Evolving Joomla: User-friendly, Privacy-first, Independent Built-in-Captcha coming to Joomla Core
With the release of Joomla 5, the reCAPTCHA plugins were removed from Joomla core, for a number of good reasons. The downside was that the Joomla core was left without a captcha integrated by default, meaning that forms could only be protected against spam using third-party plugins. The good news is that this is going to change again. We’re introducing a better, native and user-friendly solution, built into Joomla’s core and not depending on third-party services.
For a CMS like Joomla, which has traditionally been well positioned in the area of security, this is a serious problem: it undermines the strong market position the CMS holds in this field. This issue was also discussed during the Joomla 8 Sprint in August 2025. The solution was clear: Joomla needs an effective captcha again.
Learning from the past
The former core captchas were based on Google’s reCAPTCHA service. At the time of its initial implementation, the service was attractive because it was hosted by Google, continuously adapted to new spam bots, and free of charge.
However, there were also numerous problems: users could not simply activate the captcha but first had to register their site with Google. As part of modernization efforts, Google gradually phased out older captcha versions and recently introduced the requirement to provide a payment method in order to use reCAPTCHA—so the hurdles for site operators kept getting higher and higher.
Even more important, however, was reCAPTCHA’s impact on the user experience: in the age of AI, spam bots are becoming better and better at solving the tasks they are given. As a result, the tasks that end users had to solve also became increasingly complex. This is a problem affecting the entire “traditional” captcha industry: the idea of using a captcha to prove that a user is actually human is increasingly turning out to be a dead end.
A new captcha solution for the Joomla core therefore needed to be independent of third-party services, so that it could be activated with just a click—and it needed to use a mechanism that does not aim to test the “humanness” of users.
Proof-of-Work Captchas
Joomla 6.1 therefore introduces a captcha based on the Proof-of-Work (POW) method: Joomla generates a math task that the visitor’s computer must solve. Generating the task and verifying the solution are very fast and require hardly any resources, while finding the solution itself is computationally expensive and therefore takes significantly longer. To solve the captcha, visitors do not have to prove that they are human, but “only” that they are willing to invest the necessary computing power to solve the task. Automated form spamming is a business model that only works through sheer volume—if sending a single message becomes slow and computationally expensive, the business model no longer works.
For human visitors, on the other hand, the user experience is significantly better than with traditional captchas: their browser automatically solves the required computational task in the background while the user fills out the form. A pleasant advantage of this approach is that a Proof-of-Work captcha is also fully accessible.
Integration in Joomla 6.1
Joomla 6.1 adds such a Proof-of-Work captcha plugin, based on the open-source library ALTCHA. However, the captcha plugin is deliberately designed in such a way that the core could replace the current ALTCHA-based implementation with an alternative system if the need arises in the future. ALTCHA operates completely independently of hosted services, meaning no registration with an external provider is required, no API keys are needed, and there are no conflicts with local data protection laws.
In subsequent versions of Joomla, the Proof-of-Work implementation is planned to be complemented by a so-called rate-limiting mechanism: if multiple POW challenges are requested from a single source (or, more specifically, an IP address) within a short period of time—i.e. if a form is submitted multiple times—the complexity of the tasks to be solved will increase with each new submission. This makes it even less attractive for spammers to invest the computing time required to solve the challenges, as the necessary resources would continue to increase with every submission.
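The asymmetry described under "Proof-of-Work Captchas" and the planned per-source escalation, as an added Node.js example that is not Joomla's or ALTCHA's code. The salted SHA-256 search, the HMAC-signed stateless challenge, the doubling rule and all names and constants (`HMAC_KEY`, `BASE_MAX`, `MAX_DOUBLINGS`, the 120-second lifetime) are assumptions chosen for illustration.

```javascript
// Added example: hash-based proof-of-work challenge (illustrative, not Joomla's or ALTCHA's code).
const crypto = require('node:crypto');

const HMAC_KEY = crypto.randomBytes(32); // server-side secret, constructed for this demo
const BASE_MAX = 5000;                   // assumed search space for a first request
const MAX_DOUBLINGS = 8;                 // assumed cap on escalation

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
const sign = (s) => crypto.createHmac('sha256', HMAC_KEY).update(s).digest('hex');

// Assumed escalation rule: the search space doubles per recent request from one source.
function maxNumberFor(recentRequests) {
  return BASE_MAX * 2 ** Math.min(recentRequests, MAX_DOUBLINGS);
}

// Server: cheap to create. One random draw, one hash, one HMAC; nothing is stored.
function createChallenge(recentRequests, now = Date.now(), ttlMs = 120000) {
  const maxNumber = maxNumberFor(recentRequests);
  const salt = `${crypto.randomBytes(12).toString('hex')}.${now + ttlMs}`;
  const secret = crypto.randomInt(0, maxNumber + 1);
  const challenge = sha256(salt + secret);
  return { salt, challenge, maxNumber, signature: sign(`${salt}|${challenge}`) };
}

// Client: expensive. Try numbers until the hash matches (about maxNumber / 2 hashes on average).
function solve({ salt, challenge, maxNumber }) {
  for (let n = 0; n <= maxNumber; n++) {
    if (sha256(salt + n) === challenge) return n;
  }
  return null;
}

// Server: cheap to verify. Check the signature, then the expiry, then one hash.
function verify({ salt, challenge, signature, number }, now = Date.now()) {
  const expected = Buffer.from(sign(`${salt}|${challenge}`));
  const given = Buffer.from(String(signature));
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return false;
  if (now > Number(salt.split('.')[1])) return false; // expiry is carried inside the signed salt
  return Number.isInteger(number) && sha256(salt + number) === challenge;
}
```

Because the challenge is stateless, a solved challenge stays valid until it expires; a deployment that needs single-use solutions also has to remember which challenges were already accepted.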
Some articles published on the Joomla Community Magazine represent the personal opinion or experience of the Author on the specific topic and might not be aligned to the official position of the Joomla Project