Privacy-first CAPTCHA + anti-spam for the WHMCS client area — protect login, registration, password reset, contact form, ticket submission and cart checkout against bots and spam.
Unlike a plain site-key widget, every challenge is backed by a server-issued, single-use token (anti-replay), and no third-party trackers are loaded.
- WHMCS 8.x and 9.x (tested against the 8.3 and 9.0 client area; works with
both the
sixandtwenty-onethemes, with or without Friendly URLs) - PHP 8.0+ (WHMCS 9.0 itself requires PHP 8.2+)
- A CaptchaLa account — grab your App Key + App Secret at dash.captcha.la
- Download the latest
whmcs-x.y.z.zipfrom the releases. - Extract it into your WHMCS root directory. This adds:
modules/addons/captchala/ - In the WHMCS admin area, go to Setup → Addon Modules, find CaptchaLa, and click Activate.
- Click Configure, paste your App Key and App Secret, choose which forms to protect and the widget mode, then Save Changes.
- Open the CaptchaLa addon page in the admin sidebar to run a live connection test.
After activating, if the widget doesn't appear, re-save the module settings once — WHMCS only registers a module's
hooks.phpwhen the module is (re)activated/saved.
| Mode | Behaviour |
|---|---|
popup |
Visible trigger bar → fullscreen challenge (recommended). |
float |
Visible trigger bar → inline floating panel. |
embed |
Inline checkbox + challenge directly in the form. |
bind |
Invisible; intercepts the form's submit button. |
On each protected form page the module issues a fresh server token
(sct_) from the CaptchaLa dashboard, scoped to that form's action, and
renders the widget bound to it. After the visitor solves the challenge the
SDK writes a single-use pass token (pt_) into the form. On submit the
module validates that pt_ server-side before WHMCS processes the form;
replays and action mismatches are rejected.
The visitor IP is intentionally not part of validation, so the plugin works correctly behind Cloudflare and on dual-stack (IPv4 + IPv6) networks.
If the dashboard is temporarily unreachable, the module fails open (lets the submission through) so your client area is never locked out by an upstream hiccup.
- Homepage: captcha.la
- Dashboard: dash.captcha.la
- Docs: captcha.la/integrations/whmcs
MIT