Hookit Forms, how to get return value

I am trying to set up a simple captcha for a form. I recently joined this company and they are currently using the 2.8.1-pl version of MODX Revolution, so some issues might stem from that; I’m planning to try upgrading next week.

I installed the Recaptcha v2 from the extras

Now from looking at the documentation (recaptcha - Hooks | MODX Documentation), I’m supposed to simply add

```
[[!FormIt? &hooks=`recaptcha`]]
```

above the form declaration

```
[[!+fi.error.recaptcha]]
```

somewhere in the form to make it appear + error.

Now the formit.recaptcha_html doesn't actually render, so I simply put in one of the premade snippets that come with the recaptchav2 extra. I put the v2 so it's actually visible, since v3 is completely invisible and does things in the background as far as I know.

```
[[!recaptchav2_render]]
```

But how am I supposed to get the result of the recaptcha hookit? Which I believe is supposed to return false or true?

The declaration of the form is below, in case something is wrong; it's inside of an echo, in case that makes any difference.

```
echo '
[[!FormIt? &hooks=`recaptcha`]]
<form class="form" method="post" action="[[++site_url]][[~[[*id]]]]">
```

I think when you add the recaptcha hook to the tag, FormIt will prevent the form’s action from happening if captcha fails. This may mean that you need to use a separate page to process the results from the form rather than doing it on the current page. I don’t use FormIt, so I could be wrong about all of this.

The hook &hooks=`recaptcha` from the documentation you linked is the built-in hook from FormIt.

To use the hook from the ReCaptchaV2 extra, use either &hooks=`recaptchav2` or &hooks=`recaptchav3` (depending on the desired version).

There is more information on the GitHub page:

I’m fairly certain Google is no longer supporting v2, so you should use the v3 hook. (It’s confusing because the extra is named ReCaptchaV2, but it includes hooks for both 2 and 3.)

You will also need to set up an account w/Google and generate API keys for each site. The keys are then added in the site settings.

The docs for the extra are very useful:
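
As an added example (not part of any post in this thread, and not the extra's own sample code), the setup the replies above describe looks like this in a template: the extra's `recaptchav2` hook paired with its own render snippet, placed first in the hook chain so that nothing else runs for a submission that fails the server-side check. The chunk name `contactEmailTpl`, the address, the resource ID `123`, the field names and the error key `recaptchav2_error` are assumptions, not values from the thread.

```html
[[- Added example, not from the thread. Placeholders: contactEmailTpl,
    webmaster@example.com, resource ID 123. The error key recaptchav2_error
    is assumed from the extra's naming; confirm it for the installed version.
    The Google site key and secret key are read from system settings,
    so they never appear in the tag or in the page source. ]]

[[- Hooks run left to right and FormIt stops at the first one that fails.
    Keeping recaptchav2 first means email and redirect only run after the
    captcha response has passed the server-side check. ]]
[[!FormIt?
    &hooks=`recaptchav2,email,redirect`
    &validate=`name:required,email:email:required,message:required`
    &emailTo=`webmaster@example.com`
    &emailSubject=`Contact form`
    &emailTpl=`contactEmailTpl`
    &redirectTo=`123`
]]

<form class="form" method="post" action="[[~[[*id]]]]">
    <label for="name">Name</label>
    <input type="text" id="name" name="name" value="[[!+fi.name]]">
    [[!+fi.error.name]]

    <label for="email">Email</label>
    <input type="email" id="email" name="email" value="[[!+fi.email]]">
    [[!+fi.error.email]]

    <label for="message">Message</label>
    <textarea id="message" name="message">[[!+fi.message]]</textarea>
    [[!+fi.error.message]]

    [[- Widget from the ReCaptchaV2 extra, matching the recaptchav2 hook.
        The built-in FormIt recaptcha hook does not read this widget. ]]
    [[!recaptchav2_render]]
    [[!+fi.error.recaptchav2_error]]

    <button type="submit">Send</button>
</form>
```

There is no return value to read in the template: a failed check shows up as the error placeholder, and the `email` and `redirect` hooks do not fire for that submission.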

FYI, some bot is registering users at one of my sites. ReCaptcha had no effect, and I’ve determined that they’re somehow bypassing the form altogether. I still haven’t determined how.

That’s not good! Are you using Captcha 2 or 3? I don’t think 2 works anymore.

Once it appeared that they were bypassing the form, I figured it wasn’t worth going to V3 (and it looks like Google is making you use reCAPTCHA Enterprise now).

I’ve been fighting these miscreants for a month or so now. They send a new registration every hour or two when they’re active. The email addresses are mostly bogus, so they’re probably hurting my deliverability. I think they’re trying to decode the encoded link in the confirm-register email. The registrations are in pairs with everything the same but the username and full name. If they succeed, they won’t get anything useful, since I’m using Subscribe. Register, though (IIRC), encodes the username in the link and it’s not very securely encoded. If they crack the algorithm, they could intercept registration emails, and do a brute-force attack using an actual username. All the registrations so far come from IPs in China, Russia, Indonesia, and Brazil.

I’m trying out Mark Hamstra’s Akismet extra, but it may have the same trouble as reCaptcha if they’re bypassing the form. I’ll know as soon as they hit me again.