Google’s new Invisible reCAPTCHA system can reduce the amount of spam submitted to WordPress sites without asking users to decipher obscure images, click a button, or even be aware that their “humanness” has been tested at all.
Spam continues to be a huge problem for WordPress sites with forms, including comment forms. Whenever a site publishes a form on the web, it’s hammered by spambots that submit fake information. Typically, forms collect far more spam than authentic data, and site owners have to use spam filtering tools to sort the wheat from the chaff.
Spambots and automated scrapers attack any login or registration form they can find to harvest email addresses, steal content, and even use stolen credentials to gather information for identity theft.
The original reCAPTCHA system was, for its time, a novel and useful solution to the problem of distinguishing humans from bots and scripts. reCAPTCHA displayed difficult-to-read images of text. Humans didn’t have much trouble reading them and entering what they said into a text box. Bots simply weren’t sophisticated enough to pass the test. But, in the last few years, advances in machine learning and image recognition have made it possible to defeat the original reCAPTCHA without a human.
The main problem with the original reCAPTCHA was that users hated it. I know I was never thrilled to be asked to squint at a barely legible scribble every time I wanted to log into a site. It wasn’t just an annoyance, though. reCAPTCHA discouraged users from completing forms and registering for services, negatively impacting conversion rates.
Although a small number of sites — frustratingly — still use a version of the old reCAPTCHA system, most have moved to the more recent iteration which asks users to click a checkbox to assert that “I’m a human”. The newer reCAPTCHA’s uses sophisticated algorithms to analyze mouse movement and other factors to determine whether the user is human.
The new Invisible reCAPTCHA system goes a step further. Users don’t have to do anything to prove they are human other than behave like a human. Invisible reCAPTCHA has no user-facing interface. The work of identifying humans is done in the background as the user interacts with a web page. Google is being tight-lipped about how the new system works, only saying that it uses “advanced risk analysis technology to separate humans from bots”.
It’s likely Google is using its machine learning and artificial intelligence expertise, huge quantities of data about how humans and bots behave, and threat data about bot networks to develop sophisticated pattern recognition algorithms that can discriminate humans from bots.
At the time of writing, Invisible reCAPTCHA is still in Beta, but it can be used on WordPress sites with the excellent Invisible reCaptcha for WordPress plugin. For developers, Invisible reCAPTCHA is relatively straightforward to implement, as Google details on its help pages.Posted in: Security, Webmaster