CAPTCHA is a native glFusion plugin that provides an additional layer of security against spambots for your glFusion powered website.
A CAPTCHA (an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”, trademarked by Carnegie Mellon University) is a type of challenge-response test used in computing to determine whether or not the user is human. By presenting a difficult-to-read graphic of letters and numbers, it is assumed that only a human could read and enter the characters properly. Implementing the CAPTCHA test should help reduce the number of spambot entries on your site.
CAPTCHA implementations are not completely foolproof; there are many methods to bypass them. Although I have not seen any successful attempts to bypass this implementation, it should only be used to provide another layer of protection to your site. A layered approach using the Bad Behavior2 Plugin, SpamX Plugin and the CAPTCHA plugin together can provide an extremely secure glFusion implementation.
CAPTCHA provides protection for:
- Forgot Password
- New User Registration
- Email User
- Email Story
- Story Submission
- Remote Users
- Forum Posts
- Media Gallery Electronic Postcards
- Link Submission
- Event Submission
glFusion CAPTCHA Options
The glFusion CAPTCHA implementation supports several types of CAPTCHAs. It can dynamically generate a CAPTCHA image on the fly, use static images, present math equations, or use reCAPTCHA.
To use reCAPTCHA, you must first sign up with the reCAPTCHA service at https://www.google.com/recaptcha/intro/index.html. You will be given a public and private key that you must enter into the glFusion CAPTCHA configuration.
Math Equation is a simple math problem the user must solve. For example, it may ask "12 - 6 =", so the user should enter 6. This has proven to be a very effective CAPTCHA against bots, while generally being easy enough for users. It is built into glFusion's CAPTCHA, so there is no need to register or interact with other services when using the Math Equation.
If you select GD Libs or ImageMagick, the CAPTCHA will be a random set of letters displayed graphically to the user. The background also has random characters. The letters the user should enter are in bold. This level of CAPTCHA is somewhat effective, but it is not very user friendly.
If there is no graphics capability on your web server, you can select static images that are included with glFusion. While this is better than nothing, it is not a very effective method of preventing bots.
The CAPTCHA plugin will not actually do anything until it is properly configured.
The CAPTCHA plugin will log each time an invalid string is entered or an attempt to bypass the normal entry method is detected. CAPTCHA maintains its own log file at private/logs/captcha.log.
All CAPTCHA configuration options are accessed via the glFusion Online Configuration utility.
By default, CAPTCHA will not use a graphics package; out of the box it is set up to use static images. The advantage of static images is that they work in any environment, but they do not provide as high a level of protection since there are a finite number of images to use.
For the best level of protection, you should try using dynamic images, which require either GD libraries compiled into PHP or the external graphics package ImageMagick. Both of these packages must support TrueType fonts in order to create the CAPTCHA image.
To configure CAPTCHA to use a graphics package, change the following in the CAPTCHA Administration Screen.
- Graphics Driver
- Select GD Libs to use GD PHP Graphics Library.
- Select ImageMagick to use the ImageMagick convert utility.
- Select Static Images to use the prebuilt images supplied with CAPTCHA.
- Static Image Set
- If you choose Static Images as the graphics driver, select which set of static images you wish to use. Default is a set of images that look just like the dynamic images generated by CAPTCHA. Simple is a very simple graphic that is much easier to read.
- Graphics Format
- Specifies the format of the CAPTCHA graphic (JPG or PNG).
- Full Path to ImageMagick's Convert Utility
- Specifies the full path to ImageMagick’s convert program (e.g. /usr/local/bin/convert or /usr/bin/convert).
- If enabled, CAPTCHA will place detailed debug messages in the glFusion error.log file.
- Log Invalid CAPTCHA Attempts
- If enabled, CAPTCHA failures will be logged in the glFusion captcha.log file.
- How Many Seconds a CAPTCHA Session is Valid
- The number of seconds that a CAPTCHA session is valid. After this time, the session will expire and the CAPTCHA check will always fail.
|Anonymous Only|Only present the CAPTCHA entry to non-logged in users.|
|Force CAPTCHA for All Remote Users|Force CAPTCHA for all 'remote' users (Open ID type users).|
|Enable Comment|Enable CAPTCHA for comments.|
|Enable Story|Enable CAPTCHA for story submissions.|
|Enable Registration|Enable CAPTCHA for new user registration.|
|Enable Login Form|Enable CAPTCHA for login. See note below on Login CAPTCHA.|
|Enable Forgot Password|Enable CAPTCHA on the Forgot Password Screen.|
|Enable Contact|Enable CAPTCHA for contact users (via email).|
|Enable Email Story|Enable CAPTCHA to email a story.|
|Enable Forum|Enable CAPTCHA for Forum postings.|
|Enable Media Gallery (Postcards)|Enable CAPTCHA for Media Gallery postcards.|
|Enable Links Plugin Support|Enable CAPTCHA for new link submissions.|
|Enable Calendar Plugin Support|Enable CAPTCHA for new event submissions.|
If you are using glFusion's Custom Login feature, you can use this guide to integrate CAPTCHA with your custom login solution.
If you are using CAPTCHA on the Login Forms, it is recommended that you use the reCAPTCHA option. glFusion supports multiple login boxes on a single page. For example, a page may have the Login Button in the menu, a Login Block if the My Account block is in use, and the login form on the main login screen. All the CAPTCHA options, such as Math Equation, require storing CAPTCHA session information in the database, with the exception of reCAPTCHA. If you are using Login CAPTCHA and not using reCAPTCHA, this will increase the number of database queries for every page load. For example, if a Search Crawler is browsing your site, each page request will cause CAPTCHA to create at least 1 session record (more likely 3 session records) that are stored in the database. Because of this, it is highly recommended to only use reCAPTCHA if utilizing the login form CAPTCHAs.
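The session behaviour described above (one stored record per rendered CAPTCHA, which expires after the configured number of seconds) is sketched below as an added example. It is not glFusion's code: `MathCaptchaStore`, `render_page` and the in-memory dict standing in for the database table are assumptions made for illustration.

```python
import hmac
import secrets
import time

class MathCaptchaStore:
    """Math-equation CAPTCHA sessions; a dict stands in for the DB table."""

    def __init__(self, ttl_seconds, clock=time.time):
        self.ttl = ttl_seconds   # "How Many Seconds a CAPTCHA Session is Valid"
        self.clock = clock       # injectable so expiry can be tested
        self.rows = {}           # session id -> (expected answer, expiry time)

    def issue(self):
        """Create one challenge; every rendered form costs one stored row."""
        a = secrets.randbelow(20) + 1
        b = secrets.randbelow(a + 1)          # keeps a - b non-negative
        sid = secrets.token_urlsafe(16)
        self.rows[sid] = (str(a - b), self.clock() + self.ttl)
        return sid, f"{a} - {b} ="

    def verify(self, sid, answer):
        """Single use: the row is removed whether the check passes or fails."""
        row = self.rows.pop(sid, None)
        if row is None:
            return False                      # unknown, replayed or purged
        expected, expires = row
        if self.clock() > expires:
            return False                      # expired sessions always fail
        return hmac.compare_digest(expected.encode(), answer.strip().encode())

    def purge_expired(self):
        """Drop rows nobody answered, such as those created for crawlers."""
        now = self.clock()
        dead = [sid for sid, (_, exp) in self.rows.items() if exp < now]
        for sid in dead:
            del self.rows[sid]
        return len(dead)

def render_page(store, login_forms=3):
    """One page view with several login boxes issues one session per box."""
    return [store.issue() for _ in range(login_forms)]
```

Each call to `render_page` adds `login_forms` rows regardless of who requested the page, which is the per-page-load database cost that reCAPTCHA avoids on login forms.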
Ensure you have enabled CAPTCHA in the glFusion Online Configuration utility. By default, CAPTCHA is automatically enabled.