GDPR-compliant ReCaptcha for all forms and logins


Protect all your forms and logins against spam and brute-force attacks. The plugin is invisible and compliant to GDPR (RGPD, DSGVO).
It has a lot of options on the one hand and comes with a well balanced default configuration. Thus it starts working very well, as soon as it is activated.

Key features

  • Blocks spam on all(!) public forms, comments and logins
  • Invisible. No user-input required
  • Still receive 100 percent of the real requests
  • Compliant to GDPR (respectively DSGVO, RGPD)
  • The Plugin is for free
  • No tracking, no cookies, no sessions
  • No external ressources
  • Easy to use
  • SEO-friendly
  • Only necessary code
  • Optionally messages can be flagged instead of blocking them

Examples WordPress

  • Login Form
  • Registration Form
  • Password Reset Form
  • Comments Form

Examples WooCommerce

  • Checkout
  • Login Form
  • Registration Form
  • Password Reset Form
  • Comments form
  • Product Evaluation Form

Examples other Plugins

  • Forminator
  • Thrive Architect & Thrive Apprentice
  • WPForms
  • Fluent Forms
  • Contact Form 7
  • Gravity Forms
  • Formidable Forms
  • Elementor Pro Forms
  • Mailchimp for WordPress Forms
  • BuddyPress Registration Form
  • bbPress Create Topic & Reply Forms
  • Ultimate Member Forms
  • wpDiscuz Custom Comments Form
  • Easy Digital Downloads Forms
  • Paid Memberships Pro Forms
  • MemberPress Forms
  • WP-Members Forms
  • WP User Frontend Forms
  • CheckoutWC & Flux Checkout
  • Divi Forms
  • Ninja Forms
  • Jetpack Forms
  • Everest Forms

Thank you!

I hope you enjoy using the CAPTCHA plugin! If you are happy with it, I would be glad to get your review and probably a coffee too.


  1. Install and activate the plugin via WordPress Plugins page. Done!
  2. Optionally: After activation, you can adjust precisely how messages shall be blocked, flagged or saved in plugin’s settings menu.
  3. You should take a look into the message inbox. As many system functions act like bots, it may happen that they are blocked too. From the inbox and from the spam inbox you can jsut whitelist them with one click respectively.


Submissions are incorrectly treated as spam

  1. The problem occasionally occurs right after installation due to caching. In such cases, the necessary JavaScript for proof-of-work isn’t loaded as intended. To resolve this, clear the cache on your webserver (WordPress caching is typically managed by plugins, which offer an option to clear the cache) and in your browser.
  2. JavaScript might crash due to incompatibility between this plugin and another one you’re using. If you notice this, please report it to me. I usually address such issues within the same day. Additionally, it’s crucial to ensure that JavaScript is functioning correctly on all your pages, even without this plugin. In most browsers, you can identify JavaScript errors by pressing F12 on your page and navigating to the console. Here, you can observe what’s happening on your page.
  3. Generally, I recommend running the plugin in Explicit mode 🎯 as it’s more efficient and avoids compatibility problems. Please refer to the “help” section for this option.

Neither messages, nore spam is shown in the inbox

  1. Activate the Analysis mode 🔍, submit the form and look for the message that has been saved for the new submission. Open the message Check enhance the spam check scope for this type of submission. In general I recommend to run the plugin in the Explicit mode 🎯 and to do so with all types of submissions that you which to be considered for the spam check.
    If none of these: If you recognize this behaviour, I would be glad if you gave me a notice in the support forum and usually I would ad specific support for your form-builder.

Problems with WooCommerce/ Jetpack activation

If you face problems with the activation of Jetpack this may occur during the handshake-procedure of jetpack. This procedure acts like a bot, when it passes a passphrase from a certain IP adress to an automatically generated form on your site.
In order to get this fixed, you need either to disable the option 🖥️ Apply on REST-API, or to whitelist the respective form that is used to exchange the passphrase.
Usually you need to process the following steps for whitelisting:
1. Check the spam folder for the respective message that has been blocked
2. Copy the site-adress “from_site”
3. Paste the site-adress into the option 📄 Site-Whitelist on the properties site
4. Press save
Usually you need to whitelist two different sites to connect jetpack:
1. To connect the site: your-domnain-without-protocol/?rest_route=/jetpack/v4/verify_registration/
2. To connect your user: your-domnain-without-protocol/?rest_route=/jetpack/v4/remote_authorize/
Generally, I recommend running the plugin in Explicit mode 🎯 as it’s more efficient and avoids such compatibility problems. Please refer to the “help” section for this option.

Problems with activation/ installation of other plugins

If you face problems with other plugins (i.e. during plugin installation/ activation) this may occur during handshake-procedures, or during maintenance of your plugin from the vendor. These procedures usually act like bots, as they pass a code or contents via certain automatically generated forms on your site.
In order to get this fixed you can either disable the option 🖥️ Apply on REST-API, or whitelist the IP address of your vendor, or you can whitelist the page which contains the maintenance form. In order to check whether such a problem occurs you can check the spam folder of this plugin. Here you find the site adress that you can use for whitelisting as “from_site” too
Generally, I recommend running the plugin in Explicit mode 🎯 as it’s more efficient and avoids such compatibility problems. Please refer to the “help” section for this option.

Webhooks from Thrive automation don’t work properly when the plugin is activated

You need to whitelist the respective webhooks ( those which the respective service is using to call your site) with the option 📄 Site-Whitelist. Do not forget to cut the protocoll (i.e. “http” and “https”).
Note: As Thrive doesn’t use the standard WordPress-REST-route, just deactivating the option 🖥️ Apply on REST-API will not work.
Generally, I recommend running the plugin in Explicit mode 🎯 as it’s more efficient and avoids those compatibility problems. Please refer to the “help” section for this option.

Any Webhooks or API-calls do not work

You need to whitelist the respective webhooks ( those which the respective service is using to call your site) with the option 📄 Site-Whitelist. Do not forget to cut the protocoll (i.e. “http” and “https”).
Alternatively you can deactivate the option 🖥️ Apply on REST-API if your services is using the standard WordPress-REST route.
Generally, I recommend running the plugin in Explicit mode 🎯 as it’s more efficient and avoids those compatibility problems. Please refer to the “help” section for this option.

Problems with Borlabs Script Blocker

When you use the Borlabs Script Blocker to scan for JavaScripts, the scan doesn’t work properly, as it doesn’t show any JavaScripts. Just deactivate this plugin for the scan and activate it again after the scan.

Can’t get my problems fixed

  1. Important messages could be shown in browser console (F12) on problematic page
  2. Whenever you post something to the support forum, try to hand over all details
  3. If the recaptcha doesn’t work on any form, give me a notice and I will try to fix that

How to disable this plugin?

  • Use standard WordPress plugins page for deactivation and deletion of the plugin
  • When deactivating the plugin you will be asked for the reason. If you face any problems I would be glad if you report to it me as detailed as possible. Usually I will fix them quickly. If you give me contcat details, I may inform you as soon as it is fixed.


10 Noyabr 2023
The plugin does exactly what it is supposed to do!And if there are issues the developer is really helpful 🙂
06 Noyabr 2023
It took us a little while to set up the explicit mode to work the exact way we wanted, but thanks to the support of Matthias, we now seem to be having the ultimate anti spam solution. I can't wait to test this on more websites and I'm sure that a lot more people will fall in love with this plugin very soon. 🙂
24 Oktyabr 2023
Blocked hundreds of spam WooCommerce orders, and the plugin continues to be actively monitored and improved. I'm sure it will continue to get even better. Great work.
Read all 17 reviews

Contributors & Developers

“GDPR-compliant ReCaptcha for all forms and logins” is open source software. The following people have contributed to this plugin.


“GDPR-compliant ReCaptcha for all forms and logins” has been translated into 3 locales. Thank you to the translators for their contributions.

Translate “GDPR-compliant ReCaptcha for all forms and logins” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.



  • CSS file for message page


  • CSS was not loaded on message page


  • Improved plugin-performance
  • Whitelistings now can be filtered in “Explicit mode” too


  • Option “Apply when logged in” removed for compatibility reasons. If you face problems with compatibility, please use the explicit mode
  • Option “Excluded roles” removed for compatibility reasons. If you face problems with compatibility, please use the explicit mode


  • Loading-Spinner for inboxes added
  • Filter for Analytic Box added
  • Usability for explicit mode improved
  • Bug with nested fields for subject fields solved


  • Critical fix of a database error


  • Explicit mode enhanced
  • Message patterns, now can be specified more precisely
  • General recommendation to run on Explicit mode


  • New mode “Analysis mode” to save all types of message in a new inbox “Analytic Box”
  • New function to save message patterns, to enhance the scope of the spam protection. The message patterns can be saved from the respective messages in the “Analytic box”
  • The whitelisting of ajax-action is now possible on all inboxes
  • Visitor IPs can be saved (warning: If you enable this option, this is not compliant to GDPR)
  • Bug fix: Passwords from fields with nested fieldnames (i.e. Elementor) where saved in clear with the messages. This issue is fixed now.


  • Non-ajax-calls are only recognized if they stick to WP-standard for submissions
  • Option added to modify the error message for identified spam
  • Useful errormessage-format for wpDiscuz


  • wordfence_syncAttackData-issue fixed


  • Compatibility issues with divi fixed
  • New function to whitelist submission-types directly from the spam-inbox


  • Compatibility-issue with Wordfence fixed
  • Better WooCommerce-suport


  • Bug with wp-cron.php fixed


  • Wordfence and other plugins backoffice-actions whitelisted
  • Option for whitelisting ajax-calls enhanced with widlcard-capabilities


  • WP-Cron whitelisted


  • Submissions will now be saved for empty post-requests as well


  • New options to delete messages after a certain period of time automatically
  • New option to whitelist specific user roles from the processing when logged in
  • Adjusted error message for Elementor Forms Pro


  • Beware: If you update an existing release, test it. Some properties may be adjusted as the processing of post-requests has changed fundamentally and is alot more restrictive now. Absolutely every post-request will be considered from now on.
  • If you are using wpforms and just flag spam, you have to change the flagging rules. Please see the respective hints for the option “Fieldname:prefix to flag spam”
  • Whitelisting for ajax-requests added (called “actions” in the plugins properties-menü) + actions are saved with messages, such that they can be copied for whitelisting
  • Explicit mode added: If this mode is activated the spam protection is only applied on explicitly listed ajax-actions. The processing of ordenary post-requests is not affected from that option
  • Many performance improvements
  • The plugin now directly catches all post-requests in the earliest phase of WordPress processing and exits the processing as soon as spam is identified. Therefore the server-capacity for spam-submissions is reduced by the plugin to the lowest possible minimum.
  • Timestamp for message entries corrected
  • Problems with application on interim-login fixed
  • Bug with Site-Whitelisting fixed


  • Deprecated usage of dynamic options replaced
  • Deprecated Filter_Sanitize_String replaced
  • Menu position warning fixed


  • Option to filter WooCommerce shopping carts adjusted


  • Added support for flagging messages for forminator and WPForms
  • Added Whitelisting for sites
  • Added option to disable/ enable REST API – support / may solve several compatibility issues with other plugins that do handshakes, or are maintained from the plugin vendor via REST API
  • Added option to filter WooCommerce shopping carts from beeing saved
  • Added a possibility to integrate this plugin into certain form builders via the new method spam_check( $fields )


  • Dashboad-widget can be seen only by administrators now
  • Support for WP forms added
  • Warning-Bug solved


  • Dashboard widged for the inbox added (has to be activated in the administration area)
  • Style for the administration area renewed
  • New option to disable/able the spam protection for logged-in users
  • Support for Thrive Apprentice added
  • Removed CF7 support-option, as CF7 is supported anyway
  • Order auf messages in the inbox changed (now starting with the most current one)


  • Bug with blocked entries solved


  • Support for Forminator added
  • Optimized namespaces in JavaScript for better plugin-compatibility


  • Support for Thrive Architect / Thrive Automation added


  • New feature to whitelist IPs, that shall be ignored and not beeing blocked from the plugin
  • Errors with PHP version 5.6+ fixed


  • Hash-puzzles are saved in the database right now
  • Raised efficiency of the server-side spam-check


  • Better resilience of the plugin
  • Javascript know is directly echoed from PHP, to save loading time


  • Special thanks to the user vptcnt
  • Error 500 which appeard due to empty line reading in the stamp-log-file resolved


  • Spam-check procedure optimized


  • Complete code-rebuild
  • Shopping carts and all other elements from Woocommerce are now working with the plugin
  • Better integration of Elementor
  • Popup-Bug for login-screen solved
  • Plugin performance optimized
  • The proof-of-work-check now happens before form submission via ajax. Thus collision with other plugins is minimized


  • Elementor support added


  • Problems with multiple forms on one page solved
  • DOM-Integrity problem with non-unique IDs solved


Erroneous behaviour of the inbox with renamed WordPress-table-prefixes fixed


Empty JavaScript file deleted and not loaded anymore, to avoid loading the file uneccesary in the admin menu


Settings menu beautified


New: GDPR-compliant ReCaptcha for all forms has been released!