---
title: WordPress
---

# WordPress

Official CaptchaLa plugin for WordPress. Adds CAPTCHA verification to core WordPress forms and to the most common form, e-commerce and community plugins without writing any code.

## What it covers

Each item below is an individual checkbox in the plugin's settings panel — you only enable the surfaces you actually want to protect.

- WordPress login
- WordPress registration
- WordPress comments
- WordPress lost-password
- WooCommerce checkout
- WooCommerce account creation
- WooCommerce login
- Contact Form 7
- Gravity Forms
- WPForms
- Elementor Forms
- BBPress (topics and replies)
- BuddyPress (registration and activity)

If a form plugin is not installed, its toggle is hidden — the plugin detects available integrations at boot.

## Install

### 1. Install the plugin

The plugin is on the official WordPress.org directory: [**wordpress.org/plugins/captchala**](https://wordpress.org/plugins/captchala). Two options:

- **WordPress admin** (recommended) — `Plugins` → `Add New`, search `CaptchaLa`, click **Install** then **Activate**. One-click updates from then on.
- **Manual upload** — download the zip from [`wordpress.org/plugins/captchala`](https://wordpress.org/plugins/captchala), upload via `Plugins` → `Add New` → `Upload Plugin`, and activate.

The plugin targets WordPress ≥ 6.0 and PHP ≥ 7.4.

### 2. Get your keys

Sign up at [`dash.captcha.la`](https://dash.captcha.la), create an application, then copy:

- **App Key** — public, embedded in the page
- **App Secret** — server-side only, used by WordPress to call `/v1/validate`

### 3. Wire it up

In WP-Admin, open `CaptchaLa` in the left menu:

1. Paste the **App Key** and **App Secret**.
2. Pick a verification mode (popup, bind, embed or float — see [Web SDK](/web-sdk)).
3. Toggle the forms you want protected.
4. Click **Save changes**.

Open one of the protected forms in a private window to confirm the challenge renders.

## Configuration

All settings live under `WP-Admin → CaptchaLa`.
The plugin stores them as a single WordPress option (`captchala_settings`).

| Setting | Type | Default | Description |
| --- | --- | --- | --- |
| App Key | string | — | Public key (`cl_pub_…`) from the CaptchaLa dashboard. Required. |
| App Secret | string | — | Server secret. Required. Never exposed to the browser. |
| Verification mode | enum | `popup` | One of `popup`, `bind`, `embed`, `float`. Maps to the Web SDK `product` option. |
| Form toggles | bool[] | all off | One toggle per supported form (see [What it covers](#what-it-covers)). |
| Lazy load | bool | `true` | When on, the CaptchaLa loader is only enqueued on pages that contain a protected form. |
| Theme | enum | `auto` | `light`, `dark`, or `auto` (follows the user's system preference). |
| Action label | string | per-form | The `action` string sent on validation (`login`, `register`, `comment`, `wc_checkout`, etc). The plugin sets sensible defaults — override only if you have a reason. |
| Bind to IP | bool | `true` | Sends the visitor IP at issuance and validation. Disable behind a proxy that does not forward client IPs. |
| Block on verification failure | bool | `true` | When off, failed verifications are logged but the form still submits. Use for staged rollout, not production. |

Settings can also be exported / imported as JSON from the settings page footer.

## FAQ

**Is the plugin free?**

Yes. The WordPress plugin is free. The CaptchaLa free plan covers 10,000 verifications a month — paid plans only apply if you need more volume.

**Will it slow down my site?**

The loader is enqueued lazily, only on pages that render a protected form. The verification call returns from the edge in under 100ms in most regions. There is no front-page tracking script.

**Does it work with WooCommerce?**

Yes. Checkout, account creation and login are supported out of the box — each is a separate toggle.
The plugin hooks WooCommerce's standard validation pipeline, so failed verifications surface as normal WooCommerce form errors.

**Do I need to write code?**

No. Install, paste two keys, toggle the forms you want to protect. There are filters available if you need to customize behaviour, but they are optional.

**Is it GDPR-compliant?**

CaptchaLa is privacy-first: no third-party tracking pixels, no advertising signals, and the WordPress plugin transmits only what is needed to verify a single challenge. Per-request export and deletion are available through the CaptchaLa dashboard.

## Source

- WordPress.org directory: [`wordpress.org/plugins/captchala`](https://wordpress.org/plugins/captchala)
- Plugin repository: [`github.com/Captcha-La/captchala-wordpress`](https://github.com/Captcha-La/captchala-wordpress)
- Issues / feature requests: filed against the repository above
- Related: [Web SDK](/web-sdk) · [PHP Server SDK](/sdk/server-php) · [API Reference](/api-reference)
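
## Example: auditing an exported settings file

The Configuration table lists several settings whose value decides whether protection is actually enforced: form toggles default to off, "Block on verification failure" can be switched to log-only, and "Bind to IP" should be disabled behind a proxy that does not forward client IPs. The Python script below is an added example, not code from the plugin or its documentation, that checks an exported settings file for those conditions. The JSON key names, the sample values and the `proxy_hides_client_ip` parameter are assumptions, because the page does not document the export schema.

```python
import json

# Constructed sample export. Key names are assumed for this example; the page
# documents the settings themselves but not the JSON export schema.
SAMPLE_EXPORT = """{
  "app_key": "cl_pub_EXAMPLE",
  "app_secret": "EXAMPLE_SECRET",
  "mode": "popup",
  "forms": {"wp_login": true, "wp_comments": false, "wc_checkout": true},
  "bind_ip": true,
  "block_on_failure": false
}"""

VALID_MODES = {"popup", "bind", "embed", "float"}


def audit(settings, proxy_hides_client_ip=False):
    """Return finding codes for settings that weaken or disable protection."""
    findings = []
    # Both keys are marked Required in the settings table.
    if not settings.get("app_key") or not settings.get("app_secret"):
        findings.append("missing-keys")
    if settings.get("mode", "popup") not in VALID_MODES:
        findings.append("invalid-mode")
    # Form toggles default to all off, so a fresh install protects nothing.
    if not any(settings.get("forms", {}).values()):
        findings.append("no-forms-protected")
    # Off means failed verifications are only logged and the form still submits.
    if not settings.get("block_on_failure", True):
        findings.append("fail-open")
    # The page says to disable IP binding behind a proxy that does not forward
    # client IPs.
    if settings.get("bind_ip", True) and proxy_hides_client_ip:
        findings.append("bind-ip-behind-proxy")
    return findings


if __name__ == "__main__":
    for code in audit(json.loads(SAMPLE_EXPORT)):
        print("finding:", code)
```

Run it against a real export after a staged rollout to confirm that "Block on verification failure" was switched back on before going to production.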