How does userfrosting protects itself from bots registering new users?

[sotiris84]

I did some digging in the code, but I did not find what the script is doing to protect itself from bots submitting the registration form.

[lilfade]

register.php lines 150, 207

api/create_user.php lines 117, 128

Check these files / lines.

[sotiris84]

Great, thanks!

[alexweissman]

Yeah right now we're using the basic captcha system that originally came with Usercake. It's pretty weak though, as it could easily be circumvented with some basic OCR.

Two things we could do would be to:
A. Use a more rigorous captcha, such as reCAPTCHA.
B. Add a "honeypot" hidden field with a value that the registration code checks for tampering before creating the new account. See http://solutionfactor.net/blog/2014/02/01/honeypot-technique-fast-easy-spam-prevention/ for an example.

[sotiris84]

Yes, I was going to mention the hidden input field. It is working great for me in my contact form I have in my website. I also have a captcha that prints random lines making it more difficult for bots to read it (and humans of course). You can check my website if you like and I can also give some source code and links, although its super easy to implement. ( http://karagiorgis.info/#contact )

[alexweissman]

Ok, honeypot is added in latest push.