Anti-Captcha as a WordPress Plugin
The aim of this plugin is to prevent automated attacks (by bots) on the following WordPress actions:

• Posting comments
• Logging in
• Registering for a new account
• Requesting a lost password

When a comment is posted without a valid Anti-Captcha token, it shall be instantly marked as spam. This way, you can always manually approve this comment in hindsight if it appeared to be sincere.

Download
You can download this plugin directly from the WordPress plugin repository:
http://wordpress.org/extend/plugins/anti-captcha/

Requirements
This plugin is written for WordPress (up to version 2.9.2). It has been tested and verified to work on most browsers, including the dreaded IE6.

Note: the user does need to have javascript and cookies enabled for form submission to succeed. Generally, it's frowned upon if you don't write javascript in an unobstructive way. The reason for this is that some visitors don't support javascript but should still be able to get around your website.

AFAIK there are four types of user-agents not supporting javascript:

• Search-engine spider bots
• Users of a command-line browser (like Lynx)
• Users who actively disabled javascript in their browser
• Mischievous bots trying to spam or hack into your blog

Obviously, search-engines don't need to comment, register or login so they can be ruled out. Lynx users and users with javascript disabled are likely to be a very small percentage of the internet population, who have actively excluded themselves from certain webfeatures. Finally, badly behaving bots, is what the Anti-Captcha plugin is trying to block.

Changelog

=> 20100708

• Tested on WordPress version 3.0

=> 20100426

• Changed error message to be more descriptive
• Changed cookie mechanism to not rely on PHP sessions
• Added 'Back/Forward Cache' prevention
• Removed jQuery dependency
• Tested on WordPress version 2.9.2

=> 20090821

• First release

Until recently, image-based Captcha's have been a reasonable solution to combat this problem. However, with Object Character Recognition techniques getting better and better, Captcha's too have to continuously increase in complexity.

Just look at these gems and imagine yourself being color blind:

Ironically, it's come to the point that computers are better at deciphering Captcha's than humans are, simply because computers have infinite patience.

To illustrate: evildoers trying to beat your Captcha are probably satisfied with a success ratio of 1/100 – because in just a few hours of repetition this can add up to hundreds of successful passes. A typical human user on the other hand probably throws in the towel after three consecutive failed attempts – at which point they'll most likely leave your website altogether.

Who can blame them? The average user doesn't understand why they should enter a random string of letters in the first place. It's not their problem and they do not care what it is for. For them it's some sort of annoying puzzle that stands in the way of doing what they want to do. Not being able to pass it, makes them feel inadequate and frustrated.

I argue, let's keep the end-user entirely out of it,
I propose we rid ourselves of Captcha's as we know it,
I proclaim this the era of Anti-Captcha's... Hallelujah!

The Anti-Captcha challenge
The basic idea behind it is simple;

"Create a captcha solution which does not require any end-user interaction"

As a first attempt, I concocted a working Anti-Captcha based on the reasoning that only browsers can interpret javascript well. Making it a question of "Has a browser been involved at form submission?" instead of "Has a human been involved". In general the answer ends up to be equal (see "Caveats" section below).

How it works
Check out the online demo here

In the head of the html document an external javascript-file is called, this file is in fact a php file which is designed to:

1. Generate a random token
2. Store a checksum of this token in a cookie
3. Generate some obfuscated javascript code which (when interpreted) adds a hidden input-field to every form element on the webpage using the token as a value

After form-submission, the checksum of the post value should equal the checksum stored in the cookie. As a bonus, this technique should also provide adequate protection against XSRF.

Installation

1. Download Anti-Captcha
2. Put both scripts in the head of your html document (in the proper order):

   <head>
   <script src="anti-captcha-0.2.js.php" type="text/javascript"></script>
   </head>
   

3. After form-submission match the input value with the sha1 checksum stored as a cookie:

   <?php
   // Verify the token using the checksum stored in cookie
   if (sha1($_POST['anti-captcha-token']) == $_COOKIE['anti-captcha-crc']) {
   
   // Reset token (preventing form resubmission)
   setcookie ('anti-captcha-crc', sha1(rand()), time() + 3600, '/');
   
   // Continue form validation
   die('Captcha accepted');
   
   } else {
   
   // No Anti-Captcha checksum received
   die('Error, please enable javascript and/or cookies');
   
   }
   

Looking for the WordPress plugin? Click here

Requirements
The Anti-Captcha script is written to be PHP4 compatible and should run on most hosting platforms. It has been tested and verified to work on most browsers, including the dreaded IE6. Note: the user does need to have javascript and cookies enabled for form submission to succeed.

Caveats
Obviously this technique isn't perfect, at some point bots might gain the ability to interpret javascript or simply read-out the obfuscated code instead. At that time a different approach, with a similar concept, would be needed.

It should also be possible to fool the Anti-Captcha with the use of “automated mouse-clicking software”. However this should be very hard to combine with botnets - thus making additional security layers (for example: maximizing form-submission on a per-ip basis) more feasible.

Another major drawback is the need for javascript to allow form-submissions, which is something you should ponder over yourself. Personally I feel it outweighs the disadvantages image-based Captcha's bring in, but this probably depends on the project at hand.

Credits
Part of the obfuscation technique used is based upon Dean Edwards JavaScript's Packer which is ported to PHP by Nicolas Martin, and made compatible with PHP4 by Mark Fabrizio Jr.

License
The Anti-Captcha is licensed under LGPL 2.1