Recaptcha v2 not preventing spam registrations

mbisogno · 10 May 2022 11:27

Hi all,

I’ve not found an answer to this so apologies if it has been addressed elsewhere.

I have s2member Pro form configured on a registration page with recaptcha (v2) here:

The problem is I’m still getting two to five spam registrations daily in spite of the setup. The recaptcha keys are all set up correctly, and I have usage statistics in google to show it’s working.

My question is how can I retain the current form setup but deploy a more effective spam signup prevention mechanism?

Thanks in advance for reading and considering my question.
Matt

Creativologist · 6 August 2022 23:34

I have the same issue. I don’t know how the bots are getting past recaptcha.

trafix · 7 August 2022 09:59

What security plugin are you using on your site?

Also, it’s good to check where these bots and DDos are coming from and block their geolocation.

Cloudflare can also help you with this.

clavaque · 7 August 2022 17:37

I wonder if spam registration bots have javascript or skip it… If yes, it’d be worth testing a field that is not visible to humans, but that a bot will trigger and cause the form’s action to change so it can’t be submitted properly…

If you’d like to try it, please create an s2 custom profile field, a checkbox, and add the style and javascript shown in the picture:

Screenshot%202022-08-07%20at%2020-14-56%20s2Member%20General%20Options%20%E2%80%B9%20s2Member%20Membership%20Plugin%20for%20WordPress%20%E2%80%94%20WordPress

Let me know if you notice a drop in spam signups with it.

Creativologist · 9 August 2022 22:28

I am getting the spam registrations here

www.musicwizardacademy.com/campus/registrar

They all have same first and last name and emails with a lot of DOTs lIke RA.ie.js.ff.gr.ie.ll@gmail.com

I have recaptcha there and don’t know how to stop it. This just started happening. I’ll try your suggestion tomorrow, though I don’t fully understand it.

I also have WORDFENCe, a security plugin and it has BRUTE FORCE PROTECTION. I don’t know if that conflicts with s2member or has any relation to this.\

clavaque · 10 August 2022 00:48

The idea is that the field is not visible by a human, because the style makes it only 1px high and removes the border, so it should be left untouched. But a bot would touch it, and if it has javascript, then the code in that field will change the address to which the form gets submitted, spoiling the registration.

It relies on javascript, though, but I’m guessing some of these bots support javascript because many forms will need it to work. But I’ll see if I make one that doesn’t rely on js, and instead checks the field after the form gets submitted, and if the field was changed, then discard the registration.

Let me know if this hack reduces the spam signups on your site. I hope it helps.

Creativologist · 10 August 2022 17:05

It’s asking me to put in

Field Label/Desc: *

Unique Field ID: *

I don’t know what “allyourbase” means as it goes to a 404

clavaque · 10 August 2022 23:45

The 404 is on purpose, that’s for a bot trying to register that triggers it, it wouldn’t happen to a human that doesn’t touch it. You could add any address you want, as long as it’s not the one that’ll register the bot.

For label you could just enter a dot, it won’t be visible to users. And for the field id anything unique will do.

Creativologist · 11 August 2022 16:08

So is the field OPTIONAL? It’s triggering a popup that must be filled.

clavaque · 11 August 2022 19:17

Optional, otherwise the human can’t submit the form without touching it. Sorry I forgot to mention that setting.

Creativologist · 12 August 2022 20:10

Unfortunately, unless I did something wrong, it doesn’t work.

clavaque · 12 August 2022 22:10

Thanks for the update!

It could be something wrong, but most likely is that the bot doesn’t support javascript.

When I have the more reliable implementation of the idea, I’ll post it here for you guys to try out.

Creativologist · 12 August 2022 22:31

I appreciate the timely responses. My page even has a required checkbox for terms of service agreement. So I don’t know how a bot can recognize that.

clavaque · 12 August 2022 22:57

That’s just HTML, not javascript, and is standard and required in lots of registrations, so bots will be able to handle them for the registration to go through. Bots either recognize the asterisk or “required” in the field’s name, or maybe recognize it’s right before the submit button. They will also fill out other fields sometimes (e.g. country, state), even if not required.

Creativologist · 14 August 2022 16:13

I believe we can defeat this is we can force first and last name to be different as all the spam has the same first and last name. Can’t seem to find a hack on that.

Creativologist · 21 August 2022 17:35

Cristián

Its interesting that Ultimate Member sees the same problem.

That hack doesnt’ work for s2member. Any ideas?

Thanks

mbisogno · 9 November 2022 16:22

Hi @clavaque - thank you for your replies and sincere apologies for the long pause since I first raised the ticket. I think, ideally, the General Options > CAPTCHA Anti-Spam Security would support reCaptcha v3.

Is that (relatively) easy to integrate in place of v2?

Also, in that Captcha area within s2member’s general options you refer to a plugin that ceased to be supported in 2018 and has been removed from the wordpress repo for a breach of terms. Do you/any s2 user have a suggestion for a quality registration spam blocker, please?

Matt

mbisogno · 10 November 2022 09:04

A quick further update on this. I installed ‘anti-spam by Clean Talk’ (free version), and it seems to have dealt with the spam registration issue. It’s early days but so far no additional spam users have been registered.