Snaptcha Logo Snaptcha

Invisible CAPTCHA to pre­vent spam form sub­missions.

Invisible and completely unobtrusive form spam prevention.

Prevents spam bots from submitting to your site.

Works automatically with any form and any plugin.

Snaptcha (Simple Non-obtrus­ive Auto­mated Pub­lic Tur­ing test to tell Com­puters and Humans Apart) will val­id­ate all POST requests to the front-end of your site, mean­ing that it will work with any form and any plugin. 


Note that since this will affect all POST requests, you must add the required tem­plate tag before enabling val­id­a­tion (see usage instructions).

To get Snaptcha v1 for Craft CMS 2, please pur­chase a license through the Craft 3 Plu­gin Store and send your receipt to [email protected]​putyourlightson.​net. We will then email you the leg­acy plugin.

License #

This plu­gin requires a com­mer­cial license pur­chas­able through the Craft Plu­gin Store. The license fee is $29 plus $9 per sub­sequent year for updates (option­al).

Require­ments #

Craft CMS 3.0.0 or later.

Usage #

Install­a­tion #

To install the plu­gin, search for Snaptcha” in the Craft Plu­gin Store, or install manu­ally using composer.

composer require putyourlightson/craft-snaptcha

After installing the plu­gin, go to the plu­gin set­tings page. Snaptcha val­id­a­tion is dis­abled by default so that you can first add the required tem­plate tag to your forms. Once you have done this you can enable Snaptcha validation.

Add the fol­low­ing tem­plate tag to every form that sub­mits a POST request to your site. This will out­put a hid­den input field along with some JavaS­cript code.

{{ craft.snaptcha.field }}      // Outputs a hidden input field

If you are sub­mit­ting a POST request through AJAX then you can get the field name and value as follows.

{{ craft.snaptcha.fieldName }}       // Outputs the name of the field

{{ craft.snaptcha.fieldValue }}      // Outputs the value of the field

You can option­ally use the getField and getFieldValue meth­ods to pass in con­fig­ur­a­tion val­ues that will over­ride the default val­ues in the plu­gin settings.

{% set config = {expirationTime: 60, minimumSubmitTime: 3} %}

{{ craft.snaptcha.getField(config) }}         // Outputs a hidden input field

{{ craft.snaptcha.getFieldValue(config) }}    // Outputs the value of the field

Set­tings #

Val­id­a­tion Enabled #

With this set­ting enabled, Snaptcha will val­id­ate all forms sub­mit­ted through POST requests. Ensure that all of your forms that sub­mit via POST requests have the neces­sary tags in place before enabling this.

One Time Key #

Enabling this will restrict the num­ber of times that a form can be sub­mit­ted to one time per page refresh. This is a strong secur­ity meas­ure and is recom­men­ded for low to medi­um traffic sites. For high traffic sites, dis­abling this will pre­vent the data­base table that the plu­gin uses from get­ting too big. 

Log Rejec­ted #

Wheth­er rejec­ted form sub­mis­sions should be logged (log will be writ­ten to storage/logs/snaptcha.log).

Field Name #

The name of the hid­den Snaptcha input field.

Error Mes­sage #

The error mes­sage that will be dis­played if Snaptcha iden­ti­fies a sub­mis­sion as spam.

Expir­a­tion Time #

The expir­a­tion time for form sub­mis­sions in minutes.

Min­im­um Sub­mit Time #

The min­im­um time for form sub­mis­sion in seconds (increase this to harden spam blocking).

Excluded URI Pat­terns #

The URI pat­terns to exclude from validation.

URI pat­terns use PCRE reg­u­lar expres­sions. Below are some com­mon use cases. You can ref­er­ence the full syn­tax here.

  • . Matches any character
  • .* Matches any char­ac­ter 0 or more times
  • .+ Matches any char­ac­ter 1 or more times
  • \d Matches any four digits
  • \w Matches any word character
  • entries Matches any­thing con­tain­ing entries”
  • ^entries Matches any­thing begin­ning with entries”
  • ^entries/entry$ Matches exact URI

Black­list #

IP addresses to black­list from all form submissions.

Con­fig Set­tings #

Snaptcha comes with a con­fig file for a multi-envir­on­ment way to set the plu­gin set­tings. To use it, copy the config.php to your project’s main config dir­ect­ory as snaptcha.php and uncom­ment any set­tings you wish to change.

Dis­abling Val­id­a­tion #

Val­id­a­tion can be dis­abled by spe­cify­ing URI pat­terns to exclude. Adding a prop­erty called $enableSnaptchaValidation to any con­trol­ler class and set­ting it to false will dis­able val­id­a­tion when the actions in that class are called.

class WebhookController extends Controller
   * @var bool Disable Snaptcha validation
  public $enableSnaptchaValidation = false;

Test­ing Snaptcha #

If you want to test or see how Snaptcha works on your site then nav­ig­ate to one of your forms, open your browser’s inspect­or and delete the input field that Snaptcha inser­ted. It will usu­ally be inside your form’s markup and will have an ID that begins with the pre­fix in your exten­sion set­tings (snaptcha by default). After delet­ing the input field, sub­mit the form and the error mes­sage from your plu­gin set­tings should appear.