Published: April 26, 2026
If you've ever added reCAPTCHA to a client project and felt a small pang of guilt, you're not alone. We've been there plenty of times bolting Google's widget onto a contact form because it's the path of least resistance, all while knowing it tracks visitors, drops cookies, and sends data halfway around the world. For a while there wasn't a genuinely good alternative in the CakePHP ecosystem. So we built one.
Today we're open-sourcing cakephp-altcha, a CakePHP 5 plugin that integrates ALTCHA a proof-of-work CAPTCHA mechanism that verifies humans without harvesting their data. The plugin is available now on GitHub and via Composer.
Why we moved away from reCAPTCHA
reCAPTCHA works. Nobody disputes that. But if you're building sites for UK or European clients, the compliance picture has become increasingly uncomfortable. The widget loads third-party scripts, sets cookies, and processes personal data on Google's servers. Under current ICO guidance and the GDPR, that means cookie consent banners, a valid legal basis for the data transfer, and if we're being honest a lengthy entry in your privacy policy that most visitors will never read.
We wanted something simpler. Something that just stops bots without turning your privacy policy into a novel.
What ALTCHA actually does
ALTCHA takes a fundamentally different approach. Instead of analysing user behaviour or fingerprinting browsers, it issues a small cryptographic puzzle that the visitor's browser solves in the background. It's a proof-of-work challenge trivial for a real device, expensive to repeat at scale for a bot army. No cookies, no tracking, no external data processing.
The clever bit is that it's entirely self-hosted. The challenge is generated and verified on your own server. Nothing leaves your infrastructure. That makes GDPR compliance almost a non-issue, which is exactly the kind of sentence we like writing.
What the plugin gives you
Our CakePHP 5 plugin wraps the whole flow into something you can drop into an existing application in minutes. It provides a helper that renders the ALTCHA widget in your templates, a component that handles server-side verification in your controllers, and sensible default configuration that you can override in your app's config files. We've kept the API surface small on purpose there's no reason this should be complicated.
Installation is the usual Composer one-liner, and we've written up clear documentation in the repository's README covering setup, configuration options, and a working example. If you've integrated any CakePHP plugin before, this will feel familiar.
Why open-source it
Honestly, because we think more CakePHP projects should be considering this. The framework has a loyal community, but the ecosystem of modern, privacy-conscious tooling can feel thin compared to Laravel or Symfony. We'd rather contribute a solution than quietly keep it in our own stack.
We also benefit from other people stress-testing it. If someone finds an edge case we haven't hit, that makes the plugin better for our own client projects too. Open source isn't charity it's enlightened self-interest, and we're fine admitting that.
When you might not need it
We should be upfront: ALTCHA's proof-of-work model is excellent at stopping automated spam at scale, but it isn't a silver bullet for every threat model. If you're dealing with targeted, sophisticated attacks where someone is willing to burn compute on solving challenges, you'll want additional layers rate limiting, honeypot fields, server-side validation, the usual defence-in-depth approach. For the vast majority of contact forms, registration pages, and enquiry submissions though, it does the job cleanly and privately.
Give it a look
The repository is at github.com/azzmin/cakephp-altcha. Stars, issues, and pull requests are all welcome. If you're running CakePHP 5 and you've been meaning to sort out your CAPTCHA situation, this is a good weekend project though realistically it'll take you about fifteen minutes, not a weekend.
And if you'd rather we handled the whole thing - whether that's swapping out reCAPTCHA on an existing site, building something new, or just talking through your options get in touch. We're always happy to chat.