

Abandoned (replacement: [willybahuaud/gaitcha-for-wp](/?search=willybahuaud%2Fgaitcha-for-wp)) · WordPress plugin · [Security](/categories/security)

wabeo/gaitcha-for-wp
====================

Gaitcha captcha integration for WordPress

v1.1.0 (2mo ago) · 60 · [1 issue](https://github.com/willybahuaud/gaitcha-for-wp/issues) · GPL-2.0-or-later · PHP · PHP >=7.4

Since Mar 9 · Pushed 1mo ago

[Source](https://github.com/willybahuaud/gaitcha-for-wp) · [Packagist](https://packagist.org/packages/wabeo/gaitcha-for-wp) · [RSS](/packages/wabeo-gaitcha-for-wp/feed) · Synced 1mo ago


Gaitcha for WordPress
=====================

A behavioral captcha that stays on your server.

Most captcha solutions send your visitors' data to a third-party service — every interaction, every page load, every form submission. Gaitcha does the opposite: it runs entirely on your WordPress install, scores human behavior through fine-grained analysis (mouse trajectory, speed patterns, keyboard timing, touch dynamics), and never phones home.

It works with a single checkbox. No puzzles, no image grids, no "select all the traffic lights". The trick is in *how* the user reaches and checks that box — mouse trajectory, speed variation, keyboard timing, touch patterns. Humans hesitate, overshoot, decelerate. Bots don't.

The behavioral log is scored server-side using HMAC-signed tokens. No session, no database query, no external API. Stateless and lightweight.

What it blocks
--------------

Gaitcha catches the vast majority of automated submissions: scripted bots, headless browsers, form stuffers, and credential sprayers. The scoring engine analyzes 10+ behavioral signals simultaneously — faking all of them at once in a human-like way is a hard problem.

It won't stop a determined attacker running a full browser with manual-like automation (but at that point, rate limiting is your friend, not a captcha).

Supported Form Plugins
----------------------

- [WS Form Pro](https://wsform.com/)
- [Contact Form 7](https://contactform7.com/)
- [Formidable Forms](https://formidableforms.com/)
- [Gravity Forms](https://www.gravityforms.com/)
- [WPForms](https://wpforms.com/)
- [Fluent Forms](https://fluentforms.com/)
- [Ninja Forms](https://ninjaforms.com/)
- [Elementor Pro Forms](https://elementor.com/)

Connectors are loaded conditionally — only when the corresponding form plugin is active.

Native WordPress Forms
----------------------

Gaitcha can also protect the built-in WordPress forms — no form plugin needed:

- **Login** (`wp-login.php`)
- **Registration**
- **Lost password**
- **Comments**

Each one is toggled independently from **Settings > Gaitcha**. All disabled by default, so nothing changes until you opt in.

Requirements
------------

- WordPress 6.0+
- PHP 7.4+

Installation
------------

1. Download the latest release ZIP from [GitHub Releases](https://github.com/willybahuaud/gaitcha-for-wp/releases)
2. In WordPress admin, go to **Plugins > Add New > Upload Plugin**
3. Upload the ZIP and activate

That's it. The plugin generates a cryptographic secret on activation. No API key, no account needed.

A settings page is available under **Settings > Gaitcha** for optional configuration — widget theme and native form protections. The defaults work out of the box.

### Auto-updates

The plugin checks GitHub Releases for new versions and integrates with the WordPress update system. Updates show up in **Dashboard > Updates** like any other plugin.

Settings
--------

Go to **Settings > Gaitcha** in the WordPress admin. Two sections:

**Theme** — controls the widget appearance.

- `light` (default) — light background, dark text
- `dark` — dark background, light text
- `auto` — follows the visitor's OS preference via `prefers-color-scheme`

The theme applies to all Gaitcha widgets across every connector.

**Native form protections** — toggle Gaitcha on WordPress built-in forms (login, registration, lost password, comments). All off by default.

Usage
-----

Each form plugin gets a **Gaitcha** field type in its builder. Add it to your form, publish, done.

On the frontend:

1. The form loads normally — no captcha visible
2. As soon as the user moves the mouse, touches the screen, or presses a key, a checkbox fades in
3. The user checks the box — behavioral data is collected silently in the background
4. On submit, the server scores the behavior and accepts or rejects

### Contact Form 7

Use the `[gaitcha]` form tag, or click the **gaitcha** button in the editor toolbar.

Optional custom label: `[gaitcha "I'm human"]`

### Elementor Pro Forms

Add a **Gaitcha** field to your form widget in the Elementor editor. It follows the handler pattern (like Honeypot) — no separate field class. The widget handles AJAX submission and resets automatically on validation errors.

### Other form plugins

Drag the **Gaitcha** field from the builder palette into your form. The label is configurable in the field settings.

Privacy
-------

This is the whole point:

- No data leaves your server — ever
- No cookies, no fingerprinting, no tracking pixels
- No external JavaScript loaded
- Nothing to declare in your privacy policy
- GDPR-friendly by design, not by configuration

Hooks
-----

### `gaitcha_bypass_admin`

Bypass captcha validation for logged-in admins. Enabled by default.

```php
// Disable admin bypass (admins must solve captcha too).
add_filter( 'gaitcha_bypass_admin', '__return_false' );
```

### `gaitcha_config`

Filter the Gaitcha configuration array before initialization.

```php
add_filter( 'gaitcha_config', function ( $config ) {
    $config['score_threshold'] = 0.6; // Stricter scoring (default: 0.5).
    $config['ttl']             = 60;  // Shorter token validity (default: 120s).
    return $config;
} );
```

Available options: `secret`, `ttl`, `score_threshold`, `debug`, `no_js_fallback`, `anti_replay`, `token_store`.
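One way to use the two filters together, as an added example that is not part of the plugin: an mu-plugin that keeps the admin bypass and the stricter threshold in production, but turns on `debug` and removes the bypass everywhere else so administrators exercise the real check while testing. It assumes `debug` takes a boolean and that `gaitcha_bypass_admin` receives the current bypass value as its first argument (the README only shows `__return_false`); `wp_get_environment_type()` is WordPress core.

```php
<?php
/**
 * Plugin Name: Gaitcha environment tuning (added example, not shipped with the plugin)
 * Description: Drop into wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Resolve the environment once; older cores without the helper are treated as production.
function gaitcha_example_env(): string {
    return function_exists( 'wp_get_environment_type' ) ? wp_get_environment_type() : 'production';
}

add_filter( 'gaitcha_config', function ( $config ) {
    $is_prod = ( 'production' === gaitcha_example_env() );

    // Assumption: `debug` is a boolean. Never leave diagnostic output on in production.
    $config['debug'] = ! $is_prod;

    // Stricter scoring only where real traffic arrives (page default is 0.5).
    $config['score_threshold'] = $is_prod ? 0.6 : 0.5;

    // Keep the documented default TTL explicit so reviewers see it in one place.
    $config['ttl'] = 120;

    return $config;
} );

// Assumption: the filter passes the current bypass flag. Outside production, admins
// must pass the captcha too, so staging reproduces what visitors actually see.
add_filter( 'gaitcha_bypass_admin', function ( $bypass ) {
    return ( 'production' === gaitcha_example_env() ) ? $bypass : false;
} );
```

Because mu-plugins cannot be deactivated from the admin UI, the environment switch is the only thing standing between this file and production, so confirm `WP_ENVIRONMENT_TYPE` is set correctly on each host before deploying it.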

How It Works
------------

Gaitcha combines two layers:

**Behavioral analysis** — the JS client collects interaction data in a circular buffer: mouse trajectory curvature, angular jitter, direction reversals, endpoint deceleration, speed autocorrelation, keyboard dwell times, tab timing entropy, touch offset patterns. Three profiles (mouse, keyboard, touch) are scored independently; the highest wins. Touch scoring has been refined for mobile — pressure, radius, and gesture dynamics are now factored into the touch profile.

**Stateless HMAC tokens** — each form load generates a random field name and a signed token. On submit, the server verifies the signature, checks the TTL, and scores the behavioral log. No session to manage, no database table to maintain.

Several "kill signals" cause immediate rejection: interaction under 100ms, zero movement before click, pixel-perfect center click, no keyboard activity before a keyboard-triggered check.
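The token and kill-signal steps above, as an added illustration written for this page rather than code from the Gaitcha library or plugin. The `StatelessCaptchaToken` class, the payload layout (field name, issue time, nonce, signature), the behavioral-log keys and the sample logs are assumptions chosen to mirror the description; the library's real format differs.

```php
<?php
declare(strict_types=1);

// Added example, not the library's code: a stateless HMAC token bound to a random
// per-load field name, verified with a constant-time compare and a TTL check.
final class StatelessCaptchaToken
{
    private string $secret;
    private int $ttl;

    public function __construct(string $secret, int $ttl = 120)
    {
        $this->secret = $secret;
        $this->ttl    = $ttl;
    }

    /** On form load: random field name plus a token signed over field|issued|nonce. */
    public function issue(?int $now = null): array
    {
        $now     = $now ?? time();
        $field   = 'g_' . bin2hex(random_bytes(8));   // assumption: field name format
        $nonce   = bin2hex(random_bytes(16));
        $payload = $field . '|' . $now . '|' . $nonce;
        $sig     = hash_hmac('sha256', $payload, $this->secret);
        return ['field' => $field, 'token' => base64_encode($payload . '|' . $sig)];
    }

    /** On submit: signature first, then field binding, then TTL. No server state needed. */
    public function verify(string $field, string $token, ?int $now = null): bool
    {
        $now = $now ?? time();
        $raw = base64_decode($token, true);
        if ($raw === false) {
            return false;
        }
        $parts = explode('|', $raw);
        if (count($parts) !== 4) {
            return false;
        }
        [$tField, $issued, $nonce, $sig] = $parts;
        if (!ctype_digit($issued)) {
            return false;
        }
        $expected = hash_hmac('sha256', $tField . '|' . $issued . '|' . $nonce, $this->secret);
        if (!hash_equals($expected, $sig)) {   // constant-time compare, as hash_equals guarantees
            return false;
        }
        if ($tField !== $field) {              // token was issued for a different field name
            return false;
        }
        $age = $now - (int) $issued;
        return $age >= 0 && $age <= $this->ttl; // reject expired and future-dated tokens
    }
}

/** The README's kill signals over a behavioral log; log keys are an assumption. */
function has_kill_signal(array $log): ?string
{
    if ($log['interaction_ms'] < 100) {
        return 'interaction under 100ms';
    }
    if ($log['mouse_moves'] === 0) {
        return 'zero movement before click';
    }
    if ($log['click_offset'] === [0, 0]) {
        return 'pixel-perfect center click';
    }
    if ($log['trigger'] === 'keyboard' && $log['key_events'] === 0) {
        return 'no keyboard activity before keyboard-triggered check';
    }
    return null;
}

// Usage. The secret stands in for the one the plugin generates on activation.
$tokens = new StatelessCaptchaToken(bin2hex(random_bytes(32)), 120);
$issued = $tokens->issue();   // embed $issued['field'] and $issued['token'] in the form

var_dump($tokens->verify($issued['field'], $issued['token']));               // fresh, matching
var_dump($tokens->verify($issued['field'], $issued['token'], time() + 200)); // past the TTL
var_dump($tokens->verify('g_other', $issued['token']));                      // field mismatch

// Constructed sample logs: a plausible human interaction and a scripted click.
$human = ['interaction_ms' => 1840, 'mouse_moves' => 37, 'click_offset' => [3, -2], 'trigger' => 'mouse', 'key_events' => 0];
$bot   = ['interaction_ms' => 40,   'mouse_moves' => 0,  'click_offset' => [0, 0],  'trigger' => 'mouse', 'key_events' => 0];
var_dump(has_kill_signal($human), has_kill_signal($bot));
```

The ordering in `verify()` matters: the signature is checked before anything in the payload is trusted, so a forged or tampered token never reaches the TTL or field comparison. Because the nonce is only signed, not stored, this sketch does not prevent replay within the TTL window; that is what the plugin's `anti_replay` and `token_store` options are for.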

Development
-----------

```bash
composer install
```

The core Gaitcha library is pulled via Composer (`willybahuaud/gaitcha`). The JS client (`assets/js/gaitcha.min.js`) is a pre-built bundle from the core library.

Core library
------------

This plugin is built on [Gaitcha](https://github.com/willybahuaud/gaitcha) — the standalone PHP + JS captcha library. If you're not on WordPress or want to integrate Gaitcha into a custom stack, head there.

License
-------

GPL-2.0-or-later

Author
------

[Willy Bahuaud](https://wabeo.fr)

### Health Score

- Overall: 35, Low (better than 80% of packages)
- Maintenance: 86 (actively maintained with recent releases)
- Popularity: 5 (limited adoption so far)
- Community: 6 (small or concentrated contributor base)
- Maturity: 36 (early-stage or recently created project)
- Bus Factor: 1 (top contributor holds 100% of commits, a single point of failure)

How is this calculated?

**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

### Release Activity

- Cadence: every ~2 days
- Total: 2
- Last release: 60d ago

### Community

Maintainers: [willybahuaud](/maintainers/willybahuaud)

Top contributors: [willybahuaud](https://github.com/willybahuaud) (28 commits)



