--- title: Using Google’s Invisible reCAPTCHA to Protect ve_guestbook from Spam date: 2017-04-06 url: https://aaron.cc/using-googles-invisible-recaptcha-to-protect-ve_guestbook-from-spam/ --- The first question that comes to your mind might be: “Who uses guestbooks nowadays anyway?”. Well, personally I don’t, but I maintain two sites that were created in the mid 2000s that have a guestbook installed—and people are still using it. It’s [ve\_guestbook](https://typo3.org/extensions/repository/view/ve_guestbook) for TYPO3. {{< img src="images/Guestbook-CAPTCHA-2.png" alt="Way too Simple CAPTCHA" >}} In the past years, guestbook spam has become a real issue for me—even though I had been using the [captcha](https://typo3.org/extensions/repository/view/captcha) TYPO3 extension (screenshot above). Apparently, spam bots have evolved over the years and can now easily circumvent those CAPTCHAs. Suddenly, the guestbooks were flooded with hundreds of spam entries: {{< img src="images/Guestbook-Spam-1.png" alt="Russian Guestbook Spam" >}} ## reCAPTCHA to the Rescue A very popular means for distinguishing humans from bots is [Google’s reCAPTCHA](https://www.google.com/recaptcha/intro/invisible.html). Their newest version—called “Invisible reCAPTCHA”—takes this a step further and usually doesn’t require *any* interaction to identify you as a human. This might sound a bit scary, but it’s very effective and *much* more user-friendly than any other CAPTCHA—especially for users who are visually impaired. To be fair, it’s not 100% invisible as it will display its logo and a link to the privacy policy in the bottom right corner. However, since it’s only shown on the guestbook’s “new entry” form, that’s acceptable for me. ## Integration with ve\_guestbook Luckily, ve\_guestbook has hooks that allow you integrate into the “new entry” form and perform additionally error checking in your own TYPO3 extension. Therefore, it was pretty straight-forward to integrate reCAPTCHA without touching any of ve\_guestbook’s source. You can download my TYPO3 extension here: **[ak\_guestbook\_recaptcha\_0.1.0.zip](https://github.com/aaronk6/ak_guestbook_recaptcha/releases/download/v0.1.0/ak_guestbook_recaptcha_0.1.0.zip)** (6 KB) I didn’t do much testing yet but I can confirm that it’s working fine for me with TYPO3 7.6 on two sites. If you’re interested in the source code or have something to contribute, check out my GitHub repository [ak\_guestbook\_recaptcha](https://github.com/aaronk6/ak_guestbook_recaptcha). ***Note:** It’s not on the official TYPO3 Extension Repository yet but I’m happy to publish it there if it turns out to be useful. Let me know in the comment section.* ## Getting it up and Running Follow these steps to protect your guestbook with reCAPTCHA. This assumes you already have ve\_guestbook installed. 1. Go to and sign up—you should receive a *site key* and a *secret key* 2. Download [ak\_guestbook\_recaptcha\_0.1.0.zip](https://github.com/aaronk6/ak_guestbook_recaptcha/releases/download/v0.1.0/ak_guestbook_recaptcha_0.1.0.zip) 3. Log in to your TYPO3 backend, go to Extension Manager and upload the Zip file 4. Enable “Guestbook Invisible reCAPTCHA” by clicking the little plus sign next to it Finally, add the following TypScript snippet to your setup: ``` plugin.tx_akguestbookrecaptcha.settings { site_key = YOUR_OWN_SITE_KEY_HERE secret_key = YOUR_OWN_SECRET_KEY_HERE } ``` **Important:** Make sure to add your own site key and secret key here. You’re guestbook is now protected with reCAPTCHA. If all went well, you should see this indicator on your “new entry” page: {{< img src="images/reCAPTCHA-Badge.png" alt="reCAPTCHA Badge" >}} *Please note that it’s not required to select a Captcha in the FORM plugin of ve\_guestbook. Just leave this blank. My extension will automatically hook into ve\_guestbook once it’s enabled.* ## Drawbacks There are a few drawbacks you might want to consider: - **Requires JavaScript to be enabled.** Those who have JavaScript disabled on your site won’t be able to add entries to your guestbook anymore. - **Relies on a third-party service.** In case reCAPTCHA goes down (which is quite unlikely though), your visitors won’t be able to post to your guestbook anymore. - **Google collects data about your visitors.** This might be a privacy concern. However, my TYPO3 extension makes sure to only include this script on the page where the guestbook form is included. So it’s at least limited to those who actually intend to add a guestbook entry. ## Conclusion Even with the drawbacks outlined above, this is my preferred solution to fight guestbook spam. It’s simple to implement it, effective, and easier to solve than any other CAPTCHA which is a big plus for the site’s usability. ## Updates - **Aug 15, 2017:** After having used the TYPO3 extension for a couple of months now, I saw that there’s still some spam coming through. I didn’t had the chance yet to analyze the in greater detail. So if someone has an idea what this could be, please leave a comment below.