
CAPTCHAing the moment with Forms

Occasionally, we come under attack.

For once, it’s not for our dress sense. Instead, it’s a malicious cyber-attack. This occurs a few times every year: a malevolent entity out there (in the form of a bot) finds a form on a Carleton website and bombards that form with multiple submissions. In the latest attack, in less than twelve hours, 76,000 submissions were made to one event sign-up form. We are a popular university, but we aren’t that popular. These spam attacks by bots are becoming much more frequent and we have to take them seriously.

Ways to fight spam

Thankfully, there is a very simple and effective solution. We can add a CAPTCHA field to a form. This is a small checkbox that the person completing the form must click on to prove they are human. If they are human, then they can proceed. 

The CAPTCHA field is a checkbox, asking if the user is human.

Great news! Unfortunately, it is not quite that simple. We have literally thousands of forms on the 700 websites we help manage and maintain at Carleton. For each website we need to turn on a special application, which is a three-step process for us. Then someone has to go in and add the CAPTCHA field in each and every form.

Yes, thousands of form edits are required. For this, we must mobilize you to add the CAPTCHA field to as many forms as possible.

How to solve the problem

There are a few steps to take to address the vulnerability in your forms using CAPTCHA.

Firstly, you can request we enable CAPTCHA – there are hundreds of sites and we have to go through a process with each site individually to enable CAPTCHA. Initially, therefore, we will only enable it on sites where an administrator is keen to get rolling and place CAPTCHA on their forms. To start the ball rolling, please request this from us with a list of all the websites you administer.

Secondly, you might find that there are several forms in the back end of your site. Some sites have 250 forms. Not all these forms are still required. Some are test forms built by you, your colleagues, or by Web Services. Others were used for a specific purpose and their day has come and gone. To save yourselves a lot of time you might wish to run an audit of these forms now, so that you don’t have to add CAPTCHA to forms that are no longer in use. Please read our tips on how to safely decide if a form can be deleted or switched off.

Lastly, you can add the CAPTCHA field. That is the easy part:

  1. In the back end of your site, click on Forms and then click on the form to which you wish to add the CAPTCHA.
  2. Once you are in the form editing screen, click on the panel on the right-hand side marked Advanced.
  3. Towards the bottom of the list of fields you should see CAPTCHA. Click on that. This will automatically add the field as the last field before the Submit button on your site*.
  4. Update the form.
  5. You can view the front end of your form to check that CAPTCHA is switched on.

That is it: rinse and repeat on all of your live forms. This will protect your forms from non-humans (until the machines become sentient and start to take over).


*If you add a CAPTCHA field to the form and it reads the following, then please request we switch on CAPTCHA for your site(s): 

To use the reCAPTCHA field you must do the following:

1 – Sign up for an API key pair for your site.

2 – Enter your reCAPTCHA site and secret keys in the reCAPTCHA Settings section of the Settings page