One of the most popular and effective methods of combating spam is some form of captcha protection. But captchas can lead to a poor user experience. reCAPTCHA by Google is a rather different captcha that tries to minimize user interaction.
Before you go on with this post, check out the previous parts in this series about comment spam:
reCAPTCHA
reCAPTCHA is a newer version of captcha developed by Google, also known as ‘No CAPTCHA reCAPTCHA’. It works quite differently from other captcha systems: in most cases it requires only a click on the ‘I’m not a robot’ checkbox, because Google’s risk analysis of the request decides whether a real challenge is needed at all. Once in a while, reCAPTCHA asks you to solve a visual (or audio) puzzle, such as selecting the images that match a keyword or a type of object. You can learn more on Google’s reCAPTCHA home page.
Test setup
To test how effective reCAPTCHA is, I used data gathered on the Dev4Press blog between March 23, 2016, and March 29, 2016, as a control period during which no antispam method was used. This is the same control data used for the previous Honeypot effectiveness test. reCAPTCHA was in use between April 13, 2016, and April 19, 2016.
First week: no reCAPTCHA
In the first 7 days, the website received a total of 15,932 spam comments. Here is the number of spam comments for each day.
Date | Spam |
---|---|
3/23/2016 | 2530 |
3/24/2016 | 2364 |
3/25/2016 | 2150 |
3/26/2016 | 2176 |
3/27/2016 | 2461 |
3/28/2016 | 2140 |
3/29/2016 | 2111 |
Total | 15,932 |
Average | 2,276 |
reCAPTCHA settings
reCAPTCHA is added using the GD Security Toolbox Pro plugin. It allows you to set the language and style of the reCAPTCHA widget (color, size…), and you can select where reCAPTCHA should be integrated. The plugin can integrate reCAPTCHA into the WordPress login, registration, lost password, comment, and signup forms. It also directly supports third-party plugins: WooCommerce, BuddyPress and bbPress.
You can set up conditions for banning visitors that fail the reCAPTCHA test. This accounts for the fact that some legitimate users will occasionally fail the test: a single failure does nothing, but if the same IP address generates too many failures, the plugin bans that IP address. Keep in mind that many users behind one NAT gateway or proxy share a single IP address, so choose the failure threshold and ban duration with that in mind.
For some forms, the plugin allows extra settings: you can choose not to display reCAPTCHA for users who already have approved comments, or for logged-in users.
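To make the two mechanisms above concrete (the checkbox token that the server must verify with Google, and the per-IP failure counter that leads to a ban), here is an added example in Python. It is not code from GD Security Toolbox Pro or from Dev4Press; it only follows the documented shape of Google’s siteverify response (`success`, `challenge_ts`, `hostname`, `error-codes`). The ban thresholds, the hostnames and the IP addresses in the comments are made up for illustration, and the `post` and `clock` parameters exist so the logic can be exercised without network access.

```python
"""Server-side reCAPTCHA v2 token check plus per-IP failure banning.

Added illustration, not code from GD Security Toolbox Pro or Dev4Press.
Assumptions: the siteverify JSON fields as documented by Google; the ban
thresholds below are example values, not the plugin's defaults.
"""
import json
import time
from collections import defaultdict, deque
from datetime import datetime, timezone
from urllib import parse, request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
MAX_TOKEN_AGE_SECONDS = 120  # Google documents a two-minute token lifetime


def _http_post(url, fields):
    """Real transport: form-encoded POST, returns the response body as text."""
    data = parse.urlencode(fields).encode()
    with request.urlopen(request.Request(url, data=data), timeout=10) as resp:
        return resp.read().decode()


def verify_token(secret, token, expected_hostname, remote_ip=None,
                 post=_http_post, now=None):
    """Return (ok, reason). The g-recaptcha-response token is checked on the
    server with the site secret; the browser-side widget alone proves nothing.
    `now` is an epoch timestamp (float); defaults to time.time()."""
    if not token:
        return False, "missing-token"
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    try:
        result = json.loads(post(SITEVERIFY_URL, fields))
    except (OSError, ValueError):
        return False, "siteverify-unreachable"  # fail closed, do not accept the post
    if not result.get("success"):
        return False, ",".join(result.get("error-codes", ["not-solved"]))
    # The token records the hostname it was solved on; reject tokens solved on
    # some other site and replayed against this one.
    if result.get("hostname") != expected_hostname:
        return False, "hostname-mismatch"
    ts = result.get("challenge_ts")  # e.g. "2016-04-13T11:59:30Z" (assumed 'Z' suffix)
    if ts:
        solved = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        current = now if now is not None else time.time()
        if current - solved.timestamp() > MAX_TOKEN_AGE_SECONDS:
            return False, "stale-token"  # defence in depth on top of Google's expiry
    return True, "ok"


class FailureTracker:
    """Sliding-window failure counter: ban an IP after max_failures failed
    checks within window_seconds, for ban_seconds. One failure never bans,
    which is what lets legitimate users fumble a puzzle occasionally."""

    def __init__(self, max_failures=5, window_seconds=600, ban_seconds=3600,
                 clock=time.time):
        self.max_failures = max_failures
        self.window = window_seconds
        self.ban_for = ban_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._banned = {}                    # ip -> ban expiry (epoch seconds)

    def is_banned(self, ip):
        expiry = self._banned.get(ip)
        if expiry is None:
            return False
        if expiry <= self.clock():
            del self._banned[ip]  # ban has lapsed
            return False
        return True

    def record_failure(self, ip):
        """Record one failed check; return True if this one triggered a ban."""
        now = self.clock()
        recent = self._failures[ip]
        recent.append(now)
        while recent and recent[0] < now - self.window:
            recent.popleft()  # drop failures that fell out of the window
        if len(recent) >= self.max_failures:
            self._banned[ip] = now + self.ban_for
            recent.clear()
            return True
        return False

    def record_success(self, ip):
        self._failures.pop(ip, None)  # a solved challenge resets the counter


def check_submission(secret, token, ip, hostname, tracker, post=_http_post, now=None):
    """Gate a comment or login POST. Banned IPs never reach siteverify."""
    if tracker.is_banned(ip):
        return False, "ip-banned"
    ok, reason = verify_token(secret, token, hostname, remote_ip=ip, post=post, now=now)
    if ok:
        tracker.record_success(ip)
        return True, "ok"
    if reason != "siteverify-unreachable":  # an outage is not the visitor's fault
        if tracker.record_failure(ip):
            return False, "ip-banned"
    return False, reason
```

`check_submission` is what a form handler would call with the posted `g-recaptcha-response` value and the client IP; anything other than `(True, "ok")` means the comment or login attempt should be rejected. The `remoteip` field is optional for Google but worth sending, since it lets the risk analysis correlate the token with the client that submits it. Note that the hostname check is the one step people most often skip: without it, a token solved on an attacker-controlled page for the same site key can be replayed against your form.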
Second week: reCAPTCHA in use
When it was time to use reCAPTCHA, it was enabled on the login and comment forms. So it works in two ways: it stops bots from logging in (it was established earlier that most spam on Dev4Press comes from registered user accounts operated by bots), and if someone tries to post without being logged in, the reCAPTCHA on the comment form is used. Most legitimate users are not affected at all: if they already have an approved comment, they will not see reCAPTCHA.
Date | Spam |
---|---|
4/13/2016 | 0 |
4/14/2016 | 1 |
4/15/2016 | 1 |
4/16/2016 | 0 |
4/17/2016 | 1 |
4/18/2016 | 0 |
4/19/2016 | 2 |
Total | 5 |
Average | 0.71 |
As you can see, this is a 99.97% reduction, from almost 16,000 spam comments to only 5, with reCAPTCHA enabled on just two forms. That is an amazing result: reCAPTCHA has almost completely stopped spam. During this week, the plugin banned a total of 254 IP addresses for failed reCAPTCHA checks, and most of these (201) were listed as known spam bots by Project Honey Pot (GD Security Toolbox Pro can look up various information about each IP).
Here is the chart for both weeks:
Conclusion
Google reCAPTCHA is easy to use, and it does not create a bad user experience. It fits into forms well, and it doesn’t require much interaction from users. And, as you can see, it is very, very effective. This also shows that, at least for the bots that hit this site during the test week, reCAPTCHA was too hard to solve. Keep in mind that this is one week on one site: bot authors and human captcha-solving services adapt over time, so it is worth rechecking the numbers periodically rather than assuming the result holds forever.
GD Security Toolbox Pro allows you to select which forms you want to protect with reCAPTCHA, and that gives you extra control over the spam bots that attempt to register, log in or post on your website. Automatic banning ensures that spam bots are prevented from coming back from the same IP address.
Wow! That’s a huge difference. ReCaptcha will always be on then.