CloudFlare CAPTCHA blocks 90% organic traffic of millions of site around the world lost real traffic in Africa due to CAPTCHAs security feature. In countries like South Africa and Nigeria there is high computer literacy the majority don't have knowledge of CAPTCHAs. If the hit a page need that security feature they choose tom skip the page.
How do I turn the CloudFlare captcha (challenge page) off?
You can change the CloudFlare challenge page settings to "Essentially Off". The setting will only challenge the most threatening visitors to your site based on their threat score. To get to your security settings for your site, please go to:
I also not a fan of CAPTCHAs (you know, those squiggly bits of impossible to read text you have to fill out before you can do anything on some websites). I think all of us can relate to the experience of trying to register for a service or comment on a blog only to be stopped cold by an impossible CAPTCHA. Maybe you got it on the second or third try, but chances are you’ve also had occasions when you’ve bailed and decided it just wasn’t worth the effort. Today I want to convince you to never add a CAPTCHA to your site.
My biggest problem with CAPTCHAs is that they are so freaking annoying for users. They add an incredible amount of friction to the process — friction that you probably can’t afford. Sure, some CAPTCHA’s are better than others, but none are great. I understand you want to protect your site from spam and abuse, but are you ready to lose potential users over it? The trade off just isn’t worth it, especially if you are a startup!
One of the things I’ve noticed is that many people use CAPTCHAs when a simple non-intrusive spam-stopper would suffice. For example, say you have a blog and notice you are starting to get a large amount of spam comments. You decide to add a CAPTCHA to fix the problem. The thing is, you’re not big enough to be a victim of a targeted attack, you’re just getting generic spam bots. You don’t need a CAPTCHA.
It’s far easier to stop generic spam bots than a targeted attack. There are a lot of different techniques you can employ, but a simple option is to add an extra field with a tempting name like “email” to your form that is then hidden using CSS. Humans can’t see the field and as a result will never fill it out. Any request that comes in with the field completed can easily be eliminated as spam. The beauty of this is you have a pretty effective spam-stopper without ruining the user experience or adding any friction to the process. A simple technique like this is probably enough to stop the majority of spam bots.
But what if you really are big enough to be at the receiving end of a targeted attack? What if you’re Facebook or Google? They might not be fun, but aren’t CAPTCHAs a necessary evil? I don’t think so. CATCHAs still aren’t going to protect you. The bad news is that most CAPTCHA systems have already been cracked using OCR software making it trivial for your system to be compromised. For the rest, hackers have been known to set up sites that require you to enter a CAPTCHA in exchange for access to the adult content. What are you going to do to prevent that? Not to mention, there’s a booming business in India right now for breaking CAPTCHAs. The going rate is $2 per 1,000. Can you compete with that? If someone wants into your site, I’m sorry, but your annoying little CAPTCHA isn’t going to stop them.
Some people have taken more creative approaches to the CAPTCHA problem. Joe Stump tweeted the other day about one solution he discovered. You’ll see a lot of these around the web, often added by people who hate CAPTCHAs but haven’t stopped to think through the details. I remember seeing one approach that Hot or Not used that asked users to pick the 3 most attractive people out of 9 pictures. While these sort of solutions are more fun for users than a traditional CATPCHA, they are usually still pretty worthless at providing any real security. For example, with Hot or Not, the odds of a computer correctly guessing the 3 attractive people are 1 in 84. While those aren’t great odds for a human, they’re not bad for a computer — especially if you have a botnet at your disposal! Other approaches like the ones that ask you to do simple math or ask simple questions like “what is known as man’s best friend?” are vulnerable too. In most cases, all you’d need to do to crack the CAPTCHA is throw the question at Google and analyze the responses that come back. These systems are often also vulnerable by having a limited list of questions to ask so it doesn’t take long for a hacker to build up a dictionary of correct answers to feed to the bot.
reCAPTCHA from Google is another anti-bot alternative. They proudly talk about all the good they are doing by using the technology to help digitize books. But even reCAPTCHA can be broken with 23% accuracy and it’s just as frustrating for users as the other alternatives.
So where does that leave us? CAPTCHAs are annoying, you probably don’t need one and even if you did it could still be broken pretty easily.
A balanced approach would be to add some basic security to stop generic bots but get rid of the CATPCHA altogether. Instead, watch out for suspicious IP’s and monitor for nefarious behavior (like spam links being sent to multiple users, large # of requests from one IP, etc).
There are services like Ellipsis Human Presence that offer non-intrusive human behavior analytical modeling to attempt to identify non-human site traffic. They use other heuristics like how you navigate the site or how you move your mouse to detect whether you act human or not. I’m sure their detection system can be circumvented with enough effort, but they significantly increase the cost for bad actors without pissing off your actual guests.
We live in a world where spammers are a real problem and must be addressed, but CAPTCHAs are not the answer. You simply can not afford the friction. By using a CAPTCHA you are making the internet a whole lot less fun for all of us.
Spam Is Bad but Captchas Aren't Better Either
When the Web began to develop at rocket speed at the end of the last century, so did spam. Spam quickly turned into a nightmare for many sites and webmasters desperately sought a solution to the spam problem. Such a solution was offered quickly and it was called CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). The function of captchas was to stop spambots from doing their jobs.
As it turned out pretty soon, spambots (and their creators) aren't that stupid and they quickly figured out ways to outfox captchas. Nevertheless, captchas still manage to filter at least a portion of the spam a site is getting and this is why they are still in business.
However, this comes at a price. Captchas stop not only spambots but they are an obstacle to legit human visitors as well. What is worse, captchas stop only humans but search engine bots as well. If you have content that is accessible only after a captcha is entered correctly, it's quite obvious this content is out of reach for search engine spiders who even if they could, wouldn't bother with filling in captchas �?? they just move to the next site that is more welcoming.
In the worst case, the most annoying thing about captchas is that when they are not implemented properly, there is data loss. Consider the case when your captcha is next to illegible and/or when after the captchas is filled incorrectly, all the data on the form is wiped out and the mad user has to start from scratch. What do you think - how many of the users will bother to refill the form just to buy something from you, for example?
Captchas Hurt Conversions
Captchas are bad from usability point of view and as already mentioned, if they stop search engine spiders from indexing pages behind the captcha, they are bad for SEO as well. However, the real damage is done when you consider conversions. Captchas simply kill conversions and probably this is their worst disadvantage in terms of SEO.
Lost conversions matter more than spam. Spam might be irritating but it doesn't kill your business the way lack of conversions does. While the results vary from site to site, when captchas are on, this could decrease conversions big time. For instance, if you have a captcha on a newsletter signup form, this could cut your subscribers in half because many users won't even bother to try their luck with the captcha. If you have a captcha on a shopping site, this might spare you some fake orders but the number of frustrated customers will be times higher than this.
Basically, the more difficult and illegible the captcha, the higher the drop in conversions. If you don't believe it, experiment on your site with captchas with varying difficulty and take notes of the results.
Standard captchas that require the user to fill in letters and numbers are the most acceptable of all but they still are quite of a hurdle. Audio and video captchas are a real kill because they might require up to a minute of your users' time to listen to or watch and fill in. This is why it's hardly surprising that audio and video captchas are the ones with the highest give up rates.
Captcha Alternatives
Unfortunately, no matter how much technology advances, the real captcha alternatives are yet to be seen. This doesn't mean you are completely helpless against spam. Here are 3 captcha alternatives you might want to try:
- Use a less annoying captcha variation. Out of the numerous captcha variations, there are some that are more acceptable to users, for instance the variation where a user has to solve a simple math problem (like 3+4) and enter the result. This captcha variety eliminates the illegible letters that piss users most and if you use simple math problems all your users can solve, this might solve the captcha problem for you.
- Get Akismet, or other third-party anti-spam solutions. The next alternative you have is to use a dedicated anti-spam solution. The choice here is overwhelming and your options vary depending on what you need the spam filter for. One of the universal spam filters that is available for multiple platforms is Akismet, so if you haven't tried it so far, now is the time to do it.
- Apply the honeypot technique. The honeypot technique includes a field that is to be left empty by the user. This way it is supposed that humans won't fill the field, only robots who don't understand the instructions will. However, the honeypot technique is everything but fool-proof. Absent-minded or visually impaired users could fill the field and smarter robots could avoid it. These are the reasons why the honeypot technique is not that popular in practice.
Time to Get Rid of the Captcha?
As you see, captchas are bad but their alternatives aren't much of a solution either. Therefore, the only option you might have is to get rid of the captcha. In many cases this could be your best move?? i.e. if you don't get huge volumes of spam but captchas kill your conversions, then you'd better part with it. On the other hand, if you do get huge volumes of spam and the captcha isn't that much of a problem for your users, the answer is obvious -? leave the captcha. You just need to analyze your situation in particular and decide what works in your case and what doesn't.
Source: onlineaspect