Using Google’s Invisible reCAPTCHA to Protect ve_guestbook from Spam

The first question that comes to your mind might be: “Who uses guestbooks nowadays anyway?” Well, personally I don’t, but I maintain two sites that were created in the mid 2000s that have a guestbook installed—and people are still using it. It’s ve_guestbook for TYPO3.

Way too Simple CAPTCHA

In the past years, guestbook spam has become a real issue for me—even though I had been using the captcha TYPO3 extension (screenshot above). Apparently, spam bots have evolved over the years and can now easily circumvent those CAPTCHAs. Suddenly, the guestbooks were flooded with hundreds of spam entries:

Russian Guestbook Spam

reCAPTCHA to the Rescue

A very popular means for distinguishing humans from bots is Google’s reCAPTCHA. Their newest version—called “Invisible reCAPTCHA”—takes this a step further and usually doesn’t require any interaction to identify you as a human. This might sound a bit scary, but it’s very effective and much more user-friendly than any other CAPTCHA—especially for users who are visually impaired.

To be fair, it’s not 100% invisible as it will display its logo and a link to the privacy policy in the bottom right corner. However, since it’s only shown on the guestbook’s “new entry” form, that’s acceptable for me.

Integration with ve_guestbook

Luckily, ve_guestbook has hooks that allow you to integrate into the “new entry” form and perform additional error checking in your own TYPO3 extension. Therefore, it was pretty straightforward to integrate reCAPTCHA without touching any of ve_guestbook’s source.

You can download my TYPO3 extension here:

ak_guestbook_recaptcha_0.1.0.zip (6 KB)

I didn’t do much testing yet but I can confirm that it’s working fine for me with TYPO3 7.6 on two sites. If you’re interested in the source code or have something to contribute, check out my GitHub repository ak_guestbook_recaptcha.

Note: It’s not on the official TYPO3 Extension Repository yet but I’m happy to publish it there if it turns out to be useful. Let me know in the comment section.

Getting it up and Running

Follow these steps to protect your guestbook with reCAPTCHA. This assumes you already have ve_guestbook installed.

  1. Go to https://www.google.com/recaptcha/intro/invisible.html and sign up—you should receive a site key and a secret key
  2. Download ak_guestbook_recaptcha_0.1.0.zip
  3. Log in to your TYPO3 backend, go to Extension Manager and upload the Zip file
  4. Enable “Guestbook Invisible reCAPTCHA” by clicking the little plus sign next to it

Finally, add the following TypoScript snippet to your setup:

plugin.tx_akguestbookrecaptcha.settings {
  site_key   = YOUR_OWN_SITE_KEY_HERE
  secret_key = YOUR_OWN_SECRET_KEY_HERE
}

Important: Make sure to add your own site key and secret key here.

Your guestbook is now protected with reCAPTCHA. If all went well, you should see this indicator on your “new entry” page:

reCAPTCHA Badge

Please note that it’s not required to select a Captcha in the FORM plugin of ve_guestbook. Just leave this blank. My extension will automatically hook into ve_guestbook once it’s enabled.
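
The secret key from the setup above exists for a server-side check: the browser only submits a token in the g-recaptcha-response field, and the server has to confirm it with Google's siteverify endpoint before accepting the entry. The following is an added example of that check, not code from ak_guestbook_recaptcha; the function names and sample replies are constructed, the HTTP transport is injected so it runs offline, and PHP 7.1+ is assumed.

```php
<?php
// Added example, not code from ak_guestbook_recaptcha; names are hypothetical.
// Returns true only for a well-formed positive answer issued for $expectedHost.
// $post is the HTTP transport, injected so the checks at the bottom run offline.
function verifyRecaptcha(string $token, string $secret, string $expectedHost, callable $post): bool
{
    if ($token === '') {
        return false; // form was posted without the g-recaptcha-response field
    }
    $body = $post('https://www.google.com/recaptcha/api/siteverify', [
        'secret'   => $secret,
        'response' => $token,
    ]);
    if (!is_string($body)) {
        return false; // service unreachable: fail closed, entry is rejected
    }
    $data = json_decode($body, true);
    if (!is_array($data) || ($data['success'] ?? false) !== true) {
        return false;
    }
    // Reject answers that were issued for a different site.
    return ($data['hostname'] ?? '') === $expectedHost;
}

/** Real transport: form-encoded POST with a timeout; null on any failure. */
function httpPost(string $url, array $fields): ?string
{
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => 'Content-Type: application/x-www-form-urlencoded',
        'content' => http_build_query($fields),
        'timeout' => 5,
    ]]);
    $res = @file_get_contents($url, false, $ctx);
    return $res === false ? null : $res;
}
// Live use: pass the posted g-recaptcha-response value and 'httpPost' as $post.

// Constructed service replies paired with the decision each must produce.
$cases = [
    ['{"success":true,"hostname":"example.org"}', true],
    ['{"success":true,"hostname":"other.example"}', false],
    ['{"success":false,"error-codes":["invalid-input-response"]}', false],
    [null, false], // simulated outage
];
foreach ($cases as [$reply, $expected]) {
    $got = verifyRecaptcha('constructed-token', 'SECRET', 'example.org', function () use ($reply) { return $reply; });
    echo ($got === $expected ? 'ok' : 'MISMATCH'), ' ', var_export($got, true), "\n";
}
```

Rejecting on an outage is what produces the second drawback listed below; accepting entries when the service cannot be reached would instead let any bot through whenever the check fails.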

Drawbacks

There are a few drawbacks you might want to consider:

  • Requires JavaScript to be enabled. Those who have JavaScript disabled on your site won’t be able to add entries to your guestbook anymore.
  • Relies on a third-party service. In case reCAPTCHA goes down (which is quite unlikely though), your visitors won’t be able to post to your guestbook anymore.
  • Google collects data about your visitors. This might be a privacy concern. However, my TYPO3 extension makes sure to only include this script on the page where the guestbook form is included. So it’s at least limited to those who actually intend to add a guestbook entry.

Conclusion

Even with the drawbacks outlined above, this is my preferred solution to fight guestbook spam. It’s simple to implement, effective, and easier to solve than any other CAPTCHA, which is a big plus for the site’s usability.

Updates

  • Aug 15, 2017: After having used the TYPO3 extension for a couple of months now, I saw that there’s still some spam coming through. I haven’t had the chance yet to analyze it in greater detail. So if someone has an idea what this could be, please leave a comment below.