The Most Advanced reCAPTCHA Solution for OpenCart 4

Protect your store from spam, bots, and automated attacks with the most comprehensive Google reCAPTCHA v3 implementation available for OpenCart. Built with enterprise-level security features and zero impact on user experience.

### Why Choose This Extension?

Unlike basic reCAPTCHA implementations, this extension provides a complete security ecosystem designed for serious e-commerce stores. Every feature has been engineered to stop threats while maintaining seamless customer experience.

### Core Features

**Invisible Protection**
- Completely invisible to legitimate users - no checkboxes, no interruptions
- Advanced score-based validation (0.0 to 1.0 threshold)
- Automatic threat detection powered by Google's machine learning
- Works silently in the background on every protected form

**Hybrid v3/v2 System**
- Automatically falls back to visible v2 checkbox for suspicious users
- Configurable fallback threshold gives second chances to legitimate users
- Balances security with user experience perfectly
- Reduces false positives while maintaining strong protection

**Enterprise Route Protection**
- Account Registration - Stop fake account creation
- Account Login - Prevent credential stuffing attacks
- Forgotten Password - Block brute force attempts
- Contact Forms - Eliminate spam submissions
- Product Reviews - Stop fake review bots
- Guest Checkout - Prevent fraudulent orders
- Checkout Registration - Block automated account creation
- Checkout Confirmation - Advanced payment fraud protection
- Newsletter Subscription - Stop email harvesting bots
- API Order Creation - Protect against API abuse

**Advanced IP Blocking**
- Automatic IP blocking after configurable failed attempts
- Temporary blocks with customizable duration (5 minutes to 7 days)
- Permanent blocking capability for persistent threats
- Manual block/unblock from admin dashboard
- Whitelist trusted IPs to prevent accidental blocks
- Tracks block history and failed attempt patterns

**Intelligent Rate Limiting**
- Configurable attempt threshold (1-100 attempts)
- Adjustable time window (1 minute to 1 hour)
- Automatic escalation from warning to block
- Prevents brute force attacks across all protected forms
- Works independently per IP address
- Smart detection of distributed attacks

**Comprehensive Analytics Dashboard**
- Real-time monitoring of all captcha attempts
- Visual score distribution charts
- Success/failure rate tracking
- Daily, weekly, and monthly trend analysis
- Geographic IP tracking
- Route-specific performance metrics
- Blocked IP management interface
- Export capabilities for external analysis

**Advanced Validation Options**
- Action name verification prevents token replay attacks
- Hostname verification stops token theft across domains
- Token expiration checking (60-300 seconds configurable)
- Challenge timestamp validation
- Cryptographic signature verification
- Multi-layer security checks

**Professional Logging System**
- Every attempt logged to database with full details
- IP address, timestamp, score, route, and outcome tracking
- Configurable log retention (1-365 days)
- Automatic cleanup of old logs
- User agent tracking for forensic analysis
- Error categorization for troubleshooting
- Privacy-compliant data handling

### Technical Excellence

**Modern Architecture**
- Built specifically for OpenCart 4.1.0.3
- Event-driven system - no file modifications required
- Clean MVC separation
- PSR-compliant PHP code
- Namespace-based organization
- Zero conflicts with other extensions

**Database Performance**
- Optimized indexed queries for instant lookups
- Aggregated statistics reduce query overhead
- Automatic expired data cleanup
- Efficient batch operations
- Minimal storage footprint
- Scales to millions of attempts

**Developer Friendly**
- Comprehensive PHPDoc documentation
- Clean, readable code structure
- Easy to customize and extend
- Hook system for custom integrations
- Debug mode for development
- API-ready architecture

### Security Features

**Multi-Layer Protection**
1. IP block check - Instant rejection of known threats
2. Rate limit check - Prevents brute force attacks
3. Token validation - Verifies authentic Google response
4. Score threshold - Machine learning threat assessment
5. Action verification - Prevents token replay
6. Hostname verification - Stops cross-domain attacks
7. Expiration check - Enforces token freshness
8. Session validation - Prevents duplicate submissions

**Attack Prevention**
- Credential stuffing protection on login forms
- Brute force mitigation on password recovery
- Spam bot blocking on contact forms
- Review manipulation prevention
- Fake account creation blocking
- Payment fraud detection on checkout
- API abuse prevention
- Distributed attack detection

**Compliance & Privacy**
- GDPR compliant data handling
- Configurable data retention periods
- No personal data stored beyond IP addresses
- Automatic log cleanup
- Export capabilities for data requests
- Privacy-focused design