Preventing contact form spam

If you have a contact form on your website, you’ve probably been the recipient of spam or junk messages. Unfortunately these forms are easy to abuse, and there are automated processes that allow spammers to submit thousands of forms without any human interaction. Like email, you can’t prevent every spam submission from getting through, but there are some things you can do to limit the damage.

reCAPTCHA

There are several reasons why I think using reCAPTCHA is a bad idea.

Dependency on Google

You’re entirely reliant on Google to continue offering this service. Unfortunately, Google have been known to change services to require accounts, remove functionality, and even shut down services altogether – sometimes at short notice. For example, a few years ago Google made changes to their Maps functionality which meant that embedded maps stopped working on many websites.

Different names for things

When I encounter a reCAPTCHA, I’m often asked to ‘select all photos which contain crosswalks’. Being British, I never use the word ‘crosswalk’ and would probably have no idea what it means if it were not for reCAPTCHAs (we call it a ‘zebra crossing’). There are other examples where the challenge assumes that you either live in the US or have an understanding of its culture, foods etc.

Images aren’t accessible

Most reCAPTCHAs ask me to select images based on some criteria. This isn’t accessible to anyone with a visual impairment, which could range from difficulty distinguishing colours to a complete lack of vision. Sometimes they have an audio alternative, although that’s still not accessible to anyone with a visual and audio impairment.

Alternatives

There are simple changes you can make to your forms without needing to rely on a third party service.

Simple arithmetic question

You could generate a simple arithmetic question, such as ‘what is 4 + 10?’. This should be accessible to anyone with a visual impairment, as screen reading software can read it out. I’m not sure how accessible it would be to someone with dyscalculia – it may be possible to lessen the impact by using a subset of numbers which are easier to manipulate but I don’t know enough about dyscalculia to say one way or the other.

In theory it would be trivial to solve these questions automatically, but in my experience the automated form submission processes that currently exist don’t seem to do this.

Rate limiting by IP address

If you receive more than two or three submissions in a few minutes from the same IP address, they’re very likely to be automated and can be blocked (up to three could be a real user resubmitting after making a mistake). This will still let the first few submissions through, and it might not work if requests come from lots of different IP addresses.

This has the advantage of not requiring any interaction from the user, and therefore should be accessible across devices, user requirements etc.

Cookies

You can set a cookie when the page loads and only allow the form submission if the cookie is set. In theory it is trivial for automated processes to send and receive cookies, but they don’t always do so.

Recommendation

The combination I have found to be effective against spam whilst limiting the effect on genuine users is to use a simple arithmetic question combined with rate limiting by IP address.
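As an added example (not code from this post), here is a small Python implementation of that combination: a server-generated arithmetic question whose answer is kept server-side and accepted only once, plus a sliding-window limit of three submissions per IP address. The in-memory stores, the five-minute window and the class and method names are assumptions for the example.

```python
import hmac
import random
import secrets
import time
from collections import defaultdict, deque

# Policy from the post: more than three submissions from one address
# within a few minutes is treated as automated. Window length is assumed.
MAX_SUBMISSIONS = 3
WINDOW_SECONDS = 300


class SpamGuard:
    def __init__(self):
        # Constructed in-memory state; a real site would keep this in a
        # session store or database so it is shared across workers.
        self._challenges = {}             # token -> expected answer (str)
        self._hits = defaultdict(deque)   # ip -> recent submission times

    def new_challenge(self):
        """Generate 'What is A + B?' and keep the answer server-side only,
        so the page never carries the expected value to the client."""
        a, b = random.randint(1, 10), random.randint(1, 10)
        token = secrets.token_urlsafe(16)
        self._challenges[token] = str(a + b)
        return token, f"What is {a} + {b}?"

    def _rate_limited(self, ip, now):
        hits = self._hits[ip]
        # Sliding window: forget submissions older than the window.
        while hits and now - hits[0] > WINDOW_SECONDS:
            hits.popleft()
        hits.append(now)  # blocked attempts count too, so floods stay blocked
        return len(hits) > MAX_SUBMISSIONS

    def check_submission(self, ip, token, answer, now=None):
        """Return (accepted, reason). The rate limit is applied before the
        answer check so a flood cannot simply guess the small answer space."""
        now = time.time() if now is None else now
        if self._rate_limited(ip, now):
            return False, "rate_limited"
        # pop() makes each challenge token single-use, so a replayed
        # token/answer pair is rejected even if it was correct before.
        expected = self._challenges.pop(token, None)
        if expected is None:
            return False, "unknown_challenge"
        if not hmac.compare_digest(expected.encode(), answer.strip().encode()):
            return False, "wrong_answer"
        return True, "ok"
```

The token should travel in the form as a hidden field (or be tied to the session) while the answer stays only in `_challenges`; the HTML rendering is left out here.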

If you need help reducing contact form submissions on your PHP site, get in touch for an initial consultation and quote.
