Joomla 6.1 has a built-in captcha that works without a Google account, without an API key and without sending anything to a remote server. The plugin is called CAPTCHA - Proof of Work and is available immediately after installing Joomla 6.1. This article explains what it is, how to activate it and what to check afterwards.

What is POW Captcha?

POW stands for Proof of Work, or "proof of work done." Instead of asking the visitor to click traffic lights or zebra crossings or type text, it lets the visitor's browser solve a small maths problem. This takes a normal browser about 100 to 500 milliseconds and the visitor does not notice.

However, for a spambot that wants to send the same form thousands of times an hour, that computational cost adds up to a very high burden. Spam is a matter of economics: if every sending attempt takes computing time, mass spam becomes unfeasible.

The captcha is built on the open source library Altcha, developed by BAU Software from the Czech Republic. The plugin is MIT-licensed and fully embedded in the Joomla core. No external service is involved.

Activate POW Captcha in Joomla 6.1

Setting it up consists of two mandatory steps and two checks that you perform afterwards.

Step 1: enable the plugin

1. In the admin panel, go to Extensions > Plugins.
2. Search for captcha
3. Open the plugin CAPTCHA - Proof of Work.
4. Set Status to Enabled.
5. Save via Save & Close.

During this step, you will see three settings that you can choose over:

Difficulty
Choose from Easy, Medium or Hard. Easy is suitable for a standard contact form. Hard increases the calculation cost per submission, which can be useful for forms that are often abused, such as user registration. Change this only if you actually suffer from spam.

Automatic solution
This determines when the browser starts the puzzle. The default setting "When CAPTCHA field receives focus" is good for most situations. "On submit" adds a small pause when the form is submitted. "On page load" starts as early as possible, but also lets the browser calculate if the visitor never completes the form.

Expiry time
How long the solved puzzle remains valid after being solved. The default value of five minutes is sufficient for almost any contact form. If you have a form with multiple steps that takes the visitor longer to complete, set the expiry time higher.

Step 2: set as default captcha

1. Go to System > Global Configuration
2. Open the Site tab.
3. Find the Default captcha field.
4. Select CAPTCHA - Proof of work.
5. Save.

From this moment on, all forms in Joomla that have the built-in captcha link will automatically use the proof-of-work captcha. These include the contact form, user registration and password reset page.

Step 3: check that it works

Open your website's contact form in a private browser window and submit a test message. The submission should just go through without you having to click or enter anything. Do you see another Google reCAPTCHA widget? If so, it is hard built into the template or an external extension.

Step 4: Disable Google reCAPTCHA

If you were previously using Google reCAPTCHA and POW Captcha is now the default, do the following:

1. Go to Extensions > Plugins.
2. Find CAPTCHA - ReCAPTCHA.
3. Disable the plugin.
4. Remove the site key and secret key from the plugin configuration.

Keys you no longer use do not belong in the database.

How does it work technically?

When the web page loads with a form, the Joomla server stores a mathematical challenge in the database: a random number, a salt and a target value. The visitor's browser then tries to find a number whose hash value (a kind of fingerprint) is below the target value. Once the browser has found that number, it sends it along when sending the form.

The server then checks three things: is the mathematical solution correct, has the expiry time not yet expired and has the solution not been used before? Only if all that is correct is the form processed. The challenge is then removed from the database so that no one can use the same solution twice.

This means that the captcha is stateful: each form view writes a row into the database and each submission deletes that row. For an ordinary website, this is negligible. On a page with many registrations per hour, it is worth keeping an eye on that.

GDPR and privacy laws

French privacy regulator CNIL has ruled that Google reCAPTCHA processes visitor data beyond what is strictly necessary for spam protection. Two companies were fined, partly for using reCAPTCHA without prior consent. German regulators have taken a similar stance for years.

POW Captcha does not send any data to external parties. There is no request to Google or any other service, no browser fingerprinting and no captcha cookie. The visitor data does not leave its own server. For websites that receive visitors from the EU, this is a concrete difference.

Note: If your privacy policy states that you use Google reCAPTCHA for spam protection, remove or update that sentence after you switch.

Accessibility

Classic captchas have been a stumbling block for people with visual impairments, motor impairments or cognitive disabilities for decades. The W3C published a paper on this back in 2005 and the problem has not been solved since then.

POW Captcha is completely invisible to the visitor. There is no image to recognise, no audio to listen to and no button to click. The browser does the work in the background. Altcha, the underlying library, complies with WCAG 2.2 level AA and with the European Accessibility Act 2025.