Zum Inhalt springen
ALTCHA ALTCHA ALTCHA

Dieser Inhalt ist noch nicht in deiner Sprache verfügbar.

WordPress How To

This guide explains how to fine-tune where ALTCHA runs in your WordPress site — including disabling protection for specific plugins and controlling where the widget scripts are injected.

Other resources:

Disabling ALTCHA for Certain Plugins

By default, ALTCHA protects all non-viewer requests (e.g., POST requests). Some plugins rely on front-end Ajax requests (e.g., cookie banners, notification widgets, or certain form plugins), and may not work correctly if those requests are protected.

If you need to disable ALTCHA for a specific plugin, you can exclude the plugin’s Ajax paths or actions under Settings:

  • If the plugin uses a REST API endpoint such as /wp-json/some-plugin/submit, add this to Paths:

    !/wp-json/some-plugin/submit

    Or exclude all requests from that plugin:

    !/wp-json/some-plugin/*

  • If the plugin uses admin-ajax.php, add the Ajax action name to Actions:

    !action_name

Alternatively, if you only want to protect selected forms or actions, edit the Actions list by removing the default wildcard * (which matches everything) and specify only the actions you want to protect.

For more examples, see Special Plugin Configuration.

Controlling Where the Scripts Are Injected

By default, the widget scripts are injected into every page. To improve performance, you can limit script injection only to pages that require protection.

You have two options:

  1. Configure Paths in the plugin Settings
  2. Use the altcha_inject filter for full programmatic control

The examples below inject the ALTCHA scripts only on /contact and all pages under /shop/*.

Example using Paths (Settings):

/contact
/shop/*

Note: the default * wildcard has been removed. Leaving it would inject the scripts on all pages.

Example using the altcha_inject filter:

function altcha_inject_filter($inject, $bypass)
{
  global $pagenow;
  $altcha = AltchaPlugin::$instance;


  if ($bypass) {
    // Don't inject if a bypass (logged in, whitelisted IP, etc.) is triggered
    return false;
  }


  if ("wp-login.php" === $pagenow) {
    // Inject on the WordPress login page when "Protect Login" is enabled
    return true;
  }


  $inject_paths = array(
    "/contact",
    "/shop/*"
  );


  if ($altcha->match_patterns($altcha->get_request_path(), $inject_paths)) {
    // Inject only on matching paths
    return true;
  }


  return false;
}


add_filter("altcha_inject", "altcha_inject_filter", 10, 2);