If you are a web developer and use Google Recaptcha (or any service that uses Google Recaptcha, like Cloudflare or Incapsula), you unintentionally lock out and delay many potential and existing users. This is because Google bases captcha processing on your users' IP addresses. This is harmful because a spammer with the same IP address (such as in the same college, public hotspot, wifi access point, VPN or Tor network) can lock out or inconvenience the majority of legitimate users. Legitimate users are often forced to spend 2 minutes repeating captchas (only to have Google reject their answer due to their IP address), have no access to audio captchas for accessibility, or are locked out from accessing your website entirely with the error: "Your computer or network may be sending automated queries. To protect our users, we can't process your request right now. For more details visit our help page". This inconvenient delay or complete lockout means that users will not want to come back to your website, will click away from registration and checkout, or will use their accounts less often.
What to do? It is unfortunately difficult to tell someone in a public network, VPN or Tor to stop spamming (and there are better ways to prevent spam than indiscriminate IP blocking), and due to legitimate personal privacy and safety concerns, it is not reasonable to ban users from using a VPN or Tor. Therefore the solution is to acknowledge that many users are behind the same IP address and not to reject captchas based on IP address alone. There are many other captcha libraries that are easy to install, keep out spam and don't indiscriminately block based on IP - meaning that your users are judged on their actions, not on who shares their IP address.
For example, Securimage is a simple but effective PHP text captcha with an accessible audio option. You can download Securimage here:
https://www.phpcaptcha.org/
Or take a look at other captcha libraries for other languages:
https://github.com/lorien/awesome-captcha
Other services that often lock out legitimate users based on IP address are CDNs such as Cloudflare, CloudFront and Incapsula. In this case Cloudflare is slightly better, as it allows legitimate users to access your website after waiting or completing a captcha, whereas Incapsula often locks out legitimate users entirely based on their IP address. Such CDNs offer basic hiding of the server IP, a shared SSL certificate, rate limiting (helps to protect against spam, DDoS and brute force), caching (faster page load speeds), and a web application firewall (helps to protect against XSS, SQL injection and similar attacks). However, you can set up such protection on your own server and avoid MITM CDNs that can lock out and inconvenience your legitimate users.
Hide server IP
- It is often possible to find the server's IP despite Cloudflare; however, if you want to prevent easy access to your server's IP address, you can use a reverse proxy, e.g. with Nginx:
https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/
SSL certificate
- Many domain registrars offer SSL certificates from $2/year
- Alternatively you can get a secure and free SSL certificate from Let's Encrypt: https://letsencrypt.org/
Rate limiting
- If you use Apache, mod_qos can limit request rates:
http://mod-qos.sourceforge.net/dos.html
- Nginx rate limiting:
https://www.nginx.com/blog/rate-limiting-nginx/
It is advised to throttle or block individual requests, but don't permanently block a whole IP address (in case it is shared by many people on a VPN or Tor).
Cache
- Use CDNs for libraries such as Bootstrap or jQuery
- Minify CSS and JS files
- Set up compression and caching for Apache:
https://medium.com/@ali.dev/how-to-setup-caching-gzip-compression-in-apache-web-server-with-htaccess-292a0f689553
- Set up compression and caching for Nginx:
http://jvdc.me/fine-tune-gzip-compressing-and-enable-static-file-caching-on-nginx/
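As an added example (not from the original article), the following Nginx configuration combines three of the self-hosted protections described above in one server block: the reverse proxy that hides the origin server, per-request rate limiting that throttles bursts without permanently banning a possibly shared IP address, and gzip plus static-file caching. The domain, certificate paths, document root and upstream address are placeholders.

```nginx
# Added example, not the article's own configuration. Placeholders: example.com,
# certificate paths, /var/www/example/public and the 127.0.0.1:8080 upstream.

# Rate-limit state keyed by client IP: 10 MB of shared memory, 10 requests/second.
# Exceeding the rate delays or rejects individual requests only; the address is
# never put on a ban list, so a busy VPN or Tor exit is slowed down, not locked out.
limit_req_zone $binary_remote_addr zone=per_ip:10m rate=10r/s;
limit_req_status 429;

# Compress text-like responses; tiny responses are not worth compressing.
gzip on;
gzip_types text/plain text/css application/javascript application/json image/svg+xml;
gzip_min_length 256;

server {
    listen 443 ssl;
    server_name example.com;                                             # placeholder
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem; # placeholder path
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;   # placeholder path

    # Long-lived caching for static assets. Use hashed or versioned filenames so
    # that updated files are fetched despite the long max-age.
    location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg|woff2?)$ {
        root /var/www/example/public;                                    # placeholder path
        expires 30d;
        add_header Cache-Control "public, max-age=2592000, immutable";
    }

    # Everything else is proxied to the application server, which should only
    # listen on localhost or a private network so its address stays hidden.
    location / {
        # Allow a short burst of 20 requests before throttling; nodelay serves the
        # burst immediately and rejects only the requests beyond it with HTTP 429.
        limit_req zone=per_ip burst=20 nodelay;

        proxy_pass http://127.0.0.1:8080;                                # placeholder upstream
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Because the limit is enforced per request and the zone entry simply expires once the client slows down, a shared address recovers on its own instead of needing someone to lift a ban.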
Web application firewall
- If you use WordPress, you can use the Wordfence Firewall and Malware Scanner: https://wordpress.org/plugins/wordfence/
- For Apache and Nginx web servers, mod_security can help:
https://www.digitalocean.com/community/tutorials/how-to-set-up-mod_security-with-apache-on-debian-ubuntu
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
- Follow security best practices in your source code, such as the OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
In conclusion, for accessibility reasons and to create a better and more convenient experience for your users, consider switching from Google Recaptcha to Securimage, or use one of the many captcha and CDN services that don't block based on a shared IP address.
If you found this guide useful, feel free to send a contribution to 1CaLCR5mGwS4FJzU1HZm9qwr5WoRYFDdyB (BTC).
This article was written by Web4Crypto. Web4Crypto offers web development, web design, programming and scripting services from $40 and accepts Bitcoin, Monero, Ethereum and other cryptos. Visit https://web4crypto.xyz for more information and a free consultation.