Anti-spam & reCAPTCHA
Protecting your site against spam registrations is an important part of running an event site. Some webservers have safeguards against spam registrations while others do not. This guide will cover what you can do — both within Event Espresso, as well as with the help of your web hosting provider — to make sure you are covered.
You can find more information about spam and methods to counteract it in our blog post – Protecting your events against spam.
ModSecurity
The best defense against spam (comment spam, spam form submissions, spam user registrations, and spam event registrations) is an Apache (and IIS, and nginx) module called mod_security. From the website:
ModSecurity™ is an open source, free web application firewall (WAF) Apache module… WAFs are deployed to establish an external security layer that increases security, detects and prevents attacks before they reach web applications. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with little or no changes to existing infrastructure.
ModSecurity is available and active on many webhosts without any configuration needed. On other hosts, you may need to enable it manually or contact your host to ask if they can enable it. DreamHost has set themselves apart from other webhosts by adding an easily-configurable toggle in your domain settings to enable Extra Web Security which turns on mod_security. If mod_security is not a toggle-able setting in your control panel, and it is not active on your site, contact your webhost and ask them to enable it.
reCAPTCHA
reCAPTCHA helps prevent automated abuse of your site (such as comment spam or bogus registrations) by using a CAPTCHA to ensure that only humans perform certain actions. You must sign up for a free reCAPTCHA account to use it with this plugin.
The reCAPTCHA settings in Event Espresso can be found in Registration Form –> Reg Form Settings. This page has the following options:
- Use reCAPTCHA (Yes / No) – allows you to require people registering to correctly enter the letters in the reCAPTCHA message to complete the registration
- Public Key – this unique key can be found by logging into your reCAPTCHA account and going to My Account –> My Sites and selecting your site
- Private Key – this unique key can be found by logging into your reCAPTCHA account and going to My Account –> My Sites and selecting your site
- Width – set the display size of the reCAPTCHA on the registration form
- Theme – choose the color theme of the reCAPTCHA form (Red, White, Blackglass, Clean)
- Language – select your website’s primary language
If you do not have an account on reCAPTCHA, go to google.com/recaptcha and click on the “Use reCAPTCHA on Your Site” link. To use reCAPTCHA, you will need to be signed into a Google account. Clicking Sign Up Now on the next page will ask you to log in if you aren’t already. Once you are signed in, you can specify the domain you are going to use reCAPTCHA on. You can also create a global reCAPTCHA key pair if you plan on using it on many different sites. This is somewhat less secure, and really only advisable if you are having problems with your domain-specific key pair. Click Create Key and you’ve got your key pair. Enter these into your reCAPTCHA settings in Event Espresso’s Reg Form Settings page and turn on reCAPTCHA.
WP User Integration
Another way of blocking access that doesn’t require reCAPTCHA is to have a member-only site. Require your users to register for your site before registering for events and make your events member-only with the WP User Integration add-on. This requires bots to not only spam-register for your site, but also spam-register for your event with the same username and password they used to create the spam user account. There are many plugins that can then be used to verify your users are human that do not use reCAPTCHA. Again, the best solution is to enable mod_security for the most protection.