WordPress: Anti-Captcha plugin

Anti-Captcha is a transparent Captcha solution which does not require any end-user interaction. The aim of this plugin is to prevent automated attacks (by bots) on the following WordPress actions:

  • Posting comments
  • Registering for a new account
  • Requesting a lost password

When a comment is posted without a valid Anti-Captcha token, it shall be instantly marked as spam. This allows you to manually approve this comment in retrospect if it appeared to be genuine.

Note: Anti-Captcha works in the background of your blog and is invisible to you and your end-users. Please read the related article The Anti-Captcha Challenge to understand the concept and technique behind it.

This plugin is free and open-source, but you’re welcome to buy me a coffee if you enjoy the amounts of spam it’s blocking and want to encourage me to keep it maintained. Thanks!

Requirements

This plugin is written for WordPress (up to version 3.5.1). It has been tested and verified to work on most browsers, including the dreaded IE6. However, the user does need to have JavaScript and first-party cookies enabled for form submission to succeed. Generally, it’s frowned upon if you don’t write JavaScript in an unobtrusive way (the reason for this is that some visitors don’t support JavaScript but should still be able to get around your website). Personally, I feel that Anti-Captcha is an exception to this rule.

In my view there are four types of user-agents not supporting javascript:

  • Search-engine spider bots
  • Users of a command-line browser (like Lynx)
  • Users who actively disabled javascript in their browser
  • Mischievous bots trying to spam or hack into your blog

Obviously, search engines don’t need to comment, register or login so they can be ruled out. Lynx users and users with JavaScript disabled are likely to be a very small percentage of the internet population who have actively excluded themselves from certain web features. Finally, badly behaving bots are what the Anti-Captcha plugin is trying to block.

Changelog
version 20140908
Tested on WordPress version 4.0
version 20140129
Fixed a bug that always marked legitimate comments to be moderated
version 20140128
Fixed a bug that broke wordpress discussion settings
Improved code compatibility
PhantomJs headless browser detection
Tested on WordPress version 3.8.1
version 20140102
Tested on WordPress version 3.8
version 20130927
Fixed a bug in which the ‘An administrator must always approve the comment’ setting was ignored
version 20130504
Fixed a bug in which legitimate comments were always flagged for moderation
Added a check on the format of the supplied mail address and its MX records (on fail, a comment will be held for moderation instead of being approved)
version 20130429
Updated anti-captcha to version 0.3 which introduces a new DOMReady loading method
This version also prevents an ‘alreadyrunflag is not defined’ javascript error
version 20130421
Tested plugin on WordPress 3.5.1 install, everything works as expected
Linked to new blog article at http://blog.fili.nl/wordpress-anti-captcha-plugin/
Version bump to remove WordPress ‘Out of date’ alert
version 20110129
Fixed regression bug that prevented anti-captcha from working on the registration and lost-password forms
version 20110125
Tested on WordPress version 3.0.4
Removed anti-captcha from login procedure
version 20100708
Tested on WordPress version 3.0
version 20100426
Changed error message to be more descriptive
Changed cookie mechanism to not rely on PHP sessions
Added ‘Back/Forward Cache’ prevention
Removed jQuery dependency
Tested on WordPress version 2.9.2
version 20090821
First release

This is anecdotal. I have installed the plugin using wordpress built-in installer, and IT DID NOT WORK! It keeps telling me:

Error, please enable javascript and try again…

in all recent browsers.

@Henry At which WP-action did you get this error (login, register)? Did you clear out your browser cache? On this blog I use the exact same plugin, you commenting here shows that it can work :)

Thank You for the plugin, it works ok.
But if You would please to describe me (or maybe add such function in next versions) how can I instantly delete spam messages instead of marking them “spam”? For example “change string #126 in file make_post.php from $Message->Mark("SPAM") to $Message->Delete()”, or something like that.
Thank You.

@SolutionFix Try to change line 47 of anti-captcha.php into:
add_filter('pre_comment_approved', create_function('$a', 'return 0;'));

I have not tested it, but that should probably work.

Nice job!

IE must be killed!!! use Google Chrome

thanks for the plugin, it works
i hate using akismet, it slowing my site

@indra Thanks, it works wonders for spam on this blog as well. To be honest I wasn’t even aware of the magnitude of WordPress spam until after I released this plugin.

Just installed the plugin. It successfully activated. How do I know that it is working?

dave

I now have the problem that HENRY has on login. Thoughts? When I disable this plugin the problem goes away. Any ideas why? I did clear cache, no change.

Dave

@dave Do you have a cookie-blocker in place? Please check and see if a cookie is set, it should be named “PHPSESSID”

Captcha is getting on my nerves: when I come to a blog and leave a comment, a Captcha code is required, I type the code properly, then it displays that it is wrong, I re-type and the answer is the same… but we need Captcha because of stupid bots :( and now this problem.
I downloaded and set up the plugin on my site. Nice job and thanks!

TEST

test… got to see what the goods look like ;)

Great!

I’ll try

test

test

@Brent Ah but there is! Read the article :)

This seems to be THE solution – thank you. One question: when a message is qualified SPAM it gets reported as SPAM but at that moment we DO NOT get a mail message informing us that a new message (spam or not) was entered – so we are not aware until we login into the WP Dashboard.

Do you have a solution which also informs us by email when a spam message has been entered? Tx a lot – Erik Wust

@Erik Not at the moment no, it might be a good feature for a future release. However, you probably would get quite a lot of extra emails. Maybe it’s easier to check the spam category once in a while…

Thank you for the excellent plugin! I previously had no antispam captcha on my site. Unfortunately, the spam has the upper hand, I have tried several plugins. Yours is, in my opinion, the best. Many thanks for that!
regards
sebastian

let's test what this does

Hi Fili
What’s your suggestion re Akismet if using Anti-captcha? Disable Akismet?

Does this work with BuddyPress. Main issue on BuddyPress is spam member registrations!

@phillwv You can use Akismet together with Anti-Captcha if you want to (i have). @RuthMaude I’m unfamiliar with BuddyPress, so please don’t hesitate to try it out and let us know!

testing

OK, I downloaded this plugin, installed it, now I CAN’T LOG IN TO MY WP BLOG!

I’m getting the same error message mentioned above:

“Error, please enable javascript and try again”

Javascript is enabled, cookies are not blocked, AdBlock has been disabled. Please tell me how to disable this.

@Dad have you tried empty-ing your cache? Probably the Anti-captcha module is not loading because you’re looking at a cached version of the login-page.

I’ve tried emptying my cache, restarting and I got the same thing. Then I tried opening the site in both Chrome and IE (neither of which I’ve ever opened the admin site with) – same results. Right now I’m locked out of my own WP admin page, I just want to get in and disable this plug-in.

@Dad Very strange, I never heard of that before. What version of WP do you have? You could try and rename the plugin directory using FTP. This way WP can’t find the plugin and should hopefully let you pass. If not, please rename the directory back the way it was and re-contact me.

Hey I’m using this anti captcha Version 20090821 on the 2.9.1 wordpress and it does work, because before I activated it, I was getting spam comments through, but now after activating this anti captcha the annoying spam stop or extremely decreased. Great easy plugin, I recommend it.

@fili I just had the same problem as Dad. I had to rename the folder to get back into my site. This was after I (a) cleared my cache, (b) cleared my cookies. But, this was decidedly a problem with AntiCaptcha: it was happening with multiple browsers Chrome, FireFox and even (eww, yuck, eeek) IE. I dunno why it suddenly broke — I updated a couple of other plugins, but I hadn’t encountered any problems with that before.

@gdb This shouldn’t happen, what version of WP are you running?

Watcha!

Great plugin but I’ve just started having the same problem as a number of users above: “Error, please enable javascript and try again”. This occurred when attempting to log in to the site either as an admin or as a user.

I got this on every browser I have installed: IE 8, Firefox 3.6, Chrome 4 and Opera 10.5. Like others, I had to FTP and disable the plugin folder directly, to be able to log into my site.

Something that may be relevant is that I host two blogs on the same site. I have two WP instances running off of a single DB with different table prefixes. I enabled your plugin on both sites but the error only occurs on one. Could this explain it? Some sort of cookie conflict?

what kind of plugin is this that you yourself don’t even use it in your own website?

@Oli Thanks for your message. It’s hard for me to debug the problem if I can’t reproduce it. Could you e-mail me the version of WP you use and all the plugins you have installed (it could be caused by a combination of plugins). As soon as I can find some time I’ll look into the matter deeper.
@Farhad I do use it on this site.

Working good

nevermind my last comment. Chrome needed to update. Ugh

Hi,
If I want to use this with a WordPress site do I simply install the plugin and activate it or is there more I need to do?

@Chris Yes, there is nothing more to it!

I like that answer!

Is it working?

Thanks for the plugin. I just installed it successfully. Great work.

YOU are the man!

Thanks a bunch for this great plugin!

thanks

Test comment, I would like to see :)

It doesn’t work :(

@hans That’s not very specific, got more info?

Thanks for the plugin – a buddy of mine told me to give it a try. Crossing my fingers that I can get rid of the captcha plugin I’m using!

Hi man. I just want to test your plugin. If it works as I expect I will install it.

Is it compatible with “WP Super Cache” plugin of wordpress 3.0.1 ?

@henry Try it out and let us know :)

Well, glad to do that, but how do I know whether it is functioning well with WP Super Cache? I mean, where is the javascript file added, what is its name, how to identify it?

@henry You could install both plugins and then test to see if you can still comment/login when javascript enabled/disabled. Looking at the source, you should see the file anti-captcha-0.2.js.php in the header when not logged in. If all fails then you can manually remove the anti-captcha from the wp-plugins directory using ftp.

test

nice

Nice information thank you.

@tester you can try with javascript disabled/enabled in your browser. It’s working wonders for my own blog :)

I just tested with wordpress without success (no captcha appears)
Of course the plugin is activated.

Best

@joh You probably don’t grasp the concept of Anti-Captcha yet, it’s supposed to be invisible (but it does work!). More information can be found in this article.

This plugin conflicts with Login With Ajax (http://netweblogic.com/wordpress/plugins/login-with-ajax/) so would you please help me to fix it? Thanks

@louisdinh I can imagine that an Ajax login process would interfere with Anti-Captcha. You’d probably have to choose between the two plugins.

Hello

WOW great plugin I love it

Regards

I use caching, and have found problems with various captcha systems.
I think I tried anti-captcha, but it wouldn’t do the job, as my caching bypasses the entire WordPress engine (simple, direct PHP caching).

So… I used a simpler technique… I simply print out the text area and submit button with javascript. I don’t really do any checking… simply bypassing non-js browsers. It helps.

I’m working now on using a cookie AND printing form with js.
That would quickly lock out any bots not accepting both.

Whatcha think?

@vince Not bad, your idea is basically the same but you left out javascript encoding for simplicity sake. Which would do fine for most spambots, as long as your method won’t become very popular. Adjusting a spambot to simply read-out your javascript isn’t that hard. Furthermore, I wouldn’t recommend to build the entire form using javascript alone. This would probably not be very practical. Thanks for your comment though :)

Hye !

I’ve just properly installed the plugin in my WordPress blog… but apparently it does not do anything: I still have a lot of SPAM…
How can I verify that this plugin is running properly, and why do I still have SPAM?

Best regards

@Darmangeat I can see that you’ve successfully installed the plugin, you should be protected from new spam comments. Emphasis on new, it does not clean old spam from your database. Please also note that the Anti-Captcha plugin doesn’t remove comments which it thinks are spam, it only labels them as spam – preventing them from being shown on your blog.

That’s an interesting idea ! Unfortunately on my WordPress (3.0.1) site I get a 408 error when I commit the registration form – and the registration works whether JS is enabled or not… So I had to disable the plugin.

Same happened to me, had to delete the plugin, got that could not log in error. Tried everything.

@Julien I’ve never encountered an ‘HTTP Error 408 Request timeout’ myself. Seems to me that it has something to do with the server-load. To be honest, I can’t think of a reason this would be caused by my plugin. Sorry.

@Ian The plugin injects js-code in the header – could you check if the script-tag is present on your blog? If not then some kind of caching mechanism is causing it to fail. If it does, then for some reason the cookie doesn’t get set on your browser. Have you tried a different computer/browser?

Can not install using WordPress 3.0.1.

Downloading install package from http://downloads.wordpress.org/plugin/anti-captcha.20100708.zip…

Unpacking the package…

Incompatible Archive. PCLZIP_ERR_BAD_FORMAT (-10) : Unable to find End of Central Dir Record signature

@frustrated I can install/run the plugin fine on my WP 3.0.1. Note that WP actually creates the zip-archives and the plugin-install procedure too for that matter. Finally, the zip-file you mentioned can be extracted without trouble on my box. I’m not sure where things are going wrong for you, but it’s probably specific to your WP installation or server configuration. Maybe posting a question on the WP support forums will help?

Hi Guys,

first of all, thank you to Fili who has done a wonderful job with this plugin. I would like to contribute something to it, a feature that many would need – here is how you can directly delete the spam rather than marking it as spam:

1. Line 43, anti-captcha.php, change the line to: add_filter('pre_comment_approved', create_function('$a', 'return \'delete\';'));

2. The status ‘delete’ of the comment is not supported by default from WP, this is why I make a small modification in /wp-includes/comment.php:

– Function wp_new_comment, somewhere around line 995
– After the line $commentdata['comment_approved'] = wp_allow_comment($commentdata); enter the following:

if ('delete'===$commentdata['comment_approved']) {wp_die("Message flagged as Spam","Spam not allowed");}

In order to test this, you can send yourself an E-Mail when the if was triggered and include this in the parentheses like that:

if ('delete'===$commentdata['comment_approved']) {mail("YOUREMAIL","comment killed before save","Comment {$commentdata['comment_content']} killed",""); wp_die("Message flagged as Spam","Spam not allowed"); }

Best regards

@Kosev Thanks for your input! However, altering one of the core files of WP is not considered to be best practice. After every WP-upgrade, you’d have to re-edit comment.php to include the changes you made. Did you try the method I described to SolutionFix earlier in the comments? Personally I have not, but it should probably work and you’d only have to change one line :)

Is there some way I can simulate a spam entry to see that the plugin is working and what happens to the attempted entry?

I’ve been using the anti-captcha plugin for a few months and it’s been working great, however it recently stopped working when I updated it to the latest version. I’m running wordpress 3.0.4 with buddypress installed. Is there anything that you changed that made it not work with buddypress registrations again? I’m getting flooded with Spammer accounts again. HELP.

@Chris Certainly, just disable javascript in your browser and post a comment on your blog. It’ll be silently marked as spam.

@Ryan There has been a recent change to the login-procedural part. I’ll look into it as soon as I can.

@Ryan There is a new version out, this should fix your problems

Thank you!

I reactivated user registration with the updated version of the plugin and it did not seem to stop the spambots. Do you think they figured out the javascript trick?

I’m sorry, but don’t get it, why is there no captcha here?

I installed the plugin on my beeldbuijs.nl wordpress (plain vanilla 3.0.4, no other plugins yet) and no captcha there either.

It’s invisible, that’s the point :) Please read this related article in order to get it.

Hiya. Please reject this comment (and the previous if you like).

Checking the code, it appears trivial to re-activate the login portion of the plugin. Perhaps you can make a note of that somewhere, and the reason it was removed in the first place? Because I’m about to activate that code, but if you removed it because it’s broken, that’d be cool to know!

Thank you.

@Kyle Some users reported problems with Anti-Captcha on the login-procedure. I’ve tried to reproduce it but it never happened to me. Most likely it was caused by the combination of another WP-plugin. In the end I decided to take out the login procedural code, also because brute-forcing WP really isn’t a common scenario. Feel free to re-enable it :)

Hello.. this works too well. I’ve been getting legitimate posts marked as spam. I’m not sure how to resolve this, do you have any suggestions? Thanks for the plug-in.

@Tester1 A false positive could only occur if the browser of a legitimate poster does not support javascript and/or accept cookies. This can’t be fixed. Best is to check your spambox once in a while (like with email).

I can’t see the captcha. Where is it?

@Krayloyun It’s invisible, please read this related article

I can’t use this plugin, how to fix it?

Thanks!

Hi! Now I’m trying to adopt anti-captcha solution for a large blog network and had to look inside its code.

Let me describe you how anyone can easily pass anti-captcha without need to parse any javascript!
1. Find out that a cookie called “anti-captcha-crc” is set.
2. Google for “anti-captcha”, look in the source code.
3. Write a really stupid bot, that does not send any “anti-captcha-token” post field upon form submission nor does it accept your cookies. All it needs to do is to send a hardcoded cookie “anti-captcha-crc” with value sha1('') in each request. That’s it!

Of course, you need to check if “anti-captcha-token” field is being sent at all. And still that doesn’t solve the whole problem. As long as hash function is known there is no need for javascript evaluation to pass your captcha.
So, I suggest hash with a secret salt in place of simply sha1() (hash_hmac() can help you).
And of course that salt must be unique for every installation.
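
The check the comment above describes, set beside a keyed variant along the lines it suggests, as an added example that is not part of the original thread and not the plugin's own code. Only the cookie and field names come from the comment; the function names, the SHA-256 choice, the timestamp suffix and the demo secret are assumptions.

```php
<?php
// Added example, not the plugin's code. Requires PHP 7+.
// Cookie and field names are the ones quoted in the comment above;
// every function name here is hypothetical.
const COOKIE_NAME = 'anti-captcha-crc';
const FIELD_NAME  = 'anti-captcha-token';

// Weak check, reconstructed from the comment's description (assumption):
// an unkeyed sha1() of the token is compared with the cookie, and a
// missing POST field is silently treated as the empty string.
function weak_verify(array $post, array $cookie): bool
{
    $token = $post[FIELD_NAME] ?? '';
    $crc   = $cookie[COOKIE_NAME] ?? '';
    return sha1($token) === $crc;
}

// Hardened issue side: random token with an issue time, and a cookie that
// is an HMAC of the token under a secret only this installation knows.
function issue_pair(string $secret, int $now): array
{
    $token = bin2hex(random_bytes(16)) . '.' . $now;
    return [
        'token'  => $token, // would be delivered through the encoded javascript
        'cookie' => hash_hmac('sha256', $token, $secret),
    ];
}

// Hardened verify side.
function strict_verify(array $post, array $cookie, string $secret,
                       int $now, int $maxAge = 3600): bool
{
    $token = $post[FIELD_NAME] ?? null;
    $mac   = $cookie[COOKIE_NAME] ?? null;
    // 1. The field and the cookie must both be present and non-empty.
    if (!is_string($token) || !is_string($mac) || $token === '' || $mac === '') {
        return false;
    }
    // 2. The cookie must be the keyed MAC of the token (constant-time compare).
    if (!hash_equals(hash_hmac('sha256', $token, $secret), $mac)) {
        return false;
    }
    // 3. The token must be recent, so an old pair does not stay valid forever.
    $parts = explode('.', $token);
    if (count($parts) !== 2 || !ctype_digit($parts[1])) {
        return false;
    }
    $age = $now - (int) $parts[1];
    return $age >= 0 && $age <= $maxAge;
}

// Constructed demo values. In WordPress the secret could come from wp_salt().
$secret = 'constructed-demo-secret-not-for-production';
$now    = 1700000000;

// Request shape from the comment: no token field, cookie set to sha1('').
$emptyPost    = [];
$forgedCookie = [COOKIE_NAME => sha1('')];

// A pair issued by this installation, submitted ten minutes later.
$pair       = issue_pair($secret, $now);
$goodPost   = [FIELD_NAME => $pair['token']];
$goodCookie = [COOKIE_NAME => $pair['cookie']];

$results = [
    'weak, no field'      => weak_verify($emptyPost, $forgedCookie),
    'strict, no field'    => strict_verify($emptyPost, $forgedCookie, $secret, $now),
    'strict, issued pair' => strict_verify($goodPost, $goodCookie, $secret, $now + 600),
    'strict, stale pair'  => strict_verify($goodPost, $goodCookie, $secret, $now + 7200),
    'strict, other key'   => strict_verify($goodPost, $goodCookie, 'another-install', $now),
];
foreach ($results as $label => $ok) {
    printf("%-20s %s\n", $label, var_export($ok, true));
}
```

The keyed MAC only proves that the pair was issued by this installation; whether the client actually evaluated the javascript still depends on how the token is delivered to it.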

Good Afternoon! I’ve been using your anti-captcha for a couple of weeks, and it’s been killing spam comments dead. Until today, that is. Suddenly I’m getting thousands of spam through. Not to the webpages, but into the spam comment queue. Your plugin had been keeping things completely clean. Now I’m getting large blasts of spam comments, something like 300 in 4 minutes. Not every 4 minutes, but regularly.

Does this mean some hackers have bypassed your methodology?

@Mitch Is it correct that the spam doesn’t appear on your website but only in the spam comments queue? Because this is exactly what the plugin is supposed to do. However, in your situation it might be better if the plugin deletes the comments immediately instead of marking them as spam (saving you some time manually empty-ing the spam queue). To achieve this, you could try out what I suggested earlier in comment 71.

Is there any way to use this in other wordpress forms? I’ve got a plug-in that pops up a page feedback form which emails me people’s feedback. It’s getting spammed.

Any chance that this plugin can be used with Gravity Forms? If so, how?

Captcha sucks, it discriminates against
older people that know how to read.

It is not necessary to force people through that crap and serious websites
should know that captcha got to go

Current version just sticks everything in moderation including my regular commenters.

Thanks for your bug-report, I’ve uploaded a fix for it (version 20130504). Please try again to see if this solved your issue

Nope, my top comment poster still ended up marked as spam

You’ll have to be more specific in order for me to help you. Does his comment become spam or “under moderation” as you previously stated? Does it happen only to this one person? Is he logged in? Can you reproduce the error yourself? Also, where is your blog at?

Hi, I had to deactivate this extension because my Form had a “blank page error”
Is this a known issue?
Regards
Rolf

Hi Rolf, no, it is not a known issue. Could you provide me with some more details? For example, which browser are you using when this is happening or does it happen on all? Can you also look for javascript/php errors? This will help in pinpointing the problem.

This plugin auto approves any non-spam post. It completely ignores the “An administrator must always approve the comment ” WP Admin/Discussion setting.

Please fix this.

Good point, I will look into it as soon as I can find some time

I have WordPress 3.6.1. I know as mentioned above this is for 3.4.1.. I installed it anyway hoping it would work.. Activation went smooth. I expected to see something under the comment ( or a form ) box but nothing.. or is it just running in the back ground? I deactivated it and uninstalled. Please advise. Thanks.

Anti-captcha is not like other captchas in that it doesn’t require user interaction. It’s not visible but it works nonetheless! Just keep it running for a while and check the spam folder to see how much spam it’s catching

Hi, Filidor! Can I use Anti-captcha with “Contact Form 7”? (WordPress)

Hi Gleb, probably not. It requires a small change to the codebase of Contact Form to kick-off the anti-captcha check after form-submission

What changes are needed? Is it code from page http://blog.fili.nl/the-anti-captcha-challenge/ ?

I need a simple form “text field + send button”. Anti-captcha WordPress plugin installed.

@Gleb, it shouldn’t be too hard. Take a look at the anti-captcha wordpress-plugin code (specifically the anti-captcha.php file), something similar has to be done in your case. It’s a two-step process: 1. the anti_captcha_head() function has to be called on the page of the form to include the anti-captcha js-script, 2. the anti_captcha_verify_token() function has to be called directly after form-submission to validate the captcha’s response. Good luck!

On latest wordpress I get this:

Call to undefined function dns_get_record()

anti-captcha.php on line 99

@Greg dns_get_record() is a PHP built-in function that has been present since at least PHP 5. What version of PHP are you running? If lower than 5, I recommend ditching your hosting-provider :)

I recently updated WP to latest and server runs php5.2.17

Definitely get that error when posting a comment, so I disabled the plugin for now.

Just re-enabled to test and same thing… :-(

Did some googling and it seems that function doesn’t work on Windows…..

Hi there,

I believe the current version of Anti-Captcha (20140102) is causing the moderation and blacklist keywords to be ignored, as well as the “Comment author must have a previously approved comment”.

After the update, I noticed that newly registered users were able to post comments immediately without moderation. More recently I noticed that a user I had placed in the moderation keywords was able to directly post comments without moderation. Upon testing I found that none of the keywords entered in the moderation or blacklist keyword fields were having any effect.

Disabling the plugin fixed the problem. Shame, because I love how much spam this plugin stops.

If you’re able to fix this, then I’ll be able to re-enable the plugin, and then I’ll be delighted to send you a donation for lots of coffee for all of your hard work :)

Thanks,
Samuel

@samuel and @greg: There is a new version that fixes your issues

Thank you very much. I appreciate it a lot. It’s amazing just how many spam registrations your plugin blocks :)

Thanks for your donation, I really appreciate it!

Well, there are too many comments here, but I’d like to enter here and specially thank you. I’ve been using your plugin since I’ve discovered it and any other heavy plugins that do the same work are gone.
Thank you!

I’m getting error while trying to access my lost password.
header already sent……..on anti-captcha.php line 34

That shouldn’t happen. Did you by any chance change the code of anti-captcha? For example a space in front of

On a blog I manage, I now see quite a lot of false positives, so spam actually being allowed in the comments.
At the same time, also still massive amounts not being allowed, and properly being identified as spam.

Is anyone else experiencing this? Any solutions?

@Aart, what do you quantify as “quite a lot”?

@fili:
Well, last week I had ~ 5 per day. This week none so far.

This plugin is designed to block automated spam from javascript-less scripts. Five a day could still be manually entered or they could be using a javascript capable script. In any case, there is not much that I can do for you. A 100% success rate is not feasible.

I understand :-) No problem, in general it works great :-)

The plugin is broken on 4.0 for new installs, works ok on existing installs that have been updated. On a new install I get the message:

The plugin does not have a valid header.

To clarify the above, the problem only occurs when you try to activate the plugin from the install results page. Activating the plugin from the installed plugins page does work !

Thanks Dave for your bug-report, I’ll look into it!
