Husky Ninja Blogs

How I Learned to Stop Worrying and Love reCAPTCHA

Recently we had a meeting to discuss security and SPAM issues on the hundred or so sites that we host at work, and it came up that most of the sites are using Mollom or the CAPTCHA module (or both) to keep this kind of thing at bay. So why were we still getting SPAM? Well, the short answer is that SPAMMERS are getting better at what they do, but the long answer is that these services and modules are not keeping up with the market and we need to locate something that does. So off to my Googles (as my mother calls it) I went.

Default CAPTCHA. Computers are good at math.

Well, it didn't take long to identify a solution: Google itself. But how was I going to get Google's noCAPTCHA (just a button click to identify) onto Drupal and still make a long lunch? Of course there's a module for that, and that is the newest version of reCAPTCHA. In earlier versions of reCAPTCHA, you were presented with a mess of an image from a street number (or such) and the chance to get out your spectacles and a magnifying glass to type in what would end up being incorrect information (and since our clients are aging baby-boomers and their aging children this could be a problem). We needed something simple, and it needed to work on pages that used Ajax components that created page refreshes without blowing up the CAPTCHA. So I figured that the old version of reCAPTCHA, which was installed but unused on most of the environments, would not work.

OK, what am I supposed to do with this?

Version 2.0 of reCAPTCHA has taken over the development of the Google CAPTCHA module (no one has ever been fired for using a Google product), and now offers easy integration with Drupal in a nice and supported manner. It has the easy "I am not a robot" button that most users (who are hopefully not a robot) can understand, and big pretty pictures in case the users are robots.

Pretty...

But this is not why I love reCAPTCHA, although it doesn't hurt. What I love about this is the management within Google itself. It lets you define domain groups based on user-defined "buckets", which is great for an organization that has a dozen different customers each with 10 of their own domains. Each group receives its own key set and analytics dashboard (which is something that managers love). It is like having your cake and eating it too. Of course I'm sure Google is behind the scenes vacuuming up as much information about your sites and users as they can, but they do that in a hundred different ways already anyway. It is a small trade for organized and pretty.

Enough with the selling. Let’s get on with the installation. First you will need a Google account (and you know you want one). Log in to your account and head to https://www.google.com/recaptcha. Here you can register a new site. Enter a "Label" and the related "Domains" (one per line, includes all subdomains) and click "Register". Once you are registered, you are presented with the keys associated with this "Label" (i.e. those domains you entered one per line). Now you’re off to your Drupal installation.

Leave it to Google to keep everything nice and neat.

Once you have the module installed (requires the CAPTCHA and jQuery Update modules), go to Admin -> Configuration -> People -> CAPTCHA, and select the reCAPTCHA tab. You configure the module by entering the keys given to you by Google. Don't forget to set the Tab Index to use on forms (it bitched at me if I left it at the default "0").

All set in reCAPTCHA

Next you need to set the CAPTCHA configuration to use the reCAPTCHA module and tell it where to use it. (Same place as the reCAPTCHA config, under the CAPTCHA tab.) I recommend you set it to work on user_login and user_login_block to keep the brute-force attacks at bay. I removed the default description and left everything else default. Do as you see fit.

All set in CAPTCHA - typing CAPTCHA over and over again hurts my hands

Now you're good to go. You can add Webforms you wish to protect by referencing them by their form id (you can find this by viewing the form's code - look for the ID of the FORM element and replace the dashes with underscores). You can also apply this to all unlisted forms if you wish.
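To take the guesswork out of the form ID step, here is an added example (not from the original post or the module) that lists the form IDs found in a saved copy of a page. It assumes Drupal renders a hidden `form_id` input inside each form and appends a `--N` suffix to duplicate HTML IDs; the sample markup and function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample markup, shaped like Drupal output (not taken from the post).
SAMPLE_HTML = """
<form action="/user" method="post" id="user-login" accept-charset="UTF-8">
  <input type="text" name="name" />
  <input type="hidden" name="form_id" value="user_login" />
</form>
<form action="/node/12" method="post" id="webform-client-form-12--2">
  <input type="text" name="submitted[email]" />
</form>
"""

def id_to_form_id(html_id):
    """Apply the post's rule: replace dashes with underscores.
    Assumption: a trailing "--N" is a duplicate-ID suffix and is dropped first."""
    return re.sub(r"--\d+$", "", html_id).replace("-", "_")

class FormInventory(HTMLParser):
    """Collects one record per <form>: HTML id, derived ID, hidden form_id."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None  # record for the <form> currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            html_id = a.get("id") or ""
            self._open = {"html_id": html_id, "derived": id_to_form_id(html_id), "hidden": None}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            # Assumption: the form carries <input type="hidden" name="form_id">.
            if a.get("type") == "hidden" and a.get("name") == "form_id":
                self._open["hidden"] = a.get("value")

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def list_form_ids(html):
    """Return (form_id, html_id) pairs, preferring the hidden field over the derived ID."""
    parser = FormInventory()
    parser.feed(html)
    return [(f["hidden"] or f["derived"], f["html_id"]) for f in parser.forms]

if __name__ == "__main__":
    for form_id, html_id in list_form_ids(SAMPLE_HTML):
        print(f'{form_id:30} (from id="{html_id}")')
```

Run it against the saved HTML of each page you want covered and paste the resulting IDs into the CAPTCHA form list.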

Does it work as advertised? Well, while testing a Webform on the second submit it called me out and demanded I pick the correct picture. So it is working, at least for me. Now going forward, most of the reCAPTCHA has been challenging any submission I make. So it looks like it works. When the deployment is finished I will update this post, but for now I have a new girl (module?) friend in reCAPTCHA.

Of note, there is also a Google reCAPTCHA module, which I have not tested. As of today, it does not have the same install base nor the same life cycle. It is also not available for Drupal 8, but it is still worth noting based on the developer's comments. Maybe if I get a chance at some point I will play with this one. We will see, True Believers. Excelsior!

I'm still a geek! 'nuff said.