If you have any web forms in your Magento 2 store to collect information from customers, you are probably very aware of spam. Spammers use web forms to promote their own businesses and sites, and they use them for more malicious purposes as well.
To protect your Magento 2 web forms, you need to make it difficult or impossible for an automated tool to fill in or submit the form while keeping it as easy as possible for your customers. The most effective way to protect your web forms is to use a CAPTCHA.
What is CAPTCHA?
A CAPTCHA, which stands for "Completely Automated Public Turing test to tell Computers and Humans Apart", is a type of challenge-response test used in computing to determine whether or not the user is human.
There are three different types of CAPTCHA: Regular CAPTCHA, Simple math CAPTCHA and No CAPTCHA reCAPTCHA.
- Regular CAPTCHA - the user has to type a few letters that are displayed on the screen to complete the form submission.
- Simple math CAPTCHA - a very easy arithmetic test, e.g. "what is 2 + 7?"
- No CAPTCHA reCAPTCHA - an improved form of CAPTCHA developed by Google that simply requires the user to click a checkbox, which makes it extremely user-friendly. reCAPTCHA provides advanced security with low friction and effortless interaction for users.
CAPTCHA in Magento 2
CAPTCHA can be used in the Magento 2 admin (sign-in and forgot password pages) and on the storefront (customer account login, register, forgot password, checkout and contact us pages).
Admin CAPTCHA
For an extra level of security, you can add a CAPTCHA to the admin sign-in and forgot password pages to protect the back-office password of your store, where orders, catalog, content and configuration are managed.
To configure an Admin CAPTCHA:
- On the Admin panel, click Stores. In the Settings section, select Configuration.
- Select Admin under Advanced in the panel on the left.
- Open the CAPTCHA section and continue with the following:
  - In the Enable CAPTCHA in Admin field, select "Yes" to enable CAPTCHA in Admin.
  - In the Font field, select the name of the font to be used for the CAPTCHA symbols. The default is LinLibertine.
  - In the Forms field, select one of the following forms where CAPTCHA is to be used:
    - Admin Login
    - Admin Forgot Password
  - In the Displaying Mode field, choose one of the following:
    - Always
    - After number of attempts to login
  - In the Number of Unsuccessful Attempts to Login field, enter the number of unsuccessful login attempts before the CAPTCHA appears. If you enter zero, the CAPTCHA will always be shown.
  - In the CAPTCHA Timeout (minutes) field, enter the number of minutes before the CAPTCHA expires. When the CAPTCHA expires, the user must reload the page to generate a new CAPTCHA.
  - In the Number of Symbols field, enter the range of symbol counts the CAPTCHA will vary within, for example 3-7. The maximum number of symbols is eight.
  - In the Symbols Used in CAPTCHA field, specify the symbols that can be used in the CAPTCHA. Only letters (a-z and A-Z) and numbers (0-9) may be entered; spaces and other characters are not allowed. Similar-looking symbols are excluded from the default set.
  - In the Case Sensitive field, select Yes if you require the user to enter upper- and lowercase characters exactly as shown.
- When complete, click Save Config.
By default if you enable Admin Login CAPTCHA and don’t change its settings, it will appear after 3 unsuccessful attempts to login.
Storefront CAPTCHA
Customers can be required to enter a CAPTCHA each time they log in to their accounts, or after several unsuccessful attempts to log in.
To configure a Storefront CAPTCHA:
- On the Admin panel, click Stores. In the Settings section, select Configuration.
- Select Customer Configuration under Customers in the panel on the left.
- Open the CAPTCHA section and continue with the following:
  - In the Enable CAPTCHA on Frontend field, select "Yes" to enable CAPTCHA on the frontend.
  - In the Font field, select the name of the font to be used for the CAPTCHA symbols. The default is LinLibertine.
  - In the Forms field, select the forms where CAPTCHA is to be used:
    - Create User
    - Login
    - Forgot Password
    - Checkout as Guest
    - Register during Checkout
    - Contact Us
    - Change password
  - In the Displaying Mode field, choose one of the following:
    - Always
    - After number of attempts to login
  - In the Number of Unsuccessful Attempts to Login field, enter the number of unsuccessful login attempts before the CAPTCHA appears. If you enter zero, the CAPTCHA will always be shown.
  - In the CAPTCHA Timeout (minutes) field, enter the number of minutes before the CAPTCHA expires. When the CAPTCHA expires, the user must reload the page to generate a new CAPTCHA.
  - In the Number of Symbols field, enter the range of symbol counts the CAPTCHA will vary within, for example 3-7. The maximum number of symbols is eight.
  - In the Symbols Used in CAPTCHA field, specify the symbols that can be used in the CAPTCHA. Only letters (a-z and A-Z) and numbers (0-9) may be entered; spaces and other characters are not allowed. Similar-looking symbols are excluded from the default set.
  - In the Case Sensitive field, select Yes if you require the user to enter upper- and lowercase characters exactly as shown.
- When complete, click Save Config.
You can reload the CAPTCHA as many times as necessary. The CAPTCHA is fully configurable and can be set to appear every time, or only after a number of failed login attempts.
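Added example (not from the original article): the Admin and Storefront CAPTCHA settings walked through above, applied with Magento 2's `bin/magento config:set` command instead of the admin panel, after checking the values against the field rules the article states (letters and digits only, at most eight symbols, zero attempts means always shown). The `admin/captcha/*` and `customer/captcha/*` config paths and form codes such as `backend_login` are assumed to match the Magento_Captcha module; the script only prints the commands so it can be reviewed before running.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: emit "bin/magento config:set"
# commands for the CAPTCHA settings described above, validated first.
# Assumption: config paths admin/captcha/* (Admin CAPTCHA) and
# customer/captcha/* (Storefront CAPTCHA) follow the Magento_Captcha module.

# "Symbols Used in CAPTCHA": letters and digits only, no spaces or other chars.
valid_symbols() {
  case "$1" in
    '' | *[!A-Za-z0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# "Number of Symbols": a range such as 3-7 (or a single count); at most eight.
valid_length() {
  local lo hi
  case "$1" in
    *-*) lo=${1%%-*}; hi=${1#*-} ;;
    *)   lo=$1;       hi=$1 ;;
  esac
  case "$lo$hi" in '' | *[!0-9]*) return 1 ;; esac
  [ "$lo" -ge 1 ] && [ "$hi" -le 8 ] && [ "$lo" -le "$hi" ]
}

# Print the config:set commands for one scope (admin or customer) without
# running them. Args: scope forms mode attempts timeout length symbols case_sensitive
# mode is "always" or "after_fail"; attempts 0 means the CAPTCHA is always shown.
captcha_config_cmds() {
  local scope=$1 forms=$2 mode=$3 attempts=$4 timeout=$5 length=$6 symbols=$7 cs=$8
  case "$scope" in admin | customer) ;; *) echo "bad scope: $scope" >&2; return 1 ;; esac
  case "$mode" in always | after_fail) ;; *) echo "bad mode: $mode" >&2; return 1 ;; esac
  valid_symbols "$symbols" || { echo "bad symbols: $symbols" >&2; return 1; }
  valid_length "$length"   || { echo "bad length range: $length" >&2; return 1; }
  local p="$scope/captcha"
  printf 'bin/magento config:set %s/%s %s\n' \
    "$p" enable 1 \
    "$p" forms "$forms" \
    "$p" mode "$mode" \
    "$p" failed_attempts_login "$attempts" \
    "$p" timeout "$timeout" \
    "$p" length "$length" \
    "$p" symbols "$symbols" \
    "$p" case_sensitive "$cs"
}

# Admin CAPTCHA on both back-office forms after 3 failed logins, 7-minute timeout,
# 4-5 symbols from a constructed set that omits look-alikes (I/l/1, O/0).
captcha_config_cmds admin backend_login,backend_forgotpassword after_fail 3 7 4-5 \
  ABCDEFGHJKMnpqrstuvwxyz23456789 0
```

Pipe the output into `sh` from the Magento root to apply it; use the `customer` scope with the storefront form codes for the Storefront CAPTCHA.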
The extension currently supports reCAPTCHA on the following forms:
- Contact page form
- Product Review form
- Customer Registration Form
- Product Send to friend form
- Login Form
- Forgot Password Form
- Newsletter Subscription Form
More details here