Invisible Captcha


Invisible Captcha provides several user-friendly methods to protect your forms from vile spammers and evil robots.

Usage #

Select one or many Invisible Captcha security checks to protect your forms from spam. Invisible Captcha supports:

Add the captcha between your <form> tags with this one line:

{{ craft.sproutInvisibleCaptcha.protect() }}

By default, a submission that is caught is redirected to your 'redirect' location. If you want more control, you can set another hidden variable called 'redirectOnFailure':

<input type="hidden" name="redirectOnFailure" value="somewhere-else">

Invisible Captcha Methods Available #


Require web-based form submissions (Origin Method)

Explanation: The Origin spam protection method ensures that your form is submitted from your website and not from a third-party website or a headless browser. This method implements behavior similar to CSRF tokens.

Note: With this method, a regular user should have no chance of being denied when submitting your form.

How do I test this method?
It may not be easy for the average user to test this method. To do so, you will need to write a script that programmatically submits your form with a user agent string or domain that does not match the information for those settings provided by your website. Blocked submissions will be logged in the database and can also be seen in the Invisible Captcha logs.
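One way a server-side origin check can work, as an added sketch that is not the plugin's own code. It assumes the server compares the request's Origin header (falling back to Referer) with the site's own origin; the function names and the example.com values are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_tuple(url):
    """Normalise a URL to (scheme, host, port); None if it is not a web origin."""
    try:
        parts = urlsplit(url)
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    except ValueError:              # malformed port or host
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None                 # covers the literal "null" origin as well
    return (parts.scheme, parts.hostname.lower(), port)


def submitted_from_site(headers, site_url):
    """True only when Origin (or, failing that, Referer) matches the site exactly."""
    claimed = headers.get("Origin") or headers.get("Referer")
    if not claimed:
        # Assumption of this sketch: a POST with neither header is scripted.
        return False
    expected = origin_tuple(site_url)
    # Compare parsed components; a prefix or substring test would accept
    # hosts such as www.example.com.attacker.test.
    return expected is not None and origin_tuple(claimed) == expected


SITE = "https://www.example.com"    # constructed site URL

# Constructed request headers and the decision for each.
SAMPLES = [
    ({"Origin": "https://www.example.com"}, True),
    ({"Origin": "https://www.example.com:443"}, True),
    ({"Referer": "https://www.example.com/contact?sent=1"}, True),
    ({"Origin": "https://www.example.com.attacker.test"}, False),
    ({"Origin": "http://www.example.com"}, False),
    ({"Origin": "null"}, False),
    ({}, False),
]

if __name__ == "__main__":
    for headers, _ in SAMPLES:
        print(headers, "->", submitted_from_site(headers, SITE))
```

Both headers are set by the client, so a script can forge them; the check stops cross-site browser posts and naive bots, which is why it sits alongside the other methods rather than replacing them.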


Prevent duplicate submissions if a user hits submit more than once (Duplicate Submission Method)

Explanation
Sometimes a user may accidentally (or intentionally) trigger a form submit button more than once. The Duplicate Submission spam protection method uses a randomly generated unique id to verify that a form is only submitted once to the database.

How do I test this method?
When you submit your form, hit the submit button as many times as you can as fast as you can (or at least twice)! With this setting turned off, if you are not preventing duplicated submissions in any other way on the front-end of your website, you should see multiple form submissions in your database. With this setting turned on, you should only see one form entry get saved to the database. Blocked submissions will be logged in the database and can also be seen in the Invisible Captcha logs.
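The single-use id described above, as an added sketch that is not the plugin's own code. The class, the `submission_id` field name and the one-hour expiry are assumptions made for the illustration.

```python
import secrets
import time


class SubmissionTokens:
    """Single-use form ids: issued when the form is rendered, spent on first submit."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds          # assumption: ids expire after an hour
        self._issued = {}               # id -> time it was issued

    def issue(self, now=None):
        """Return a fresh random id to embed in a hidden form field."""
        token = secrets.token_urlsafe(32)
        self._issued[token] = time.time() if now is None else now
        return token

    def consume(self, token, now=None):
        """Return (accepted, reason). Any given id is accepted at most once."""
        now = time.time() if now is None else now
        # pop() checks and removes in one step; with several workers the same
        # guarantee has to come from the shared store (e.g. a unique constraint).
        issued_at = self._issued.pop(token, None)
        if issued_at is None:
            return False, "unknown-or-already-used"
        if now - issued_at > self.ttl:
            return False, "expired"
        return True, "ok"


def process(store, posts):
    """Save each post whose id is still unspent; return (saved, blocked)."""
    saved, blocked = [], []
    for post in posts:
        ok, reason = store.consume(post.get("submission_id", ""))
        if ok:
            saved.append(post["message"])
        else:
            blocked.append((post["message"], reason))
    return saved, blocked
```

Feeding the same post to `process` three times, as rapid clicks on the submit button would, saves it once and blocks the other two with a reason that can go into the failure log.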


Prevent a form from being submitted if a user does not have JavaScript enabled (Javascript Method)

Explanation
Most human users visiting your website have JavaScript enabled in their web browser. Often, when robots access your website programmatically, they do not have JavaScript enabled. The Javascript spam protection method tests if a user submitting your form has JavaScript enabled in their browser and rejects the submission if they do not.

Note: While this method can be very effective at stopping spam and is frequently used, there is a small chance some real users will not be able to submit your form if they are accessing your website from a location or device where JavaScript is disabled. Check your website analytics to make the best decision for your audience.

How do I test this method?
Disable JavaScript in your web browser. Refresh your form page and submit the form as usual. With JavaScript disabled in your web browser, your form submission should be blocked. Blocked submissions will be logged in the database and can also be seen in the Invisible Captcha logs.


Block form submissions by robots who auto-fill all of your form fields (Honeypot Method)

Explanation
Many robots fill out every single form field before they submit. The honeypot method of spam prevention creates a hidden field that should not be filled in by a user on your site because they will never see the field or know it exists. When a robot automatically fills in the field and submits the form, the form submission will be denied.

Note: Some screen readers will see this hidden field. We will clearly label the hidden field with a message telling screen reader users not to add anything to the honeypot form field.

How do I test this method?
To test this method you will need to modify the HTML on your form page before you submit it. Open your browser tools and find the HTML <input> field for your honeypot. It will be within a <div> that uses the name you defined in your settings and the <input> field will also use that same name.

Edit that input field. (This is important: in Chrome, for example, if you double-click on the input in your browser tools you are not editing your page as HTML; you must right-click and select "Edit as HTML" to be sure that you are actually modifying the page code so that it is submitted differently for your test.) Add any string of characters to the value="" parameter so that it is not blank (e.g. value="bees!") and then submit your form. Blocked submissions will be logged in the database and can also be seen in the Invisible Captcha logs.


Require minimum time to fill out your form (Time-based Method)

Explanation
The Time-based spam prevention method protects against robots who submit forms quicker than humans could.

Note: If a human does fill out the form too quickly, it will be blocked as spam, so be sure to set this number to a reasonable amount of seconds. 4 or 5 seconds is usually enough to weed out the majority of spam bots, while letting actual humans submit forms successfully.

Settings
Minimum time to submit form
This is the minimum time in seconds a user should take to fill out all form fields and hit submit.

How do I test this method?
To test the time-based method, update your time setting to something absurdly high. For example, set the minimum time required to submit your form to 1 day: 86400. Now go and submit your form in less than a day (if you can)! Blocked submissions will be logged in the database and can also be seen in the Invisible Captcha logs.
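The Honeypot and Time-based checks combined in one server-side validator, as an added sketch that is not the plugin's own code. The field names, the demo key and the HMAC-signed render time are assumptions; signing is one way to keep a client from back-dating the timestamp it sends back.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: per-site secret, never sent to the client
HONEYPOT_FIELD = "website_url"     # hypothetical name of the hidden honeypot field
STAMP_FIELD = "rendered_at"        # hypothetical name of the signed timestamp field
MIN_SECONDS = 5                    # the "4 or 5 seconds" suggested above


def _sign(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()


def render_stamp(now=None):
    """Value for the hidden timestamp field, produced when the form is rendered."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_sign(ts)}"


def check_submission(form, now=None, min_seconds=MIN_SECONDS):
    """Return (accepted, reason); the reason is what a failure log would record."""
    now = time.time() if now is None else now
    # Honeypot: a human never sees this field, so any value means auto-fill.
    if form.get(HONEYPOT_FIELD, "") != "":
        return False, "honeypot-filled"
    ts, _, mac = form.get(STAMP_FIELD, "").partition(".")
    # Verify the MAC before trusting the timestamp the client sent back.
    if not hmac.compare_digest(mac.encode(), _sign(ts).encode()):
        return False, "timestamp-missing-or-forged"
    if now - int(ts) < min_seconds:
        return False, "submitted-too-fast"
    return True, "ok"
```

A signed stamp stays valid once it is old enough, so a harvested one can be replayed; the single-use id of the Duplicate Submission Method is what covers that case.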

Logging Failed Submissions #

You can log failed submissions in the database to learn about what types of attacks your web forms are experiencing. Logs work but can only be accessed via the database right now.

Sprout Forms Integration #

Sprout Invisible Captcha works with Sprout Forms.

Enable Sprout Forms Protection
Select the Enable Sprout Forms Protection setting to dynamically output your Invisible Captcha when you're using the {{ craft.sproutForms.displayForm() }} tag.
