Winning Strategies for Online Success!

CAPTCHA and Other Form Security Options


In the previous post, we discussed options for discouraging spammers and black hat posts, such as replacing hyperlinks to email addresses with contact us forms and reviewing blog replies before setting them live. Out of this, a question was asked regarding the use of CAPTCHA and alternative methods for form security.

First, let’s explain CAPTCHA. The acronym stands for Completely Automated Public Turing Test To Tell Computers and Humans Apart. Basically, CAPTCHA is a program that protects websites by weeding out Internet bots, which are software applications that run automated tasks and troll the web looking for forms to exploit. There are many websites that offer free CAPTCHA scripts for various programming languages. The CAPTCHA most recognized can be found at Besides sight recognition they also offer voice recognition for your seeing impaired visitors, as well as an option for object recognition instead of character recognition.

I had the good fortune of attending a web accessibility training where the presenters suggested trying alternative methods to CAPTCHA. They mentioned that even with the sound option, blind and seeing impaired users accessing websites with screen readers had difficulties navigation forms. If you find that CAPTCHA is slowing down or stalling your users to the point that they leave without filling out your forms, then consider replacing CAPTCHA with back end programming.

Personally, the last time I bought performance tickets online, it took me three tries to satisfy the CAPTCHA portion of the form. I understand that large ticket agencies need extra protection due to the high volume of users and the security issues involved in credit card purchases. However, your forms can satisfy your security concerns without discouraging your users.

Here are two options for adding back end programming security that you or your web developer can implement.

Hidden Empty Form Field

This option requires knowledge of html and CSS.

Add a field to your form that must stay empty for your form to complete. Use display:none; in your CSS file to hide the field from your visual users so they do not enter content in that field. Add a note for your screen reader users, which is also hidden from visual users, to tip them off to leave the field empty. The idea here is that the bots will see the field and assume it needs content.

Try the example below. You can change the class names and the explanation text to suit your needs.

ol.form li.empty {display:none;}

<li class="empty"><label for="check">Leave this field empty.</label><input type="text" name="check" id="check" value="" /></li>


This option requires programming knowledge.

The bots typically send request to fill out forms remotely. Use HTTP_REFERER to check the website page that is sending the request to see that it matches your website URL. If it does not match or if it is empty, set your form to not complete and to empty all fields.

Here are samples for requesting the HTTP_REFERER.

Use the reply form below to tell us what solutions you have successfully implemented to discourage spammers and black hat posters.

Posted on January 23, 2013 | Permalink | Join email list

More WebTip Posts