educational

Protecting Your Site Via CAPTCHA

Stephen Yagielowicz

While online forms make it easy for website operators to receive feedback from customers and for customers to seek support services, these tools open the site up to a raft of vulnerabilities due to their allowance of user-submitted text — which when unprotected, could include malware, spam and viruses. As such, one of the most basic steps that webmasters can take to improve the security of their websites is to ensure that form inputs are as free from automated spam and malicious script injection as possible.

One of the most common tools used for this process is CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart).

A CAPTCHA is a program that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot.

According to its website, www.captcha.net, “a CAPTCHA is a program that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot.”

In its most basic form, this useful tool, developed by Carnegie Mellon University, requires users to read a random text string and then input that string into a web form before it will allow users to submit their comments, etc. The form validates this information, either processing the submission request or refreshing the CAPTCHA text, graphically obfuscated to prevent machines from reading it. An enhanced audio version is available for the visually impaired.

CAPTCHA offers a variety of website security improvements and other benefits including the ability to prevent comment spam in blogs (a WordPress plugin is available). CAPTCHA protects registration and “join” forms; prevents automated email addresses harvesting; ensures the accuracy of online polling; prevents dictionary-based brute force attacks and malicious code assaults; and prevents badly behaved search engine bots from unwontedly indexing certain pages.

Interestingly, its website addresses — and dismisses — rumors that spammers send CAPTCHA images to porn sites, where viewers are required to solve the test before viewing an erotic image, thus enabling criminals to leverage humans to combat machines.

Related: