Someone is creating new fake customers accounts

  • aimcmc
    replied
    Thank you Mike521w. Yes, I did see that. I have been through it. Your instructions are understandable and reasonable. Where I fail is this ...

    "add Google ReCaptcha javascript to your site"

    I understand the google part, not the site (miva) part (where and how to put it on miva). I've searched for examples, instructions, don't see it.

    Where can I find more instruction how to do that?

    Finally, where and how to find a developer if necessary? Personally I've been a developer for over 49 years... from Fortran, COBOL, C, Pascal, PHP, you name it, so I can still understand some things, but I'm now old and slow and don't have the energy ... so I need handholding in anything new, but I can comprehend when I can see it. That said, of course I value developers, but our budget is stretched, so I need to do what I can if I can.



  • Mike521w
    replied
    Hi aimcmc, not sure if you saw it but I have step-by-step instructions on the github page: https://github.com/MWScripts/Miva_GoogleReCaptcha

    It might still be easier for a developer to follow along.



  • aimcmc
    replied
    Mike521w so, so happy to hear from you. I've been trying to make sense of this thread and how to fix this problem but wasn't sure what's what and where exactly to go. I'll dig back and search for your messages. I appreciate your help. Will message again if I can't grab the concept. Thanks again. -Ron

    Followup....

    I looked back. Found your discussion, but honestly, not being a Miva developer, rather just a longtime user, it doesn't make a lot of sense to me. I wonder - 1) could someone provide a step-by-step instruction, text or video? I'd need from step one to the finished product. 2) if I'm eventually able to accomplish this, will future Miva upgrades break it and we'll have to redo any changes? 3) if this is an ongoing and horrid problem for all Miva users, why doesn't Miva corp make this fix for us? This, to me, seems to be a "must" fix, asap. Am I missing something? Is this not a fairly serious problem?

    I'll keep trying to figure out how to fix this, but more importantly we need to continue making sales rather than wasting time fixing problems that should not be our concern as a user. Miva?

    Followup 2...

    Looked again, a couple of times, wasting too much productive time -- I'm LOST, and don't have the time to figure this out. If Miva doesn't feel this is a problem, I guess we just let the fake users be created and ignore them.
    Last edited by aimcmc; 07-03-20, 02:12 PM. Reason: further followup



  • Mike521w
    replied
    aimcmc the Google ReCaptcha module I created has been working for the websites I manage with no problem. See earlier posts on this thread for details.



  • alphabet
    replied
    David's Cloudflare solution is easy to implement in under five minutes:

    Code:
    Firewall > Firewall Rules > Create Firewall Rule >

    Give Firewall Rule Name  e.g. Account Login JS Challenge

    Request Match
    > Select Field URI > Equals > e.g. /create-account.html

    Then Choose Action > JS Challenge
    First-time users will see a brief testing screen.



  • aimcmc
    replied
    Where are we at with this? We're getting slammed with fake registrations. Is there some convenient, effective solution to stop this?



  • ILoveHostasaurus
    replied
    It would be possible to add a recaptcha to that screen; this is not a built-in feature of the account login screen, so it would require adding some code to the page rather than a checkbox. Personally I'm not a big fan of that option because it could inconvenience some shoppers. The Cloudflare option, where you could apply the few-second JavaScript-based browser check to your account registration URL, would be preferable because there's no "click here to confirm you're a human", or "check which boxes contain traffic lights".



  • entrepre7
    replied
    Also have the Shadow theme and discovered hundreds of weird customer accounts tonight. The name looks like parts of encryption. No address. Is the new Miva 10 able to do something about this?



  • ILoveHostasaurus
    replied
    Just an additional thought for the thread. Cloudflare, even the $20/mo plan, allows you to create custom web application firewall rules and apply them to specific URIs. A very useful first step for sites that are being attacked with credential testing is the ability to place a JavaScript challenge in front of the customer login page alone; legit customers who click on it will see a 'testing your browser' screen for a few seconds, then the login page will appear like normal. Most bots cannot make it past that because they don't behave like real browsers, and then real shoppers don't have to deal with the captcha hassle. You can also dial up captcha as an option, without code changes on the site side.



  • Mike521w
    replied
    alphabet no problem, I'm glad it's helpful so far! : )



  • alphabet
    replied
    Just want to thank Mike521w for sharing his module code and answering all the questions. I haven't installed the module but I did appreciate reading the code and learning from it.

    CSRF tokens are an extra bit of validation that prevents cross site scripts from forging first party cookies. Yet, a sophisticated bot can penetrate CSRF. GoogleReCaptcha works but as you know needs to be validated on the server. Your module is the only and best solution.

    I know that you have invested a lot of time in this thread and it is sometimes a thankless job -- but THANK YOU!



  • Mike521w
    replied
    Hi lesliekirk, sorry for the slow response.

    I just tested the Recaptcha module on the LOGN page of one of the sites I manage and it worked with no problem. Can you show some code and/or screenshots of your setup? Just be sure to block out the site key and secret key if you screenshot the admin setup.

    For me the setup was:
    1. add google's script:
      (asdfasdf = my ReCaptcha v3 site key)
      Code:
      <script src="https://www.google.com/recaptcha/api.js?render=asdfasdf"></script>
      <script type="text/javascript">
          grecaptcha.ready(function() {
              grecaptcha.execute("asdfasdf", {action: 'AccountLogin'}).then(function(token) {
                  jQuery("#LoginForm input[name='GoogleReCaptchaResponse']").val(token);
              });
          });
      </script>
    2. add the form field to the form with id LoginForm:
      HTML Code:
      <input type="hidden" name="GoogleReCaptchaResponse" value="">
    3. In the module admin, my new settings were:
      Watched Action List: ICST,LOGN
      Tolerance Levels: 0.3,0.3
    Since the watched action list and tolerance levels are comma-separated, this means that I'm watching ICST and I want a value of 0.3, and I'm watching LOGN and I also want a value of 0.3.

    I was able to log in before and after adding ReCaptcha. For argument's sake I then changed the Tolerance Level setting to 0.3,5 - which means for LOGN I want Google's score to be 5, and that basically makes it impossible to validate since Google only returns a value between 0 - 1. As expected, on my next login attempt I got a 403 error.

    This was the first time I tested it with multiple actions being watched, so it looks good to me. Anyway, let me know what your setup was and I'll see if anything stands out to me.

    About the CSRF token, I think Miva support mentioned the same thing to me when I was discussing ReCaptcha with them on the ticket I opened when I was trying to stop the fake account creation. I don't know much about CSRF, but the response from ILoveHostasaurus on this thread doesn't seem to indicate that it has much to do with validating human vs bot. In my situation it did nothing to stop the fake accounts from being created on the site I was working on at the time. To be honest, I thought at the time that the Miva support reps were just kind of hoping that the CSRF token would do something that (from what I can tell) it's not intended to do.



  • lesliekirk
    replied
    Following up on this - I had to disable the module because when someone was trying to log into their account they were greeted with a blank screen. I obviously had it misconfigured. Before I even had a chance to disable the module the store owner had opened a support ticket (understandably so). In the email conversation with support I was asked why I was trying to implement reCaptcha on these submit forms and was given this recommendation:

    "there is a Customer CSRF Setting that you could try checking for to see if it is enabled in the admin under Menu > Customers > Settings tab: Require CSRF Token for Customer Actions. Once enabled, Miva will require this hidden input for all custom account changes (change password, update address, etc). It is recommended the CSRF_Token be added to customer account pages and enabled in the admin for added security. The template changes needed for this feature can be found here: https://www.miva.com/mm9.7_template_changes.html"

    Has anyone tried this?



  • Mike521w
    replied
    lesliekirk Google's docs for this suggest a few ways to verify the token, one of which is to place the token in a form field. From there it will be passed to the backend system when the form is submitted. Their documentation (https://developers.google.com/recaptcha/docs/verify) suggests naming the field "g-recaptcha-response".

    So when you submit the form, the backend system (in our case, the Miva module) looks for that field by name. But for some reason I had a problem with that when writing the module. I think it was the dashes, if I remember right - having a field name with dashes was a problem. So the module is coded to look for a field named "GoogleReCaptchaResponse" instead.

    So the front end code might look something like this:

    Code:
    <form method="post" action="example.com/mm5/merchant.mvc">
        <!-- hidden so the empty token field is not shown to the shopper -->
        <input type="hidden" name="GoogleReCaptchaResponse" value="">
        <!-- ... other form stuff here -->
    </form>
    <script src="https://www.google.com/recaptcha/api.js?render=_reCAPTCHA_site_key_"></script>
    <script>
        grecaptcha.ready(function() {
            grecaptcha.execute('_reCAPTCHA_site_key_', {action: 'homepage'}).then(function(token) {
               jQuery("input[name='GoogleReCaptchaResponse']").val(token);
            });
        });
    </script>
    (the system wouldn't let me post the script tags like normal so I changed them to [script])

    Now when the page loads, Google creates a token and sets that token as the value for the "GoogleReCaptchaResponse" field. That gets passed to Miva when the form is submitted, and the module reads it and sends it to Google for validation / score retrieval.

    Hope that makes sense, let me know.


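The server-side half of the flow Mike521w describes, as an added Python example (not the Miva module's own code): the token that arrives in the GoogleReCaptchaResponse field is posted to Google's siteverify endpoint, and the returned score is compared with a per-action tolerance parsed from settings like `ICST,LOGN` / `0.3,0.3`. The `fetch` hook and the stubbed Google replies are constructed so it runs offline; the optional `expected_action` check follows Google's verify docs and is not something the post says the module does.

```python
"""Server-side reCAPTCHA v3 check modelled on the thread's flow. Added example,
not the Miva module's code; names and the fetch hook are assumptions."""
import json
import urllib.parse
import urllib.request

# Google's documented verification endpoint
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def parse_tolerances(watched_actions, tolerance_levels):
    """Turn "ICST,LOGN" and "0.3,0.3" into {"ICST": 0.3, "LOGN": 0.3}."""
    actions = [a.strip() for a in watched_actions.split(",") if a.strip()]
    levels = [float(t) for t in tolerance_levels.split(",") if t.strip()]
    if len(actions) != len(levels):
        raise ValueError("watched actions and tolerance levels must pair up")
    return dict(zip(actions, levels))


def siteverify(secret, token, fetch=None):
    """POST the token to Google and return the parsed JSON reply.
    `fetch(params)` is an assumed hook so tests can stub the HTTP call."""
    params = {"secret": secret, "response": token}
    if fetch is not None:
        return fetch(params)
    body = urllib.parse.urlencode(params).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=5) as resp:
        return json.load(resp)


def check_request(action, token, secret, tolerances, expected_action=None, fetch=None):
    """Return (allowed, reason) for one Miva action such as LOGN or ICST.
    Actions not in the watched list are passed through untouched."""
    if action not in tolerances:
        return True, "action not watched"
    if not token:
        return False, "missing GoogleReCaptchaResponse token"
    reply = siteverify(secret, token, fetch=fetch)
    if not reply.get("success"):
        return False, "siteverify failed: " + ",".join(reply.get("error-codes", []))
    # Google's docs recommend checking the action the token was minted for
    if expected_action and reply.get("action") != expected_action:
        return False, "token was issued for action %r" % reply.get("action")
    score = float(reply.get("score", 0.0))
    # A tolerance above 1 (e.g. "0.3,5" in the thread) can never be met
    if score < tolerances[action]:
        return False, "score %.2f below tolerance %.2f -> 403" % (score, tolerances[action])
    return True, "score %.2f" % score
```

Wire `check_request` in before the action handler runs and answer 403 on a `False` result, which reproduces the behaviour Mike521w saw with the `0.3,5` setting.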

  • lesliekirk
    replied
    Thanks Mike521w, I'm stuck at "be sure to use 'GoogleReCaptchaResponse' as the name of the form field for the ReCaptcha token" in the instructions for your module.

