Crovly – Proof of Work Captcha & Spam Protection
Crovly is a privacy-first captcha service powered by Proof of Work. Unlike traditional captchas that rely on image puzzles (easily solved by AI) or invasive tracking, Crovly makes the visitor’s browser do computational work to prove it’s not a bot. How it works: Your visitor’s browser solves a small cryptographic puzzle (Proof of Work) Browser fingerprint and environment signals are collected (as a hash — no personal data stored) Behavioral analysis detects automated patterns (mouse, keyboard, scroll) A composite score determines if the visitor is human Key features: Privacy-friendly — No cookies, no cross-site tracking No image puzzles — Invisible to legitimate users Resistant to AI vision attacks — Proof of Work cannot be solved by image recognition IP binding — Tokens are bound to the solver’s IP address Adaptive difficulty — Suspicious visitors receive harder challenges 22+ integrations — Works with major WordPress form plugins Lightweight — Widget is under 25KB gzipped, zero dependencies, 42 languages Supported integrations: WordPress login, registration, lost password, comments WooCommerce (checkout, login, register, lost password, pay for order) Contact Form 7 WPForms Gravity Forms Elementor Pro Forms Ninja Forms Fluent Forms Formidable Forms Forminator Jetpack Contact Form Divi (contact form, login) BuddyPress (registration, activity) bbPress (topics, replies) Ultimate Member (login, register, password reset) MemberPress (checkout, login) Paid Memberships Pro Easy Digital Downloads Mailchimp for WordPress GiveWP wpDiscuz wpForo WordPress Multisite signup Shortcode & PHP support: Use [crovly] shortcode in any page or post, or call crovly_render() and crovly_verify() in your theme templates. External services This plugin relies on the Crovly captcha service to function. It connects to two external endpoints: 1. Crovly Widget CDN (get.crovly.com) The plugin loads the JavaScript widget from https://get.crovly.com/widget.js on any page that contains a protected form. The widget runs Proof of Work in the visitor’s browser and collects a hashed browser fingerprint. When: Loaded on frontend pages that display a protected form (login, register, comment, checkout, etc.) What is sent: Standard HTTP request headers (IP address, user agent). No personal data. Terms of Service: https://crovly.com/terms Privacy Policy: https://crovly.com/privacy 2. Crovly Verification API (api.crovly.com) When a visitor submits a protected form, the plugin sends the generated captcha token to https://api.crovly.com/verify-token for server-side verification. When: On form submission of any form protected by Crovly. What is sent: The captcha token (opaque string), the visitor’s IP address (for IP binding), and your Secret Key (for authentication). What is received: A success/failure response indicating whether the token is valid. Terms of Service: https://crovly.com/terms Privacy Policy: https://crovly.com/privacy Both services are operated by Crovly. No data is shared with third parties. The plugin does not set cookies or track visitors across sites.
Top keywords
- crovly18×3.90%
- form9×1.95%
- com8×1.73%
- crovly com8×1.73%
- https6×1.30%
- login6×1.30%
- visitor6×1.30%
- browser5×1.08%
- forms5×1.08%
- ip5×1.08%
- widget5×1.08%
- work5×1.08%
JTZL's Bot Maze
JTZL’s Bot Maze protects your WordPress site from unwanted AI crawlers and scrapers by planting invisible trap links that only bots will follow. When a bot enters the trap maze, it gets lost in an ever-expanding maze of realistic-looking fake pages while it quietly builds a suspicion score based on its behavior. How it works: Trap link injection — Invisible links are added to your real pages. Legitimate visitors never see them, but bots following every link on the page will enter the trap maze. Lazy maze generation — Trap pages link to more trap pages, generated on demand. The deeper a bot goes, the more time it wastes. Bot scoring — Each trap page visit adds suspicion points. Deeper traversal earns bonus points. Once a threshold is reached, the visitor is flagged as a bot. Blocking and tarpitting — Flagged bots can be blocked outright (403), served decoy pages (light tarpit), or slowed down with a deliberate delay (full tarpit). Crawler verification — Known search engine crawlers (Googlebot, Bingbot, etc.) are verified via reverse DNS and exempted from scoring. Features: Zero impact on legitimate visitors — trap links are hidden from humans and search engines Configurable injection method (content, footer, or both) Adjustable scoring thresholds and blocking behavior robots.txt integration to signal trap paths as disallowed Analytics dashboard showing bot activity, top IPs, and score distribution Blocked Bots detail page showing full user agent, score, visit history Optional comprehensive tracking mode to monitor blocked bot persistence Automatic log retention and maintenance via WP-Cron Privacy policy suggestion for GDPR compliance Geographic heat map of bot activity by country with two GeoIP provider options MaxMind GeoLite2 local database — all lookups on your server, GDPR-friendly (recommended) ip-api.com external API — simple setup, no license key required Lightweight — minimal footprint, geographic tracking is fully optional Third-Party Services This plugin offers optional geographic tracking with two provider options. No data is sent to any external service unless a site administrator explicitly enables one of these providers. MaxMind GeoLite2 (Recommended) When MaxMind GeoLite2 is selected as the GeoIP provider (Settings > Bot Maze > Geographic Tracking), the plugin downloads the GeoLite2-Country database from MaxMind and performs all IP-to-country lookups locally. No visitor data leaves your server. What is downloaded: The GeoLite2-Country database (~60 MB), updated weekly via WP-Cron. What is sent to MaxMind: Only your license key during database downloads. No visitor IP addresses are shared. Requires: A free MaxMind license key from maxmind.com/en/geolite2/signup. Service website: https://www.maxmind.com License: GeoLite2 databases are licensed under CC BY-SA 4.0. Terms of service: https://www.maxmind.com/en/geolite2/eula ip-api.com When ip-api.com is selected as the GeoIP provider, the plugin sends visitor IP addresses to ip-api.com to resolve their country of origin. This data is used to display a geographic heat map of bot activity in the admin dashboard. What is sent: The visitor’s IP address only, over unencrypted HTTP. When it is sent: At the time a trap page visit is recorded, only while this provider is selected. Service website: http://ip-api.com Terms of service: https://ip-api.com/docs/legal Privacy policy: ip-api.com does not log queries from the free API endpoint. Note: The free tier only supports HTTP (not HTTPS). If your site must comply with GDPR, use the MaxMind local database option instead. Geographic tracking is off by default and requires explicit opt-in by a site administrator.