Encourage or Require CAPTCHA on forms?
Per conversations with GC IT, let's talk about whether there are ways we can:
1. Require the use of CAPTCHA on contact forms
or, failing that
2. Encourage users using forms to use CAPTCHAs
Boone, can you start us off on the conversation; would requiring CAPTCHA use necessitate editing of our existing third-party plugins, and thus be unfeasible? If so, let's talk about how we can educate users on this issue.
#1 Updated by Boone Gorges over 5 years ago
- Status changed from Assigned to Reporter Feedback
Can you clarify which contact forms you're talking about? Blog comment forms? Or comment forms created by plugins? Or BuddyPress content forms? Recent conversations with IT have really revolved around registration forms, but registration on CAC is already protected by an email whitelist.
#3 Updated by Boone Gorges over 5 years ago
- Status changed from Reporter Feedback to Assigned
- Assignee changed from Boone Gorges to Daniel Jones
- Target version set to 1.8
Ah yes, thanks. I'd forgotten that thread. Both of the forms in question were related to Contact Form 7.
Dan, I'm assigning to you for the moment. Would you mind doing a little research into whether there's an existing plugin that integrates a CAPTCHA with Contact Form 7? Ideally, it would actually force the CAPTCHA.
#4 Updated by Daniel Jones over 5 years ago
After spending some time on this I think there are two directions we could go:
First, Contact Form 7 is designed to work with a plugin that we have installed called Really Simple CAPTCHA, which allows people to use CAPTCHA shortcodes when they're making contact forms.
- There's a filter for the HTML for the Contact Form 7 forms, with which I've been able to use the handle shortcode function from Really Simple CAPTCHA to generate a CAPTCHA and response field, but I haven't been able to actually hook those fields up to validation yet so that they prevent the contact from being sent if the CAPTCHA isn't filled out. CAPTCHAs added via the shortcodes in the way they're designed do work. I think with some more time I could figure out how to make that work, and we could just add something to muplugins that hooks into that filter for all Contact Form 7 forms - we'd have to make sure it tested to see if there was already a CAPTCHA in place too.
- Second, we could hook somewhere into the save form process to add in a message recommending that people add in a CAPTCHA, and maybe providing some code that people can cut and paste to add one to the form. We could also include that code somewhere else on the form creation page - I bet there's a filter we could use.
Which of those do you think would be better to move on?
#5 Updated by Daniel Jones over 5 years ago
Got this working, although it is a little hack-y: https://github.com/cuny-academic-commons/cac/commit/306bf9d9a973b05453ac6f5bdac9b96fe4fd0803
I use a hook that Contact Form 7 provides right after it builds the form object on the page to manually add CAPTCHA shortcodes to the form (which is just represented by a string at that stage). I use `strpos` and `substr_replace` to put the CAPTCHA in right before the submit button. First I test to see if the form already has the `captchac` shortcode that CF7 uses for the CAPTCHA test. It uses a `captchar` shortcode for the response. I couldn't think of the best way to manage testing for the presence of both and what to do if only one of them was found, so I just figured if they don't have the quiz to add a whole new captcha. Like I mentioned, it's a little hacky, but I think it basically works. One thing that's nice is that adding the captcha manually to the form the way I do also has it show up on the edit form screen in the backend, so people can go in and customize it.
Let me know what you think about it.
#6 Updated by Boone Gorges over 5 years ago
Hi Daniel - Thanks for working on this. The basic idea of doing string manipulation like this on form elements seems like a fine strategy to me. But there are a couple of points I'm not entirely clear on:
1. This probably should not be in wp-content/themes/bp-nelo. If we're trying to force CAPTCHA for all uses of contact-form-7, we'll need something that runs somewhere other than in the main site's theme. (In the past, I've used wp-content/mu-plugins/assets/ files for plugin-specific fixes. These files need to be loaded from wp-content/mu-plugins/cac-functions.php.)
2. I see that contact-form-7 natively supports ReallySimpleCaptcha - but this is only if that plugin is activated. It looks as though your suggested fix will result in an error message being thrown: https://github.com/cuny-academic-commons/cac/blob/master/wp-content/plugins/contact-form-7/modules/captcha.php#L18 This is pretty unappealing. Can you look into either (a) force-activating the plugin when contact-form-7 is active, or (b) abstracting the necessary captcha-generation logic out of the other plugin so that the other plugin is not required?
#7 Updated by Daniel Jones over 5 years ago
Yes I realized right after I pushed that bp-nelo was probably not the right place, but wasn't sure where that'd be. Thanks for pointing me in the right direction!
Oh yeah, that is unappealing! I'll look into force-activating the CAPTCHA plugin for Commons sites today.
#9 Updated by Boone Gorges over 5 years ago
Would it be simpler to just add CAPTCHA to our mu-plugins (or whatever that sitewide-activated plugins folder is called now)?
The goal is to require CAPTCHA on contact forms, so it's only necessary to have the functionality turned on when using a contact form. I'm not clear on whether you're suggesting something different.
#10 Updated by Daniel Jones over 5 years ago
- Estimated time set to 1.00 h
Here's the changeset - https://github.com/cuny-academic-commons/cac/commit/4f53723354eeb653e2a55fa8b3f55afe975d3f5d
Let me know if you think this works - I added a file to mu-plugins/assets called force-captcha.php, which both force-activates Really Simple Captcha when Contact Form 7 is active (by hooking into `plugins_loaded` and checking to see if the function `wpcf7` is defined, and then using `activate_plugin`), and uses the function I developed on my last commit to force the addition of a CAPTCHA to all contact forms.
I also just pushed another commit deleting a file include that wasn't needed once I moved from using `is_plugin_active()` to just testing for whether or not the plugin's main function was defined. That change is at https://github.com/cuny-academic-commons/cac/commit/8449722c980a477f6bc8127d354a8d7ac6922e0e
#12 Updated by Boone Gorges over 5 years ago
Thanks, Daniel, and sorry for the delay in my response.
The change is looking pretty good. I modded it a bit to avoid activating the plugin (and requiring the wp-admin file) if really-simple-captcha is already activated. https://github.com/cuny-academic-commons/cac/commit/d9d07a0c0e894429f1fcd179bd44bc68e0c3b9c4
I'm having issues with CAPTCHA images loading properly on my local. I haven't looked into it - it's possible there is an issue with file permissions or something - but I wonder if you can verify whether you're having the same problem? If not, I'll assume it's some quirk in my local, and make sure to test after deploying to the Commons.
One last request: I don't think we should be requiring captchas from logged-in users. It's easy to bail `if ( is_user_logged_in() )` from `cac_add_captcha_to_form()`, but it's possible that this'll cause issues on form submit. Could I ask you to verify this one way or another? Thanks!
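A condensed sketch of the approach worked out across #5, #10 and #12, written here as an added example rather than the Commons' actual force-captcha.php. It assumes Contact Form 7's `wpcf7_contact_form` action, its `prop()`/`set_properties()` methods and `wpcf7()` function, Really Simple CAPTCHA's `ReallySimpleCaptcha` class and plugin path; the `cac_` function names are hypothetical.

```php
<?php
// Added example mu-plugin sketch (not the Commons' own code). Hook and class names
// come from Contact Form 7 and Really Simple CAPTCHA; cac_* names are invented here.

// Pure string logic, kept separate so it can be unit-tested outside WordPress.
// Returns the template unchanged if it already carries a CAPTCHA or has no
// [submit] tag to anchor on.
function cac_inject_captcha_shortcodes( $form ) {
    if ( false !== strpos( $form, '[captchac' ) ) {
        return $form; // Site owner already added one; leave their customization alone.
    }
    $pos = strpos( $form, '[submit' );
    if ( false === $pos ) {
        return $form;
    }
    // The challenge and response tags must share a name so CF7 pairs them.
    $captcha = "[captchac cac-captcha]\n[captchar cac-captcha]\n";
    return substr_replace( $form, $captcha, $pos, 0 );
}

// Runs right after CF7 builds the form object, while the form is still a raw
// shortcode string, so the injected tags are rendered and validated like any
// user-added [captchac]/[captchar] pair on both display and submit.
function cac_add_captcha_to_form( $contact_form ) {
    if ( is_user_logged_in() ) {
        return; // Per #12: no challenge for authenticated members.
    }
    $form = $contact_form->prop( 'form' );
    $contact_form->set_properties(
        array( 'form' => cac_inject_captcha_shortcodes( $form ) )
    );
}
add_action( 'wpcf7_contact_form', 'cac_add_captcha_to_form' );

// Force-activate Really Simple CAPTCHA whenever CF7 is loaded, but skip the
// activation (and the wp-admin include it needs) if the class is already present.
// mu-plugins load before regular plugins, so this waits for plugins_loaded.
function cac_force_really_simple_captcha() {
    if ( ! function_exists( 'wpcf7' ) || class_exists( 'ReallySimpleCaptcha' ) ) {
        return;
    }
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    activate_plugin( 'really-simple-captcha/really-simple-captcha.php' );
}
add_action( 'plugins_loaded', 'cac_force_really_simple_captcha' );
```

Because the check happens on the raw template rather than the rendered HTML, a site that already placed its own `[captchac]` keeps it, and CF7's normal validation rejects a submission whose `[captchar]` answer is missing or wrong.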
#13 Updated by Daniel Jones over 5 years ago
Hey Boone - Thanks for this! I think the Codex entry for `activate_plugin` said that it doesn't activate a plugin if it's already active, but I think the extra check is totally fine, and I definitely agree with moving the include inside the `if` block. The CAPTCHA images generated fine on my machine - one thing is that the plugin requires that the GD PHP module be active to make the images, so it might be that GD isn't on your local.
Yes, thanks for pointing that out about logged-in users - I'll add it and test it locally ASAP. Thanks again!
#14 Updated by Daniel Jones over 5 years ago
Sorry it took me so long to add less than one line of code - here's the most recent version. Tested and working on my machine - https://github.com/cuny-academic-commons/cac/blob/force-captcha/wp-content/mu-plugins/assets/force-captcha.php
Let me know if this works!