custom CAPTCHAs?

Random stuff about serendipity. Discussion, Questions, Paraphernalia.
Post Reply
mzltest
Posts: 3
Joined: Wed Dec 09, 2020 4:35 am

custom CAPTCHAs?

Post by mzltest » Wed Dec 09, 2020 4:58 am

As title.Just wondering how to use custom verification questions for replys as the built-in captcha (antispam plugin) seems to be to easy(some spam bots already cracked them and got filtered by akismet),while the reCaptcha plugin is not user-friendly in China(due to the block).

So,can we use custom questions for captcha(like SMF) and if yes,which plugin to install?
Moreover,is it possible to apply other types captcha without creating a plugin(as I have little php knowledge)
The main principle is easy - to check a token sent by $_POST before accepting a comment,but ...how to achieve that in this moduled action flow)

BTW: I believe the paths in s9y is absolute as I spent much effort to migrate my blog - finally done by reinstalling and reposting....
BTW #2: just wondering why don't use jquery on a cdn but using local version instead on almost all themes...

User avatar
onli
Regular
Posts: 2463
Joined: Tue Sep 09, 2008 10:04 pm
Contact:

Re: custom CAPTCHAs?

Post by onli » Wed Dec 09, 2020 4:23 pm

It's best to not use a captcha at all. Use the plugins spamblockbee + spamblock_bayes together with the regular spamblock-plugin. That way you get a good protection against spam without killing the accessibility of your blog.
BTW #2: just wondering why don't use jquery on a cdn but using local version instead on almost all themes...
Using a generic CDNs leak your visitors IP addresses to random third parties, which is pretty much illegal in Europe (even if sites did not catch up to that yet). Hosting the JS files locally is much better in that regard.

mzltest
Posts: 3
Joined: Wed Dec 09, 2020 4:35 am

Re: custom CAPTCHAs?

Post by mzltest » Thu Dec 10, 2020 9:21 am

onli wrote:
Wed Dec 09, 2020 4:23 pm
It's best to not use a captcha at all. Use the plugins spamblockbee + spamblock_bayes together with the regular spamblock-plugin. That way you get a good protection against spam without killing the accessibility of your blog.
Currently using akismet + ip frequency blocking.
Spamblock_bayes doesn't work quite well on Chinese(and some other languages) as we don't seprate words.We only put a "。" at the end of a sentence.Moreover a you need a trained dataset ,which makes it hard to *prevent* spam.
I haven't tried SpamBlockBee and the method looks interesting however I'm not sure of the
Using a generic CDNs leak your visitors IP addresses to random third parties, which is pretty much illegal in Europe (even if sites did not catch up to that yet). Hosting the JS files locally is much better in that regard.
Uh.Sorry for not knowing this as the digital privacy isn't really good here.But is it possible to manually switch a Jquery provider(default to use local,but using another source is also ok)?

User avatar
onli
Regular
Posts: 2463
Joined: Tue Sep 09, 2008 10:04 pm
Contact:

Re: custom CAPTCHAs?

Post by onli » Thu Dec 10, 2020 4:22 pm

Oh, I hadn't realized that the filter might not work with chinese. It comes without a trained model, you train it yourself with the comments and the spam you get in your blog. So it's helpful only after a short while. But okay, possible that it will not work all that well for you. Here, Akismet is usually at least as good as a custom Bayes filter - but even that is not working great for you?
But is it possible to manually switch a Jquery provider(default to use local,but using another source is also ok)?
Not like that. But you can replace our jQuery with a jQuery file hosted on a CDN. You will need to edit some code though - specifically the html we use to embed the jQuery. That's in line 69 of the file include/plugin_api.inc.php:

Code: Select all

<script src="<?php echo $serendipity['serendipityHTTPPath']; ?>templates/jquery.js"></script>
Change that src to link to the jQuery file you prefer instead.

This might be a good use of the jQuery plugin we once had. I think it's archived now. But if someone wanted to bring that back with some CDNs and maybe jQuery variants as config option I would help to get this back in Spartacus.

mzltest
Posts: 3
Joined: Wed Dec 09, 2020 4:35 am

Re: custom CAPTCHAs?

Post by mzltest » Thu Dec 10, 2020 6:03 pm

onli wrote:
Thu Dec 10, 2020 4:22 pm
Oh, I hadn't realized that the filter might not work with chinese. It comes without a trained model, you train it yourself with the comments and the spam you get in your blog. So it's helpful only after a short while. But okay, possible that it will not work all that well for you. Here, Akismet is usually at least as good as a custom Bayes filter - but even that is not working great for you?
Thanks for the reply.Akismet works well and recently it seems all the bot-generated spams are in English selling drug.
Wordpress's comment-moderation method is also a good example.Wordpress defaults to let blog admins moderate the first comment of a person.

And hmm...Sorry to mention captchas again,but is there a possiblity to add a captcha for serendipity_admin.php for admin logins to prevent attacks?
I once noticed an issue focusing on admin login security on github and it says a new version might include this.(Though changing the admin login entrance page in the blog settings might help)

User avatar
onli
Regular
Posts: 2463
Joined: Tue Sep 09, 2008 10:04 pm
Contact:

Re: custom CAPTCHAs?

Post by onli » Thu Dec 10, 2020 6:49 pm

If your spam is in english really give the Bayes plugin a chance. For english spam it does work well. And it should learn then that english is related to spam, while chinese comments are not - in your blog.

I'm not aware of a captcha protection for the admin login provided by serendipity. You can use your webserver to add an additional layer of security for the backend, for example to add an additional password with Apache's .htaccess.

Post Reply