
Math CAPTCHA: What It Is, Examples & Why It Falls Short

Math CAPTCHA explained: how it works, number captcha examples, why bots bypass it instantly, and what modern alternatives actually protect your site.

Published May 07, 2026 · 9 min read

Math CAPTCHA at a Glance — Key takeaways

What Is a Math CAPTCHA?
A math CAPTCHA presents users with a simple arithmetic question — such as "3 + 5 = ?" — to prove they are human. It is one of the oldest CAPTCHA types and is still found in many legacy contact forms, WordPress plugins, and open-source forum software.
Security: Bypassed in Minutes by Any Bot
Modern AI tools and free open-source solvers crack math CAPTCHAs instantly. A screenshot fed into ChatGPT returns the answer before a human could type it. For any technically capable attacker, a math CAPTCHA offers the same protection as no CAPTCHA at all.
Accessibility: A Real Compliance Risk for EU Sites
Arithmetic questions impose cognitive load and exclude users with dyscalculia or cognitive disabilities. Under the European Accessibility Act (EAA), effective June 2025, math CAPTCHAs without accessible alternatives may be non-compliant for businesses operating in the EU.
Modern Alternatives Run Invisibly
Invisible bot detection — combining proof-of-work with bot scoring — protects forms without asking users to do anything. TrustCaptcha runs fully in the background, is cookie-free, GDPR-compliant, and hosted entirely within the EU.

What Is a Math CAPTCHA?

A math CAPTCHA (which stands for mathematical captcha) is a challenge–response test that asks users to solve a simple arithmetic problem before submitting a web form. Common CAPTCHA math questions look like this: “What is 4 + 9?”, “Solve: 15 − 7 = ?”, or “Enter the result: 6 × 3.” If the user provides the correct answer, the form accepts the submission. If not, it rejects it as a likely bot.

The idea behind a math CAPTCHA is the same as behind all CAPTCHA types: create a test that is trivial for humans and hard for computers. In the early 2000s, when most bots were rigid scripts with no cognitive ability, arithmetic questions were a real barrier. Today, they are not. This article covers how math CAPTCHAs work, why they have significant security and accessibility problems, and what website owners should use instead.

Example of a math CAPTCHA question on a web form

How a Math CAPTCHA Works

The technical implementation of a math CAPTCHA is deliberately simple, which is one of the reasons it remains so widespread in legacy systems.

  1. Question generation — The server generates a random arithmetic expression (most commonly addition or subtraction, occasionally multiplication).
  2. Display — The expression appears inside the form, either as plain HTML text or as a rendered image.
  3. User input — The user reads the question, calculates the answer, and types it into a designated input field.
  4. Validation — On form submission, the server compares the submitted value to the expected answer. A mismatch triggers a rejection message.

Math CAPTCHA Examples

Below are representative math CAPTCHA question formats you will encounter across the web:

  • What is 6 + 4? → expected answer: 10
  • 12 – 5 = ? (rendered as an image) → expected answer: 7
  • Enter the sum of 8 and 3: → expected answer: 11
  • A “number CAPTCHA” with a label like Type the answer: 9 + 6 → expected answer: 15

This simplicity is the appeal: no third-party API, no account, no recurring cost, and only a few lines of server-side code. It is built into older WordPress plugins like Really Simple CAPTCHA, phpBB’s forum software, and countless custom PHP contact forms. In many cases, site owners have not revisited their CAPTCHA choice since initial setup — the math CAPTCHA is simply still there as the default.

Math CAPTCHA and Security: The Real Picture

This is where the critical gap between perception and reality becomes apparent. A math CAPTCHA looks like protection. In practice, against any attacker with even minimal technical capability, it offers none.

AI Solves Math CAPTCHAs Instantly

AI model solving a math CAPTCHA by reading and answering an arithmetic question via OCR

The clearest demonstration of the problem: take a screenshot of a math CAPTCHA and paste it into ChatGPT, Claude, Gemini, or any multimodal AI model. The correct answer appears before a human user could even finish reading the question.

Solving math CAPTCHAs requires no programming knowledge, no infrastructure, and no dedicated tools — just an AI assistant that any person with internet access already has. Any bot operator integrating an AI API call for image-to-text extraction plus arithmetic evaluation can fully automate this in under a day. The fundamental security assumption behind math CAPTCHAs — that arithmetic is hard for computers — has been false for years.

For text-rendered math CAPTCHAs (where the question appears as HTML text rather than an image), the barrier is even lower. A simple regex pattern that extracts two numbers and an operator, followed by basic arithmetic, solves every question in milliseconds. No AI required.

Free Math CAPTCHA Solver Tools Exist

Dedicated math CAPTCHA solver scripts are freely available and actively maintained. GitHub hosts Python libraries and browser extensions built specifically to automate form submissions by solving arithmetic challenges. These are practical utilities used by spammers, scrapers, and mass-submission bots.

The security of a math CAPTCHA is therefore conditional on the assumption that an attacker either does not know these tools exist or cannot spend a few hours finding them. That is not a realistic threat model for any website handling sensitive data, user registrations, or commercial forms.

What a Math CAPTCHA Protects Against — and What It Doesn’t

To be fair, a math CAPTCHA still deters:

  • Completely unsophisticated bots with no text-parsing ability
  • Automated submissions using the most primitive “fill and submit” scripts

A math CAPTCHA does not protect against:

  • Any bot with basic OCR, regex, or AI integration
  • Automated scrapers and contact form spammers
  • Account creation abuse, credential stuffing, or carding bots
  • Volumetric attacks — a math CAPTCHA adds no computational cost, does not slow down requests, and cannot scale its difficulty dynamically

Critically, a math CAPTCHA does not detect bots. It only checks whether a correct number was entered. A bot that can read and calculate passes every time, meaning that it can easily submit a form 1,000 times in a few minutes. There is no behavioral analysis, no proof-of-work mechanism, and no bot scoring, just a static question with a predictable, knowable answer. The practical conclusion for any serious threat model is that a math CAPTCHA is equivalent to no CAPTCHA at all.

Math CAPTCHA and Accessibility: A Compliance Risk for EU Businesses

Security is one dimension of the problem. Accessibility is the other — and increasingly, the one with direct legal consequences.

Cognitive Load and User Experience

Solving an arithmetic problem, even a simple one, requires users to interrupt what they are doing. They must:

  1. Shift attention to the CAPTCHA
  2. Read and parse a mathematical expression
  3. Perform mental arithmetic
  4. Type the result correctly before returning their attention to the rest of the form

For most users, this takes only a few seconds. But those seconds create friction — form abandonment increases whenever additional steps are added to a submission flow. More significantly, this process is not equally easy for everyone.

Users with dyscalculia (a specific learning difficulty affecting mathematical processing) find arithmetic tasks disproportionately difficult. Users with cognitive disabilities, ADHD, or age-related cognitive changes may struggle with the context-switching and calculation the task requires. Math CAPTCHAs also rarely provide an audio alternative or any non-visual fallback, meaning a user relying on a screen reader may encounter an arithmetic question with no accessible way to complete it.

European Accessibility Act and WCAG 2.1

This is not just a UX concern — it is a legal exposure for businesses operating in the European Union.

The European Accessibility Act (EAA) entered into force on June 28, 2025, requiring digital products and services offered to consumers in the EU to comply with the accessibility standard EN 301 549, which incorporates WCAG 2.1 at level AA. The EAA covers most B2C web services — e-commerce, SaaS platforms, public-facing web applications, and more.

Relevant WCAG 2.1 criteria that math CAPTCHAs may fail:

  • Success Criterion 1.1.1 (Non-text Content) — requires that CAPTCHAs provide a text alternative describing their purpose and an alternative for users who cannot complete the primary format. A math CAPTCHA with no audio or visual-alternative path fails this requirement.
  • Success Criterion 3.3.2 (Labels or Instructions) — forms must provide clear instructions sufficient for users to complete them. An unlabelled arithmetic field often does not satisfy this.
  • WCAG’s own guidance on CAPTCHAs explicitly states that if a CAPTCHA is used, at minimum two different modalities must be offered (e.g., a visual and an audio version).

A math CAPTCHA that renders a text equation with no audio alternative and no accessible fallback path fails these requirements. For EU businesses with consumer-facing digital services, this creates compliance exposure.

Where Math CAPTCHAs Still Appear Today

Despite these limitations, math CAPTCHAs remain widespread. They persist primarily because they are included as defaults in widely-used tools and were set up years ago without being revisited:

  • WordPress contact form plugins — “Really Simple CAPTCHA” and similar legacy plugins remain installed on millions of sites
  • phpBB and other forum software — built-in math CAPTCHA as the default registration challenge
  • Custom PHP and Python forms — a common DIY implementation for developers avoiding third-party dependencies
  • Government and institutional websites — older sites built before modern captcha standards that have not been updated
  • E-commerce checkouts — older Magento, PrestaShop, and WooCommerce setups with custom captcha implementations

In many cases, the math CAPTCHA was never a deliberate security decision — it was simply the easiest option available at the time and has never been reviewed since.

What to Use Instead of a Math CAPTCHA

Since a math CAPTCHA is no longer adequate, what should replace it? The right answer depends on the level of protection the site actually needs.

Honeypot Fields

A honeypot is an invisible form field hidden from human users via CSS but visible to bots that parse raw HTML. If the field is filled in on submission, the server identifies the request as automated and silently rejects it.

Honeypots:

  • Require zero interaction from the user
  • Add no cognitive load or friction whatsoever
  • Are free to implement with a few lines of code
  • Work against unsophisticated bots

The limitation: modern bots can detect and deliberately skip honeypot fields. A honeypot works well as a first layer but is not sufficient protection against a targeted or technically capable attacker on its own.

Rate Limiting and Server-Side Signals

Capping form submissions per IP address, per session, or per time window adds friction for bots that rely on volume. Combined with server-side heuristics — unusual submission speed, repeated identical payloads, no referrer header — this catches some automated traffic without adding any user-facing complexity.

Rate limiting works best in combination with other measures. On its own it is bypassable via IP rotation, which is simple for most bots.
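
The honeypot check, the per-client rate limit and the three server-side signals named above, combined in one form guard. This is an added example, not code from the article or from any product it mentions; the field name, thresholds and the `FormGuard` class are assumptions, and `rendered_at` is assumed to come from the server-side session or a signed hidden field.

```python
import hashlib
import time
from collections import defaultdict, deque

# Assumed names and thresholds, chosen for illustration only.
HONEYPOT_FIELD = "website"   # hidden via CSS; humans never fill it in
MAX_PER_WINDOW = 5           # submissions allowed per client per window
WINDOW_SECONDS = 60
MIN_FILL_SECONDS = 3.0       # faster than this is unlikely to be a human
MAX_DUPLICATES = 2           # identical payloads tolerated per window


class FormGuard:
    def __init__(self):
        self._hits = defaultdict(deque)   # client key -> submission times
        self._payloads = deque()          # (time, payload digest), all clients

    def check(self, client, form, headers, rendered_at, now=None):
        """Return the reasons to reject a submission; an empty list means accept."""
        now = time.time() if now is None else now
        reasons = []

        # Honeypot: any value in the hidden field marks the request as automated.
        if form.get(HONEYPOT_FIELD, "").strip():
            reasons.append("honeypot_filled")

        # Sliding-window rate limit per client key (IP address or session id).
        hits = self._hits[client]
        while hits and now - hits[0] > WINDOW_SECONDS:
            hits.popleft()
        hits.append(now)
        if len(hits) > MAX_PER_WINDOW:
            reasons.append("rate_limited")

        # Signal: form submitted implausibly soon after it was rendered.
        if now - rendered_at < MIN_FILL_SECONDS:
            reasons.append("too_fast")

        # Signal: identical payloads, counted across clients so IP rotation does not hide them.
        digest = hashlib.sha256(repr(sorted(form.items())).encode()).hexdigest()
        while self._payloads and now - self._payloads[0][0] > WINDOW_SECONDS:
            self._payloads.popleft()
        dupes = sum(1 for _, seen in self._payloads if seen == digest)
        self._payloads.append((now, digest))
        if dupes >= MAX_DUPLICATES:
            reasons.append("repeated_payload")

        # Signal: no Referer header (header names assumed normalised by the framework).
        if not headers.get("Referer"):
            reasons.append("no_referrer")
        return reasons
```

Returning reasons rather than a boolean lets the caller log each signal and decide whether to reject silently, as the honeypot section describes, or to feed the result into a score.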

TrustCaptcha: Invisible Bot Protection Built for Europe

TrustCaptcha running invisibly in the background without user interaction

For websites that need reliable bot protection without sacrificing accessibility or regulatory compliance, TrustCaptcha represents a fundamentally different approach to the problem.

Instead of asking users to answer a question, TrustCaptcha operates entirely in the background using two complementary mechanisms:

Proof of work — the user’s browser automatically solves a cryptographic challenge. Legitimate users notice nothing; TrustCaptcha starts early and completes before the user finishes filling out the form. For bots attempting attacks at scale, the computational overhead of solving these challenges makes mass automation economically unviable.

Bot scoring — every request is evaluated against technical and behavioral signals. When the risk score rises — for example, during a spike in automated submissions — TrustCaptcha dynamically increases challenge difficulty, raising the cost of the attack without touching the experience for real users.

The result from a user perspective: nothing happens. No question, no arithmetic, no image grid, no interruption. From a bot perspective: there is a real, scalable barrier that gets harder to bypass under load.
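
How proof of work and a bot score can fit together, shown with a generic hashcash-style scheme. This is an added example and not TrustCaptcha's protocol or code; the key handling, difficulty range, expiry time and all function names are assumptions.

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)   # assumption: per-deployment secret, kept server-side
BASE_BITS, MAX_BITS = 12, 22  # assumed difficulty range (leading zero bits)
TTL_SECONDS = 120             # challenges expire, which limits precomputation


def difficulty_for(risk_score):
    """Map a bot score in [0.0, 1.0] to a required number of leading zero bits."""
    risk = min(max(risk_score, 0.0), 1.0)
    return BASE_BITS + round(risk * (MAX_BITS - BASE_BITS))


def _tag(salt, bits, expires):
    msg = f"{salt}:{bits}:{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(risk_score, now=None):
    """Server: stateless challenge; the HMAC stops a client lowering the difficulty."""
    now = int(time.time() if now is None else now)
    salt, bits = os.urandom(16).hex(), difficulty_for(risk_score)
    expires = now + TTL_SECONDS
    return {"salt": salt, "bits": bits, "expires": expires, "tag": _tag(salt, bits, expires)}


def _leading_zero_bits(digest):
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()


def solve(challenge):
    """Client: search for a nonce; expected work doubles with each extra bit."""
    nonce = 0
    while True:
        digest = hashlib.sha256(f"{challenge['salt']}:{nonce}".encode()).digest()
        if _leading_zero_bits(digest) >= challenge["bits"]:
            return nonce
        nonce += 1


def verify(challenge, nonce, now=None):
    """Server: one HMAC and one hash, however much work the client had to do."""
    now = time.time() if now is None else now
    expected = _tag(challenge["salt"], challenge["bits"], challenge["expires"])
    if not hmac.compare_digest(expected, challenge["tag"]) or now > challenge["expires"]:
        return False
    digest = hashlib.sha256(f"{challenge['salt']}:{nonce}".encode()).digest()
    return _leading_zero_bits(digest) >= challenge["bits"]
```

A deployment would also record each spent salt until it expires, so that one solved challenge cannot be submitted twice.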

TrustCaptcha is built specifically for the European compliance environment:

  • Cookie-free and no browser storage used
  • EU-hosted — all data processed in EU-certified data centers, no transfers to third countries
  • GDPR-compliant — a Data Processing Agreement (DPA/AVV) is provided to every customer
  • Accessible by design — because there is no visual or cognitive challenge, there is no WCAG accessibility failure mode; it works transparently with screen readers and assistive technology

For EU businesses replacing a math CAPTCHA and needing to satisfy both EAA accessibility requirements and GDPR simultaneously, TrustCaptcha addresses all of these concerns with a single integration.

Key Takeaways

Math CAPTCHAs were a reasonable tool in a different era. Today, they sit at the intersection of three problems: they are trivially bypassed by any AI or open-source solver, they impose cognitive burden on users, and they create accessibility compliance exposure under EU law.

The good news is that replacing them does not require asking users to do more — it requires asking them to do nothing at all. Honeypot fields, rate limiting, and modern invisible bot detection each improve on a math CAPTCHA in every measurable dimension. For businesses that need real protection and EU compliance, the path forward is invisible by design.

Try TrustCaptcha for Free

Ready to replace your math CAPTCHA with protection that actually works? Try TrustCaptcha for free and protect your forms invisibly against bots and spam.

FAQs

What is a math CAPTCHA?
A math CAPTCHA is a challenge–response test embedded in a web form that asks the user to solve a simple arithmetic problem — for example, '4 + 7 = ?' — before submitting. The server generates a random equation, the user types the answer, and the server validates it. If the answer is incorrect, the submission is rejected as a likely bot.
Are math CAPTCHAs still secure against bots?
No. Math CAPTCHAs offer minimal security today. Automated scripts can read arithmetic questions with basic OCR and solve them in milliseconds. AI tools like ChatGPT solve any math CAPTCHA question from a screenshot instantly. Free open-source math CAPTCHA solver libraries are widely available on GitHub, making a bypass achievable in a few hours for any attacker.
Can AI solve a math CAPTCHA?
Yes, trivially. Any modern AI model — or even a simple regex script — solves arithmetic questions like '3 + 7' or '12 − 4' without difficulty. If the question is rendered as text, a few lines of code handle it. If it is rendered as an image, a basic OCR pass followed by arithmetic evaluation solves it. There is no meaningful barrier for an AI-assisted bot.
What is a math CAPTCHA solver?
A math CAPTCHA solver is a script or tool that automatically reads the arithmetic question displayed on a form and submits the correct answer without human interaction. These range from simple Python scripts using regex to browser extensions that hook into page rendering. Many are freely available and actively maintained on public code repositories.
Are math CAPTCHAs compliant with EU accessibility law?
Math CAPTCHAs are legally problematic under the European Accessibility Act (EAA), which entered into force in June 2025 and applies to most B2C digital services in the EU. They impose cognitive load, typically have no audio alternative, and can discriminate against users with dyscalculia or cognitive disabilities — all of which conflict with WCAG 2.1 requirements that the EAA enforces.
Are number-only CAPTCHAs more secure than math CAPTCHAs?
No. A captcha that requires only a numeric answer — sometimes called a 'number captcha' or 'captcha numbers only' — is just as easy to solve automatically as any other math CAPTCHA. The format does not change the underlying problem: the challenge is simple, predictable, and solvable by any automated tool with basic arithmetic capability.
What should I use instead of a math CAPTCHA?
For a low-effort improvement, a honeypot field (an invisible field that only bots fill in) adds zero friction for users and catches unsophisticated bots. For reliable protection, invisible bot detection tools that combine proof-of-work with behavioral scoring, such as TrustCaptcha, protect forms in the background without any user interaction and are a better fit for accessibility and GDPR compliance.
