You’re about to make an online purchase, but you’re suddenly asked to decode a strange twisted word, do a simple calculation, or identify which images you’re shown contain a bus. What just happened? What is this pop-up that looks like a cross between a game and a test — but it’s an absolute waste of your time?
You have come across a CAPTCHA or Fully Automated Public Turing Test to Tell Computers and Humans Apart. This is the method used by website owners to identify human visitors and users, and then allow logged in users to make purchases, view pages, or create accounts. It also acts as a way to deter bots and scam users.
This blog post explores captchas, their purpose, and how this technology relates to WordPress site security. We’ll also learn about the different types of captchas and their limitations.
What is a verification code?
Don’t let complicated-sounding acronyms scare you. The concepts behind CAPTCHAs are not difficult to understand. It stands for: Fully Automatic Public Turing Test to Tell Computers and Humans Apart. Alan Turing was an influential computer scientist in the early 20th century who worked on ways to distinguish machine responses from human responses in plain text channels. It is a modified version of the “Turing test” used in modern captchas.
Captchas are designed to test whether a computer user is a human or a machine by asking them to perform a task that a machine or code cannot. In this way, it provides proof of personhood before allowing the user to proceed. The assumption is that automated bots lack the sophistication to accurately interpret the visualized data. Captchas work by distorting the visual display, making it harder for automated mechanisms to process the data.
Captcha and Site Security
What problem does the verification code solve?
One of the problems CAPTCHA addresses is computer security. CAPTCHAs provide a way to verify important information about a user’s identity. A CAPTCHA differs from usual user credentials such as passwords because it is not designed to verify an individual’s identity. Instead, its purpose is to verify that the user is human.
However, CAPTCHA and password authentication do share a common structure. They are both forms of challenge-response authentication:
- In the case of password authentication, the challenge is to ask for your password, and the response is the correct password
- With CAPTCHA, the challenge is to reproduce the presented text or recognize something in the image (such as a pattern), and the response is to try to do so
- Even more advanced CAPTCHAs, such as ReCAPTCHA v3, which analyze behavior instead of copying for recognition, still use that behavior as the user’s response input
- One notable difference is that there is no password reset equivalent to CAPTCHA
CAPTCHAs as we know them today were created to prevent malicious hackers’ bots from gaining unauthorized access to a website or areas of a website that could be used to commit fraud. Bots are software applications that can also be used for a range of negative purposes:
- Malicious online behavior such as spreading comment spam, posting unwanted content or low-quality links, all of which can harm your SEO
- Unethical marketing practices such as harvesting email and IP addresses
- Anti-democratic abuse, such as disrupting online polls
- Online website fraud, such as using brute force attacks to break into online accounts, or steal sensitive data such as login credentials, health documents, or financial information
What are the different types of verification codes?
The nature of CAPTCHAs has evolved over time and will continue to evolve. This leaves you with multiple captcha options. Some older versions are still in use, while the latest versions are far from widespread. The general trend over time is to make CAPTCHAs less invasive, time-consuming, and less damaging to user experience (UX). But the newer versions don’t make the old ones obsolete, even though they work very differently.
so What’s the difference between CAPTCHA, reCAPTCHA, and NoCAPTCHA?
The first version of a CAPTCHA was a series of letters, combined numbers, displayed as distorted or distorted pictures. Sometimes a background color gradient is added. The user’s task is to correctly decipher this sequence as proof of personality. There is usually a text box right below where the user can type what they see.
Types of reCAPTCHA
- ReCAPTCHA is a Google CAPTCHA service that includes different types of CAPTCHAs.
- reCAPTCHA v1 – closed since March 2018
- reCAPTCHA v2 – “I’m not a robot” checkbox (also known as NoCAPTCHA reCAPTCHA)
- reCAPTCHA v 2 – Invisible reCAPTCHA Badge
- reCAPTCHA Android
- Captcha v3
- Verification code v1
The first version of the reCAPTCHA challenge usually consists of a full correct word, without numbers. The word is often displayed as an image rather than simple text, often taking on a distorted appearance, similar to the first version of the CAPTCHA. But strikethrough was added to the text to make it harder for computer programs to decipher it. Other visual rather than verbal versions of reCAPTCHA are also used, such as photos and objects in a grid, and the challenge is to select matching objects (e.g., all crosswalks). There are other audio and calculation based captchas.
no captcha reCAPTCHA
This type takes the form of a checkbox that only needs to be ticked by the user so they can say “I’m not a robot”. So it looks simpler, and from the user’s point of view. But behind the scenes, this CAPTCHA keeps track of the user’s entire activity, such as how the cursor moves before the interaction, and how it moves during and after checking boxes. All of these provide information that strongly suggests that the user is not a malicious bot with an automated script, as the behavior suggests a manual run.
invisible verification code
This version of Captcha neither uses checkboxes nor challenges of any kind. It’s called “stealth” because it works behind the scenes to distinguish bots from humans by combining machine learning and risk analysis that can adapt to threats.If the user is considered low risk, no challenge will be displayed at all
Verification code v3
The latest version of reCAPTCHA verifies legitimacy without any user interaction. Google’s goal is to make the user experience as smooth as possible.
In addition to Advanced NoCAPTCHA and Invisible CAPTCHA, there are other different types of CAPTCHA checks, such as human-assisted OCR (Optical Character Recognition) and TYPE-IN.
Are there limitations and drawbacks to captcha technology?
Captcha technology has received many different types of criticisms during its development:
- Completion of CAPTCHA tasks slows down and complicates user tasks that could otherwise be performed directly
- Many CAPTCHA tasks are inherently difficult to complete successfully and lead to alienating or even excluding the human users they are designed to verify
- Users with visual or auditory processing disabilities, users with learning disabilities, or users with dyslexia find it difficult to complete captchas and report that
- Captcha methods are discriminatory and violate their rights to technology, services and data
- Data and privacy experts have raised different concerns about CAPTCHAs, arguing that it may rely on tracking cookies and the possible use of data collection for
- targeted advertising
- CAPTCHAs are used to keep anti-spam bots out, but they allow human spammers in because they’re designed to let humans through (check out our Still using CAPTCHAs on WordPress Encountering Spam? blog post)
Other criticisms focus on the different threats that malicious hackers typically issue to undermine captcha protections:
- The most sophisticated attempts to bypass CAPTCHAs use machine learning to build automated methods to solve CAPTCHA tests, such as the Google AI neural network called LaMDA, which effectively passes CAPTCHA tests. For example, some artificial intelligence companies have developed algorithms that can solve certain captcha schemes with a high success rate.
- A more primitive approach is to offload CAPTCHA tasks to a workshop of poorly paid human operators hired to recognize and decode them in batches.
- Malicious hackers have discovered security holes in CAPTCHA implementations that they can exploit to bypass CAPTCHA barriers. Some CAPTCHA systems are particularly vulnerable to brute force attacks, for example, where bots quickly and repeatedly enter credentials into login forms until they gain access.
Captchas and WordPress Sites
You can add CAPTCHAs to your WordPress site through CAPTCHA plugins. We also highly recommend using a professional WordPress CAPTCHA security plugin to harden your WordPress site and completely block malicious bots. So, what are the characteristics of the best WordPress CAPTCHA plugins?
What WordPress captcha plugin to use
When considering which WordPress plugin to use for your CAPTCHA plugin, we recommend a plugin with the following features:
- A good reCAPTCHA plugin should be able to adapt to various CAPTCHA versions. First, determine which CAPTCHA version is best for your current and future needs, and make your choice based on those priorities.
- You should be able to display it on all important and vulnerable pages. Of course, this means it has to be able to be deployed in multiple areas of your website, not just limited to one page or form.
- The plugin must work with any other forms or third-party plugins you add to your site. This is especially important if you have an e-commerce site (such as WooCommerce) that you want to link to.
- You should be able to deploy the CAPTCHA plugin in both single-site and multi-site environments
- Other recommended plugin strengths include ease of use, top-notch support, and different payment levels as needed. Our CAPTCHA 4WP plugin has all this and more!
Verification code displayed at checkout
How to Install Captcha on Your WordPress Site
While this is not a how-to guide, you may find it helpful if we give you a general overview of what you need to get a CAPTCHA up and running on our WordPress site.
Step #1 – Choose the Best Plugin with the Features Above
Step #2 – Install and activate this plugin to add CAPTCHAs to your WordPress site
Step 3 – Copy the key or site key generated by the Google reCAPTCHA console to add to your website
Step 4 – Create and add Google reCAPTCHA to your site (if your plugin uses it) for different versions and view traffic analysis
Step 5 – Configure your plugin settings to secure all important pages
Where to Enable Captcha on Your WordPress Site
No matter which CAPTCHA WordPress plugin you decide to use, after installing, activating, and adding it to your website, you must configure the settings to protect critical areas. In other words, CAPTCHA protection must be enabled for all important and vulnerable pages on your WordPress site. This task is usually performed from the General Settings option.
We strongly encourage you to pay close attention to these pages and forms:
- All WordPress login forms (for users and admins)
- Login forms for any eCommerce plugins and other external plugins for WordPress (for example, WooCommerce Login or any login page for an eCommerce site)
- User registration form and registration page
- Every password reset form and password recovery page
- Comment form or any area with a comment section
- contact form
- All other WordPress forms
Test the CAPTCHA 4WP plugin now
CAPTCHA 4WP plugin is easy to install and has universal compatibility. It provides you enhanced security and spam protection. Even if you decide not to opt for the premium version on the pricing options, CAPTCHA 4WP is a free plugin, so many features and benefits of the plugin are free! Get your 14-day free trial now.
The post Why You Need CAPTCHA on Your WordPress Website appeared first on WP White Security.
*** This is WP White Security’s Security Blog Network syndicate blog written by Dawn Baird. Read the original article: https://www.wpwhitesecurity.com/why-need-captcha-wordpress-website/