Hashcash WordPress Plugin Makes Bots and Spammers Work For You

Patience for CAPTCHAs is wearing thin these days. There’s nothing more annoying than being slowed down by a virtually illegible mess of letters and numbers. The audio CAPTCHAs are reminiscent of your worst nightmares and are even more baffling than the visual ones. Despite the fact that everyone groans inside when landing upon a CAPTCHA, many major websites continue to employ them, for lack of a better method, in the war against bots.

The folks at Hashcash.io have created a new way to keep bots and spammers at bay by forcing the user’s browser to solve math. This also helps to secure sites against brute force attacks. Hashcash utilizes open technologies including Asm.js, HTML5, and Web Workers to keep your login form under lockdown until the browser has solved the required math.


The Hashcash team created a WordPress plugin to help users get started quickly, not to be confused with the popular WP-Hashcash plugin. The plugin integrates Hashcash.IO service with login, registration, and comment forms. Here’s how it works:

The submit button is disabled until the user unlocks it.


A progress bar fills up while the browser is solving the math to unlock the button. It updates both visually and via WAI-ARIA to inform blind users via screen reader about the progress.


When the form is unlocked, it displays the green unlocked indicator:


Supported browsers include:

  • Google Chrome 28+
  • Mozilla Firefox 22+
  • Internet Explorer 10+
  • Opera 18+

You can test out Hashcash in operation on the live WordPress demo where it is active on login, comment and registration screens. The plugin is fully accessible and follows both common sense and accessibility guidelines and is focusable and actionable via Tab-Enter keys.

After installing Hashcash, you will need to enter public and private keys for the service from the Hashcash.io website in the settings page. Here you can also adjust the complexity value, which determines how much work is required from the browser to unlock the submit button.

Ultimately, the team at Hashcash plans to allow you to make some cash while stopping spammers, but the cash feature is still in development. We’ll keep you updated on where that goes. If you’d rather have your browser solve math instead of forcing yourself to squint at a CAPTCHA, download the free WordPress.org-approved Hashcash plugin via your site’s admin panel.


41 responses to “Hashcash WordPress Plugin Makes Bots and Spammers Work For You”

  1. I don’t know if it’s this plugin in particular or just my really crappy Internet connection, but this is impossibly slow for me. It takes between 7 and 14 seconds for the “unlock” to go through after clicking it. I could see using it on a personal site if I didn’t mind the wait, but I wouldn’t want to subject my users to this wait time on a site with multiple users.

    • I wonder if the service is slower at different times? I tested it and didn’t experience it being that slow, but then again my speed is 121.72mbps download and 22.74mbps upload.

      • Thats a huge speed Sarah. Just imagine someone having 4mbps or 2mbps connection and using this service. Then its very slow. It even take 7-8 seconds on 8mbps connection

    • It depends on two parts:

      1) How fast your computer is
      2) How fast your browser is

      It does NOT depend on connection speed (almost.)

      So yeah, different users might get different time to unlock. Dashboard is in build progress and there webmaster will be able to analyze how long it takes on average and adjust it based on amount of spam and time it takes to unlock. Stay tuned :)

        • Website owner can adjust time by increasing or descreasing complexity in the settings. And by “almost” I meant that speed of unlocking is not very much depending on download speed, but still does, since it need to download javascript, images and styles to show it off. After that – it is only browser and computer speed what does matter.

          As time will go and computers and browsers become faster, it will be matter of adjusting complexity to keep up with it.

          Right now default suggested complexity is 0.01, which translates on modern computer and browser to about 5-10 seconds of unlock time. I believe lowest value you can go and still be practical is 0.001, after that it is gets too easy to protect against anything.

    • @Justin – is it possible that your computer is just really slow? If it’s the delay on clicking the lock, then it will be unrelated to connection speed as it’s waiting for your browser to do a calculation, not for any data to be transferred.

      I imagine on older browers, that this could take an impossibly long time, as their JavaScript chops aren’t up to scratch for complex calculations.

      • I’m testing on the latest version of Chrome on computer that’s less than two years old running Windows 8. Since you brought up it up, I opened my iPad and tested in the latest version of Chrome there. The spinner icon just goes into an infinite loop (unless I didn’t wait long enough) and never unlocks. In Safari on iPad, it took just under a minute for it to unlock.

        • Maybe the calculation is set to be too complex then. For me it only took a few seconds, but I have a fairly beefy six month old machine.

          I imagine something like IE7 would be a big problem with this type of thing. It would probably just sit there spinning for minutes on end before doing anything, since the JavaScript engine is way slower than in modern browsers.

          • It is not compatible with IE version below 10 at all due use of Web Worker and Typed Arrays. In addition it uses asm.js which is supported by at least recent Chrome and Firefox. If browser do not support asm.js, it will run calculation 2-6 times slower too.. So there is a lot of experimental technologies involved and I expect these will be adopted by major browsers soon.

          • Good point. I hadn’t even thought of those requirements ruling out older browsers. That should be okay for most login requirements, but isn’t much good for commenting I guess, or at least not yet.

  2. This is great for front-end spammers, but those that just submit $_POST login requests won’t be affected.

      • This “work” can be automated using auto click. And one can do that easily in python or any other language. So I am just wondering how will you differentiate auto click with a human click and turn bots into cash making workers for the site. Because for me simple click unlock could be very easy to break.

        • idea is not to differentiate between bots or humans, but rather make posts cost money and time (i.e. wait until it is done.) Think about it as a throttling rather than if () {} else {} thingy.

  3. I still think that the easiest way to keep bots out is placing “honeypots” for them. Of course, such a simple Touring Test cannot filter out human spammers and therefore it might not be suitable for very large sites.

    • This type of anti-spam tool is designed for bots, not humans. Honeypots can stop a lot, but this type of tool can hopefully block even more.

      I’ve seen honeypots stop 99.99% of all spam, but that can still result in hundreds of spams to deal with every day if you are hit hard enough.

      • Well, I guess honeypots are the simplest form of detecting a bot, so there might be bots intelligent enough to evade the honeypot. But on the other hand, you can disguise a honeypot so that it would be too hard find or too time intensive to code more intelligence into the bot.

        I admit that on some sites a honeypot is not sufficient. I don’t know what factors it really depends on, but last year I had a few days with about 1k bot attacks and 3 to 5 human attacks on the same day. All bots were cought by my private implementation of honeypots, only disguised with CSS in the style.css file and a text input named vstt_email. Of course, this cannot be representative because it’s only one site using vstt_email. With an increasing number of sites, some bots might learn to skip that field and quickly we are at the 99.99% you mentioned.

        I hope that makes any sense :)

        • A honey pot which dynamically changed the name, email address and submit button input fields regularly could block the bots fairly well I suspect. I haven’t seen any WordPress plugins which do that though.

    • Development of this project’s core technology launched about 6 months ago as a proof of concept to be used on network of private blogs. Idea itself – about year ago. And original Hashcash was invented by Adam Back in 1997 – check http://hashcash.org/. There are also couple hashcash-like based plugins on wordpress.org (just search by hashcash keyword)

      I.e. idea is definitely not new, but there are no wide-used implementation yet. Hashcash.IO is just one of these implementations and time will tell if it is good.

      • There are lots of hashcash plugins, but I haven’t seen any which force calculations upon the end-user beyond very basic JavaScript processing.

        Thanks for pointing me in the direction of that site. I always assumed “hashcash” was just a funky name people gave for when they used JavaScript to shunt around variables for antispam purposes. I didn’t realise it was directly related to forcing a calculation on the end-user like that.

        Nice to know I wasn’t the only one who came up with a crazy work creating anti-spam idea :) It nicely validates my concept. I was a little uneasy about implementing it since I hadn’t heard of others doing the same.

  4. The problem with these kinds of anti-spam measures is that you’re still downgrading the quality of the user experience in exchange for a better site management experience and I don’t like that trade should have to happen.

  5. https://www.toddlahman.com/shop/simple-comments/

    Simple Comments won’t slow down your login, and it’s invisible on forms. Works for frontend and backend hackbots and spambots. All web browsers are supported. No accessibility issues. Fill in the same login form as before, without the extra step of clicking a lock, and waiting … Great customer reviews.

  6. It has nothing to do with internet speed. It has all to do with how fast your cpu is. I believe that the hash function just gets harder so it should take longer and longer to solve it.

    • Right now complexity (i.e. what controls how hard problem is) is configurable, but static. But in the long run I would envision it to become higher (i.e. taking more work) with more invalid login attempts.

      Also it would make sense to make it higher for “high-risk” IP addresse ranges.

  7. While I believe I understand the point of this plugin, it is unclear to me how it “Makes Bots and Spammers Work For You” or how one could “make cash stopping spammers”. I’m new to some of this so could anyone point me in the right direction or explain this aspect?

    • While not announced anywhere officially yet, proof-of-work is based on Dogecoin blockchain. And currently I am working on sharing any income generated from solving dogecoin proof-of-work with webmasters. At this point it is not ready for public use yet, but this is another big part of the project.

    • Spammers can get past most anti-spam tools by simply throwing more computer resources at it. Things like honey pots etc. can be bypassed by just rendering the entire page in a browser for example (in an automated fashion), but this requires significant amounts of computing power, which actually adds up to a significant amount of cash to power their servers. Simply hammering a site with post requests is cheap, having to render the entire page each time is expensive.

      The system mentioned above takes that a step further, by forcing the spammer to not only render the page, but do a crap-ton of computer processing on top of that. The cost to do the calculation should hopefully cost more than any spammer is willing to pay, or at least it’ll get to the point where it’s cheaper to pay a human to do the spamming.

      I’ve seen lots of people claiming that humans “must be spamming me” because their existing anti-spam solutions failed to stop them. I have never actually seen a case of this myself though. It’s always been a case of the spammer simply throwing more computing resources at the problem. This plugin can hopefully push the cost to high for the spammers to bear.

      The way it could make money, is by doing useful calculations. Things like cracking hashes for Bitcoins for example is a simple way to generate money on the fly and if you can offload that onto the browser/CPU of someone who is attempting to log into your site, then you could generate a little bit of money each time.

  8. I like the unique concept but I’m not sure this is a good solution for non-tech folks. I can see it working great for sites where only a few admins need to login, but for sites where anyone, even grandma will be logging in, it might be a bit confusing. Then again, CAPTCHAs can be confusing as hell and I’m not sure grandma would do any better with one of those.

    • Like other people mentioned elsewhere it would be nice to have another option – calculation to happen in background, or on focus. This is actually how it started, but I then backed to “lock” kinda widget which gives clear feedback on what is going on vs having to wait “something”

      I was thinking about adding new option to underlying jquery.hashcash.io plugin to auto unlock on form focus. This should save time for folks to type whatever comment they want to type, and by the time they are done – submit button will be unlocked.

      Whenever I get a chance to do it tho… Busy on more backend work for this project right now. So contributions are very welcome :)

  9. 1.0.2 update of hashcash as broken WordPress login – I can no longer log in to any site with HashCash installed : (


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: