• This plugin does not really work to stop automated registrations, and here’s why:

    Inside wm-simple-captcha/classes/wm_simple_captcha_front.php in the captcha_errors method, which is supposed to do the validation of the code, the whole logic is wrapped in an if(isset($_REQUEST['captcha_challenge_field'])){ block.

    What this means is that if the request does not contain the captcha challenge field then no errors are output and the captcha is not considered invalid at all, successfully letting the registration through.

    Try it yourself: open the /wp-login.php?action=register page, enter Developer Tools and delete the captcha input box. Voilà!

    Do you really think that automated registration scripts will actually submit all the form inputs? Because they won’t. They’ll simply send a POST request to /wp-login.php?action=register with the bare minimum username and email parameters and they’ll get through. And they don’t.

    Thus, this plugin does absolutely nothing to stop spam registrations, and contains a captcha bypass vulnerability.

  • The topic ‘Easily bypassed, vulnerable’ is closed to new replies.
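
The fail-open check described in the post, next to a fail-closed version, as an added example that is not the plugin's own code. The function names, the $expected argument and the sample requests are assumptions made for illustration; only the captcha_challenge_field name comes from the post.

```php
<?php
// Added example: hypothetical functions, not taken from wm-simple-captcha.

// Pattern described in the post: validation only runs when the field is present.
function captcha_errors_vulnerable(array $request, string $expected): array
{
    $errors = [];
    if (isset($request['captcha_challenge_field'])) {
        if ($request['captcha_challenge_field'] !== $expected) {
            $errors[] = 'captcha_wrong';
        }
    }
    return $errors; // field absent: nothing was checked, nothing is reported
}

// Fail closed: a missing, empty or non-string field is itself an error.
function captcha_errors_hardened(array $request, string $expected): array
{
    $answer = $request['captcha_challenge_field'] ?? null;
    if (!is_string($answer) || $answer === '') {
        return ['captcha_missing'];
    }
    // hash_equals() compares the two strings in constant time.
    if (!hash_equals($expected, $answer)) {
        return ['captcha_wrong'];
    }
    return [];
}

// Constructed sample requests (not captured traffic).
$expected = 'x7k2p';
$base = ['user_login' => 'alice', 'user_email' => 'alice@example.test'];
$cases = [
    'correct answer' => $base + ['captcha_challenge_field' => 'x7k2p'],
    'wrong answer'   => $base + ['captcha_challenge_field' => 'nope'],
    'field omitted'  => $base,
    'field as array' => $base + ['captcha_challenge_field' => ['x7k2p']],
];

foreach ($cases as $label => $request) {
    printf(
        "%-15s vulnerable=%s hardened=%s\n",
        $label,
        json_encode(captcha_errors_vulnerable($request, $expected)),
        json_encode(captcha_errors_hardened($request, $expected))
    );
}
```

In a real plugin the hardened check would return its error through whatever mechanism the registration flow uses to block the signup, so that an empty result is only possible after a successful comparison.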