
Captcha Alternative

This is a tutorial on how to manually create a Bot Trap (also known as a honeypot) which can be used as an alternative to a captcha in preventing bots from registering on your Etano site.

Why an alternative to captcha?
Unfortunately most captchas are no longer very effective at preventing spam bots from registering or posting on sites, which is exactly what captchas were intended for. Bots are getting smarter about captcha images: they are increasingly able to recognize the letters and numbers in an image using OCR (Optical Character Recognition) software. A bot trap or honeypot therefore tends to be a more effective alternative.

What is a Bot Trap?
A bot trap is a hidden field added to the registration form that only bots see. The idea is to trap the bot into filling out this hidden field. Most bots simply inspect the page and typically try to fill in ALL available fields; if they fill in the hidden field they are caught in the trap and the registration fails.

Can I use both Captcha and a Bot Trap?
Yes, but if you're using a Bot Trap it's not really necessary to use Captcha. If you decide not to use Captchas it's especially important not to allow non-members to post comments on the site. It's recommended that you don't allow non-members (visitors) to write comments under any conditions, since that lets them post comments on members' profiles, photos, and blogs. This just opens your site up to spam, especially from bots that are able to get past Captchas. To allow only members to post comments, go to Admin » General Settings » Access Levels and make sure that "write comments" is unchecked under the non-members column:


Captchas can be turned on or off in the Admin » General Settings » Features and Options section; it is the first item listed under Basic Features.


Note: Captchas and Bot Traps are designed for "bot" spammers and won't prevent "human" spammers from signing up. Bot spammers are by far the most common and annoying, as they can complete a sign-up in a matter of seconds. Bots are relentless, and once they discover that they can successfully sign up and spam your site, they will keep returning, often causing dozens or even hundreds of junk sign-ups a day.

How to create a Bot Trap in Etano

Step 1.

First we create the field for our bot trap; the process is the same as creating any profile field you want included at registration.
Go to your Etano Admin » Site Setup » Profile Fields section.
Then add a new "Textfield".


Then we create the field. ONLY add or select the items shown below; leave all others unchecked or empty:


We have labelled the field "First Name"; this can be anything that will hopefully entice the bot to fill in the field. You can change this label to whatever you want, such as "Name", "Your Name", "Website", etc. It's important that you don't label the field the same as a profile field you're already using.

The "Help Text for User" field is optional. It is a fallback in case a legitimate human has CSS turned off and therefore sees the hidden field meant for bots; this will be rare, and if a user has CSS turned off your site won't be very usable to them anyway.

IMPORTANT: Make a note of the field number of the new field you just created, as it will be used in later steps. Your new profile field number may differ from the one used as an example in these instructions:

Once you're done creating the field don't forget to regenerate your profile fields:


TEST - At this point you can go to your join (signup) page and check to see if the new field is showing like this:


If it appears like this then proceed to the next step.



Step 2.

Next edit the skins_site/def/join.html file by adding (copy & paste) the following line of code into the file:

<input type="hidden" name="redirect_thanks_url" value="{tplvars.baseurl}/login.php" />

Add the above line of code directly above the line of code for the "fieldset controls" as shown below:


If the bot fills in our bot trap field and clicks the "Save" button to complete the registration, this line of code redirects the bot to the login page instead of completing the registration or creating a profile. This gives the bot the false impression that the registration was successful, so it will then attempt to log in.

You can alternatively send the bot to another site if you want, such as to Google's main search page by editing the "value" part of the code.

from this:

value="{tplvars.baseurl}/login.php"

to this:

value="https://www.google.com"



Step 3.

Next we edit the processors/join.php file by adding (copy & paste) the following lines of code to the file.
Important: make sure to edit the field number (f17) in the code so it matches the field number that was created and noted in Step 1.

// Bot trap: f17 is the hidden field created in Step 1 (change it to your field number).
// A human never sees this field, so any value in it means a bot filled out the form.
if (!empty($_POST['f17'])) {
    // Send the bot to the URL carried by the hidden redirect_thanks_url input (Step 2)
    // instead of creating the account.
    header('Location: ' . $_POST['redirect_thanks_url']);
    exit();
}

The code MUST be added in the exact spot in the file as shown below:
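The snippet above redirects to whatever URL arrives in the redirect_thanks_url POST field, which any client can set, so it also behaves as an open redirect. The following is an added example, not Etano's own code or this page's, showing the same trap check with the destination built server-side and the hit logged; $baseurl and BOT_TRAP_FIELD are assumed names, and the hidden redirect_thanks_url input from Step 2 is not needed with this version.

```php
<?php
// Added example (not from the Etano project): hardened Step 3 bot-trap check.
// Assumptions: $baseurl holds the site's base URL (e.g. what {tplvars.baseurl}
// renders to) and BOT_TRAP_FIELD is the field number noted in Step 1.

const BOT_TRAP_FIELD = 'f17';   // change to your own field number

/**
 * True when the hidden bot-trap field carries a value, i.e. a bot filled it in.
 * Whitespace-only values count as empty so a stray space does not trap a human.
 */
function bot_trap_triggered(array $post): bool
{
    return isset($post[BOT_TRAP_FIELD])
        && trim((string) $post[BOT_TRAP_FIELD]) !== '';
}

/**
 * Builds the redirect target from the server-side base URL and ignores anything
 * the client submitted. Only the two destinations the tutorial mentions are used.
 */
function bot_trap_redirect_url(string $baseurl, bool $send_offsite = false): string
{
    return $send_offsite
        ? 'https://www.google.com'
        : rtrim($baseurl, '/') . '/login.php';
}

if (bot_trap_triggered($_POST)) {
    // Record the hit so repeat offenders can be reviewed and rate-limited (Step 5).
    error_log(sprintf(
        'bot trap hit: ip=%s ua=%s',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        $_SERVER['HTTP_USER_AGENT'] ?? 'unknown'
    ));
    header('Location: ' . bot_trap_redirect_url($baseurl ?? ''), true, 303);
    exit();
}
```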


TEST - At this point you can now test it, go to your join (signup) page and fill out the registration form including the bot trap field we created.


When you click the "Save" button it should redirect you to the Login page, or to another site if you decided to change the redirect as noted in Step 2.

If that worked, then try filling out the registration form again, this time without filling in the bot trap field to see if it successfully creates a new member.

Once you've tested the registration and are confident it's working as it should, proceed to the next step, where we'll hide the bot trap field.



Step 4.

Now we will make our bot trap field hidden from human visitors.
Add the following lines of code to the skins_site/def/styles/join.css file (you can simply add it to the end of the file).

/* Hide the bot trap field from human visitors (change f17 to your field number) */
dl#row_f17 {
    display: none;
}

Important - Again, make sure to edit the field number (f17) in the code so it matches the field number that was created and noted in Step 1.



Step 5.

The final step is to configure Etano to temporarily ban a bot (or visitor) after a set number of failed login attempts.

This step is OPTIONAL, but it's generally a good idea to set this up whether or not you are using the bot trap, as it's another layer of protection for your site. It will help prevent bots and hackers from using brute-force attempts to log in to the site. A brute-force attack basically consists of systematically trying all possible keys or passwords until the correct one is found. Bots can sometimes be relentless to the point that it even affects your server resources.

Setup

Go to the Etano Admin » General Settings » Rate Limiter.

Then click the "Add new" link:

Then set it up as follows:


Text for the Error Message: Sorry, you have exceeded the number of login attempts permitted within a 10 minute span. Please try again later.

captcha_alternative.txt · Last modified: 2014/04/29 16:10 by admin