Add bot protection to any website in under 2 minutes with just 2 lines of code.
<script src="https://captcha.btebresult.tech/embed.js"
data-sitekey="YOUR_SITE_KEY"></script><?php
$token = $_POST['shield_token'] ?? '';
$res = file_get_contents('https://captcha.btebresult.tech/api/validate.php', false,
stream_context_create(['http'=>['method'=>'POST',
'header'=>"Content-Type: application/json\r\nX-API-Key: YOUR_KEY\r\n",
'content'=>json_encode(['token'=>$token])
]])
);
if (!json_decode($res,true)['valid']) die('Bot!');
// ✅ Real human+15
-25 if fast
+8
score=0
-30
+12
-20
+10
Works on any PHP site — WordPress themes, custom sites, contact forms, etc.
<head>Open your HTML file or PHP template (e.g. header.php) and paste before </head>
<!-- Paste in <head> section -->
<script src="https://captcha.btebresult.tech/embed.js"
data-sitekey="YOUR_SITE_KEY"></script>In the PHP file that receives your form POST request:
<?php
// form-handler.php
function shieldcaptcha_verify(string $token): bool {
$res = @file_get_contents(
'https://captcha.btebresult.tech/api/validate.php',
false,
stream_context_create(['http' => [
'method' => 'POST',
'timeout' => 5,
'header' => "Content-Type: application/json\r\n"
. "X-API-Key: YOUR_SITE_KEY\r\n",
'content' => json_encode(['token' => $token])
]])
);
if (!$res) return true; // fail open — network error
return json_decode($res, true)['valid'] ?? false;
}
// In your form handler:
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$token = $_POST['shield_token'] ?? '';
if (!shieldcaptcha_verify($token)) {
http_response_code(403);
die('Security check failed. Please refresh and try again.');
}
// ✅ Real human — process form
$name = htmlspecialchars($_POST['name'] ?? '');
$email = htmlspecialchars($_POST['email'] ?? '');
// ... your code here
}There are two ways to integrate ShieldCaptcha with WordPress. Choose the one that fits your setup.
Go to Appearance → Theme Editor → functions.php (or use a child theme). Add this at the bottom:
// ── ShieldCaptcha for WordPress ──────────────────────
define('SC_SITE_KEY', 'YOUR_SITE_KEY');
define('SC_API_URL', 'https://captcha.btebresult.tech/api/validate.php');
define('SC_EMBED_URL','https://captcha.btebresult.tech/embed.js');
// 1. Add embed.js to all pages
add_action('wp_head', function() {
echo '' . "\n";
});
// 2. Verify function
function sc_verify(string $token): bool {
if (empty($token)) return false;
$res = wp_remote_post(SC_API_URL, [
'headers' => [
'Content-Type' => 'application/json',
'X-API-Key' => SC_SITE_KEY,
],
'body' => json_encode(['token' => $token]),
'timeout' => 5,
]);
if (is_wp_error($res)) return true; // fail open
return json_decode(wp_remote_retrieve_body($res), true)['valid'] ?? false;
}
// 3. Protect Contact Form 7
add_filter('wpcf7_validate', function($result, $tags) {
$token = sanitize_text_field($_POST['shield_token'] ?? '');
if (!sc_verify($token)) {
$result->invalidate('', 'Security check failed. Please refresh the page.');
}
return $result;
}, 10, 2);
// 4. Protect WooCommerce checkout
add_action('woocommerce_checkout_process', function() {
$token = sanitize_text_field($_POST['shield_token'] ?? '');
if (!sc_verify($token)) {
wc_add_notice('Security check failed. Please refresh.', 'error');
}
});
// 5. Protect WordPress comments
add_filter('preprocess_comment', function($data) {
$token = sanitize_text_field($_POST['shield_token'] ?? '');
if (!sc_verify($token)) {
wp_die('Security check failed.', 'Error', ['back_link' => true]);
}
return $data;
});
// 6. Protect WP Login form
add_action('login_head', function() {
echo '';
});
add_filter('authenticate', function($user, $username, $password) {
if (!empty($_POST['shield_token'])) {
if (!sc_verify($_POST['shield_token'])) {
return new WP_Error('sc_failed', 'Security check failed.');
}
}
return $user;
}, 30, 3);WordPress Admin → Plugins → Add New → search "Header Footer Scripts" → Install & Activate
Paste in the Header section:
<script src="https://captcha.btebresult.tech/embed.js"
data-sitekey="YOUR_SITE_KEY"></script>Add the sc_verify() function and hooks from Method A to your functions.php
Use the JS event listener approach for React SPAs and Next.js apps.
// app/layout.tsx (Next.js 13+ App Router)
import Script from 'next/script'
export default function RootLayout({ children }) {
return (
<html>
<body>
{children}
<Script
src="https://captcha.btebresult.tech/embed.js"
data-sitekey="YOUR_SITE_KEY"
strategy="afterInteractive"
/>
</body>
</html>
)
}// hooks/useShieldCaptcha.ts
import { useEffect, useState } from 'react'
export function useShieldCaptcha() {
const [token, setToken] = useState<string | null>(null)
const [verified, setVerified] = useState(false)
useEffect(() => {
const handler = (e: any) => {
setToken(e.detail.token)
setVerified(true)
}
window.addEventListener('shield:pass', handler)
// Check if already verified
if ((window as any).shieldToken) {
setToken((window as any).shieldToken)
setVerified(true)
}
return () => window.removeEventListener('shield:pass', handler)
}, [])
return { token, verified }
}
// ── Usage in a form component ────────────────────────
// ContactForm.tsx
export default function ContactForm() {
const { token, verified } = useShieldCaptcha()
const handleSubmit = async (e: React.FormEvent) => {
e.preventDefault()
if (!token) return alert('Security check not complete yet.')
const res = await fetch('/api/contact', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ name, email, message, shield_token: token })
})
const data = await res.json()
console.log(data)
}
return (
<form onSubmit={handleSubmit}>
<input name="name" placeholder="Name" />
<input name="email" type="email" placeholder="Email" />
<button type="submit" disabled={!verified}>
{verified ? 'Send Message' : 'Security check...'}
</button>
</form>
)
}
// ── Server-side validation (Next.js API route) ───────
// app/api/contact/route.ts
export async function POST(req: Request) {
const body = await req.json()
const token = body.shield_token || ''
const res = await fetch('https://captcha.btebresult.tech/api/validate.php', {
method: 'POST',
headers: { 'Content-Type': 'application/json', 'X-API-Key': process.env.SC_SITE_KEY! },
body: JSON.stringify({ token })
})
const check = await res.json()
if (!check.valid) return Response.json({ error: 'Bot detected' }, { status: 403 })
// ✅ process contact form...
return Response.json({ success: true })
}// composables/useShieldCaptcha.js
import { ref, onMounted, onUnmounted } from 'vue'
export function useShieldCaptcha() {
const token = ref(null)
const verified = ref(false)
function onPass(e) {
token.value = e.detail.token
verified.value = true
}
onMounted(() => {
window.addEventListener('shield:pass', onPass)
if (window.shieldToken) {
token.value = window.shieldToken
verified.value = true
}
})
onUnmounted(() => window.removeEventListener('shield:pass', onPass))
return { token, verified }
}
// ── In your component ─────────────────────────────────
// ContactForm.vue
<script setup>
import { useShieldCaptcha } from '@/composables/useShieldCaptcha'
const { token, verified } = useShieldCaptcha()
async function submit() {
if (!token.value) return
await $fetch('/api/contact', {
method: 'POST',
body: { ...formData, shield_token: token.value }
})
}
</script>
// ── Nuxt — add to nuxt.config.ts ────────────────────
export default defineNuxtConfig({
app: {
head: {
script: [{ src: 'https://captcha.btebresult.tech/embed.js', 'data-sitekey': 'YOUR_KEY' }]
}
}
})// 1. Add to .env
SC_SITE_KEY=your_site_key_here
SC_API_URL=https://captcha.btebresult.tech/api/validate.php
// 2. Create a middleware: app/Http/Middleware/VerifyShieldCaptcha.php
namespace App\Http\Middleware;
use Closure; use Illuminate\Http\Request;
class VerifyShieldCaptcha {
public function handle(Request $request, Closure $next) {
$token = $request->input('shield_token', '');
$response = \Http::timeout(5)
->withHeaders([
'X-API-Key' => env('SC_SITE_KEY'),
'Content-Type' => 'application/json',
])
->post(env('SC_API_URL'), ['token' => $token]);
if (!$response->successful() || !$response->json('valid')) {
return response()->json(['error' => 'Bot detected'], 403);
}
return $next($request);
}
}
// 3. Register in bootstrap/app.php (Laravel 11+)
->withMiddleware(function (Middleware $middleware) {
$middleware->alias(['shieldcaptcha' => \App\Http\Middleware\VerifyShieldCaptcha::class]);
})
// 4. Use on routes
Route::post('/contact', [ContactController::class, 'store'])
->middleware('shieldcaptcha');
// 5. Add to Blade layout (resources/views/layouts/app.blade.php)
// Before </head>:
<script src="https://captcha.btebresult.tech/embed.js"
data-sitekey="{{ env('SC_SITE_KEY') }}"></script># 1. utils/shieldcaptcha.py
import requests
SC_SITE_KEY = 'YOUR_SITE_KEY'
SC_API_URL = 'https://captcha.btebresult.tech/api/validate.php'
def verify_token(token: str) -> bool:
try:
r = requests.post(SC_API_URL,
json={'token': token},
headers={'X-API-Key': SC_SITE_KEY},
timeout=5)
return r.json().get('valid', False)
except Exception:
return True # fail open
# 2. views.py
from django.http import HttpResponseForbidden, JsonResponse
from utils.shieldcaptcha import verify_token
def contact(request):
if request.method == 'POST':
token = request.POST.get('shield_token', '')
if not verify_token(token):
return HttpResponseForbidden('Bot detected')
# ✅ process form...
return JsonResponse({'success': True})
# 3. base.html — before </head>
# {% block head %}
<script src="https://captcha.btebresult.tech/embed.js"
data-sitekey="YOUR_SITE_KEY"></script>from flask import Flask, request, jsonify, abort
import requests
app = Flask(__name__)
SC_KEY = 'YOUR_SITE_KEY'
SC_URL = 'https://captcha.btebresult.tech/api/validate.php'
def sc_verify(token):
try:
r = requests.post(SC_URL, json={'token': token},
headers={'X-API-Key': SC_KEY}, timeout=5)
return r.json().get('valid', False)
except:
return True # fail open
@app.route('/contact', methods=['POST'])
def contact():
token = request.form.get('shield_token','') or \
request.json.get('shield_token','') if request.is_json else ''
if not sc_verify(token):
abort(403, 'Bot detected')
return jsonify({'success': True})from fastapi import FastAPI, HTTPException, Form
import httpx
app = FastAPI()
SC_KEY = 'YOUR_SITE_KEY'
SC_URL = 'https://captcha.btebresult.tech/api/validate.php'
async def sc_verify(token: str) -> bool:
async with httpx.AsyncClient() as client:
try:
r = await client.post(SC_URL,
json={'token': token},
headers={'X-API-Key': SC_KEY},
timeout=5)
return r.json().get('valid', False)
except:
return True
@app.post('/contact')
async def contact(shield_token: str = Form('')):
if not await sc_verify(shield_token):
raise HTTPException(403, 'Bot detected')
return {'success': True}// middleware/shieldCaptcha.js
const SC_KEY = process.env.SC_SITE_KEY || 'YOUR_SITE_KEY';
const SC_URL = 'https://captcha.btebresult.tech/api/validate.php';
async function verifyToken(token) {
try {
const res = await fetch(SC_URL, {
method: 'POST',
headers: { 'Content-Type': 'application/json', 'X-API-Key': SC_KEY },
body: JSON.stringify({ token }),
signal: AbortSignal.timeout(5000),
});
return (await res.json()).valid === true;
} catch { return true; } // fail open
}
// Middleware
module.exports = (req, res, next) => {
const token = req.body?.shield_token || '';
verifyToken(token).then(valid => {
if (!valid) return res.status(403).json({ error: 'Bot detected' });
next();
});
};
// ── Express app.js ────────────────────────────────────
const express = require('express');
const shieldMW = require('./middleware/shieldCaptcha');
const app = express();
app.use(express.json());
// Apply to specific routes
app.post('/contact', shieldMW, (req, res) => res.json({ ok: true }));
app.post('/checkout', shieldMW, (req, res) => res.json({ ok: true }));
// ── Add embed.js (EJS template) ───────────────────────
// views/layout.ejs — before </head>:
<script src="https://captcha.btebresult.tech/embed.js"
data-sitekey="<%= process.env.SC_SITE_KEY %>"></script>Scores the visitor. Returns auto-pass token OR signals to show CAPTCHA. Called automatically by embed.js.
| Field | Type | Description |
|---|---|---|
site_key | string | Site API key REQ |
mouse_moves | int | Mouse event count |
time_ms | int | Ms since page load |
scrolled | bool | User scrolled? |
hp_field | bool | Honeypot filled? |
Click any type to try a live preview of how it looks and works.
| Plan | Price | Sites | Req/mo | CAPTCHA Types |
|---|---|---|---|---|
| Free | $0 | 1 | 5,000 | Basic |
| Pro | $9/mo | 10 | 100,000 | All 25 |
| Business | $29/mo | ∞ | 1,000,000 | All 25 |
| HTTP | Error | Fix |
|---|---|---|
400 | Missing fields | Check required params |
400 | Token expired | Token is one-time, 10 min TTL |
403 | Invalid site_key | Check your API key in dashboard |
429 | Limit reached | Upgrade plan |