Recaptcha v3 best practices in Kirby

I love the basic kirby contact form, but my clients get a lot of spam coming through. I’ve added Google’s Recaptcha v3, but it only returns a score from 0-1 indicating how likely the user is to be spam (0) or a human (1). Instead of showing puzzles, it leaves it to me to determine how to respond to a low score.

Any ideas on best practices here? If it’s just a contact form, I can’t initiate 2-factor authentication since these visitors have no account on my website. But could I send them an email that would require them to click another link in order for the contact form to submit?

For example, I’d like to add it to this simple form on meetmainsouth.org to prevent spam from sending an email to the site owner…

Thanks for any direction.

Would be too much of a hassle for me anyways, to be honest.

I usually include one extra field with a “static captcha”. For example: “Enter the word mainsouth into the field”. You can check the value with a Kirby validator and only send the form if the user entered the word correctly. I usually accept different spellings - “mainsouth”, “Mainsouth”, “MAINSOUTH”.

It’s simple, easy and I have good results with it so far.

When you use Kirby Uniform you can easily add a Simple captcha Guard or a Calc Guard, should work as well.

Thank you @stffr! The design team is asking me for a frictionless check so no human sees a graphical check which is what pushed me to Recaptcha v3. I like your idea of a static captcha though–do you find it reduces the spam?

In my cases - yes! I haven’t found a better solution to date as far as a reasonable compromise between frictionless and spamless goes.

@stffr Would it make sense to use the Recaptcha v3 to check for bot likelihood, then show your static captcha field if the score is below a certain threshold? That way I could let most ‘people’ through and only add some friction if it seems like a bot.
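One way to wire the two ideas in this thread together on the server side, written here as an added example (it is not code from the thread, from Kirby, or from any Kirby plugin): the reCAPTCHA v3 score is checked first, and only a low or missing score brings up the static word field, whose value is then compared case-insensitively the way @stffr describes. The field names, the 0.5 threshold, the `contact` action name and the secret key are assumptions; the siteverify endpoint and the `success`, `score` and `action` response keys are the ones Google documents. The demo at the bottom feeds `decide()` constructed verification responses so the script runs without network access.

```php
<?php
// Added example: score-gated fallback from reCAPTCHA v3 to a static word field.
declare(strict_types=1);

// Accepted static word, compared case-insensitively (so "MainSouth" also passes).
const STATIC_WORD = 'mainsouth';

// Google's documented verification endpoint; the secret is a placeholder.
const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';
const RECAPTCHA_SECRET = 'YOUR-SECRET-KEY-PLACEHOLDER';

/**
 * Sends the client token to Google and returns the decoded JSON response
 * (keys such as 'success', 'score', 'action'). Needs network access, so the
 * demo below passes constructed responses to decide() instead of calling this.
 */
function verifyRecaptchaToken(string $token, string $remoteIp): array
{
    $body = http_build_query([
        'secret'   => RECAPTCHA_SECRET,
        'response' => $token,
        'remoteip' => $remoteIp,
    ]);
    $context = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => $body,
        'timeout' => 5,
    ]]);
    $raw  = @file_get_contents(SITEVERIFY_URL, false, $context);
    $json = $raw === false ? null : json_decode($raw, true);
    // A transport or parse failure yields "no score", so the caller falls back
    // to the static word instead of silently accepting the submission.
    return is_array($json) ? $json : ['success' => false];
}

/** True if the visitor typed the static word in any letter case (trimmed). */
function staticWordPasses(array $post): bool
{
    $given = trim((string) ($post['static_word'] ?? ''));
    return $given !== '' && strcasecmp($given, STATIC_WORD) === 0;
}

/**
 * Decide what to do with one form submission:
 *  'accept'    - score at or above the threshold, or the static word was right
 *  'challenge' - low or missing score and the static word field was not shown
 *                yet: re-render the form with that field and ask again
 *  'reject'    - low or missing score and a wrong or empty static word
 */
function decide(array $post, array $verify, float $threshold = 0.5, string $expectedAction = 'contact'): string
{
    $trusted = (($verify['success'] ?? false) === true)
        && (($verify['action'] ?? null) === $expectedAction);
    $score = $trusted ? (float) ($verify['score'] ?? 0.0) : null;

    if ($score !== null && $score >= $threshold) {
        return 'accept';
    }
    // Low or unavailable score: fall back to the static word.
    if (!array_key_exists('static_word', $post)) {
        return 'challenge';
    }
    return staticWordPasses($post) ? 'accept' : 'reject';
}

// --- constructed demo submissions, not real traffic ---
$good = ['success' => true, 'score' => 0.9, 'action' => 'contact'];
$low  = ['success' => true, 'score' => 0.2, 'action' => 'contact'];
$none = ['success' => false];

echo decide(['message' => 'Hi'], $good), PHP_EOL;                                // likely human, no friction
echo decide(['message' => 'Hi'], $low), PHP_EOL;                                 // show the static word field
echo decide(['message' => 'Hi', 'static_word' => 'MainSouth'], $low), PHP_EOL;   // answered it, let through
echo decide(['message' => 'Hi', 'static_word' => ''], $none), PHP_EOL;           // no score, no word
```

In a Kirby controller the `'challenge'` result would re-render the template with the static word input visible, while `'accept'` goes on to send the mail; checking the `action` in the response matters because a v3 token generated for one action of a site can otherwise be replayed against another form on the same site.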

It wouldn’t be the solution for me - I try to avoid Google Services, but I don’t see why it shouldn’t work.

We use 2 honeypots in combination and have never had any problems in the last few years.

  • a hidden field is checked to see if it is empty, as bots like to fill it (subject)
  • a hidden field is checked to see if it is not empty and contains a certain value, which is written in by Javascript

This works great and is also invisible for the visitor, but requires active Javascript.

I recently stumbled upon https://friendlycaptcha.com/ and implemented this at a client’s website. And so far we have had no spam coming through. You wrote “no graphical check”, which it is not. However, it should show for a visual feedback - although you can probably hide this just as well.
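An added illustration of the two-honeypot scheme described in this post (it is not the poster’s code): both fields are validated server-side in PHP, and a small inline script written into the form fills the second field. The field names, the HMAC-derived token and the `contact` form id are assumptions; the sample submissions at the end are constructed so the script runs on its own.

```php
<?php
// Added example: server-side check for two honeypot fields.
declare(strict_types=1);

// Field 1 looks like an ordinary "subject" input but is moved off-screen with
// CSS, so humans never see it and it must arrive empty. Field 2 is a hidden
// input that client-side JavaScript fills with a value the server expects; a
// client that does not run JavaScript leaves it empty.
const TRAP_FIELD  = 'subject';
const TOKEN_FIELD = 'js_token';

/**
 * Value the client script writes into the second field. Deriving it from a
 * per-site secret rather than using a fixed string means the token can be
 * rotated without touching the form (assumed design, not from the thread).
 */
function expectedToken(string $siteSecret, string $formId): string
{
    return hash_hmac('sha256', $formId, $siteSecret);
}

/** Markup for both fields plus the script that fills the second one. */
function renderHiddenFields(string $token): string
{
    $trap    = TRAP_FIELD;
    $tokenId = TOKEN_FIELD;
    $escaped = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    return <<<HTML
<div style="position:absolute;left:-10000px" aria-hidden="true">
  <label>Subject <input type="text" name="{$trap}" tabindex="-1" autocomplete="off"></label>
</div>
<input type="hidden" name="{$tokenId}" value="">
<script>document.querySelector('input[name={$tokenId}]').value = '{$escaped}';</script>
HTML;
}

/**
 * Returns null when both honeypots pass, otherwise a short reason for the log.
 * The visitor should get the same "thanks" page either way, so a bot cannot
 * tell which field tripped it.
 */
function honeypotFailure(array $post, string $expectedToken): ?string
{
    if (trim((string) ($post[TRAP_FIELD] ?? '')) !== '') {
        return 'trap field was filled';
    }
    $given = (string) ($post[TOKEN_FIELD] ?? '');
    if ($given === '') {
        return 'javascript token missing';
    }
    // Constant-time comparison so the check itself leaks nothing about the token.
    if (!hash_equals($expectedToken, $given)) {
        return 'javascript token mismatch';
    }
    return null;
}

// --- constructed demo submissions, not real traffic ---
$secret = 'per-site-secret-placeholder';
$token  = expectedToken($secret, 'contact');
$samples = [
    'browser with javascript' => [TOKEN_FIELD => $token, 'message' => 'hello'],
    'bot filling every field' => [TRAP_FIELD => 'buy now', TOKEN_FIELD => $token, 'message' => 'spam'],
    'bot without javascript'  => ['message' => 'spam'],
    'bot with guessed token'  => [TOKEN_FIELD => 'abc', 'message' => 'spam'],
];
foreach ($samples as $label => $post) {
    echo str_pad($label, 26), honeypotFailure($post, $token) ?? 'pass', PHP_EOL;
}
```

The token sits in the page source, so this stops bots that submit without rendering the form or executing its script, which is exactly the trade-off the post names (it requires active JavaScript); a bot that runs a full browser passes both fields, which is where the other checks in this thread come in.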

@lukehatfield I’m curious how you got on with this; any insight since?

I’d love to know more about this @Oli1; do you plan on sharing the code for this at any point?

If you use Uniform and want to use a captcha, but not hook into Google’s universe, maybe check out Turnstile for Uniform | Kirby CMS.

Thanks for sharing this, just added it to a site in next to no time!

@dilby we never got the go-ahead for the implementation. Happy to see all the options in this chain though so I’m ready when a client asks for it.