Find an open source alternative to Google Recaptcha for our website #13905

Open
mattab opened this issue Dec 23, 2018 · 75 comments

@mattab (Member) commented Dec 23, 2018

Currently we're using Google Recaptcha on pages with a form, which leaks lots of data to Google.

For example on this page: https://matomo.org/contact/

-> It would be fantastic to find & use an open source, decentralised alternative to Google recaptcha on our Matomo.org website.

If anyone knows an alternative to Recaptcha that works, please let us know

@mattab mattab added the c: Website matomo.org For issues related to our matomo.org website. label Dec 23, 2018
@mattab mattab added this to the 4.0.0 milestone Dec 23, 2018
@fdellwing (Contributor)

There are a lot of captcha libraries, but none of them provide such features as reCaptcha.

@Findus23 Findus23 pinned this issue Dec 24, 2018
@Findus23 (Member)

@fdellwing The only feature we need is not getting overwhelmed with spam 🙂

Bonus points if it is accessibility-friendly.

@fdellwing (Contributor)

As I said, I know no captcha that is nearly as user-friendly as reCaptcha. So the best would be to take some random image captcha (there are MANY) and just put a self-made database on top that recognises returning users.

@Findus23 (Member)

As I said, I know no captcha that is nearly as user friendly as reCaptcha

I really have to disagree. I regularly spend multiple minutes getting angrier and angrier as I am clicking through page after page arguing whether something can be considered a storefront when the captcha switches into extra-slow mode where every image takes a 5-second transition to load.
(I am not using a VPN or anything similar, just a regular internet connection)

I think a captcha doesn't need to be complex to stop most bots (after all, while Recaptcha is hard to circumvent, it only costs 0.2 cent to pay someone to solve it for you), it just needs to be different enough that it stops automated bots programmed for popular WordPress forms.

I even think that a simple input field asking to enter the name of the open source project you are trying to contact (that maybe also allows common variants) would stop nearly all automated spam.
And the remaining ones I think (from what I see on the forum) are actual people pasting spam texts into the forms and those are not blockable via captchas.
@tsteur, would it be possible to add something like this to the forms without too much work?

@tsteur (Member) commented Dec 27, 2018

As long as there is a wordpress plugin for it that should be fine. We wouldn't want to build anything ourselves. The plugin would ideally hook into random places where needed and support gravity forms etc.

@Findus23 (Member)

https://wordpress.org/plugins/humancaptcha/ seems to be pretty much what I described, but the plugin looks odd and only seems to integrate with comments.
Apart from that I could only find https://wordpress.org/plugins/humancaptcha/ which seamlessly integrates into login, registration, lost password, comments, bbPress and Contact Form 7.

I have never used Gravity Forms before, but it seems to have many features and maybe one can make a required input field with the quiz feature. Not sure if it can be combined with the normal contact form.

@tsteur (Member) commented Dec 27, 2018

Did a quick search for "captcha gravity" maybe https://wordpress.org/plugins/nomorecaptchas/ or https://wordpress.org/plugins/cleantalk-spam-protect/ would help? cleantalk also seems to support woocommerce. not really sure how good they are though.

I reckon something where people need to enter "Matomo" might be too complicated sometimes for some humans (it seems easy but may not always be clear what to enter) and at the same time someone wanting to spam us could easily achieve it.

@Findus23 (Member)

https://wordpress.org/plugins/nomorecaptchas/ or https://wordpress.org/plugins/cleantalk-spam-protect/

Both plugins work by sending the visitor behaviour data to the services' servers and analyzing it there. So I guess they are no better than ReCAPTCHA.

It's odd that there isn't a well-maintained open source plugin that just does basic local analysis.

someone wanting to spam us could easily achieve it.

Targeted attackers will probably always be able to afford the 0.2 cent it costs to reliably circumvent all types of captcha.

@mattab mattab unpinned this issue Jan 2, 2019
@mt-dave commented May 7, 2019

I would think an alternative to reCAPTCHA would be a kind of service, something that can solve the traditional reCAPTCHA issues like GDPR and accessibility and still provide a solution like No CAPTCHA.

I came across some solutions and here is a quick summary.

Captcha providers can broadly be categorized in 2 categories:

Captcha Service Providers: This option works well for mission-critical enterprises looking for protection against constantly evolving spam and bot threats. Some of the industry players in captcha services are:

RECAPTCHA: Free and one of the most widely used captcha services across the globe. They have recently launched reCAPTCHA v3, which generates a risk score based on user behavior on the site, Google cookies, traffic history etc. GDPR has been a major concern considering what information it stores and uses for other Google products like Google Ads.

MTCaptcha: Captcha service that is more focused on enterprise needs. Provides a NoCaptcha alternative to reCAPTCHA, captcha account management, GDPR compliance, availability across the globe (China included). Limited in low-friction captcha capabilities.

Solve Media captcha: Ad-driven captcha that uses advertisements to generate captchas and solve them. GDPR compliant, beautiful captcha and customizable. It may not be a good idea to show advertisements on an enterprise site.

Captcha Library Providers: There are a lot of players in the captcha library space, and if you are willing to manage and set up the code, some of the options are:

BotDetect CAPTCHA: Most widely used captcha library, available in multiple languages. They license the library, which then needs to be implemented and managed.

KeyCAPTCHA - Innovative Anti-Spam Solution: Plugin-driven captcha covering a wide range of CMS systems. Mostly CMS-driven, needs self-hosting and management. Permutations are limited for captcha generation.

@Findus23 (Member) commented May 9, 2019

I just came across https://www.phpcaptcha.org/ which seems to be the only local open source captcha solution that has a wordpress plugin: https://wordpress.org/plugins/securimage-wp/

But I don’t know how well it supports the forms used on matomo.org

@Crypto-Loot

Hi there,
We offer a PoW (proof-of-work) based captcha system where a user must verify a captcha via mining a cryptocurrency for several seconds before proceeding to confirm the token. You may find more at our website: https://crypto-loot.org (will have to login to see the demo/code)

We are also doing a rebrand shortly along with a potential partner to help bring web mining into the white light for the industry.

Please feel free to let us know if you would like to work with us!
support@crypto-loot.org

@mattab mattab modified the milestones: 4.0.0, 3.12.0 Jun 17, 2019
@mattab (Member, Author) commented Jun 29, 2019

Privacy concerns of this tool are real, see https://www.fastcompany.com/90369697/googles-new-recaptcha-has-a-dark-side

@mattab mattab modified the milestones: 3.13.0, 4.0.0 Jul 31, 2019
@joekarns

One non-google product you could use to better protect your login page (or any page of the site) would be using the free version of Cloudflare. I use "Page Rules", then configure only my login page with the form on it to be in "under attack" mode in Cloudflare. By doing so, it scans any/all users who try to access that page of the site. It's not a perfect solution but it should cut out most of the pure bots hitting that page. Hope that helps.

@Findus23 (Member)

@joekarns Using Cloudflare might be even worse as it

  • allows one entity to intercept a huge fraction of the internet's traffic
  • cuts off a large fraction of internet users (e.g. Tor users)
  • still uses ReCaptcha (I think) to detect bots

@joekarns commented Sep 19, 2019 via email

@mattab mattab modified the milestones: 4.0.0, 4.1.0 Jan 30, 2020
@mattab (Member, Author) commented Jan 30, 2020

We're still actively looking for an alternative to Google recaptcha!

If you have any hint, we'd love to hear it!

@ara4n commented Feb 9, 2020

we are too, over at element-hq/element-web#3606 (in the interests of sharing any discoveries). (Riot also uses matomo for its analytics, fwiw :)

@raneq commented Feb 13, 2020

What about:

  • Captcha code? It's up to date and looks clean to me. I don't know if it's effective though.

For the record:

  • Visual Captcha? It's not maintained, but it may just work. Wrong, the WordPress plugin is not up to date.
  • Secure Image: It's not the cutest, but it's just a matter of CSS. But it's also not up to date.
  • Lepture Captcha: For Python projects, it looks like a good resource, even though the last commit is from Nov 2018.

It feels like the interest in light and effective captchas has dropped a lot. Thank you for not surrendering on this.

@Findus23 (Member)

@raneq
I am really not sure if those Captchas that just use GD to print a random string to an image and sprinkle a few dots or lines above it are really helpful.

  • They are all completely inaccessible, so a lot of people are completely prevented from submitting a form.
  • I really doubt any but the most trivial bot is unable to detect those images via OCR (especially as they use known font-files)
  • most of them seem to have had their latest commit many years ago

For captcha-code-authentication specifically there seem to be multiple reviews mentioning that removing the captcha from the form circumvents it.

@mattab (Member, Author) commented Mar 4, 2020

Btw we could also self-host the Google reCAPTCHA and proxy requests; this would help people from China at least, and may limit some of the privacy implications? Using this: https://github.com/google/recaptcha

PHP client library for reCAPTCHA, a free service to protect your website from spam and abuse. http://www.google.com/recaptcha/

@supervisitor commented Jul 19, 2020

@gzuidhof ... it looks like a slightly better solution than Google reCaptcha... but it is still something which is annoying the user. And it looks like you want to sell something which is annoying Matomo users... 😉
From my side you will get a 👎! I still prefer the principles of "negative captchas": it costs nothing, and annoys no one. Humans should never have to prove themselves to machines as humans! Your solution is another script with 24k, another dependence on another online service... nothing really new, but which has to be paid for.

@fadelkon commented Jul 19, 2020

What about the negative captcha, then? Has anyone apart from @supervisitor proven it to work while taking care of accessibility? Is there some kind of general solution documented?

Also @gzuidhof's approach of a crypto puzzle has not been discussed enough I guess. I can think of the carbon footprint of wasted CPU, and of punishing the already punished: users of older, slower devices. Isn't the intended effect equivalent to a simple timer?

I can only see downvotes for all the other alternatives, while matomo website is still sticking to arguably the worst of them.

From the equivalent riot/element issue I found the equivalent gitlab issue. They already merged an "invisible captcha" option, that says, quoting:

The invisible captcha uses 2 ways to fight spam:

  • A honeypot (invisible input field) in the registration form: either firstname or lastname (randomly picked)
  • A time-sensitive registration, set to 4 seconds, being the idea that humans take longer than this time to fill in and submit the registration form.

However, in gitlab.com (the central instance) they are still using google recaptcha.

EDIT: I am suspicious of the accessibility issues arising from using meaningful names for hidden fields, for the case of screen readers.

@Jookia commented Jul 19, 2020 via email

@gzuidhof commented Jul 19, 2020

@fadelkon You're right that the computation is useless (I would love to make it useful, but so far no proof of work has been invented with that property it seems) and that users of slower devices will have to wait longer. Two points that alleviate the problem:

  • The computation can happen in the background as soon as the user loads the page (or when the user first clicks a form element, which is the default). My intuition tells me that users on slower devices (e.g. smartphones) will take longer to fill the form anyhow so hopefully still have a high probability of the captcha already completed by the time they are done filling the form.
  • So far the worst case time spent I've seen is 15 seconds on a fairly old phone (it only uses 1 core). I expect that the energy usage of downloading the challenge (up to 2MB for recaptcha) and the user spending time to solve it might not actually be all that different (not to mention the infrastructure to support this labeling task).

I wish a perfect captcha existed, but there seem to be inherent downsides to every solution. I believe trading seconds of useless computation against accessibility, inclusivity and privacy issues is a good idea (but of course I'm very biased as that is literally why I created FriendlyCaptcha).

@gzuidhof

@gzuidhof ... it looks like a slightly better solution than Google reCaptcha... but it is still something which is annoying the user. And it looks like you want to sell something which is annoying Matomo users... 😉
From my side you will get a 👎! I still prefer the principles of "negative captchas": it costs nothing, and annoys no one. Humans should never have to prove themselves to machines as humans! Your solution is another script with 24k, another dependence on another online service... nothing really new, but which has to be paid for.

In response to this: honeypots are a good idea but are security through obscurity that screen readers and other assistive technologies will have a hard time with. Have you tried the demo for my offering? In my experience it costs 0 extra time when you actually fill out the form (I personally can't fill a form in less than 5 seconds).

My solution is available as free open source software and can be self-hosted, so there need not be a dependence on another service if that is desired. I offer the SaaS offering to try to make it a sustainable project and to make it as easy to integrate as other 'unfriendly' captchas. I think 9KB (gzipped size for modern browsers, only to be included on pages with an actual form) is good value for what it provides.

@Jookia commented Jul 20, 2020 via email

@gzuidhof commented Jul 20, 2020

@guido: I tried your demo on my Galaxy S2 and I can't say it's a good experience compared to other CAPTCHAs. It opens a page that shows a form (cut off at 'Any other thoughts or comments'). Completing the form causes it to say 'FriendlyCaptcha verification failure' and says I submitted before the CAPTCHA was finished; at no point did I see a CAPTCHA or agree for it to run. So going back and manually scrolling I realize my phone's virtual keyboard was blocking the CAPTCHA and it would submit, because the submit button lets you submit even if the CAPTCHA doesn't work or isn't visible. A more fundamental issue is that the user has to wait for the CAPTCHA to solve. I used another, newer phone to solve the CAPTCHA. With my phone on power saver it takes long enough that I switch over to another app since I want to use my phone to do things instead of solving CAPTCHAs. It was still solving so I just put my phone to sleep and checked it later. To its credit it did solve, but I really didn't know whether or not to press submit in case it gave me that error again.

Oh no :(, I imagine something went wrong when loading the script the first time. Thank you for the detailed report, I will definitely have to fix this. On the demo form I intentionally made submitting with an incomplete captcha possible so you can make it fail. Maybe that only adds confusion :/, that was probably a mistake.

Could you tell me which browser you have installed on your Galaxy S2? If it's more than 8 years old I don't have a fallback for those browsers. (Well, it is possible to compile with support for them, but the polyfill makes it even slower).

If it took longer than say 20-30 seconds then that definitely needs improvement on my end. It's a balancing game of puzzle difficulty vs time. >15 seconds is an awful experience, but if it is 0.1% of users with that speed who use an outdated browser and device then I suppose it is acceptable for now.
For reference, the captcha takes 4 seconds on my phone, but that phone is less than 2 years old and has an up to date browser so of course it's very different. I will have to do more actual device testing on older devices.

Maybe what the world needs is a captcha that is a labeling task, without tracking, with a fallback to proof-of-work for those who struggle with the task 🤔

EDIT: In conclusion, FriendlyCaptcha right now is not so friendly when it comes to old low power devices (>6 years old) with even older browsers. I am afraid that perhaps proof of work based CAPTCHAs will never work if the UX has to be good for those devices as well, maybe there should be a fallback for those users with a labeling challenge.

@Jookia commented Jul 20, 2020 via email

@supervisitor

@gzuidhof I really don't want to talk badly about your solution, because after all I think it's a better solution than Google's. But... first I fill out all the fields and then I have to click "Press to Start" and wait until it is ready... not really optimal...
This was not a "paranoid"-configured browser... this I see with the browser of the office notebook from my girlfriend's company?!

(screenshot attached)

@gzuidhof commented Jul 20, 2020

@gzuidhof I really don't want to talk badly about your solution, because after all I think it's a better solution than Google's. But... first I fill out all the fields and then I have to click "Press to Start" and wait until it is ready... not really optimal...
This was not a "paranoid"-configured browser... this I see with the browser of the office notebook from my girlfriend's company?!

Thank you for letting me know, the captcha listens to a vanilla focusin event on the parent form (see these few lines of code), it looks like Safari is misbehaving and not firing that correctly, I'll have to find a workaround. The button is there as a fallback for these kinds of issues.

I appreciate the bug report here and it's good to be aware of limitations and bugs when considering which captcha to switch to, but I suppose we need to be careful not to take over this discussion. I will create an issue in the respective repo to track this issue.

@gzuidhof commented Jul 21, 2020

Hi there. I have nothing to do with Matomo or anything, but I am always looking for better captcha solutions. Appreciate you coding this and I'll be researching it more. A downside to proof of work solutions like these is that people who have javascript disabled are left out, but it's still a good solution I think.

You're right that you need JS enabled, what I tend to do is add something like:
<noscript> You need Javascript enabled to perform the anti-spam verification to submit this form</noscript>

With an open source captcha you can put the JS in your own bundle so at least those who block third party scripts won't run into this issue.

Unrelated update: I've changed the default difficulty parameters of FriendlyCaptcha making it around 60% easier to alleviate the time it takes on older devices to get it under the 20s upper bound. Thank you all for the contributions :)

@Findus23 (Member)

Hi,
I know this is getting quite off-topic here, but apparently this now seems to be the place for people to talk about Captcha-ideas.
As long as people find alternatives to recaptcha this way, I won't complain.

@gzuidhof I like the idea of Friendly Captcha. Of course, it has some issues (the largest being that it does not actually detect bots, so I would not call it a CAPTCHA for the lack of the CHA part), but this also means that it doesn't have the huge privacy and accessibility issues most solutions proposed here would have.
What would stop me personally from using it on a website (but I am probably not speaking for a lot of people) is the dependency on a non-free third-party server. So for me to use this, the server-side part would need to be FOSS and self-hostable, but I might be a minority there.

@atjn commented Sep 4, 2020

My organisation is also having a hard time finding alternatives to Google ReCaptcha. We are currently looking at Antispam Bee, which is a solution that runs entirely locally in Wordpress.

Unfortunately, the plugin has very limited compatibility with third-party forms, but we are getting desperate enough that we will probably build our own version that works specifically with our forms solution.

There is work underway to make Antispam Bee more compatible, but progress is really slow.

@chrisjacobs91 commented Oct 21, 2020

Has anyone tried using https://www.mtcaptcha.com ? (which was mentioned earlier this year)

It has an invisible option, although this isn't included in the free plan :(

At the veeeeeeery bottom of their FAQ page they say that they won't sell any of the usage data.

I'm going to give the free plan a try.

@tsteur (Member) commented Oct 21, 2020

They seem a bit difficult to solve re accessibility, but maybe the invisible option is good (although we would need to check what this means re privacy).
(screenshot attached)

Only had a 2-second look at the privacy policy, where they mention GA and others, but not sure if they embed this into the captcha or only in their website/backend. Would also be great to know if you can choose where data is stored etc.; not sure if they allow this?

@Findus23 (Member) commented Oct 22, 2020

My opinions on mtcaptcha:

  • They are neither FOSS nor self-hostable
  • Their captchas are pretty easy (screenshot attached)
  • They are also easy enough that Google's OCR has no trouble correctly detecting the text.
  • they seem to have a Wordpress plugin

Regarding Accessibility:

  • Their audio captcha is solvable (compared to many others)
  • I wouldn't be surprised if any normal voice recognition software could detect the letters correctly (audio.zip)
  • only people who speak English can solve the audio captcha
  • their docs mention that their audio captcha supports many languages including German, but somehow it still shows me the English one

Technical Remarks:

  • Their default embed code loads both mtcaptcha.min.js and mtcaptcha2.min.js which look nearly identical and are 65KB (28KB compressed) each.

Now to the important question of privacy:

  • They claim to be privacy focused, GDPR compliant and don't share any data with third parties
  • They use Google Analytics on their website, but not in the CAPTCHA
  • Their website also includes tracking by typekit.net, squarespace.com and mouseflow.com
  • They don't mention any location for their company or which country's laws apply.
  • They don't mention where data is stored, but it seems like they use AWS in Germany.
  • Their Data Processing Agreement is mostly a template and doesn't mention:
    • the company behind mtcaptcha
    • again: Who is responsible for privacy
    • any subprocessors ("Current Subprocessors: None") which is most likely false considering the above
  • They have this weird paragraph in their captcha privacy policy

We may use third-party Service Providers to monitor and analyse the use of our Captcha Service. Usage of any such Service Providers will also comply with this Privacy Policy, which will only retain Usage Data and do not track or retain any Personal Data.

  • Our Captcha Service does not address anyone under the age of 18 ("Children").

    I guess bad luck if you are a teenager wanting to submit a form.

  • again: They don't have an imprint mentioning the company behind the service

  • They seem to forward customer data to Google Ads and Bing Ads for remarketing. (I'll never understand why someone would think this is a normal thing)

  • They have a section on how you can enable Do Not Track in your browser that starts with "We do not support Do Not Track." (I misread that sentence at first)

  • Their "Data Breach Notification Policy" mentions that they will report breaches to the Information Commissioner's Office which implies that they are in the UK (or they just used their template)

  • Their Terms of Service contain this paragraph:

  • These Terms shall be governed and construed in accordance with the laws of New Jersey, United States, without regard to its conflict of law provisions.

    which is really weird if they were an EU company.

  • If they are an US company, this sentence from the privacy policy reads a bit different and might contradict GDPR:

  • Under certain circumstances, MTCaptcha may be required to disclose Usage Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

    as it implies that any US governmental agency is allowed to invoke the CLOUD Act and force them to track all of their users data

  • After reading through their site for a long time, I finally looked at https://www.mtcaptcha.com/contact which contains their address in San Francisco (still no company name)

  • https://www.mtcaptcha.com/faq#ip-whitelist mentions the IPs they use, which also consist of AWS servers in India, Hong Kong and other countries and an Alicloud server in China, which makes it even more doubtful that all user data is exclusively stored on EU servers and that they don't use any subcontractors.

Privacy policy for captcha users: https://www.mtcaptcha.com/legal-privacy-captcha
Privacy policy for customers: https://www.mtcaptcha.com/legal-privacy-client

To sum all of this up: They seem to have good intentions, but provide a CAPTCHA that is not really that different from the ones mentioned above. And they are not transparent enough and contradict themselves too often for me to personally trust them privacy-wise.

@atjn commented Oct 22, 2020

+1 to @Findus23 for a great, detailed rundown.
I came to the same general conclusion when checking them out a few months ago.

@dev-love

Thanks for your comprehensive reports and comments, @Findus23!

I fully agree with you regarding MTCaptcha, that’s why I think a fresh & different approach to spam prevention than “normal” CAPTCHAs would make sense.

What do you think about Friendly Captcha? This is what you said about it before:

@gzuidhof I like the idea of Friendly Captcha. Of course, it has some issues (the largest being that it does not actually detect bots, so I would not call it a CAPTCHA for the lack of the CHA part), but this also means that it doesn't have the huge privacy and accessibility issues most solutions proposed here would have.
What would stop me personally from using it on a website (but I am probably not speaking for a lot of people) is the dependency on a non-free third-party server. So for me to use this, the server-side part would need to be FOSS and self-hostable, but I might be a minority there.

While, as you said, a completely self hosted solution has its advantages, Matomo is currently using Google reCAPTCHA, which is A) closed source, B) entirely hosted by Google, and C) not user-friendly because of its annoying labeling tasks. That’s why it’s probably the worst solution regarding these benchmarks.

Friendly Captcha has recently won some large customers like the European Union itself (see https://www.eea.europa.eu/contact-us —> Ask a question)

In addition it is currently improving its service by adding dynamic puzzle difficulty (=when a bot is trying to submit a form multiple times the puzzle is automatically getting more difficult) across all sites where it’s used, which is an argument for using the Cloud solution for the back end part. The front end is completely open source and therefore I think it’s a good fit for Matomo.

Looking forward to your reply! :)

@mattab (Member, Author) commented Dec 8, 2020

We've removed Google reCAPTCHA from the Matomo.org websites. So far we're using a mix of simple captchas (a math question) and also https://www.hcaptcha.com/

@mattab mattab modified the milestones: 4.1.0, Backlog (Help wanted) Dec 8, 2020
@onaralili

We've removed Google reCAPTCHA from the Matomo.org websites. So far we're using a mix of simple captchas (a math question) and also https://www.hcaptcha.com/

Hi @mattab
I'm the maker of the OOPSpam API. Just wanted to mention OOPSpam as an alternative. It is privacy-friendly, and has no accessibility issue as you can silently flag a submission based on its Spam Score. Happy to answer any questions.

@unix-world commented Apr 19, 2021

Try Smart.Captcha, it is open source ...
See a demo here:
http://demo.unix-world.org/smart-framework/?/page/samples.testunit/tab/0/CamelCase/Test/tab/2

Currently it is not quite a separate component; it is mainly written in JavaScript but relies also on some PHP backend libraries which are inside Smart.Framework.
But who knows ... maybe some day I will find the free time to continue the work and deliver it also as a separate component!

The smart.captcha has 3 steps:

  1. a single click, but here it tries to detect as much as possible from the user's interactivity
  2. if it is suspicious that the user might be a bot, it goes to the 2nd step, which is an interactive shape drawing with shape recognition over an HTML5 canvas
  3. step 3 is for the impaired (e.g. an alternate QR code that a user can scan with the mobile phone if they have issues and do not have perfect sight ...) or as a fallback if neither of the first 2 steps passed

Hint: To force step 2, click the space between the timer and the clock icon before the timer gets to zero and it will reveal the checkbox before the timer ends. Click on that checkbox before the timer ends and it will get you to the 2nd hidden level (drawing shapes) ;-)

@amenk commented Mar 11, 2022

What would stop me personally from using it [FriendlyCaptcha] on a website (but I am probably not speaking for a lot of people) is the
dependency on a non-free third-party server.

There is now a simple Open Source server for FriendlyCaptcha.

https://github.com/FriendlyCaptcha/friendly-lite-server

(Disclaimer: I implemented this as a proof of concept a while ago and handed over the repo to FriendlyCaptcha today, while I am not affiliated otherwise with FriendlyCaptcha)

Also I discovered mCaptcha today, which is another example of a ProofOfWork captcha solution.

@top-master commented Oct 23, 2022

  • Services, sometimes called anti-captcha, take around 0.2 cent to break Google's Re-Captcha,
  • My CPU is not able to mine 0.2 cent per minute,
  • But it was able to solve the FriendlyCaptcha in 30 seconds.

I mean, because the cost of a CPU that is able to solve ProofOfWork-puzzle is by far less than the cost of said services,
the security is by far less as well.

Unless they make my device solve a puzzle worth 0.2 cent, they are solved too cheaply, hence provide zero security benefits.

@zepich commented Apr 10, 2023

Exactly two years ago, I had the same problem. I worked on a project where the customer wanted a form on the website's front page. We've discussed using reCAPTCHA, but because of data privacy concerns and the fact that it would be on the first page of a website, it was completely unacceptable. I started to investigate other options to protect the form and searched the internet for protection methods - as you did in this issue.

My result was the same as you got here: there are solutions with puzzles, which are not solvable for some humans, that use only the CPU to decide, or the solution is a data privacy nightmare.

On the internet, and in this issue, some people ask why we humans have to prove that we're real and why the bot does not have to confirm that the form submission is good.

So I took this fundamental question and thought about how we could solve this problem. I had some discussions with a friend, and then we started the project mosparo - modern spam protection.

mosparo does not try to decide between humans and bots. mosparo does only decide if a submission contains spam or not. This decision is made on the data that the user entered into the form. If mosparo detects spam, the form cannot be submitted. The detection is based on rules. As an owner of the mosparo installation, you have to define these rules. After you've installed mosparo, it will not catch any spam. But by adding rules, you can tell mosparo which content you want and which you don't want. After that, mosparo can check the submission and block unwanted content.

mosparo is open-source, free to use, and self-hosted. It is accessible since the visible checkbox is optimized for screen readers (it's a standard HTML checkbox with two additional status updates for screen readers). It stores the data only in your server's database and does not use external services. You can use the GeoIP2 database to localize IP addresses (for rules to block providers or countries), which is optional and the resolution would happen on your server (not remotely). mosparo uses only the data that the user has entered, the IP address, as well as the user agent of the user. But mosparo does not track the user to see if it's a valid user or not.

There are more features in mosparo, but I think this comment is already too long. You can find all details on our website: https://mosparo.io/

We've developed a WordPress plugin for mosparo. It is compatible with the most used form plugins (also with Gravity Form).

Please let me know if you want to know anything else about mosparo or if I can help you somehow.

Thank you very much for your patience.

@joekarns commented Apr 11, 2023 via email
