Wordpress Plugin: Login and Register Anti-Spam Captcha
It is time to update my Anti-Spam robot for wordpress registration page. The hack presented here for spambots is still working for me but I’m getting a bunch of emails from peoples who can’t backup a file and insert a few lines in their register form. So, let’s cut to the chase: I’ve made a plugin that will insert the captcha (Completely Automated Public Turing test to tell Computers and Humans Apart) image automatically in the Login and/or Register page of your wordpress installation. And that is not all, you can play around with 5 different captcha algoritms and customize them the way you want. Hence, ocr geeks have managed to automatically read the image? no problem… change your captcha fonts, color, add some random lines or dots or switch to a different captcha algorithm and you are done.
You will find 5 captcha algorithms in this plugin:
-
(1) PNG-Raz MiXed Fonts : fully customizable
(2) JPG-Tiny Mini : a mini customizable captcha
(3) PNG-GOTCHA from Sol Toure
(4) PNG-phpBB3 8bit Grey from phpBB Group
(5) PNG-PNG-phpBB3 Advanced from phpBB Group
Just use the one you want or you can customize one just for your site. I’m using the PNG-GOTCHA, here is how it looks on my site : register or login. If the captcha alg will mess the image you can refresh/generate another one by clicking on it.
Requirements
This plugin requires Wordpress 2.x.x with PHP 4 (v4.3.0 or newer) and GD Library. GOTCHA alg requires the additional FreeType Library to be installed on your web host for loading the fonts. GD and FreeType Library are usually installed already on your host but if they are not just ask your web host to install them…
Installation
The plugin can be installed in 3 easy steps:
1. Download the plugin (see below).
2. Decompress the .zip archive into your plugins directory (/wp-content/plugins/) keeping zip folder structure intact
3. Enable the plugin in the WordPress Plugins admin page -> Raz-Captcha.
* Go to Options -> Raz-Captcha, adjust the options if necessary and save.
* That’s All! check your login and register pages 
Download
Donate
Download
Details
Report*You can find this plugin on Wordpress.org as well (thank you wordpress!)
Final words
If you have the registration hack installed please restore wp-login.php from your backup or remove the “hacked” lines from wp-login. If you don’t, you will end up with two captcha checks on the registration page.
This plugin is work in progress, the first beta release, and any shouts from you are welcomed. Stay safe and clean 
Programmers should be trusted. If your brain surgeon told you the operation you need takes five hours, would you pressure him to do it in three?
Richard Blair
Installed it. Seems to be working well. Thanks for the plugin!!
Kees
Installation went OK. I could activate the plug-in, but the image with the generated comments does not show
, and log-in is no onger possible!
A picture of what I get is shown on this page: http://www.chc-telraam.nl/?page_id=3
I hope you can help!
Raz
@Richard: thank you
@Kees: Well if that happens just remove or rename the plugin folder and Wordpress will deactivate the plugin automatically. Have you changed the folders structure/names? because a part of them are hardcoded, so the image will not get generated because is not found in the same relative path: wp-content\plugins\raz-captcha. If you can get me a source code of your generated login/register page after the plugin is activated will help me out to find out what is going on
Thanks
Kees
Thanks for the feed-back. I used your gmail account to mail you the information you requested. I really hope you will be able to help out, because the registration spam is starting to become irritating!
Could the cause be found in the GD and/or freetype library? I’m not sure how to find out if these are installed (other than asking the provider!)
Raz
Hi Kees,
.
Thanks for your mail, I’m on my way with the tests.
Yes, if you don’t have the GD or FreeType lib it will not work because the image can’t get generated. I will update the plugin in the feature versions so that it will warn you if it cannot find them.
I have a question about your installation: what captcha engine did you used? Try switching to another engine. The default one : PNG-GOTCHA needs the freetype lib but the rest of them need only the GD lib. The safest one is PNG-phpBB3 8bit Grey because it doesn’t need GD or FreeType lib but the engine itself is not so strong against spam-bots, ocr geeks, hackers or whatever you call them
Thanks
Raz
Checking what extensions are installed on your host it’s easy, just create a php file with the following code on your server: < ?php phpinfo(); ?> and then open the file thro your browser and search for the GD and free library support, if you can’t find them then they are not installed…
Hope it helps.
Kees
Raz,
. Thanks a lot for your support! The problem was not your plug-in, but my Wordpress Install 
.
The plug-in is working now
Tkanks again for a great plug-in
Raz
You’re welcome! Glad it got fixed and glad I could help
Dicontas
Hi,
Thanks for plugin, but when I activated plugin, then go to Options tab, the plugin has an error in the homepath with double foward slahes between the root directory and the plugin path to the fonts directory:
i.e. //wp-content/plugins/raz-captcha/fonts/
My blog home is http://www.dicontas.co.uk/blog/ so it may be that it is not at the domain root that is causing the error in your plugin.
Dicontas
realized the error - you need to keep the plugin folder called raz-captcha. I missed out the dash in the folder name.
I consider this a small bug as other blog admins may also choose to change the name for increasing security.
Raz
Hi Dicontas.
This is still beta and in the second install step I’ve warned you: “Decompress the .zip archive into your plugins directory (/wp-content/plugins/) keeping zip folder structure intact“. By renaming the folder you’ll don’t get much security, your folder path/script renamed name will be visible in the page browser source anyway. Bots would not be stopped if they just need to do a simple parse job, trust me
Good luck and thanks for your feedbak.
Jared
Hello, I am using the themed registration plug in here:
http://www.jameskelly.org/wordpress-plugins/custom-login-and-registration-forms-plugin/
Because of that your plug in isn’t showing up on the registration page. I think I would be able to hack that plug in and add your code into it to make it work. What code do I need to add to the form?
Thanks!
Raz
Hi Jared,
The themed plug you’re using, as far as I can see, it doesn’t install the same hooks as wordpress does on login and register pages, is not plugin aware. The only way i can see it working is to modify the themed plug so that it will call the hooks just like wordpress does (see wp-login.php file actions/filters). Not sure if it works but give it a try. If you’re a coder have a look in the wp-login.php of your wordpress instalation, raz-captcha needs this hooks actions:
do_action(’login_head’);
do_action(’wp_authenticate’);
do_action(’registration_errors’);
do_action(’register_form’);
I will have a look at the themed plug when I’ll have some free time tho, Good luck!
emre murat
Hi, Raz.
This is very good plugin.
I did download and just click activate. It’s working on my site.(i’ll install my other sites on bluehost)
I want to send a some donation for easly and goog plugin but Paypay is say to me:
Currently PayPal accounts in Romania are only able to send payments. This recipient is not eligible to receive funds
Then, i stumble it
Thanks.
Raz
Hi emre murat,
PayPal didn’t support my country for a while. But it is supported now, see Donations page here. Thank you very much for your support and donation!
Kretzschmar
Great, just installed your plugin. Are you interested in a gettexted version of your plugin? I could make all changes and translate it to german. Just mail me if you are interested.
Kretzschmar
It is a great plugin but isn’t working for me. I am using Wordpress 2.3 beta. Options pages is working. Although I tried it several times, I couldn’t log in. I really spelled the captcha correct. Is support for Wordpress 2.3 planed?
Raz
Hi Kretzschmar,
Yeah, you can modify/translate the plugin for your needs. I don’t mind as long as you keep the original authors in place
I didn’t do tests with v2.3 of wordpress, but it should work… If you can get the image to generate but not validate make sure you don’t clear the $_SESSION var where the random code hash is saved ( $_SESSION['raz_captcha_gen'] ) when accessing the login/register page.
Thanks
Kretzschmar
I don’t want to make my ‘own’ version. I would like to send you my changes so you could use them in future versions.
I don’t know if you are familar with gettext but the base language would be english and only if tranlsation files are used, the plugin would translate those.
Do you mean that some plugin could alter this var? Why and how should I change the session var in the login screen?
Raz
Hi Kretzschmar,
) has just entered in the box and fails, I don’t see other reason for failing…
Is not the var itself that is changed, it’s kinda unique name (i guess) but the entire $_SESSION could be cleared … do an echo test before the register validations / image generation in your login/register page, see if the var is there: echo $_SESSION[’raz_captcha_gen’]; It should print the password hash, if it doesn’t then your $_SESSION is cleared for some reason.. because it doesn’t find the previous generated hash to match with the one the user (or spammer
Yes, send your changes on my gmail.com account: razvaR -at- gmail -dot- com and I will include them in the next release (not sure when that will happen tho)
Thanks
m1chu
Hello, i think that i was discover some kind of bug in your script. In file raz-captcha.php in line 198 and 199 you firstly load class method and than you set hashed $password to the session. And there is a problem, because $_SESSION['raz_captcha_gen'] is empty or incorrect after token was type. I saw through execute method and at the end of them you are killing the script (exit
. And script can’t set session value. You should replace line 198 with 199 and vice verse’a, for example:
$_SESSION['raz_captcha_gen']=md5($password);
$captcha->execute($password, time());
Than you firstly set session than you execute your method and at the end you will stop the script. Everything should works fine.
It’s very unkind bug…
Tested on 2.2.3 version of Wordpress. If you want to know something more, type to my email.
Raz
Hi m1chu,
Thanks for your fix
qwe
this magnificent
it works good
but just on firefox ? on Internet Explorer show empty ?
Enni
@qwe: For me it works fine with IE. At least with version 7.x.
Raz, indeed this is a superb plugin. Seems I don’t get any spam registration anymore. Yipiiieh! I only installed it 2 days ago so it might be too early to give a final OK but so far I’m just happy! Thank you sooo much!
The only little sad thing is that it doesn’t work with James Kelly’s Themed login plugin. The same story Jared wrote about. May be one day you will have some free time and check that out. Will have a look on the news from time to time.
Raz
@qwe: Thanks, works fine on IE (6 or 7) , what captcha engine are you using?
. I can’t do much about James Kelly’s Themed login plugin, as far as I can see the themed login does not let other plugins (like my captcha) to interact with the login/register forms as wordpress does. So, i think you should ask the plugin author to add the same actions/hooks request as wordpress does to support wp plugins.
@Enni: Thank you for your feedback. If you’re geting registration spammers just change your image generation engine, or customize one with the custom engine: PNG-Raz MiXed Fonts
Enni
Hi Raz, unfortunalety I rejoiced too soon. Still I get those registrations. Also with the mixed fonts.
Don’t know how they overcome the CAPTCHA, but obviously they do. It might have something to do with a forum plugin, because always the entry page is /forum. Next step either /wp-register or /forum?action=register.
If I call those pages manually I’m always forced to enter the code. So I don’t have any idea how it is possible to register without filling that field.
Only thing which helps is to block the according IPs. But I don’t have them always as with registration the numbers are not transfered. So I just find them by coincidence in the stats.
Regarding the James Kelly plugin: I deactivated it since I found another way of having nicer registration pages.
Raz
Hi Enni, sorry to hear about that, my only guess is that they are maybe ‘manually’ registred, you may be a target of those kind of spam that are registred by a human not a bot? Not much I can do about that, except to save the IP of the registred user and ‘manually ‘ ban him from the admin, something like: “disallow registration from this IP list”, I think that will be a nice feature
later: I see you are using numbers only in your captcha, try including some chars, some special ones like @ or $
In the plugin settings you have the option to set what type of chars to random generate in your captcha, by default it has numbers only but you can set any type of character. Just add @!#$�CDEFGHIJKLMNPWRSTUVWXYZ to the Accepted Chars box and hit the save button to make your captcha stronger…
Enni
Dear Raz,
Thanks a miilion for caring so much. Actually, I really can’t believe that the registrations were done manually. Although also to me it seems to be the only explanation how they are able to register. Because for the forum they need to register via the usual process as well. So it’s not that logical why they choose this specific path. Doesn’t make sense to me.
Maybe I will get in contact with the developer of the forum. He should have heard about this problem already. All people I know who are fighting with these spammers too are using the forum plugin.
But I’m going to do other investigations as well. Even if I’m not a programer and don’t know much about coding I should be able to detect a pattern of those registrations.
So far all I can say is that the used systems are very old. An example from this morning:
Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040913 Firefox/0.10
This is brand new compared to some others (Browser versions from 2002 for example). If there would be a way o say ‘browser versions before 2006 are banned from registrations’ that might be working. Don’t have a clue if that is possible.
What strucks me is that it is not enough to ban a domain from registration (deadbolt or wp-ban plugin). For example ‘domain.com’ or just ‘*.com’. They still can register with such a domain! As I wrote before: Only thing that helps is to ban the IPs.
Ooops … what a long story I wrote. :”> Hopefully the information is useful for you.
Honestly spoken I don’t want to have a stronger CAPTCHA as it also constrains desired people while registration process. And most of all I don’t have the feeling that it will help a lot in fighting with the undesired.
However, will keep you updated.
Thanks again and have a nice day. Enni
Raz
Dear Enni,
Thank you for your detailed informations and for keeping me updated, they will help me out in the process of improving this little project for spam fighting. On my to do list I will include a user “black” list for registration/login IP/Browser/Domain/Name pattern match. It may not stop all of them but you will have more control over them.
Have a nice and spam-free day
Raz
Enni
Thank you!
Enni
Raz, before you are overloaded with work: I just was in contact with the forum developer. In the latest version of his plugin he added some simple calculation as spam protection option which is automatically been used for the WP registration!
That version I’m using only with another website and indeed for that I don’t get that much spam registrations. First I thought the reason was a different one but now it seems that’s the main one.
For you it means: you don’t have to add complex items to your plugin which uses plenty of your time. The plugin probably works very well for users who don’t use a forum.
As I promised I will keep you updated and let you know about my experiences once I have upgraded my private site to WP 2.3 plus the latest version of the forum.
Bye for now but not forever.
Enni
Raz
Thanks Enni, current version of the plugin doesn’t work with v2.3 as reported/fixed above by m1chu (thanks!) , I’ll update the plug with more features and the fix for wp 2.3 as soon as I get my hands on some free time, till then you may “hack” the plug a “little bit” to work with your wordpress 2.3 installation
Thanks again for your feedback
Raz
m1chu
No problem
I was testing my exchange on your mod (this from my last entry) in Wordpress 2.3 version and it’s should works fine. I think it may help you in your works with update.
m1chu
Marc
Thanks, this is a really good plugin and it works, no spam anymore!!!
Matt
Hi Raz
Excellent plugin. I have one small problem that I’d like to get to the bottom of.
Google is indexing raz-captcha.php often with interesting results, for example http://www.myhappymedium.net/wp-content/plugins/raz-captcha/raz-captcha.php?captchagen= sometimes returns a captcha image on a page (nothing else) and sometimes returns a headers already sent error.
I would be happy to provide more info if need be. I know I can stop google from indexing these pages but just wondered what was happening? A quick Google suggests a few people have the same problem (or maybe its not a problem!)
Thanks and keep up the great work
Raz
Hi Matt,
Thanks for your feedback. My guess is that google ‘thinks’ it’s a standard image and he will add it to his database… erros are displayed because the script is accessed directly and vars are not ready yet. Sometimes you can see the image generated because the session was already initialized in your browser. It’s not a problem as far as I can see, it’s just a small glitch which I intend to fix
I will add in the feature versions additional checks to show some standard errors or not let google crawl to the script …
Not sure if this will do the trick but you can add the below lines in your Robots.txt file to disallow crawlers from accessing the captca script:
Have a nice day
@Marc: Thanks for your feedback, glad it works
Narcis Garcia
- Will this plugin can be used to filter anonymous comments?
- Which CAPTCHA plugin are you using here?
- How can I customize the message “Please enter the code shown above:” ?
Thanks a lot.
Narcis Garcia
- Will this plugin can be used to filter comments in Wordpress?
- Which plugin are you using here?
- How can I customize the message “Please enter the code shown above:” ?
Raz
Hi Narcis Garcia ,
1) It doesn’t filter the wordpress comments, it’s only used on register and login forms of your blog to stop automatically registrations with spam bots
2) On the plugin comment I use the same plugin, Raz-Captcha, it’s in beta stage not released yet, work in progress
3) It can’t be customized from the plugin config window, yet …
Nisse
Hello!
I have i separate comment.php and the only thing I want is to put a CAPTCHA for the commnets.
I have no registration and no login.
Which code will I put where?
And - of cource - Happy New Year!
Raz
Hi Nisse, raz-captcha doesn’t support wp comments form yet, I will release an update for this plugin which includes captcha test on comments as well . But that will happen when I’ll get back home from vacation, if you want a beta (the same used on my comments form here) let me know
Happy New Year!
Nisse
Raz:
Hi, yes I want your beta, thanks.
Regards.
Lesiu
Which captcha algorithm do you suggest to use? Which one is the strongest against bots and spammers? By the way, you wrote that you use PNG-GOTCHA on your blog but it looks absolutely different than GOTCHA image generated with your plugin.
Raz
Hi Lesiu,
. When I’ve wrote this post GOTCHA algorithm was set on my blog and because I’ve made some changes to the plugin core (to include a captcha image on comments as well) I’ve switched to a weakest one: JPG-Tini Mini. This one proved not to be that weak, it works just great for both comments and registrations. So peek any captcha engine and give it a try 
My best guess is on the GOTCHA algorithm: it features different font for each character, sizes, colors, grid and it’s more human readable
Lesiu
Raz, this GOTCHA is so strong, that people might have some trouble reading it. Maybe this is the way it should be.
Raz
The image can be refreshed/re-generated on click if the image generated with PNG-GOTCHA (or any other engine) is not to human readable, it’s up to you to use it or not. The most readable and a little week against ocr spammer geeks is the JPG-Tini Mini and PNG-phpBB3 8bit Grey engines.
Good luck.
Lesiu
Yes, I know that I have to click to refresh it. Raz, it’s really good plugin for WP, that’s for sure. I just wrote about troubles, because I had some. I think the best way to use it is just to implement it only on registeration page. If a human wants to register, he will succeed.
dqj
Hi -
I am a bit new to Wordpress, but I am a seasoned programmer and PHP hacker. I was sondering if your code can or will soon work within the Ajax sidebar login plugin? Using the mini-jpg there would be great!
Thankss.
Krystal
Hi There I have been using Raz for about 3 months on WP 2.2.2 without problems but recently the image box thingy has gone black so no one can read it!! I tried a fresh install same deal. Please help as this seriously affects my site.
Oh and to dqj - I use ’sidebar login’ with Raz-captcha and a custom login page as well and it (until now) works just fine!!
Raz
Hi Krystal,
Try another engine, I’m not sure what is going on, it should not generate black image unless modifications where done to the captcha generator, let me have a look at your blog, give me a link
.
Here is the latest beta build, not released yet do to lack of time (not all plans finished), give it a try and let me know how it works on your side.