Dokumentasi Pengguna Dokumentasi Pengembang | |

Spam Protection

Protect comment forms and the contact form from bots using hCaptcha and a honeypot field.

TL;DR

Go to Admin → Settings → Spam. Enter your hCaptcha Site Key and Secret Key (get them free at hcaptcha.com). Once both keys are saved, hCaptcha appears automatically on comment and contact forms.

Details

Why hCaptcha?

Pubvana uses hCaptcha rather than reCAPTCHA. hCaptcha is privacy-friendly (GDPR-compliant by design), does not track users across the web, and offers a generous free tier suitable for most sites.

Getting Your Keys

  1. Sign up at hcaptcha.com.
  2. Add your site and obtain two keys:
    • Site Key — a public key embedded in the form HTML.
    • Secret Key — a private key used on the server to verify the response. Never share this publicly.

Configuring in Pubvana

  1. Go to Admin → Settings → Spam.
  2. Paste your Site Key and Secret Key into the respective fields.
  3. Click Save.

Once both keys are present, the hCaptcha widget is automatically injected into:

  • Comment forms on blog post pages
  • The contact page form

No theme or template changes are required.

How Verification Works

When a user submits a form with hCaptcha:

  1. The browser collects a hCaptcha response token from the widget.
  2. The token is posted with the form data to the Pubvana controller.
  3. HCaptchaService sends the token to https://hcaptcha.com/siteverify along with the Secret Key.
  4. If the API returns success: true, the submission proceeds normally.
  5. If the API returns success: false (bot detected, token expired, or missing), the form is rejected and an error message is displayed.

Honeypot Protection

In addition to hCaptcha, Pubvana adds a honeypot field to comment and contact forms as a second layer of defence. The honeypot is a hidden form field that legitimate users never see or fill in. Automated bots that blindly fill all fields will populate the honeypot, causing the submission to be silently discarded.

Honeypot protection is always active — it does not require any configuration.

Disabling Spam Protection

To disable hCaptcha, clear both keys in Admin → Settings → Spam and save. The widget will no longer appear on forms. Honeypot protection remains active regardless.