[Resolved] Reopening: Lots of spam registrations (CAPTCHA enabled)

This support ticket was created 2 years, 1 month ago. There's a good chance that you are reading advice that is now obsolete.

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.

This topic contains 2 replies, has 2 voices.

Last updated by nicholasG-2 2 years, 1 month ago.

#2519087

Hi there,

I opened a ticket a few weeks ago and was talking with @Luo about it. The original thread is here: https://toolset.com/forums/topic/lots-of-spam-registrations-captcha-enabled/

We're getting a lot of spammy user registrations on our custom user registration form. Luo suggested I set up an email alert to notify me when someone uses the form, but I must have set it up incorrectly, since it wasn't triggered, and I thought the regs must be coming from another place. After checking, though, I fixed the form, and it turns out that all of the spammy registrations ARE coming from our registration form, even though we have a CAPTCHA set up on it -- I've started receiving emails when these registrations take place, and they're all coming from the form.

Our registration page is here: hidden link

I'm not sure how they're getting around the CAPTCHA, though I do know Toolset doesn't use the newer versions of Google's reCAPTCHA which I wish I could try. It's not feasible for our use case to manually approve each registration at this stage, and I'm hoping to figure out how these bulk registrations are happening, and how our CAPTCHA is being bypassed.

Any help would be greatly appreciated.

Thanks,
Nick

#2519701

Nigel
Supporter

If the Captcha is proving ineffective, you might consider adding a honeypot field to your form yourself.

You can add markup to a form, and so can include a disposable field whose content you do not save, and which is visually hidden.

If the form is submitted with a value provided for that field, you know that it wasn't added by a human.

A quick Google should help you understand what's involved.

From the Toolset perspective you need to use the Forms API to intercept the form submission (e.g. the cred_form_validate hook) and reject it if the honeypot is filled with a value: https://toolset.com/documentation/programmer-reference/cred-api/#cred_form_validate
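
The honeypot check described in the reply above, as an added example that is not part of the original thread and is not Toolset's own code. It uses the documented `cred_form_validate` filter signature; the form ID, the decoy field name `contact_website`, the `hp-wrap` class and the choice of `user_email` as the field that carries the error are all assumptions to adapt.

```php
<?php
// Added example. Assumed decoy markup placed in the form, with .hp-wrap moved
// off-screen in CSS (e.g. position:absolute; left:-9999px):
//   <div class="hp-wrap" aria-hidden="true">
//     <input type="text" name="contact_website" tabindex="-1" autocomplete="off">
//   </div>
// The decoy is plain markup, not a Toolset field, so its value is never saved.
const HONEYPOT_FORM_ID  = 123;               // placeholder: ID of your registration form
const HONEYPOT_FIELD    = 'contact_website'; // hypothetical decoy field name
const HONEYPOT_ERROR_ON = 'user_email';      // assumed existing field that shows the error

/**
 * Decide whether a submission tripped the honeypot.
 * Kept free of WordPress calls so it can be tested on its own.
 */
function honeypot_is_tripped(array $post, string $field): bool
{
    // A browser always submits an empty text input, so a missing key means the
    // request was not built from the rendered form. Treating that as tripped is
    // a deliberate choice: it only holds while the decoy markup stays in the form.
    if (!array_key_exists($field, $post)) {
        return true;
    }
    $value = $post[$field];
    // Array input (contact_website[]=x) is never produced by the real form.
    return !is_string($value) || trim($value) !== '';
}

add_filter('cred_form_validate', 'reject_honeypot_submissions', 10, 2);

function reject_honeypot_submissions($error_fields, $form_data)
{
    // $error_fields is a pair: submitted field data and the current error list.
    list($fields, $errors) = $error_fields;

    if ((int) $form_data['id'] === HONEYPOT_FORM_ID
        && honeypot_is_tripped($_POST, HONEYPOT_FIELD)) {
        // Generic wording, so the response does not reveal which check failed.
        $errors[HONEYPOT_ERROR_ON] = 'Registration could not be completed.';
        // Record the rejection so the volume of blocked attempts can be reviewed.
        error_log('Honeypot rejected a submission on form ' . HONEYPOT_FORM_ID);
    }

    // Returning a non-empty error list makes the form reject the submission.
    return array($fields, $errors);
}
```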

#2520005

Hi Nigel,

Thanks for this idea. I've implemented a honeypot field, and will keep my fingers crossed that this helps!

Cheers,
Nick