Sorry to bubble this one to the top again. I am getting a ton of fake creations on a daily basis.

Mike521w and others,
Does anyone know if the module is still working? When I enable it, every request is shuffled to the 403 page.

Possibly I am doing something wrong with my utilization? I have added the MVC and it appears in System Extensions. I set the site and secret keys. For now, I set watched page to LOGN at .3.
On the LOGN page, I put the JS with the site key embedded, towards the end, but still within the </HTML> tag. In the login form, I put the hidden GoogleReCaptchaResponse line, right under the hidden Action LOGN line.
It is probably important to add that on the reCAPTCHA admin console, I am not seeing any hits when I try to login.

Tom

Hi,

Posting this for anyone else that is struggling with bots and fake form submissions. I have been using a random math equation for years and obviously they figured out a way around it. The number of submissions was getting to be a lot of work for us to sort through all day. All I did was remove the + sign in the form that is in html, replaced it with an image of a plus sign. Named it "minus.gif" and changed the alt to alt="-". That worked for me and instead of 20+ submissions an hour we have not received one fake submission.

Hope that helps anyone looking for something quick and simple.

Mike

Hi @Mike521w! Thank you for creating this module, I have been trying to get reCaptcha set up on my forms for a while now and this is the closest I've come.

I only dabble in development, but I'm trying to implement this on my ICSQ form on my LOGN page and I'm not getting it to work.

I have my API keys, set to reCaptcha v3. My form has the ID="ICSQ". Here is my code:

and in my form:
And then in the module I have it set to monitor ICSQ, and have played with lots of tolerances but I can't get it to let me pass through the form without a 403 no matter if I set to the tolerance as low as 0 or 0.01. I get a 403 no matter what.

I was also able to view the module code and can see where it sets the return page to 403 - I was thinking I'd like to set this to my 404 page instead. Is that a bad idea? Any assistance would be appreciate!

Thank you,
Sami

Hi @sidFeyDesigns, sorry for the delayed response, it's been a while since I logged in.

Your setup sounds good to me. I agree, if your customer looks at the product page for a while before adding to cart, then the token will expire. The solution would be to run the `grecaptcha.execute()` on form submit.

This should still work even if you're using ajax to submit the form, and the customer might re-submit the same form later. For example maybe something like:

I just wrote this off the top of my head, syntax etc may be wrong and I'm not sure about the setup for jQuery.ajax, I could have things reversed. But anyway that's a general idea

Mike521w I just stumbled upon this thread and was thinking I could try to use your module to help protect our cart from protecting our site fraudulent bot "carding" by trying to prevent them from even adding something to the cart.

Already have reCaptcha v3 set up and installed your module using ADPR in the action list and 0.3 as the tolerance level.

On the PROD page I added this inside the add to cart form:

And this directly after the form element:

It works great as long as the customer adds a product to the cart before the token expires which I believe is 2 minutes.

I would assume a fix for that would be to run the recaptcha function with on submit or on click.

But it gets tricky (for me at least). Since this form uses an ajax add to cart function I also need it to run the recaptcha function again so a new token is given on the next attempt to add the same product to the cart again.

I can send the ajax code privately since it will not let me post here.

Any help would be greatly appreciated.

Not opposed to hiring someone to help with this either.

We are seeing a massive spike in fake accounts on account creation page, and a salesforce form handler.. but only on one of our 9 miva stores. Very odd!

Well, yea...if you have that going on you'll need an Account Creation link, but that's rare.

I've appreciate your honesty to that you have always accustom us all to.

The only reason I can think of for creating an account without a purchase is for signed-in customer price groups related scenarios, or I'm I missing something something else?

Interesting call. And yes. Basically there is little value (IMO) to offer creating an account for people who are not ordering something. So, having a method (several themes have this built in) that asks to create a account during or after ordering makes sense.

Being that I now have a very similar problem, countless of fake affiliate accounts ...it's only a matter of time before they create fake customers accounts on our site, wouldn't a solution like "Phosphor Media Easy Account" address the issue?

Essentially speaking, they would have to buy something before they can create the account.

For a affiliate accounts one one have to come up with something different.

Hi William Davis - the module I wrote should be able to stop these from being created. The download links / details / instructions are all on this thread, let me know if you have trouble

Fake affiliate accounts started in 11/04/2019, averaging 3 accounts a day for months. Then is slowly increase to an average of 6 accounts a day for months, then 9, etc... Its now averaging 40 accounts a day -consuming bandwidth $.

No unusual Authorization Failures found during this period.

We just discovered someone is creating fake Affiliate accounts on our website, over 1,700!

1. Why, what do they gain?
2. Is there a way to determine IP address for those accounts?

We are already already taken the following measures for now:

1. Disable affiliate program option in Admin.
2. Disabled affiliate log-in page from ReadyTheme navigation set.
3. Disabled affiliate AFCL page. However, page is still being displayed. How would I stop from that page being displayed?

Any other suggestions?

Mike521w Thank you. I understand. When I find some time I think I'll give it a whirl. Appreciate your time.

aimcmc sorry for such a late response, I was having trouble posting a response to you a while back and finally gave up, and today I remembered to give it another shot.

Anyway, I understand the trouble! As far as finding developers, I think there's a Help Wanted section on this forum where you can make a post and people will respond if they can help you.

About where to put the Google javascript, basically you'd put that anywhere on the page that you're checking. So for example if you're checking the ICST page, you'd find the ICST page template in the User Interface section of your Miva admin, and add the code there, somewhere before the closing body tag.