Skip to content

Captcha-La/captchala-whmcs

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

CaptchaLa for WHMCS

Privacy-first CAPTCHA + anti-spam for the WHMCS client area — protect login, registration, password reset, contact form, ticket submission and cart checkout against bots and spam.

Unlike a plain site-key widget, every challenge is backed by a server-issued, single-use token (anti-replay), and no third-party trackers are loaded.

Requirements

  • WHMCS 8.x and 9.x (tested against the 8.3 and 9.0 client area; works with both the six and twenty-one themes, with or without Friendly URLs)
  • PHP 8.0+ (WHMCS 9.0 itself requires PHP 8.2+)
  • A CaptchaLa account — grab your App Key + App Secret at dash.captcha.la

Installation

  1. Download the latest whmcs-x.y.z.zip from the releases.
  2. Extract it into your WHMCS root directory. This adds:
    modules/addons/captchala/
    
  3. In the WHMCS admin area, go to Setup → Addon Modules, find CaptchaLa, and click Activate.
  4. Click Configure, paste your App Key and App Secret, choose which forms to protect and the widget mode, then Save Changes.
  5. Open the CaptchaLa addon page in the admin sidebar to run a live connection test.

After activating, if the widget doesn't appear, re-save the module settings once — WHMCS only registers a module's hooks.php when the module is (re)activated/saved.

Widget modes

Mode Behaviour
popup Visible trigger bar → fullscreen challenge (recommended).
float Visible trigger bar → inline floating panel.
embed Inline checkbox + challenge directly in the form.
bind Invisible; intercepts the form's submit button.

How it works

On each protected form page the module issues a fresh server token (sct_) from the CaptchaLa dashboard, scoped to that form's action, and renders the widget bound to it. After the visitor solves the challenge the SDK writes a single-use pass token (pt_) into the form. On submit the module validates that pt_ server-side before WHMCS processes the form; replays and action mismatches are rejected.

The visitor IP is intentionally not part of validation, so the plugin works correctly behind Cloudflare and on dual-stack (IPv4 + IPv6) networks.

If the dashboard is temporarily unreachable, the module fails open (lets the submission through) so your client area is never locked out by an upstream hiccup.

Links

License

MIT

About

CaptchaLa module for WHMCS

Resources

License

Stars

1 star

Watchers

0 watching

Forks

Packages

 
 
 

Contributors