Over the years, I have received many requests from webmasters to add some sort of spam filtering capability to the contact form generated by the Feedback Form Wizard. The reason, of course, is that spammers nowadays send automated computer programs, often called "spam bots", to scour the web for contact forms to dump spam into. As such, if your email software or email service doesn't have extensive spam removal facilities, you will probably be inundated by spam submitted through your own contact form.
This article shows you how to add a basic spam reducing facility, called a CAPTCHA test, to the contact form generated by the wizard. You have probably encountered such tests before: after filling in a form, you are required to complete some task, such as enter a string of letters or click pictures of a particular object from a selection of images, to prove that you are a human and not a spam bot. If you don't know what I'm talking about, take a look at the hCaptcha demo.
CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart". The idea is to create a test that any human can pass easily but computer programs will fail. It is useful for things like contact forms since you want humans to be able to send you feedback, but don't want spam programs to send you junk mail.
There are many different types of CAPTCHA tests around. One common test places a series of words in a graphical image and asks your human visitor to enter the words he/she sees. Another displays a set of pictures and asks the user to choose the ones that depict a particular object (eg cars, signs, etc). The hope is that most computer programs will fail it, since they can't actually "see" anything.
Of course this is not foolproof. There are a number of ways to defeat it, such as to incorporate optical character recognition (OCR) technology into the spam bots, employ cheap (human) labour to decode it, etc. However, the plan is that having such a test will at least reduce some of the spam entering your mail box by weeding out the less advanced spam bots surfing the Internet.
This article is for the ordinary non-technical webmaster, who simply wants to add a CAPTCHA test to his/her web form. It is NOT for programmers who want to learn how to implement their own CAPTCHA test.
If you are a programmer, looking for a way to create your own CAPTCHA test, you may want to read the following, more relevant, articles:
If you don't want to reinvent the wheel, you may also be interested in the Free PHP CAPTCHA Scripts page to see how others have implemented it.
Before you rush out to add a CAPTCHA test, note that there are important disadvantages to adding it.
By default, the standard form created by the Feedback Form Wizard (when you don't enable the CAPTCHA test) is totally self-reliant. That is, as long as your website is running, your feedback form will also be running. If your website is down, then of course your form will also be down. But then, so will the rest of your site, so you don't have to worry about visitors going to your feedback form and finding that it doesn't work.
However, if you enable the CAPTCHA test, the latter will become dependent on a third party service, namely hCaptcha. They supply the pictures and questions that will be shown on your form. The answers given by your visitor to the CAPTCHA challenge will also be sent to them for checking. The service will then inform the feedback form script whether the user has answered the question correctly.
This means that if the CAPTCHA service is bogged down in some way, the display of your feedback form will become very sluggish (because the pictures will load very slowly, or perhaps even fail to load). If the network connection between your website and the CAPTCHA service has problems, your form will not work at all (since the script won't be able to find out how the visitor performed). If the CAPTCHA service ever closes, your visitors will no longer be able to successfully send you feedback.
And you can't rely on your users to tell you that there's a problem with your form. After all, it's your contact form that has problems, so they won't be able to reach you at all.
Having said that, before you give up in despair, hCAPTCHA appears to be used by lots of websites all over the world, seemingly without problems. They have also worked flawlessly when I tested them. But that doesn't mean bad things can't happen in the future. You will just have to decide for yourself whether you want to take the risk or not.
Most CAPTCHA tests have a major flaw. Because of their visual nature, the blind are unable to answer them. Fortunately, hCaptcha provides what they call a "Privacy Pass" option to address this. The blind, as well as the deaf-and-blind, can use it to pass the CAPTCHA test.
The CAPTCHA test requires your visitors to have JavaScript enabled in their web browsers. This is a built-in facility in modern browsers that is enabled by default, so this requirement should not affect the majority of your visitors.
However, there are some people who surf the Internet with JavaScript disabled (possibly for security reasons, since it is sometimes used by malware-infected sites to attack visitors, and maybe also to speed up the loading of websites). As such, these users will be unable to send you any feedback.
Where the standard feedback form script (that is, one without any CAPTCHA test) is concerned, nothing your visitors send to you is ever transmitted to me. You also get to download the script and host it on your website, giving you physical control over it. That is to say, I will not be able to reach into your copy of the script and make it do something different. If you are programming savvy, you can even examine the underlying source code of your copy, and once you are assured it is harmless and does only what it says, you know it will remain so, since I no longer have any access to it and cannot change it.
If you enable the CAPTCHA facility, the CAPTCHA script from the service you select will load directly on the web page containing your form. This script, however, is hosted on the CAPTCHA service's site. Neither you nor I have physical control of it. By including it on your page, it now has (potentially) the power to do anything it likes. For example, it can modify your page (which it has to, in order to issue the CAPTCHA test). If it wants to, it can even do things like record your visitors' typing and so get access to the messages they send to you.
In fact, even if it doesn't do anything nefarious now, you cannot have the same level of assurance that you have with a script over which you have physical control, since at any point, the person hosting it can change it behind your back without notice to you.
Note that I am not saying anything new that experienced webmasters don't already know. It applies to any JavaScript that you load on your page that is hosted elsewhere (and is thus controlled by someone else), including the Google AdSense advertisements that you see everywhere on the Internet, such as this very page itself.
Whether this point matters to you or not probably depends on how you expect your feedback form to be used. It also depends on how much you trust the person or persons hosting the script, not only to act with integrity (and continue to do so over time), but also to have sufficient competence in making sure that the script is not hacked by others.
I find CAPTCHA challenges annoying at the best of times. And I am sure I am not alone. To add insult to injury, although these tests are meant to be easy for people to complete, some of them can prove difficult for humans to do as well. The latter include challenges that require some local cultural or linguistic knowledge that are specific only to a certain part of the world.
That said, I have not encountered such problems with the hCaptcha tests. The ones that I have tried have invariably showed a sample picture of what they are talking about, so I could understand what they are referring to. (Or, at least, this was what happened whenever I used it. I have no idea if it is true all the time.)
If your email server and software have sufficiently good spam filters that have warded off spam in the past, and you think you don't really need the CAPTCHA facility, consider not including it. Otherwise, you may be introducing a problematic cure for a non-existent disease. But it's up to you, of course. I just wanted to make sure you are aware of these caveats, so that you can make an informed decision.
To enable the CAPTCHA option in the feedback form generated by the wizard, do the following.
Go to the hCaptcha site and sign up with them. (For those who are thinking, "How? Where do I go?", just click the relevant link in the first sentence of this paragraph to get there.)
If you want to take a look at what their CAPTCHA challenges look like on a form before deciding, see the the hCaptcha demo.
At the time I wrote this, the hCaptcha service is free. You will be required to provide them your email address.
Note that you can also set the difficulty level of the CAPTCHA challenge. At the time I write this, this can be changed in the "Settings" section of their website. There are four difficulty levels, Easy, Moderate, Difficult and Always On. My demo is set to the Moderate level, since that is the default setting, and I didn't bother changing it. You don't have to change it either, if you don't know which to choose. The easier settings apparently lead to less user frustration, since your visitors may not even need to complete a picture challenge when they click the checkbox, provided hCaptcha thinks that they are most likely to be human. The harder settings are useful for sites that experience a lot of spam, and they will cause hCaptcha to pop up a challenge more frequently (for Difficult) or all the time (for Always On). Their documentation also says the challenges also become harder for the higher difficulty settings.
When you have finished signing up, you will be given two cryptic strings of letters and numbers. These are your Site and Secret keys. You will need to enter these keys into the Feedback Form Wizard, so I recommend that you keep the CAPTCHA service's website open, so that you can just copy and paste the strings. Do not type them manually or you may introduce typing errors and give the wrong keys to the wizard.
Go to the Free Feedback Form Wizard. Read the instructions and the terms of use and fill in the details requested. You will have to choose the PHP script because I did not implement the facility in the Perl version.
When you reach the "Advanced Options" section, select "hCaptcha" from the drop down box for the "CAPTCHA test to use" option.
Once you choose one of the options from the drop down box, two additional fields, "Site key" and "Secret key", will appear. Enter your keys in the appropriate fields. These keys will be integrated into the form and script that is created by the wizard, which is why they are requested.
(Don't worry. Like all the other data you enter into the wizard, they are not recorded anywhere, not even in my web logs. I'm trying to help you block spam, not introduce it. In addition, just in case you're wondering about the term "Secret key", it is a "secret" because it is meant to be used by the feedback form script and not published on a web page.)
Once the wizard has produced its results, insert the script code into your feedback.php file and the form code
into your web page. Remember also to create the Thank You and Error pages. Then upload (publish) everything to your site.
Detailed instructions for doing this can be found in the usual feedback form tutorials (and a brief version is also
mentioned on the results page itself):
That's it. Once the form is "live" on your website, test your form by sending yourself a message.
Important: you can only test the CAPTCHA in a browser on your "live" website. The CAPTCHA test will probably not display correctly, if at all, in your web editor (or anywhere on your own computer).
If the feedback form without the CAPTCHA test works fine, but fails (ie, always leads to your error page) after you add the test, it may mean one of the following things:
You typed the keys into the Wizard incorrectly. This includes the situation where you entered the Site key into the Secret key field, and the Secret key into the Site key field.
You entered the Error page URL into the Wizard's Thank You URL field.
When you tested your form, you failed to enter the name, email and comments fields correctly, or you did not put a tick into the "I am human" box.
Another possibility is that you did not update either your form HTML code or the script. You must update both, whether you're changing from the standard non-CAPTCHA form to one with CAPTCHA or vice versa. The options require different form and script code.
This error may also occur if you have improperly modified the HTML form code and removed or changed certain values that are needed by the CAPTCHA service. In general, if you want to customize the appearance of the form, stick to things like changing its colours, the width of the various fields or even the visible words that are displayed on the web page (ie, the "Name", "Email", and "Comments" descriptions that appear before each field). If you change anything else under the hood, your modifications may inadvertently alter something that either the feedback form script or the various CAPTCHA services rely on.
And of course if you have modified the feedback form script itself, then all bets are off. Anything can happen in such a case. To fix it, revert to the pristine, unmodified script by returning to the Wizard and generating a new set, and use that instead.
If you ever want to remove the CAPTCHA test from your feedback form, you will need to return to the Feedback Form Wizard to generate a new form and script. Do not use your web editor to delete the CAPTCHA code from your web page. Doing so will only remove the visible CAPTCHA box; the feedback form script will still be expecting a CAPTCHA answer. You need to regenerate everything, that is get a new script that doesn't test for the CAPTCHA answers and new HTML form code that does not have the CAPTCHA code. This time, when you use the wizard, leave the "CAPTCHA test to use" field set to "None".
It's all free, so don't be lazy, or you'll waste even more time trying to get your self-made modifications to work.
As mentioned above, when using the CAPTCHA facility, the script needs to be able to connect to the CAPTCHA service to find out if the form submitter had passed the CAPTCHA test. Many free web hosts do not allow PHP scripts to open any connection to other sites. As such, if you use a free web host, there is a chance that enabling the CAPTCHA option will cause your form to fail to work.
In such a case, go back to the wizard and generate a new form and script, this time without CAPTCHA support (that is, leave the "CAPTCHA test to use" field set to "None").
This doesn't mean that the CAPTCHA-less script will work either, since a large number of free web hosts also do not allow scripts to send mail either. If this is the case, you may either have to dispense with a contact form, or move your site to a commercial web host.
If you get an error message that says "Could not open socket" or "unable to open socket" or the like, it means one of two things.
If the error occurs every time you use the form, it probably means that your web host does not allow the feedback form script to connect to other sites. This will effectively prevent the CAPTCHA portion of the script from finding out if your visitor had completed the challenge correctly, since the script relies on the CAPTCHA service for such information. See my discussion on the use of the script on free web hosts above for more details. The solution in this case is to either move to a different web host, or return to the feedback form wizard and generate a script without CAPTCHA. The standard script (ie, one without CAPTCHA) does not attempt to connect to any site at all, so you will no longer receive this error message.
If the error only occurs some of the time, while the script works on other occasions, it's possible that at the times the message appeared, your web host's system was overloaded, the network connection was saturated, the CAPTCHA service was down, or something like that.
The CAPTCHA Secret key that you enter in the wizard is embedded into your customized feedback form script (the computer program). The Site key is inserted into the feedback form itself (the HTML code for the web page). The Site key is used to get the picture challenge from the CAPTCHA service for display. It is only used to retrieve the test. The answer to the test will not be supplied to any program using that key.
The Secret key, on the other hand, is used by the feedback form script to ask the CAPTCHA service if your visitor completed the test correctly. The CAPTCHA service will only provide this information to scripts that have this Secret key.
You don't have to worry when you see your Site key in your HTML form code. That's the way it's supposed to be. However, if you see your Secret key in your HTML form code, that means you've entered the wrong keys into the wizard. That is, you may have entered your Secret key into the Site key field. Note that the wizard is not omniscient. It doesn't know what your keys are supposed to be. It blindly uses whatever you enter. If you supply it the wrong keys, then your form and script will contain those wrong keys.
If the entire CAPTCHA test does not appear in your feedback form, and all you see is the plain feedback form without any CAPTCHA test at all (the whole CAPTCHA section is missing), it probably means one of the following things:
You are looking at the page in your web editor, and thinking that the CAPTCHA test will show up there. It probably won't. Upload (publish) your site to the Internet, and test it in a browser.
You used the wrong keys. For example, you mixed up the Site and Secret keys. Or you entered the keys into the Wizard manually, and made a typing error.
Both the feedback form script and the Feedback Form Wizard do not know anything about the keys you are supposed to have. They will obediently use whatever you enter, and do whatever you tell them to do, even if the keys are wrong, or are of the wrong type. However, the CAPTCHA service will reject invalid keys, resulting in the test not working on your site.
You created your feedback form (at least) twice. The first time you did it, you created a form without the CAPTCHA test and tried it out on your site. Then you changed your mind and created a new form with a CAPTCHA test. However, the second time round, you failed to update everything.
If you change your mind and switch from a CAPTCHA-less form to one with a CAPTCHA, you must update
everything on your website: the feedback.php script as well as the HTML code for your
feedback form. To reiterate, not only must the new PHP file be uploaded, you must also change the HTML form code
on your web page. The code is different.
Another possibility is somewhat similar to the one above. You created your feedback form at least twice, the first time without any CAPTCHA and the second with it. Your web browser could be showing you an old copy of your web page, from the time when you didn't have the CAPTCHA test. Web browsers usually save a copy of recent web pages you accessed in their internal cache. If you revisit a page you recently checked, it's possible that your browser is still displaying that cached version. You will need to reload (or refresh) the page in your browser. On most Windows browsers, hitting Ctrl+R should do the trick (where "Ctrl+R" means to hold down the Ctrl key and type "r").
If you have modified the form or script in any way (eg, to delete stuff or even to change the order of things), and you experience this problem, the issue could also be due to your modifications. See this answer for a step-by-step guide on how to locate the source of the problem and fix it.
The Feedback Form Wizard used to support both the the checkbox and invisible ReCAPTCHA versions. However, since Google no longer provides ReCAPTCHA for free, I have removed the facility.
If you encounter other types of errors or problems, please check out the Frequently Asked Questions (FAQ) about the Feedback Form Wizard.
The CAPTCHA test is probably one of the most frequently requested feature for my feedback form script, probably because there are so many beleaguered webmasters struggling with spam. Following the steps given in this CAPTCHA guide will allow you to add the test to your web form without having to learn any programming at all.
Copyright © 2009-2025 by Christopher Heng. All rights reserved.
Get more free tips and articles like this,
on web design, promotion, revenue and scripting, from https://www.thesitewizard.com/.
Do you find this article useful? You can learn of new articles and scripts that are published on thesitewizard.com by subscribing to the RSS feed. Simply point your RSS feed reader or a browser that supports RSS feeds at https://www.thesitewizard.com/thesitewizard.xml. You can read more about how to subscribe to RSS site feeds from my RSS FAQ.
This article is copyrighted. Please do not reproduce or distribute this article in whole or part, in any form.
It will appear on your page as:
How to Add a CAPTCHA Test to Your Feedback Form Script: Reducing Spam in Your Contact Form
