I was getting a lot of spam in a website form and decided to try installing a Recaptcha check using the ReCaptchaV2 snippet. I’ve installed it and it looks like it is injecting the default recaptchav3_html chunk with the public V3 key, but nothing is showing on the front end.
I was expecting a checkbox or something, is Recaptcha V3 invisible? How do I check to see if it is working properly?
“reCAPTCHA v3 returns a score for each request without user friction”
Beware though that V3 in particular comes with some pretty heavy privacy baggage.
“The score is based on interactions with your site and enables you to take an appropriate action for your site.”
Or to put it another way - reCAPTCHA allows Google to monitor your user’s behaviour as they browse your website.
I’m not sure there are any great solutions for stopping form spam these days - and it’s not just a MODX issue.
That’s not to say there are none that are effective. A lot of people use Modmore’s Akismet extra - and it seems well regarded - but the fact that it sends your emails to a third-party server for analysis means that it’s not suitable in all applications. Similarly, reCAPTCHA works well - but, yeah, privacy.
These days, I usually leave the form open and allow the client’s perimeter email security to take care of it - where appropriate. It helps that in most cases I am involved in the provision of email services and security for my MODX clients - as well as the website.
Personally, as a user, I really dislike web forms and would always prefer just to be presented with a contact email address - but clients seem to love them.
I’d love to hear what others are up to these days on this front.
reCaptcha V3 will only display a CAPTCHA test if it is unable to detect human behaviour by the browser interaction on the page. There are reCaptcha alternatives out there, some of which are listed in the MODX Extras repo.
In addition, the number one way to prevent form spam is to never send any user-submitted values via email. This is typically done as a confirmation, and very often these forms send it to the submitter's email. After a quick test, the bad actor knows the form will send user-submitted content to the address in the email field, and it’s game over. Your form is now going to be a target of automated attack.
First, if you can help it, completely drop the use of the FormItAutoResponder (aka fiar) and send emails to a thank you page that describes the next steps/sets expectations. It confirms that the form was submitted, but it gives no other indication that there was a problem.
Secondly, use a CSRF helper which ensures that the form must be submitted after the page load (i.e. a generated token needs to be available for the submission to be valid). While these are often used to prevent man-in-the-middle attacks or clickjacking, they also prevent lazy automators from trying to abuse your form.
Further, you can use a third-party email validation service and a custom plugin to prevent spammers. MODX FormIt’s spam hook can use the StopForumSpam API. In addition, you can also use validation services such as Senderscore or similar to trash or ban spam or low-quality bad emails.
Cleantalk, Senderscore, Neverbounce, etc. are all good services to use. My only thing is to make sure to use a FormIt hook for them rather than JS, as the JS a) can easily be bypassed if there’s nothing stopping the form submission without some sort of token and b) adds significant page weight and latency.
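The token check described in the post above, as an added example (this is not the post author's code and not part of FormIt or MODX; it is an illustration of the technique). It assumes two MODX snippets: an uncached snippet, here called csrfToken, that writes a hidden field into the form chunk, and a FormIt hook snippet, here called csrfCheck, that rejects any submission whose token is missing, stale or does not match the one stored in the visitor's session. The snippet names, the session key contact_form_csrf, the field name form_token and the one-hour lifetime are assumptions; getValue()/addError() and the true/false return contract are FormIt's documented hook interface.

```php
<?php
// Added example: session-bound CSRF token for a FormIt form.
// Helpers are guarded with function_exists() because MODX may run a
// snippet more than once per request (e.g. after a validation failure).

if (!function_exists('csrf_issue')) {
    // Assumed names: session key, hidden-field name, token lifetime (1 hour).
    const CSRF_SESSION_KEY = 'contact_form_csrf';
    const CSRF_FIELD       = 'form_token';
    const CSRF_TTL         = 3600;

    // Issue a fresh random token and remember it (with its issue time) in the
    // session. Called on every page render, so a bot that POSTs straight to
    // the action URL without loading the page has nothing valid to send.
    function csrf_issue(): string {
        if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
        $token = bin2hex(random_bytes(32));
        $_SESSION[CSRF_SESSION_KEY] = ['token' => $token, 'issued' => time()];
        return $token;
    }

    // Verify a submitted token: it must exist, must not be older than CSRF_TTL,
    // and must match the session copy (constant-time compare). The session copy
    // is consumed on success so one token cannot be replayed for many posts.
    function csrf_verify(?string $submitted): bool {
        if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
        $stored = $_SESSION[CSRF_SESSION_KEY] ?? null;
        if (!is_string($submitted) || $submitted === '' || !is_array($stored)) {
            return false;
        }
        if (time() - (int)$stored['issued'] > CSRF_TTL) {
            unset($_SESSION[CSRF_SESSION_KEY]);   // expired: force a reload
            return false;
        }
        if (!hash_equals($stored['token'], $submitted)) {
            return false;
        }
        unset($_SESSION[CSRF_SESSION_KEY]);       // single use
        return true;
    }
}

// --- Snippet "csrfToken" (assumed name), called UNCACHED from the form chunk:
//     <input type="hidden" name="form_token" value="[[!csrfToken]]">
// Its body would simply be:
//     return csrf_issue();

// --- Snippet "csrfCheck" (assumed name), used as a FormIt hook, listed BEFORE
//     the email hook, e.g. &hooks=`csrfCheck,email`. $hook is supplied by FormIt.
//     Returning false stops the hook chain, so no email is ever sent for a
//     submission that did not come from a freshly rendered page.
if (isset($hook)) {
    if (!csrf_verify($hook->getValue(CSRF_FIELD))) {
        $hook->addError(CSRF_FIELD,
            'This form has expired or was not loaded in a browser. Please reload the page and try again.');
        return false;
    }
    return true;
}
```

Because the check runs server-side in a hook, there is nothing for a client to bypass by skipping the page's JavaScript, and it costs no page weight. Combine it with FormIt's redirectTo parameter pointing at a static thank-you page so that nothing the visitor typed is echoed back by email, which is the post's first point; any third-party reputation lookup (StopForumSpam and the like) belongs in a further hook after this one, where it only runs for submissions that have already presented a valid token.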