Over the years, I have received many requests from webmasters to add some sort of spam filtering capability to the contact form script generated by the Free Feedback Form Script Wizard. The reason, of course, is that spammers nowadays send automated computer programs, called "spam bots", to scour the web for feedback forms to dump spam into. As such, if your email software or email service doesn't have extensive spam removal facilities, you will probably be inundated by spam submitted through your own contact form.
This article teaches you how you can add a basic spam reducing facility, called the CAPTCHA test, to the feedback form generated by the wizard. You've probably encountered such tests before: after filling in a contact form, you are usually required to enter some string of letters or numbers to prove that you are a human and not a spam bot. If you don't know what I'm talking about, take a look at one such form at the Feedback Form with CAPTCHA Demo page.
CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart". The idea is to create a test that any human can pass easily but computer programs will fail. It is useful for things like feedback forms since you want humans to be able to send you feedback, but you don't want spam programs to send you its junk.
There are many different types of CAPTCHA tests around. One commonly found test places a series of words in a graphical image and asks your human visitor to enter the words he/she sees. The hope is that most computer programs won't be able to "see" the words (since programs can't actually "see" anything) and so will be unable to give the correct answer.
Of course this is not foolproof. There are a number of ways to defeat this, such as to incorporate optical character recognition (OCR) technology into the spam bots, or to employ cheap (human) labour to decode it, etc. However, the plan is that having such a test will at least reduce some of the spam entering your mail box by weeding out the less sophisticated spam bots wandering around the Internet.
This article is for the ordinary non-technical webmaster, who simply wants to add a CAPTCHA test to their web form. It is NOT for the programmer who wants to learn how to implement their own CAPTCHA test.
If you are a programmer, looking for a way to create your own CAPTCHA test, you may want to check out the following, more relevant, articles:
If you don't want to reinvent the wheel, you may also be interested in checking out the Free PHP CAPTCHA Scripts page to see how others have implemented the CAPTCHA facility.
Before you rush out to add the CAPTCHA test, note that there are important disadvantages to adding this CAPTCHA test.
By default, the basic feedback form created by the Feedback Form Script Wizard (when you don't enable the CAPTCHA test) is totally self-reliant. That is, as long as your website is running, your feedback form will also be running. If your website is down, then of course your form will also be down. But then, so will the rest of your website, so you don't have to worry about visitors going to your feedback form and finding that it doesn't work.
If you enable the CAPTCHA test in the feedback form, however, your form will become dependent on a third party service run by Google, called ReCAPTCHA. They supply the pictures and questions that will be shown in your form. When your form is displayed, the feedback form script requests a new picture/question from ReCAPTCHA. After your visitor enters his/her answer to the "security" challenge test, the answers given by him/her will be sent to the ReCAPTCHA website. They will then respond by telling the feedback form script whether or not the answer is correct.
Don't worry. Only the answers to the CAPTCHA test are actually sent to ReCAPTCHA. Your visitors' messages are not transmitted to them.
This means that if the ReCAPTCHA service is bogged down in some way, the display of your feedback form will become very sluggish (because the picture containing the question won't load). If the network connection between your website and the ReCAPTCHA service has problems, your form will not work (since the script won't be able to get the answer checked). If the ReCAPTCHA service ever closes, your visitors will no longer be able to successfully send you feedback.
And you can't rely on your users to tell you that there's a problem with your feedback form. After all, it's your feedback form that has problems, so they won't be able to reach you at all.
Having said that, before you give up in despair, the ReCAPTCHA service appears to be used by lots of websites all over the world, seemingly without problems. It has also worked flawlessly when I tested it. But that doesn't mean bad things can't happen in the future. You'll just have to decide for yourself whether you want to take the risk or not.
Most CAPTCHA tests have a major flaw. Because of their visual nature, the blind are unable to answer them. The good thing about the ReCAPTCHA test (and one of the main reasons why I chose this particular CAPTCHA implementation over the others) is that it has an audio facility for the blind. A blind person, encountering your form, should theoretically be able to click the audio link and hear an audio message which he/she can transcribe into the test field. So in that sense, the ReCAPTCHA test does not exclude the blind from using your form.
Unfortunately, in spite of this, it still excludes those who are both deaf and blind, who surf the web using tactile displays (eg, Braille displays). That is, if you can neither see a picture nor hear words spoken in the audio file, the form is completely inaccessible to you.
Please bear this in mind before you rush out to enable the CAPTCHA option in the Wizard. As you scrabble about under an avalanche of spam, looking for a way to solve your spam problems, remember that this solution may cause others problems. It is not ideal, since it excludes some people from your form.
If your email server and software have sufficiently good spam filters that have warded off spam in the past, and you think you don't really need the CAPTCHA facility, consider holding off on it. Otherwise, you may be introducing a problematic cure for a non-existent disease. But it's up to you, of course. I just wanted to make sure you have enough information to make an informed decision.
To enable the CAPTCHA option in the feedback form generated by the wizard, do the following.
Go to the ReCAPTCHA website, and sign up for an account. The service is free, or at least it was when I wrote this article. (If it ever stops being free, please let me know and I'll modify the wizard to use a different CAPTCHA facility.) You'll be required to supply a username, password, your email address and your website's domain name.
Important: After you sign up, you will see a section with the heading "Register a new site". You will be given two choices for the type of CAPTCHA used: "reCAPTCHA V2" and "Invisible ReCAPTCHA". For now, click the checkbox for "reCAPTCHA V2" to select that. I have not yet implemented support for the "Invisible ReCAPTCHA" option.
When you've finished signing up, you will be given two strings of cryptic letters and numbers. These are your Site and Secret keys. You will need to enter these keys into the Feedback Form Wizard, so I recommend that you keep the ReCAPTCHA web page open, so that you can just copy and paste the strings. Don't type them manually or you may introduce typing errors and give the wrong keys to the wizard.
When you reach the "Advanced Options", enter your ReCAPTCHA Site and Secret keys in answer to the question "To enable the CAPTCHA test, please enter both your ReCAPTCHA Site key and your ReCAPTCHA Secret key". Be sure to enter them into the correct blanks: that is, make sure that your Site key goes into the "Site key" field and your Secret key goes into the "Secret key" field. These keys have to be integrated into the form and script that is created by the wizard, which is why they are requested.
(Don't worry. Like all the other data you enter into the wizard, they are not recorded anywhere, not even in my web logs. I'm trying to help you block spam, not introduce it. In addition, just in case you're panicked by the term "Secret key", it is a "secret" only because if a spam bot discovers it, it can pretend to be a human being to your feedback form and send you spam. That's all. It isn't the key to your kingdom or anything like that.)
Follow the rest of the instructions in the wizard to create your feedback form HTML code and feedback form script. Do not close this window.
Do the rest of the stuff mentioned by the feedback form wizard for creating your
feedback.php file and inserting your form code into your
web page. Then upload (publish) everything to your site.
Detailed instructions for doing this can be found in the usual feedback form tutorials (as well as in the results page of the Feedback Form Wizard):
You may also want to modify your "Error" page to help people failing the CAPTCHA test (it happens). See the error page on the Feedback Form with CAPTCHA Demo for an example of the sort of things you can say.
That's it. Once the form is "live" on your website, test your form by sending yourself a message.
Important: you can only test the CAPTCHA in a browser on your "live" website. The CAPTCHA test will probably not display correctly, if at all, in your web editor (or anywhere on your own computer). Test it on your actual site, at the domain that you gave ReCAPTCHA when you requested the keys and not elsewhere.
If the feedback form without the ReCAPTCHA test works fine, but fails (ie, always leads to your error page) after you add the test, it may mean that you have used the keys for the Invisible ReCAPTCHA test that I said not to use. Follow the procedure given above to get the normal ReCAPTCHA keys instead.
It could also mean that you typed the keys into the Wizard incorrectly, interchanged the Site and Secret keys, put your Error page URL into the Wizard's Thank You page field, failed to enter the name, email and comments fields correctly, or that you failed the ReCAPTCHA test but submitted the form anyway.
If you ever want to remove the CAPTCHA test from your feedback form, you will need to return to the Feedback Form Wizard to generate a new form and script. Do not use your web editor to delete the CAPTCHA question from your web page. Doing so will only remove the question; the feedback form script will still be expecting a CAPTCHA answer. You need to regenerate everything, that is get a new script that doesn't test for the CAPTCHA answers and new HTML form code that does not have the CAPTCHA question. This time, when you use the wizard, do not enter your Site and Secret keys, or the wizard will think you want the CAPTCHA test.
It's all free, so don't be lazy, or you'll waste even more time trying to get your self-made modifications to work.
If you are upgrading your feedback form script from a version created by the wizard prior to March 2015 (ie, version 2.16.12 and earlier) to the current version, you will need to go back to the ReCAPTCHA site and generate a new set of Site and Secret keys. (Don't worry, Google will let you create more than one set if you wish.) Use that new set of keys in the Feedback Form Wizard.
Explanation: Google changed the way their ReCAPTCHA operates in 2015 (or thereabouts), requiring scripts that use the new keys to interface with ReCAPTCHA using a different method. This new method is not backward compatible with the old. As a result, I had to modify the Wizard so that newer feedback form scripts use this new method, otherwise no one will be able to enable the ReCAPTCHA facility with the script. The old scripts will continue to work fine with the old ReCAPTCHA keys, but the new scripts will only work with the new keys.
For those who are confused by my explanation, here it is in a nutshell. If you use the old ReCAPTCHA keys along with my old version of the feedback form script, everything will work fine. If you use newly-created ReCAPTCHA keys with a newly-created version of the feedback form script, everything will also work fine. Just don't mix the old and new stuff together.
As mentioned above, the CAPTCHA facility needs to be able to connect to the ReCAPTCHA site for the latter to check the CAPTCHA answers made by your visitors. Many free web hosts do not allow PHP scripts to open any connection to other sites. As such, if you use a free web host, there is a chance that enabling the CAPTCHA option will cause your form to fail to work.
In such a case, go back to the wizard and generate a new form and script, this time without CAPTCHA support (that is, don't enter your ReCAPTCHA Site and Secret keys into the form).
This doesn't mean that the CAPTCHA-less script will work either, since a large number of free web hosts also do not allow scripts to send mail either. If this is the case, you may either have to dispense with a contact form, or move your site to a commercial web host.
If you get an error message that says "Could not open socket" or "unable to open socket" or the like, it means one of two things.
If the error occurs every time you use the form, it probably means that your web host does not allow the feedback form script to connect to other sites. This will effectively prevent the CAPTCHA portion of the script from getting the CAPTCHA answers checked, since the script relies on the ReCAPTCHA site for checking the correctness of those answers. See my discussion on the use of the script on free web hosts above for more details. The solution in this case is to either move to a different web host, or return to the feedback form wizard and generate a script without entering your CAPTCHA keys. This will create the standard feedback form script that does not have CAPTCHA support. The standard script does not attempt to connect to the ReCAPTCHA site (or any other site for that matter) so you will no longer receive this error message.
If the error only occurs some of the time, while the script works on other occasions, it's possible that at the times the message appeared, your web host's system was overloaded, the network connection was saturated, the ReCAPTCHA site was down, or something like that.
The ReCAPTCHA Secret key that you enter in the wizard is embedded into your customized feedback form script (the computer program). The Site key is inserted into the feedback form itself (the HTML code for the web page). The Site key is used to get the CAPTCHA test from ReCAPTCHA for display. It is only used to retrieve the test which your visitor has to answer to prove he/she is human. The answer to the test will not be supplied to any program using that key. The Secret key, on the other hand, is used by the feedback form script to tell ReCAPTCHA that it is really your own legitimate feedback form that is asking it to check the answer. ReCAPTCHA needs a Secret key so that it can distinguish between a legitimate program running on your website from a spam bot sneakily trying to find out the CAPTCHA answer.
You don't have to worry when you see your Site key in your HTML form code. That's the way it's supposed to be. However, if you see your Secret key in your HTML form code, that means you've entered the wrong keys into the wizard. That is, you may have entered your Secret key into the Site key field. Note that the wizard is not omniscient. It doesn't know what your keys are supposed to be. It blindly uses whatever you enter. If you supply it the wrong keys, then your form and script will contain those wrong keys.
This item is for those who get the following message on your feedback form page:
Another possibility is that you have incorrectly modified important parts of the HTML form code generated by the Feedback Form Wizard. If this is the case, the solution is to return to the wizard and generate a fresh copy of the feedback form HTML code. Plug that pristine copy, unmodified, into your form page and test again. If the error disappears, it probably means that your changes caused the error. If you really must modify the form, please use one of my detailed feedback form tutorials as a guide, so that you don't accidentally change critical portions that are needed for it to work properly.
If the entire CAPTCHA test does not appear in your feedback form, and all you see is the plain feedback form without any CAPTCHA test at all (the whole CAPTCHA section is missing), it probably means one of three things:
You created your feedback form (at least) twice. The first time you did it, you created a form without the CAPTCHA test and tried it out on your site. Then you changed your mind and created a new form with a CAPTCHA test. However, the second time round, you failed to update everything.
If you change your mind and switch from a CAPTCHA-less form to one with a CAPTCHA, you must update everything on your website:
feedback.php script as well as the HTML code for your
feedback form. To reiterate, not only must the new php files be uploaded, you must also change the HTML form code
on your web page. The code is different.
The second possibility is somewhat similar to the first. You created your feedback form at least twice, the first time without the CAPTCHA and the second with it. Your web browser could be showing you an old copy of your web page, from the time when you didn't have the CAPTCHA test. Web browsers usually save a copy of recent web pages you accessed in their internal cache. If you revisit a page you recently checked, it's possible that your browser is still displaying that cached version. You will need to reload (or refresh) the page in your browser. On most browsers, hitting Ctrl+R should do the trick (where "Ctrl+R" means to hold down the Ctrl key and type "r").
You are looking at your page in your web editor, and thinking that the CAPTCHA test will show up there. It won't. It will only show up on the domain you specified when you signed up for the ReCAPTCHA keys. Upload (publish) your site to the Internet, to that domain, and test it in a browser.
If you change the domain name of your website, you will find that ReCAPTCHA will refuse to test the CAPTCHA words on your new domain. For example, you may get an error message like "Input error: Invalid referer". This error occurs because the ReCAPTCHA service expects a different set of Site and Secret keys for every domain. To solve this, do the following:
Log into your ReCAPTCHA account and go to the page on their system that lists all your sites using ReCAPTCHA.
Add your new domain to that list using the appropriate link on that page. At the time I write this, there is a button or link on the page that says something like "Add a new site". You will be given a new set of Site and Secret keys that will only work on that new domain.
Return to the Feedback Form Wizard and generate a new form and script using the Site and Secret keys for that domain.
Insert the new form code into your web page, and republish (re-upload) both that web page and the new script that is provided.
If you encounter other types of errors or problems, please check out the Frequently Asked Questions (FAQ) about the Feedback Form Wizard.
The CAPTCHA test is probably one of the most frequently requested feature for my feedback form script, probably because there are so many beleaguered webmasters struggling with spam. Following the steps given in this CAPTCHA guide will allow you to add the test to your web form without having to learn any programming at all.
Do you find this article useful? You can learn of new articles and scripts that are published on thesitewizard.com by subscribing to the RSS feed. Simply point your RSS feed reader or a browser that supports RSS feeds at https://www.thesitewizard.com/thesitewizard.xml. You can read more about how to subscribe to RSS site feeds from my RSS FAQ.
This article is copyrighted. Please do not reproduce or distribute this article in whole or part, in any form.
It will appear on your page as: