability run hcaptcha/block-offenders \
--input='{"offender_ids":["a1376a016c4156933c4d49b0bc56fa01"]}' \
--user=admin

Using REST API (authenticated):

curl --globoff -u "USER:APP_PASSWORD" \
"https://example.com/wp-json/wp-abilities/v1/abilities/hcaptcha/block-offenders/run?input[offender_ids][]=a1376a016c4156933c4d49b0bc56fa01"

Example response:

{
"blocked": ["a1376a016c4156933c4d49b0bc56fa01"],
"effective_until": "2026-01-01T22:22:09Z"
}

** What is offender_id? **

offender_id is a stable hash of the IP address.

Raw IP addresses are never exposed to automation clients or AI agents.

This allows privacy-safe analysis and blocking, while still enabling deterministic enforcement.

** Can AI agents use this automatically? **

Yes.
You can point an AI agent to a WordPress site with Abilities enabled and instruct it to:
* discover available abilities
* collect threat statistics
* decide whether activity looks abusive
* block the most active offenders

Internally, the agent performs the same commands shown above (wp ability list, get-threat-snapshot, block-offenders).

** 3. Export plugin settings **

You can export current plugin settings as JSON (optionally including keys) for backup or migration.

Using WP-CLI:

wp ability run hcaptcha/export-settings --include_keys --user=admin

Using REST API (authenticated):

curl --globoff -u "USER:APP_PASSWORD" \
"https://example.com/wp-json/wp-abilities/v1/abilities/hcaptcha/export-settings/run?input[include_keys]=1"

** 4. Import plugin settings **

Import settings from a JSON file path on the server. Use allow_keys to apply the keys block and dry_run to validate without saving.

Using WP-CLI:

wp ability run hcaptcha/import-settings --allow_keys --dry-run=false --user=igor --input_file=1.json

Using REST API (authenticated):

curl --globoff -u "USER:APP_PASSWORD" \
"https://example.com/wp-json/wp-abilities/v1/abilities/hcaptcha/import-settings/run?input[input_file]=%2Fpath%2Fto%2Fhcaptcha-settings.json&input[allow_keys]=1&input[dry_run]=0"

WP-CLI commands for exporting and importing settings
The plugin also adds the wp hcaptcha export and wp hcaptcha import commands.

Export settings

`

wp hcaptcha export --pretty > hcaptcha-settings.json
wp hcaptcha export --include-keys --file=./hcaptcha-settings.json
`

Parameters:
* --include-keys — include the site_key and secret_key values.
* --pretty — pretty-print JSON for readability.
* --file=<path> — write JSON to a file instead of STDOUT.

Import settings

`

wp hcaptcha import ./hcaptcha-settings.json
wp hcaptcha import ./hcaptcha-settings.json --dry-run
wp hcaptcha import ./hcaptcha-settings.json --allow-keys
`

Parameters:
* --dry-run — validate the JSON without saving.
* --allow-keys — allow importing keys from the keys block.
You don't support plugin X. How can I get support for it added?
Open a PR on GitHub: or just email the authors of plugin X. Adding hCaptcha support is typically quite a quick task for most plugins.
Does the [hcaptcha] shortcode have arguments?
Full list of arguments:

[hcaptcha action="my_hcap_action" name="my_hcap_name" auto="true|false" ajax="true|false" force="true|false" theme="light|dark|auto" size="normal|compact|invisible"]

The shortcode adds not only the hCaptcha div to the form but also a nonce field. You can set your own nonce action and name. For this, use arguments in the shortcode:

[hcaptcha action="my_hcap_action" name="my_hcap_name"]

and in the verification:

$result = \HCaptcha\Helpers\API::verify_post( 'my_hcap_name', 'my_hcap_action' );

For the explanation of the auto="true|false" argument, see the section "How to automatically verify an arbitrary form". By default, auto="false".

The argument force="true|false" allows forcing verification of hCaptcha widget before submitting the form. By default, force="false".

The argument size="normal|compact|invisible" allows setting the size of hCaptcha widget. By default, size="normal".
How to add hCaptcha to an arbitrary form
First, add the hCaptcha snippet to the form.

If you create the form as an HTML block in the post content, insert the shortcode [hcaptcha] inside it. It may look like this:

<form method="post">
<input type="text" name="test_input">
<input type="submit" value="Send">
[hcaptcha]
</form>

If you create the form programmatically, insert the following statement inside it:

?>
<form method="post">
<input type="text" name="test_input">
<input type="submit" value="Send">
<?php echo do_shortcode( '[hcaptcha]' ); ?>
</form>
<?php

Secondly, verify the result of hCaptcha challenge.

$result = \HCaptcha\Helpers\API::verify_request();

if ( null !== $result ) {
echo esc_html( $result );
// Block processing of the form.
}

[hcaptcha auto="true"]

and insert this shortcode into your form.

Auto-verification works with forms sent by POST on frontend only. It works with forms in the post content and in widgets.

You can add also force="true" or force="1" argument to prevent sending a form without checking the hCaptcha.

[hcaptcha auto="true" force="true"]

Arbitrary forms can also be verified in ajax via the ajax argument. There is no need to specify auto="true" in this case, as ajax implies auto="true".

[hcaptcha ajax="true"]

How to block hCaptcha entirely on a specific page?
hCaptcha starts early, so you cannot use standard WP functions to determine the page. For instance, to block it on my-account page, add the following code to your plugin's (or mu-plugin's) main file. This code won't work being added to a theme's functions.php file.

/**
* Filter hCaptcha activation flag.
*
* @param bool|mixed $activate The activate flag.
*
* @return bool
*/
function my_hcap_activate( $activate ): bool {
$status = (bool) $status;

$url = isset( $_SERVER['REQUEST_URI'] ) ?
filter_var( wp_unslash( $_SERVER['REQUEST_URI'] ), FILTER_SANITIZE_FULL_SPECIAL_CHARS ) :
'';

if ( '/my-account/' === $url ) {
return false;
}

return $activate;
}

add_filter( 'hcap_activate', 'my_hcap_activate' );

/**
* Block inline styles.
*
* @return void
*/
function hcap_block_inline_styles() {
if ( is_page( 'contact' ) ) {
return;
}

$hcaptcha = hcaptcha();

remove_action( 'wp_head', [ $hcaptcha, 'print_inline_styles' ] );
remove_filter( 'wp_resource_hints', [ $hcaptcha, 'prefetch_hcaptcha_dns' ] );
}

add_action( 'wp_head', 'hcap_block_inline_styles', 0 );

Skipping hCaptcha verification on a specific form
The plugin has a filter to skip adding and verifying hCaptcha on a specific form. The filter receives three parameters: current protection status ('true' by default), source, and form_id.

The source is the plugin's slug (like 'directory/main-plugin-file.php'), the theme name (like 'Avada') or the WordPress core (like 'WordPress').

The form_id is the form_id for plugins like Gravity Forms or WPForms, the post id for comments, or a general name of the form when the form does not have an id (like WordPress core login form).

Filter arguments for some plugins/forms are listed below.

Affiliates
$source: 'affiliates/affiliates.php'
$form_id: 'login' or 'register'

Back In Stock Notifier
$source: 'back-in-stock-notifier-for-woocommerce/cwginstocknotifier.php'
$form_id: product_id

BBPress
$source: 'bbpress/bbpress.php'
$form_id: 'new_topic', 'reply', 'login', 'register' or 'lost_password'

Beaver Builder
$source: 'bb-plugin/fl-builder.php'
$form_id: 'contact' or 'login'

Blocksy
$source: 'blocksy'
$form_id: 'newsletter-subscribe', '$layer["__id"]', or 'product_id

Brizy
$source: 'brizy/brizy.php'
$form_id: 'form'

BuddyPress
$source: 'buddypress/bp-loader.php'
$form_id: 'create_group' or 'register'

Classified Listing
$source: 'classified-listing/classified-listing.php'
$form_id: 'contact', 'login', 'lost_password' or 'register'

Divi
$source: 'Divi'
$form_id: post_id for comment form, 'contact', 'email_optin', or 'login'

Easy Digital Downloads
$source: 'easy-digital-downloads/easy-digital-downloads.php'
$form_id: 'checkout', 'login', 'lost_password' or 'register'

Elementor Pro
$source: 'elementor-pro/elementor-pro.php'
$form_id: Form ID set for the form Content->Additional Options or 'login'

Events Manager
$source: 'events-manager/events-manager.php'
$form_id: event_id

Icegram Express
$source: 'email-subscribers/email-subscribers.php'
$form_id: form_id

Customer Reviews for WooCommerce
$source: 'customer-reviews-woocommerce/ivole.php'
$form_id: review or q&a

Jetpack
$source: 'jetpack/jetpack.php'
$form_id: 'contact_$form_hash'

Kadence Form
$source: 'kadence-blocks/kadence-blocks.php'
$form_id: post_id

Kadence Advanced Form
$source: 'kadence-blocks/kadence-blocks.php'
$form_id: form_id

LearnDash
$source: 'sfwd-lms/sfwd_lms.php'
$form_id: 'login', 'lost_password' or 'register'

LearnPress
$source: 'learnpress/learnpress.php'
$form_id: 'checkout', ''login', or 'register'

Login/Signup Popup
$source: 'easy-login-woocommerce/xoo-el-main.php'
$form_id: 'login', or 'register'

MemberPress
$source: 'memberpress/memberpress.php'
$form_id: 'login' or 'register'

Paid Memberships Pro
$source: 'paid-memberships-pro/paid-memberships-pro.php'
$form_id: 'checkout' or 'login'

Passster
$source: 'content-protector/content-protector.php'
$form_id: area_id

Password Protected
$source: 'password-protected/password-protected.php'
$form_id: 'protect'

Profile Builder
$source: 'profile-builder/index.php'
$form_id: 'login', 'lost_password' or 'register'

Simple Membership
$source: 'simple-membership/simple-wp-membership.php'
$form_id: 'login', 'lost_password' or 'register'

Subscriber
$source: 'subscriber/subscriber.php'
$form_id: 'form'

Support Candy
$source: 'supportcandy/supportcandy.php'
$form_id: 'form'

Theme My Login
$source: 'theme-my-login/theme-my-login.php'
$form_id: 'login', 'lost_password' or 'register'

Tutor LMS
$source: 'tutor/tutor.php'
$form_id: 'checkout', ''login', 'lost_password' or 'register'

Ultimate Addons
$source: 'ultimate-elementor/ultimate-elementor.php'
$form_id: 'login' or 'register'

Ultimate Member
$source: 'ultimate-member/ultimate-member.php'
$form_id: form_id or 'password'

UsersWP
$source: 'userswp/userswp.php'
$form_id: 'forgot', 'login' or 'register'

WooCommerce Germanized
$source: 'woocommerce-germanized/woocommerce-germanized.php'
$form_id: 'return_request'

WooCommerce Wishlist
$source: 'woocommerce-wishlists/woocommerce-wishlists.php'
$form_id: 'form'

wpDiscuz
$source: 'wpdiscuz/class.WpdiscuzCore.php'
$form_id: post_id

WPForms
$source: 'wpforms-lite/wpforms.php' or 'wpforms/wpforms.php'
$form_id: form_id

wpForo
$source: 'wpforo/wpforo.php'
$form_id: 'new_topic' for a new topic form and topicid for a reply form. Topicid can be found in HTML code searching for 'data-topicid' in Elements.

Wordfence Login Security
$source: 'wordfence-login-security/wordfence-login-security.php'
$form_id: 'login'

Wordfence Security
$source: 'wordfence/wordfence.php'
$form_id: 'login'

WordPress Core
$source: 'WordPress'
$form_id: post_id for comment form, 'login', 'lost_password', 'password_protected', or 'register'

WooCommerce
$source: 'woocommerce/woocommerce.php'
$form_id: 'checkout', 'login', 'lost_password', 'order_tracking', or 'register'

Below is an example of how to skip the hCaptcha widget on a Gravity Form with id = 1.

/**
* Filters the protection status of a form.
*
* @param string|mixed $value The protection status of a form.
* @param string[] $source Plugin(s) serving the form.
* @param int|string $form_id Form id.
*
* @return bool
*/
function hcap_protect_form_filter( $value, $source, $form_id ): bool {
$value = (bool) $value;

if ( ! in_array( 'gravityforms/gravityforms.php', $source, true ) ) {
// The form is not sourced by Gravity Forms plugin.
return $value;
}

if ( 1 !== (int) $form_id ) {
// The form has id !== 1.
return $value;
}

// Turn off protection for a Gravity form with id = 1.
return false;
}

add_filter( 'hcap_protect_form', 'hcap_protect_form_filter', 10, 3 );

How can I show the hCaptcha widget instantly?
The plugin loads the hCaptcha script with a delay until user interaction: mouseenter, click, scroll, or touch. This significantly improves Google Pagespeed Insights score.

To load the hCaptcha widget instantly, you can use the following filter:

/**
* Filters delay time for hCaptcha API script.
*
* Any negative value will prevent the API script from loading at all,
* until user interaction: mouseenter, click, scroll, or touch.
* This significantly improves Google Pagespeed Insights score.
*
* @param int|mixed $delay Number of milliseconds to delay hCaptcha API script.
* Any negative value means delay until user interaction.
*/
function my_hcap_delay_api( $delay ): int {
return 0;
}

add_filter( 'hcap_delay_api', 'my_hcap_delay_api' );

How can I load the hCaptcha API script only when a specific element is visible?
To load the hCaptcha API script only when a WordPress comment form is visible, you can use the followign filter:

/**
* Filters delay API selector.
*
* When set, the hcaptcha.js script will be loaded only when the specified element is visible.
* This can improve page load performance by deferring the API script until it's necessary.
*
* @param string|mixed $delay_api_selector CSS selector of the element to observe.
*/
add_filter( 'hcap_delay_api_selector', static function ( $delay_api_selector ) {
$delay_api_selector = (string) $delay_api_selector;

if ( is_admin() ) {
return $delay_api_selector;
}

return '.comment-form';

} );
How to set hCaptcha language programmatically?
hCaptcha defaults to using the user's language as reported by the browser. However, on multilingual sites you can override this to set the hCaptcha language to match the current page language. For this, you can use the following filter:

/**
* Filters hCaptcha language.
*
* @param string|mixed $language Language.
*/
function my_hcap_language( $language ): string {
$language = (string) $language;

// Detect page language and return it.
$page_language = 'some lang'; // Detection depends on the multilingual plugin used.

return $page_language;
}

add_filter( 'hcap_language', 'my_hcap_language' );

How to denylist certain IPs
You can use the following filter. It should be added to your plugin's (or mu-plugin's) main file. This filter won't work being added to a theme's functions.php file.

/**
* Filter the user IP to check if it is denylisted.
* For denylisted IPs, any form submission fails.
*
* @param bool|mixed $denylisted Whether IP is denylisted.
* @param string $ip IP.
*
* @return bool
*/
function my_hcap_denylist_ip( $denylisted, $ip ): bool {
$denylisted = (bool) $denylisted;

// Denylist some IPs.
if ( '8.8.8.8' === $ip ) {
return true;
}

return $denylisted;
}

add_filter( 'hcap_blacklist_ip', 'my_hcap_denylist_ip', 10, 2 );

How to allowlist certain IPs
You can use the following filter. It should be added to your plugin's (or mu-plugin's) main file. This filter won't work being added to a theme's functions.php file.

/**
* Filter user IP to check if it is allowlisted.
* For allowlisted IPs, hCaptcha will not be shown.
*
* @param bool|mixed $allowlisted Whether IP is allowlisted.
* @param string $ip IP.
*
* @return bool
*/
function my_hcap_allowlist_ip( $allowlisted, $ip ): bool {
$allowlisted = (bool) $allowlisted;

// Allowlist local IPs.
if ( false === $ip ) {
return true;
}

// Allowlist some other IPs.
if ( '1.1.1.1' === $ip ) {
return true;
}

return $allowlisted;
}

add_filter( 'hcap_whitelist_ip', 'my_hcap_allowlist_ip', 10, 2 );

You can customize this by returning it to the previous location in the admin Settings section or tweaking its appearance.

To do this, use the following filter to your plugin's (or mu-plugin's) main file. This code won't work being added to a theme's functions.php file.

/**
* Filter the settings system initialization arguments.
*
* @param array|mixed $args Settings system initialization arguments.
*/
function hcap_settings_init_args_filter( $args ): array {
$args = (array) $args;

$args['mode'] = 'tabs';

return $args;
}

add_filter( 'hcap_settings_init_args', 'hcap_settings_init_args_filter' );

$args array has the following fields:

mode: 'pages' or 'tabs' (default 'pages') — the appearance of the admin menu;
parent: a string — the parent menu item. Default '' for 'pages' mode and 'options-general.php' for 'tabs' mode;
position: a number — the position of the menu item. Default 58.990225 for 'pages' mode. It Has no effect on 'tabs' mode;

security@hcaptcha.com

A clear description of the vulnerability
Steps to reproduce
Proof-of-concept or exploit code (if available)
Affected versions

We will review your report and respond as quickly as possible.
Where can I get more information about hCaptcha?
Please see our website.
How can I rerun the setup wizard?
You can rerun the setup flows from the General settings page by adding a parameter to the URL:

&onboarding — starts the Onboarding Wizard
&auto-setup — performs the Recommended Setup