Operating a website is much like operating a storefront business. Our websites have an open door with both customers and prospects visiting to do business with us. Visitors may submit contact inquiries, make purchases, or even login to check their order status, download digital products, or manage their accounts. While being open for business for these activities, we also have to be vigilant for malicious actors that may want to access our sites. These attackers can attempt carding attacks, spam submissions, or even malicious brute force login attacks.
Attackers are clever, and as site owners, we have to be just as clever to stay one step ahead of them. After all, we have a responsibility to protect our customers and our websites, and that requires being vigilant about the traffic coming through our website’s open doors.
Luckily, Ninja Forms offers a number of tools that help us protect our sites from malicious actors, no matter what their motive. In today’s blog post, we’ll take a look at some of these malicious actors, their motive, and how to use the tools Ninja Forms offers to help keep our sites free of spam, brute force attacks, and even lower the prevalence of carding attacks.
Malicious activity on WordPress sites
First, let’s look at some of the malicious activity targeting WordPress sites. With WordPress running over 40% of the internet, our sites are attractive targets for those looking to make a quick buck.
Contact form spam
If you’ve got a contact form on your website, you’ve likely received contact form spam. Whether they are submissions promising you better SEO for your site, millions from cryptocurrency scams, or even inheritances from Nigerian princes, contact form spam has never stopped. WordPress sites both big and small are targets from automated spam sending bots looking to find that one person who will respond. The greatest impact of contact form spam is usually just irritation, but these bot-driven attacks also use server resources that can better be used to serve customers and site visitors.
WordPress brute force login attempts
If you’ve been using the internet for a while, you probably remember the good old days when using the same password everywhere was acceptable. You may have even had a fun, easy-to-remember password using your pet’s name or a favorite vacation spot. Unfortunately, reused passwords are the cause of many breaches. One hack discovering a trove of usernames, email addresses, and passwords will lead a creative hacker to wonder where else they can use this sensitive information. From bank accounts to our WordPress websites, reused passwords are no longer safe. These reused passwords are used in bot-driven brute force login attempts. A reused password used on a WordPress site, or even a site connected to your WordPress site, can lead to a site intrusion that can be costly to remedy. And these brute force attacks also use our server resources.
eCommerce carding attacks
Passwords and other personally identifiable information aren’t the only thing hackers find in breaches. They also find credit card details of millions of customers from insecure eCommerce sites. These collections of credit card numbers, cardholder information, and expiration dates are, of course, incredibly attractive to thieves. Determining whether or not a stolen card is still active and usable is often their first step. As such, automated “carding attacks” plague any eCommerce site with a credit card purchase form. If successful, this fraudulent credit card purchase via an eCommerce form is alarming, not only for eCommerce store owners but also for their credit card processing companies.
Why do malicious actors target WordPress forms?
All of these attacks have two things in common: profit motive and automation. Attackers use automated tools to scale their attacks, targeting WordPress sites large and small, for the goal of making money off of WordPress sites. It doesn’t matter if our site is serving content to millions of people or if our contact form is just connected to our inbox. WordPress, and the forms we serve on our sites, are incredibly attractive tools for malicious activity.
Even if you don’t believe your site has anything of value, your site’s resources can provide value to an attacker looking to use your site functionality to ultimately make money.
How does Ninja Forms protect your forms?
There are a number of features available to Ninja Forms users that can help you make life more difficult for would-be WordPress attackers. Of course, as site owners, we can never stop malicious activity if an attacker truly wants to attack our forms. But if we can make things more challenging, these automated bots will be pointed elsewhere, keeping our sites free of spam submissions, brute force attacks, and carding attacks.
Ninja Forms built-in honeypot protection
Every form you build with Ninja Forms, whether you’re using the free version of Ninja Forms or a paid add-on to extend site functionality, receives built-in honeypot protection. This is one of the greatest benefits of using Ninja Forms for your forms, and it requires no configuration on your part. The Ninja Forms built-in honeypot is an invisible blank form field included in every form you build with Ninja Forms. Spambots, unaware that this blank field is a trap, fill it in as if it were a valid field. Any value submitted in this field causes the form submission to fail.
In most cases, the Ninja Forms built-in honeypot is an incredibly effective tool to suppress spam submissions and other malicious bot activity.
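As an added illustration of the honeypot technique described above (this is not Ninja Forms' own code; the plugin's real field name and markup are not shown on this page), the plain PHP below renders a text input that people never see and rejects any submission that carries a value in it. The field name `nf_hp_website` is an assumed placeholder, and the two sample submissions are constructed.

```php
<?php
// Added example of a generic form honeypot. Not Ninja Forms' own code;
// the field name is an assumed placeholder.

const HONEYPOT_FIELD = 'nf_hp_website';

/**
 * Render the honeypot input. It is moved off-screen with CSS, hidden from
 * assistive technology and taken out of the tab order, but it remains an
 * ordinary text input in the markup, so a bot that fills every field it
 * finds will populate it.
 */
function render_honeypot_field(): string
{
    $name = htmlspecialchars(HONEYPOT_FIELD, ENT_QUOTES, 'UTF-8');
    return '<div style="position:absolute;left:-10000px;" aria-hidden="true">'
         . '<label for="' . $name . '">Leave this field empty</label>'
         . '<input type="text" id="' . $name . '" name="' . $name . '" value="" '
         . 'tabindex="-1" autocomplete="off">'
         . '</div>';
}

/**
 * Server-side check, run before any email or payment action.
 * A real browser submission leaves the field empty. A non-empty value means
 * a bot filled it in; a missing field means the request did not come from
 * the rendered form at all (a stricter choice than just "non-empty fails").
 * Returns true when the submission should be rejected.
 */
function honeypot_tripped(array $post): bool
{
    if (!array_key_exists(HONEYPOT_FIELD, $post)) {
        return true;
    }
    return trim((string) $post[HONEYPOT_FIELD]) !== '';
}

// Constructed sample submissions, standing in for $_POST.
$human = ['name' => 'Ada', 'email' => 'ada@example.com',
          'message' => 'Hello', HONEYPOT_FIELD => ''];
$bot   = ['name' => 'SEO', 'email' => 'x@example.net',
          'message' => 'Cheap links', HONEYPOT_FIELD => 'https://example.net'];

foreach (['human' => $human, 'bot' => $bot] as $label => $submission) {
    $verdict = honeypot_tripped($submission) ? 'rejected' : 'accepted';
    echo "$label submission: $verdict\n";
}
```

The check costs nothing on the server and needs no third-party service, which is why it is a good first layer; it only catches bots that fill every field, so a targeted bot that reads the markup can skip it, and that gap is what the CAPTCHA layer discussed next is for.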
ReCAPTCHA
Many site owners might want to add an additional layer of protection, especially in cases where suppressing malicious activity is more vital. In cases where protecting customer, student, or even site contributor logins is a factor, using Google’s reCAPTCHA service is an additional layer of protection from malicious activity.
reCAPTCHA is a free service offered by Google that any site owner can use. A “CAPTCHA” is a Turing test designed to distinguish human activity from bot activity on a site. These challenges are easy for humans to solve but difficult for bots. There are two versions of reCAPTCHA, v2 and v3.
What is the difference between reCAPTCHA v2 and reCAPTCHA v3?
ReCAPTCHA v2
ReCAPTCHA v2 has historically been the puzzle-solving interruption asking you to identify boats, bridges, fire hydrants, or traffic signals. It can often feel like we’re training our new AI overlords to navigate our world with some of the reCAPTCHAs on sites, making this implementation of reCAPTCHA clumsy and undesirable. Older implementations of reCAPTCHA added friction to the experience of submitting forms. This is why we have previously recommended not to use reCAPTCHA in order to create better experiences for customers and site visitors.
Over the years, reCAPTCHA v2 has improved its functionality, offering more user-friendly options that provide protection while also offering a seamless experience for the end user.
There are now two different versions of reCAPTCHA v2 that can be used, the “I’m not a robot” checkbox and an invisible badge. The invisible badge does not require a site visitor to click on a checkbox. Instead, it is triggered when the site visitor completing your form clicks submit. Any visit to your site that looks like a bot will be prompted to solve a CAPTCHA.
ReCAPTCHA v3
ReCAPTCHA v3 detects abusive traffic on your website without any interaction required from your site visitors. Instead of showing a CAPTCHA puzzle to complete, reCAPTCHA v3 returns a score so that the site owner can choose the most appropriate action for their website. These scores allow you to perform risk analysis for various use cases, and you have full control over what to do with the results of that analysis. This may require some tuning, and there is no option for an end user to override a false positive. Instead, a user may be presented with an error message fully interrupting their form submission or purchase. As such, reCAPTCHA v3 should be tested thoroughly before implementation in a full production environment.
(If you’re wondering what happened to reCAPTCHA v1, it was shut down in 2018.)
Additionally, Google offers reCAPTCHA Enterprise. The enterprise solution is built on the same API as reCAPTCHA but offers enhanced detection as a part of the Google Cloud product. There is a charge for this service from Google, but it comes with advanced reporting that might be of interest to enterprise users of Ninja Forms. If you have already used reCAPTCHA, there are steps to migrate your existing reCAPTCHA site credentials to Google reCAPTCHA Enterprise. If not, you will still need to start with either reCAPTCHA v2 or reCAPTCHA v3.
Which version of reCAPTCHA should you use?
Determining which version of reCAPTCHA is best for your site is dependent upon your site’s individual needs. No matter which version you choose, monitor and test to ensure that your site visitors are not negatively impacted by reCAPTCHA. If you choose to use reCAPTCHA v3, you may need to tune the implementation to ensure that site submissions are not blocked by reCAPTCHA v3 false positives identifying valid human traffic as bot traffic.
Getting started with reCAPTCHA
Getting reCAPTCHA set up might seem daunting at first, but we’ve made these steps easy to follow here. Both Ninja Forms and Google have provided easy-to-use tools to integrate this capability into your forms.
Step 1. Turn all site caching off
If you’re using any kind of caching on your site, whether through a CDN, page caching, or a caching plugin, ensure that your site is in development mode prior to adding reCAPTCHA to your forms. We’re adding additional functionality, and any caching of your forms may cause issues as we add reCAPTCHA to our forms.
Step 2. Set up an account and your site with Google reCAPTCHA
First, you’ll need to set up an account and obtain site keys. Head over to Google’s reCAPTCHA admin pages and set up a site. You’ll have to enter a few details about your site and tell reCAPTCHA which version you’d like to use for your website. Use the primary domain, as all subdomains will work with the primary domain.
If you’re setting up the site for a client, you can add their email address and let reCAPTCHA know that both you and your client would like notifications about configuration issues or increases in suspicious submissions.
Step 3. Obtain your reCAPTCHA site key and secret key
Once you’ve agreed to Google reCAPTCHA’s terms of service, click the gear icon to obtain your reCAPTCHA keys. There will be two keys that you’ll use, one called the site key, another called the secret key. You’ll need both, so keep this window open.
Step 4. Enter your reCAPTCHA keys into your Ninja Forms installation
In your WordPress Administration dashboard, head to Ninja Forms > Settings. On that page, you’ll see a form where you can paste your reCAPTCHA site key and secret key. These values will be used by any form you create on your site with Ninja Forms. Also, select whether you want light or dark mode on your forms.
Make sure you click “Save Settings” once you have your keys entered.
Step 5. Add reCAPTCHA to your form
Navigate to your form and click the big blue plus sign in the bottom right-hand corner of your screen. Next, scroll to the bottom of the form fields. You’ll find “reCAPTCHA” at the bottom under “Miscellaneous Fields.”
In this example, we’re adding reCAPTCHA to a contact form, but reCAPTCHA can just as easily be added to a customized WordPress login form if you’re using the Ninja Forms User Management add-on or any one of our payment form add-ons such as for Elavon Payment gateway, PayPal Express, or Stripe. In future articles, we’ll look at these specific implementations to protect your site from carding attacks.
Step 6. Add email actions for reCAPTCHA v3
If you chose reCAPTCHA v3, navigate to “Emails & Actions” within your form and click the big blue plus sign in the bottom right-hand corner of your screen. Once there, click the reCAPTCHA v3 option to add it to your form actions.
Once that is done, you can set the score threshold you’d like for your form. Start with 0.5 as a place to begin your testing. For reCAPTCHA v3 scoring, 1.0 is very likely a good interaction and 0.0 is very likely a bot.
This step is not required for reCAPTCHA v2.
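To make the v3 score threshold concrete, here is an added example in plain PHP (PHP 8 or later) of what a server does with a reCAPTCHA v3 token; it is not Ninja Forms' own code. The token the browser posts with the form is sent together with the secret key to Google's siteverify endpoint, and the JSON reply is checked for success, hostname, action and score before a threshold such as 0.5 is applied. The action name `contact_form`, the hostname `example.com` and the sample responses are constructed; the secret key is only ever used on the server, never in page markup.

```php
<?php
// Added example of server-side reCAPTCHA v3 verification and scoring.
// Not Ninja Forms' own code; action name, hostname and samples are constructed.

const RECAPTCHA_VERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

/**
 * Send the client token to Google's siteverify endpoint and return the decoded
 * JSON reply (success, score, action, hostname, error-codes). This is the only
 * network call; the demo below feeds constructed replies into the evaluator.
 */
function recaptcha_siteverify(string $secret, string $token, ?string $remoteIp = null): array
{
    $params = ['secret' => $secret, 'response' => $token];
    if ($remoteIp !== null) {
        $params['remoteip'] = $remoteIp;
    }
    $context = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query($params),
        'timeout' => 5,
    ]]);
    $body = @file_get_contents(RECAPTCHA_VERIFY_URL, false, $context);
    if ($body === false) {
        return ['success' => false, 'error-codes' => ['network-error']];
    }
    $decoded = json_decode($body, true);
    return is_array($decoded) ? $decoded : ['success' => false, 'error-codes' => ['invalid-json']];
}

/** The site is registered under its primary domain, so subdomains are accepted too. */
function hostname_allowed(string $hostname, string $expectedHost): bool
{
    return $hostname === $expectedHost || str_ends_with($hostname, '.' . $expectedHost);
}

/**
 * Decide whether a submission passes. Checks, in order: the token verified,
 * it was minted for this site, the action matches this form, and the score
 * clears the threshold (1.0 = very likely human, 0.0 = very likely bot).
 * Returns [bool $allowed, string $reason]; the reason is for the site's logs.
 */
function evaluate_recaptcha_v3(array $verify, string $expectedHost, string $expectedAction, float $threshold): array
{
    if (empty($verify['success'])) {
        $codes = implode(',', $verify['error-codes'] ?? ['unknown']);
        return [false, "token not verified ($codes)"];
    }
    if (!hostname_allowed((string) ($verify['hostname'] ?? ''), $expectedHost)) {
        return [false, 'hostname mismatch'];
    }
    if (($verify['action'] ?? '') !== $expectedAction) {
        return [false, 'action mismatch'];
    }
    $score = (float) ($verify['score'] ?? 0.0);
    if ($score < $threshold) {
        return [false, sprintf('score %.2f below threshold %.2f', $score, $threshold)];
    }
    return [true, sprintf('score %.2f', $score)];
}

// Constructed replies shaped like siteverify output, standing in for real calls.
$samples = [
    'human'        => ['success' => true, 'score' => 0.9, 'action' => 'contact_form', 'hostname' => 'example.com'],
    'subdomain'    => ['success' => true, 'score' => 0.7, 'action' => 'contact_form', 'hostname' => 'shop.example.com'],
    'likely bot'   => ['success' => true, 'score' => 0.1, 'action' => 'contact_form', 'hostname' => 'example.com'],
    'wrong action' => ['success' => true, 'score' => 0.9, 'action' => 'login',        'hostname' => 'example.com'],
    'other site'   => ['success' => true, 'score' => 0.9, 'action' => 'contact_form', 'hostname' => 'evil.example'],
    'bad token'    => ['success' => false, 'error-codes' => ['timeout-or-duplicate']],
];

foreach ($samples as $label => $reply) {
    [$ok, $why] = evaluate_recaptcha_v3($reply, 'example.com', 'contact_form', 0.5);
    printf("%-12s %s (%s)\n", $label, $ok ? 'accepted' : 'rejected', $why);
}
```

Keeping the reason string in your logs is what makes the tuning the post describes possible: if legitimate visitors report blocked submissions, the scores they received show whether lowering the threshold from 0.5 would have let them through, and a run of `timeout-or-duplicate` errors after enabling reCAPTCHA usually points back to the caching issue from Step 1.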
Step 7. Test your forms!
As with all changes to your forms, test to confirm you get the desired results. Reload your page with a hard refresh and clear your browser’s cache. Here’s how to do that on the Chrome browser. Your site will need to load new assets, including JavaScript provided by Google reCAPTCHA, so make sure your browser has loaded everything it needs in order to use reCAPTCHA properly. Submit your form and check your submissions page under Ninja Forms > Submissions to ensure you received the submission.
Step 8. Monitor your forms
If submission frequency changes, double check your site’s reCAPTCHA data in Google’s reporting. In the same area where you created your site keys, reCAPTCHA will provide you with analytics to show you how reCAPTCHA is working for you.
Especially if you are using reCAPTCHA v3, monitor your site page speed and analytics. If anything looks like it might be impacting user experience, try changing the reCAPTCHA scoring. You can also implement different versions of reCAPTCHA to see if that ameliorates problems. As with all site features, test to determine the right balance of security and usability.
Conclusion
In today’s blog post, we reviewed how attackers target WordPress forms, why they attack WordPress forms, and specific strategies using reCAPTCHA to protect your forms from malicious activity. In future articles, we’ll dive deeper into additional implementations of reCAPTCHA to help you secure even more of the forms you publish on your site.
If you’d like notification when our next blog post is published, as well as news about Ninja Forms and helpful content to get the most out of our software, subscribe via the form below.