Webxopt


Cybersecurity for Australian Small/Micro Business – Mobile, Part 1

October 7, 2022

Your First Line of Defence – Securing Your Mobile

Our first topic on securing your business may seem like an odd one; after all, mobile phones aren’t really your primary way of connecting to a work-related network. However, with all security it’s necessary to look at the potential weak points where your accounts can be broken into, and that is often your mobile phone.

To understand the importance of your phone, think about how you would recover a password from, say, your webmail account. Typically you would visit a website, say that your password is lost, and the webmail operator would often send you a text message with a link to set a new password. An attacker who had access to your phone or your text messages could simply request the same SMS reset and change your password; you would be locked out and they would have full access. From there, the world would be their oyster! They could reset email accounts and, from there, banking passwords, business accounts etc. All that just from access to your phone.

This section aims to provide details on how to secure your phone and ensure that the weakest link isn’t the device you are most likely to lose. 

Updating 

Really there are 2 choices for you when buying a phone, and that is iPhone or Android. The first thing to consider, even at this initial purchase stage, is whether it will be secure and for how long.

With the iPhone you have a safe bet that there will be security support well into the future. At the time of writing Apple has just updated a 5-year-old phone to the latest version of its operating system. That is well past the average length of time a phone is kept, so an iPhone is pretty safe. It’s also worth noting that security updates continue on iPhones even after that.

Android phones can be a bit of a mixed bag. Some of the major manufacturers are now guaranteeing 3 operating system updates, plus security updates during this time. Google guarantees OS and security updates for 3 years (Google, n.d.) on its latest Pixel phones, which to be honest isn’t that great when you consider Apple is doing twice that. Samsung now guarantee security updates for 4 years.

Samsung, Motorola and Nokia are generally pretty good for Android in that they offer similar guarantees to Google, but other manufacturers can be a bit spotty. We should also add here that all these manufacturers run customised versions of Android, so security updates might take a while to apply. 

Unfortunately you can see where this is heading! Really, if you want a phone that sees regular security updates over a prolonged period of time, the iPhone is an obvious choice for you. If you will happily change your phone after 2-3 years, the choice is much wider. You should probably avoid some of the less well known manufacturers even though they often seem to offer great value for money. It really isn’t worth the risk if security updates only last a year (yes, I’ve bought some of those myself).

I guess the other thing to mention is that once you see an update, particularly a security update, run it as soon as you can. The way an attacker looks at updates is that they can compare the before and after code, work out what the problem is, and use that to infect as many devices as possible in the window before the update is applied. If you update early, the risk is therefore much lower. Again, unfortunately, iOS has a big advantage over Android here. Apple updates are usually there and waiting the next day; Android updates can take weeks or months on non-Google devices.

Your PIN – how secure is it? 

Once you have settled on your phone, you will need to set up security. Most phones now have facial recognition, fingerprint sensors or both, and you should definitely set those up. However they also have a fallback to a PIN or pattern. Patterns are often guessable by looking at the smudges on the phone, and there are typical patterns that people use (https://arstechnica.com/information-technology/2015/08/new-data-uncovers-the-surprising-predictability-of-android-lock-patterns/), so they may not be as secure an option as you think.

PIN codes are also problematic because a 4 or 6 number PIN is just not long enough to guarantee security and again typical PINs are common (https://www.datagenetics.com/blog/september32012/index.html). You can see from this list that common PINs are single digits, easy to type sequences, birthdates etc. All sadly very guessable. In fact this was one of the things I had to change when initially writing this article. Although my PIN certainly wasn’t in the top 20, or even the top 100, it was definitely in the top 1000. The long and the short of it is that if you have a PIN code, it probably isn’t that secure. If you have one of the below, change it immediately!

Rank  PIN   Frequency    Rank  PIN   Frequency
#1    1234  10.713%      #11   9999  0.451%
#2    1111  6.016%       #12   3333  0.419%
#3    0000  1.881%       #13   5555  0.395%
#4    1212  1.197%       #14   6666  0.391%
#5    7777  0.745%       #15   1122  0.366%
#6    1004  0.616%       #16   1313  0.304%
#7    2000  0.613%       #17   8888  0.303%
#8    4444  0.526%       #18   4321  0.293%
#9    2222  0.516%       #19   2001  0.290%
#10   6969  0.512%       #20   1010  0.285%

Many phones have a setting to wipe the phone after 10 unsuccessful passcode attempts. That seems like a secure option, but as you can see from the above, a lot of people’s PINs are very guessable, and there are techniques available that interrupt the reporting back of the unsuccessful attempt (Cellebrite, n.d.). Essentially that means infinite attempts in an automated system that can guess multiple times a second. The result is cracking a PIN in “no more than 13 minutes for a 4-digit passcode, 22 hours for 6 digits, and 92 days for 8 digits. The default length prompted by iOS is 6 digits.” (World Socialist Website, 2020).

When thinking about our PINs we are really going back to the early days of smartphones, when we all tended to use short PINs because that was all that was available, and you had to enter it multiple times a day to unlock your phone. However, in a world of facial recognition and fingerprint sensors, that is no longer the case. To make your phone far more secure, swap your PIN for a password and make it reasonably long, maybe a short sentence with capitals and numbers. That will make your phone almost impossible to crack within a reasonable lifetime, even with advanced forensic software like Cellebrite.
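To see why the quoted figures scale the way they do, here is an added worked example (my code for this page, not part of the original article or any of the products it mentions). It checks an unlock code against the top-20 PIN list from the table above and estimates the worst-case time to try every code at a steady guess rate. That rate is an assumption derived from the quote’s “13 minutes for a 4-digit passcode”, and the 62-symbol alphabet assumed for an alphanumeric code is also an assumption; the point is to show that 6- and 8-digit figures in the quote follow from the same rate, and what a longer alphanumeric code does to it.

```python
"""Added example (not from the article): checks an unlock code against the
top-20 PIN list quoted above and estimates exhaustive-search time at the guess
rate implied by the quoted "13 minutes for a 4-digit passcode" figure."""

# Top 20 four-digit PINs from the table above (DataGenetics, 2012).
COMMON_PINS = {
    "1234", "1111", "0000", "1212", "7777", "1004", "2000", "4444", "2222", "6969",
    "9999", "3333", "5555", "6666", "1122", "1313", "8888", "4321", "2001", "1010",
}

# Assumption: a steady guess rate, derived from 10**4 guesses in 13 minutes.
IMPLIED_GUESSES_PER_SECOND = 10**4 / (13 * 60)   # roughly 12.8 guesses/second

DIGITS = 10          # numeric passcode alphabet
ALPHANUMERIC = 62    # a-z, A-Z, 0-9: assumed alphabet for a "custom alphanumeric code"


def is_common_pin(code: str) -> bool:
    """True if the code is in the published top-20 list."""
    return code in COMMON_PINS


def looks_weak(code: str) -> bool:
    """Heuristics from the article's description of common PINs: in the top-20
    list, a single repeated digit, or a straight run such as 5678 or 8765."""
    if code in COMMON_PINS:
        return True
    if len(set(code)) == 1:
        return True
    if code.isdigit() and len(code) > 1:
        steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct codes of this length over this alphabet."""
    return alphabet_size ** length


def worst_case_seconds(length: int, alphabet_size: int,
                       rate: float = IMPLIED_GUESSES_PER_SECOND) -> float:
    """Seconds to try every code (the "no more than" figure in the quote)."""
    return keyspace(length, alphabet_size) / rate


def describe(seconds: float) -> str:
    """Coarse, human-readable duration."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.0f} seconds"


if __name__ == "__main__":
    for code in ("1234", "5678", "8362"):
        verdict = "weak" if looks_weak(code) else "not in the obvious-guess set"
        print(f"{code}: {verdict}")
    for length, alphabet in ((4, DIGITS), (6, DIGITS), (8, DIGITS), (12, ALPHANUMERIC)):
        print(f"{length} symbols from an alphabet of {alphabet}: worst case "
              f"{describe(worst_case_seconds(length, alphabet))}")
```

Run as a script it prints 13.0 minutes, about 21.7 hours and about 90 days for 4, 6 and 8 digits, matching the quote to within rounding, and a figure in the trillions of years for a 12-character alphanumeric code at the same rate. Note that `looks_weak` only catches the patterns the article describes; a PIN it passes is not thereby strong, it is just not an obvious guess.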

The way to do this with an iPhone is simple, when you know how, but weirdly well hidden.

  • Go to Settings, then do one of the following: –
    • On an iPhone with Face ID: Tap “Face ID & Passcode”
    • On an iPhone with a home button: Tap “Touch ID and Passcode”
  • Tap “Turn Passcode On” or “Change Passcode”
  • After you have added in your old passcode, you will probably see the typical iOS 6 digit PIN and number pad at the bottom (see image 1)
  • Tap the “Passcode Options” and you should see the options as shown in image 2
  • Tap the Custom Alphanumeric Code option and type in your new password.
  • While you are in this area, check to make sure you have “Erase Data” switched on, so that 10 failed attempts at your passcode will erase your phone data.
Image 1 – Changing the Passcode type to a Password not a PIN
Image 2 – Select the Alphanumeric option for a password

Having lived the “Alphanumeric” life for the past 6 months or so, I can tell you that you hardly notice the difference. For the vast majority of the time Face ID or Touch ID do the unlocking, and you only ever need to enter your password very occasionally.

I should note here that there is strong integration between an iPhone and an Apple Watch, so you should similarly strengthen your Apple Watch security. That is a more painful experience, so you might like to take the alternate approach of switching off mobile network coverage, so that if your watch is lost, it’s hopefully out of range of your phone and can’t receive reset text messages. Alternatively, just buy the cheaper Apple Watch!

On Android the change from a PIN to a password is more obvious. Note, though, that depending on the version of Android and the phone you have, this procedure may be different.

  • Go to settings, then tap “Security and Location”
  • In the Device Security section tap “Screen Lock”
  • Enter your existing PIN and you should be taken to a “Choose screen lock” menu
  • Tap Password
  • Agree that this password should also be used for Secure start-up, then set your password.

Why is this so important? Well the fallback security method in all cases is that PIN, so if you have set your bank, password manager or authenticator app to use say Face ID and your camera is covered, it will ask for your PIN instead, so an easy-to-guess PIN opens up every app you want to keep secure on your phone. 

Restrict Access to Messages 

Another convenience that is also a security issue is that ecosystems such as iOS often let you access messages from other devices. So it’s important to make sure that you have similar PIN/password security on those other devices, or, if that’s too much of a problem (say it’s your child’s iPad), check your iPhone settings to make sure verification messages only appear on your device: –

  • In iOS go to Settings then scroll down and tap Messages.
  • Tap “Text Message Forwarding”
  • You should see a similar screen to the below (image 3). Make sure all of these are off and your recovery messages will only appear on your phone.
  • While you are here, go to Settings, Phone and make sure “Calls on Other Devices” is off so that recovery calls can’t be picked up on other devices.
  • Lastly, and this one can be a bit of an inconvenience, you need to make sure messages that may reset accounts aren’t visible via a notification when the screen is locked. To do that go to
    • Settings
    • Notifications
    • Scroll to Messages
    • Scroll down to Lock Screen Appearance and make sure Shows Previews is set to “When Unlocked”. You still get a notification that you have received something, but you can’t read exactly what it is until the phone is unlocked.

Password Managers – an essential tool 

Ok, so I am going to say the unthinkable. I would rather change browsers than change my password manager. I really think that much of them. What do they do? It’s really all in the name, they allow you to: – 

  • Store all your passwords in one location. 
  • Have access to your passwords in a way that you only ever have to remember the password to your password manager. 
  • Set long, strong and non-repeating passwords easily for any site. 

Most people not using password managers choose a potentially insecure method of setting passwords. They either have a standard password they use on almost everything, or they have a technique that uses a standard password part plus something customised to the site. For example on Google they might choose the password “MyPasswordOnGoogle”.

Both of these methods of choosing passwords are fundamentally flawed if ANY site you use is compromised. If you use a standard password and it becomes known, it’s very likely attackers will try that password on other sites. Even worse, if the email associated with the account is, say, a Gmail account, they will likely try the password there too. Once you lose control of your email, all bets are off, as they will be able to reset bank passwords and more using your email as verification. A password technique that includes the site name suffers from the same issue, since the pattern is obvious once one password leaks.

These days you are very likely to have your email address on 2 or 3 sites that have been compromised, so you can see how important it is not to duplicate passwords. Don’t think it is only small sites that get compromised either. Yahoo, Adobe, Optus and many other large corporations have been compromised. Recently, T-Mobile in the US had a data breach affecting 50 million customers (CSO Online, 2021). This included names, dates of birth, emails, phone numbers, social security numbers, driver licence numbers etc. The Optus hack currently in the news is very similar. In other words, everything needed for identity theft and to apply for credit elsewhere. If you have the same password on that account as you have used elsewhere, you can be sure there will be compromise attempts on other accounts you own too. Don’t think large companies are any more secure than smaller ones when it comes to protecting your data; they may have more procedures in place, but as we know, they are bigger targets, and all companies can make mistakes and leave account details exposed.

Password managers are a great solution to the problem of password management, and now have some add-on features such as: –

  • Automatic generation of long, strong passwords
  • Phishing protection, as a password manager won’t be fooled by the lookalike domains often used to get you to log in to a fake site so that your password details can be stolen
  • Automatic password completion on a site
  • Secure note storage
  • Secure file storage
  • Secure password sharing
  • Security alerts on compromised accounts

As a business, secure password sharing is a great feature. It allows you to give others access to sites, without giving them the password. These features can come at a cost, but it is generally small and well worth it. 

Recommended password managers include: – 

  • Lastpass 
  • 1password 
  • Dashlane 
  • Bitwarden
  • Apple’s keychain – which is now available cross platform as long as you are a Chrome user (Apple, n.d.)

There are now moves to create a passwordless login system based on your mobile phone. This will help significantly with password management, as essentially you won’t need to have passwords to manage. This will take time to roll out, but in the meantime, get a password manager, they are one of the few things that both increase your security and convenience.

Account Data Breach Checking 

One of the features of many password managers is that they check the dark web to make sure that your account hasn’t been involved in a data breach. Lastpass include this feature in their Security Dashboard, Dark web monitoring section as an example. What they will do is look at all the email in your account and check to see if they have been involved in any known data breaches. They actually check email against the “have I been pwned” site (have I been pwned, n.d.) databases. 

Have I been pwned is a site that has been around a long time and is maintained by Troy Hunt (a Gold Coast resident). As good as the email checks through a password manager are, as a business it’s a good idea to know more about the business domain, and that is where the “have I been pwned” site has some great features. The Domain search (https://haveibeenpwned.com/DomainSearch) feature is invaluable for business. You add your business domain name and your email address, and the site will then monitor your domain and let you know if any email address in that domain has appeared in a breach. Even better, this is a free feature on the site.

If you do see a notification email from the have I been pwned site, it’s very important to jump on it quickly and either change the password for the site you have been warned about, or delete your account on that site if you are no longer using it.
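The password manager and domain checks above both rely on the Have I Been Pwned databases. As an added example (my code for this page, not the article’s, LastPass’s or Troy Hunt’s), here is the mechanism the same site uses for its Pwned Passwords lookup, which goes a little beyond the email checks described above: only the first five characters of the password’s SHA-1 hash are sent, so the service never learns the password being checked. The `https://api.pwnedpasswords.com/range/` endpoint and the `SUFFIX:COUNT` response format are the real ones; the response body and counts in `CONSTRUCTED_RESPONSES` and the `fake_fetch_range` function are constructed so the example runs offline.

```python
"""Added example, not from the article, LastPass or the Have I Been Pwned
project: the k-anonymity range lookup used by HIBP's Pwned Passwords service,
run here against a constructed response so it works offline."""
import hashlib
from typing import Callable, Dict, Tuple

# Real endpoint; only used by live_fetch_range(), which the offline demo does not call.
RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """Only the first five hex characters leave the device; the other 35 stay
    local, so the service cannot tell which full hash was being checked."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """The range response is one 'SUFFIX:COUNT' line per known hash with that prefix."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in breach data (0 = not found)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the service: a response for prefix 5BAA6, which is
# the prefix of SHA-1("password").  The other suffixes and every count are made up.
CONSTRUCTED_RESPONSES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "FFF0A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D:1",
    ]),
}


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for the HTTP call; unknown prefixes get an empty body."""
    return CONSTRUCTED_RESPONSES.get(prefix.upper(), "")


def live_fetch_range(prefix: str) -> str:
    """Real lookup (network required; not used by the offline demo below)."""
    import urllib.request
    with urllib.request.urlopen(RANGE_ENDPOINT + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, fake_fetch_range)
        print(f"{pw!r}: {'seen ' + str(n) + ' times, change it' if n else 'not in the sample data'}")
```

Swap `fake_fetch_range` for `live_fetch_range` to query the real service; either way the full hash and the password never leave the machine, which is what makes this safe to build into a check that runs over a whole password vault.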

Securing Your Mobile Part 2!

At this point I’m realising that this article is pretty long and we still need to cover SIM Jacking, Authentication Apps and Security Keys. That means a part 2 next week!

Summary

A quick summary of the above: –

  • Update your phone as soon as updates are available
  • PINs are the fallback method of identification and are not secure enough. Change your PIN for a password. With face and fingerprint security taking over most of the time it’s only a slight inconvenience for a massive bump in security
  • Limit access to text messages that may include reset codes for accounts
  • Get yourself a password manager, one of the few devices that make security more convenient
  • Check your domain for compromised accounts using https://haveibeenpwned.com/DomainSearch
  • Read next week’s article on SIM Jacking, Authentication and Security Keys! I had to add that one!

Filed Under: Articles, Cybersecurity for Small Business

Cybersecurity for Australian Small/Micro Business – Introduction

September 29, 2022

Recommendations to reduce the risk of ransomware in your business

Cybersecurity - Intro

With the Ukraine conflict increasing the risk of a cyber war, and the Optus hack on everybody’s mind, we are constantly being told to improve the cybersecurity of our businesses, but as a small or micro business, how do you do that?

Work with me every week as I run through some of the basics of cybersecurity, through Australia’s Essential security recommendations and into some of the more advanced cybersecurity recommendations from NIST in the US.

So, who are these recommendations for? Small business, and when I say small, I actually mean small! If you have a team of 50 and IT department staff, these recommendations aren’t for you as we will not be covering centralised management. If you are in this larger category, I would recommend hiring a security consultant. However, if you have a team of 1-8, such that computers are individually managed, that’s where this newsletter will help.

We will cover: –

  • Mobile phone security
  • Network devices
  • Personal Computers
  • Websites and Hosting
  • Centralised information management
  • Others – password management, updating, training, testing, physical security etc

Every week, I will look at a topic and show settings, and sometimes recommend software or equipment that will help you stay protected. How do I know what to look at? I’m a micro business just like you, and have a long-time interest in cybersecurity. I have just finished a Graduate certificate in Cybersecurity at Griffith University on the Gold Coast, where my final assignment was looking at small business cybersecurity.

At this point you probably are thinking, “so what is he going to gain from this”? Well, this isn’t marketing, you won’t go on any spammy lists and after you are finished, your contact details will be deleted from my system. The only thing I am hoping for is your participation and the benefit of your experience in your network. My aim is to learn from you, as much as I hope you will learn from me.

Each week, I will post about securing your system in easily manageable chunks. If you follow along making the changes I recommend, you will dramatically improve the security of your devices and network. I will also post the same content in a newsletter you can subscribe to at any time. This will send the content weekly too, so if you want the content delivered to your inbox so you can start when you want, that’s a good way to go.

The first post will be on your mobile phone, and will go live next week. This seems like an odd place to start, but it is a very important first step. If all your password recovery can be sent to your phone and your phone is compromised, that means an attacker in possession of your phone can reset… well, everything. So let’s start at the start and look at our phone security, from Face ID, passkeys and fingerprint detection to SIM jacking.

Posts will be available on: –

https://www.webxopt.com/category/cybersecurity-for-small-business/

LinkedIn – Simon Griffiths

or subscribe to our newsletter using the form below to get the latest post delivered to you (note that you will not go on any marketing lists when you do this and you can fully delete your information at any time).


Filed Under: Articles, Cybersecurity for Small Business

Load Page Data into Gravity Forms

June 26, 2021

One of the things I’ve always wanted to do was to be able to load data from a page into a Gravity Form so that instead of having to make multiple forms, you can have one form and just load content from the page. That makes both the form and consolidating data far simpler.

The type of forms this is good for include enquiry forms where there are lots of products on a page and perhaps accessories too. In the case I was looking at, the site had over 100 product groups, each with multiple products and accessory ranges. In the past, we had used separate forms for the popular products and loaded them in a modal box after clicking an icon in the product table: –

This obviously meant that each form had to be individual and created with all the products and accessories. That’s a lot of work to both create and manage.

The new approach is a single Gravity Form that dynamically loads in both the product and the accessories, so the form is less complex and a single form can cover all products.

NOTE: Before you go any further, this will not work well if your product needs conditional logic to say match an accessory with the product. Once you start adding in conditional logic like that, the form starts to get very confusing, very quickly. Instead if you do need to do that you can clone the form and add your conditional logic to the new form only.

The particular site I was looking at used 2 approaches to collect the data needed for the form. One method was to just read the data from the page using jQuery; the other method extracted the accessories from a variable in PHP. For a standard WordPress installation, the first method is probably what you would want to go with. The second method was just easier!

Read Gravity Forms Article

The place to start is reading Gravity Forms article on this subject as https://docs.gravityforms.com/using-dynamic-population/ and https://docs.gravityforms.com/gform_pre_render/.

The first technique we are going to use just simply extracts the part number from the table line that has been clicked and therefore only uses the first of those Gravity Forms posts.

Extracting Page Data From Clicked Line

Step 1

Firstly I need to set the scene of this particular application. The product tables are stored in tablepress and in this case the form opening is initiated using a fancybox modal box. Therefore in a table similar to the above, in the theme page template, we would have a link in the table cell such as: –

<a href="#fancyboxID-3" class="fancybox table-enquiry-buttons"></a>

So in the above, we are linking to fancyboxID-3, which is added into the page, and the classes add the button background image etc. The fancyboxID-3 element is further down the page and is something like:

	<div style="display:none" class="fancybox-hidden">
		<div id="fancyboxID-3" class="hentry" style="width: 680px; max-width: 100%;">
			<h2>Product Enquiry</h2>	
			<?php gravity_form(32,false,false,false,'',true,80); ?>
		</div>
	</div>

You can see that the first div hides this form, the second div sets the id and some dimensions and the form is added using php.

I used this method mostly because this was the method we were using anyway, but note the important point, the form loads AFTER the click on the page. I am not sure how this would work if the form loads before the click.

Step 2

Once you have your form set up on the page and have built your form in Gravity Forms, the important thing to do is on the field where you want your page-loaded-data to show, you need to enable dynamic population. You do this by selecting the field, then in the sidebar, Advanced section, check “Allow Field to be Populated Dynamically”, then add your parameter name, which you can select. In my case I have called it “part_number”.

Step 3

So you are now all set up for some jQuery. There are various ways to add jQuery, or JavaScript in general, to the page. These include via a custom plugin or via JavaScript being loaded into the page elsewhere. I’m not going to cover enqueuing scripts here, but there are plenty of articles on how to do this.

In my case I actually had a few scripts already enqueued on this page, so I added my jQuery code to that.

The code to add is as follows: –

// This section adds the part number clicked on into the enquiry form
// Get part number from product table row click
jQuery('table.product tr').click(function() {
  var partno = jQuery(this).children('td:first-child').text();
  jQuery('#input_32_29').val(partno);
}); 

To Change

The first line of the code detects the click in the table row (note the form only shows on clicking the enquiry icon). In my case the table has a class of product, hence “table.product tr”; if you have other classes on your table, you can change that accordingly.

The second line of code sets the text you are going to extract from the line. In my case it’s the first table cell, so hence “td:first-child”.

Lastly the third line: the “#input_32_29” is the cell id of my particular form. You get this from the form number (first number) and the cell number (second number) in Gravity Forms. You will need to change those to your particular form and cell number.

Note that you don’t seem to need to have the same value that you specified in Gravity forms as your parameter name. In my case I just have partno.

After these steps your form should automatically load the part number from the table line you clicked on.


Extracting Data from a variable in WordPress

This next section is a bit more complicated! We are going to extract data from an array in PHP and populate a multiselect field (you could use checkboxes instead) with any accessories that are listed, by displaying this variable on the page. This relates more to the second Gravity Forms article above.

Note that this is populated into the form as the page is built, so doesn’t require settings in Gravity Forms itself. Note that this code is in the theme template file.

// Start of section to add accessories to the intable non-specific form
add_filter( 'gform_pre_render_32', 'populate_accessories' );
add_filter( 'gform_pre_validation_32', 'populate_accessories' );
add_filter( 'gform_pre_submission_filter_32', 'populate_accessories' );
add_filter( 'gform_admin_pre_render_32', 'populate_accessories' );

function populate_accessories( $form ) {
	foreach ( $form['fields'] as &$field ) {
		// Only act on the multiselect field tagged with the CSS class "populate-accessories"
		if ( $field->type != 'multiselect' || strpos( (string) $field->cssClass, 'populate-accessories' ) === false ) {
			continue;
		}

		global $tab_4_content1;
		$choices     = array();
		$accextracts = array();

		// Pull each <li> out of the accessories HTML held in $tab_4_content1.
		// loadHTML() warns on an empty string, so guard it, and silence the
		// libxml notices a bare fragment (no <html>/<body>) otherwise produces.
		if ( ! empty( $tab_4_content1 ) ) {
			$dom      = new DOMDocument;
			$previous = libxml_use_internal_errors( true );
			$dom->loadHTML( $tab_4_content1 );
			libxml_clear_errors();
			libxml_use_internal_errors( $previous );
			foreach ( $dom->getElementsByTagName( 'li' ) as $node ) {
				$accextracts[] = $dom->saveHTML( $node );
			}
		}

		// No accessories on this page: hide the field rather than show an empty list
		if ( empty( $accextracts ) ) {
			echo "<style>li#field_32_30{display:none !important;}</style>";
		}

		// Create the array from the line items in here. Save them into $choices created above
		foreach ( $accextracts as $accextract ) {
			$final     = strip_tags( $accextract );
			$choices[] = array(
				'text'  => $final,
				'value' => $final,
			);
		}

		// update 'Select a Post' to whatever you'd like the instructive option to be
		$field->placeholder = 'Optional Accessories';
		$field->choices     = $choices;
	}
	return $form;
}
// End of section to add accessories to the intable non-specific form

I can’t pretend to follow all this code; however, the following needs changing for your installation: –

add_filter( 'gform_pre_render_32', 'populate_accessories' );
add_filter( 'gform_pre_validation_32', 'populate_accessories' );
add_filter( 'gform_pre_submission_filter_32', 'populate_accessories' );
add_filter( 'gform_admin_pre_render_32', 'populate_accessories' );

This section includes the Gravity Forms ID. In my case this was 32, but you will need to add your form in.

if ( $field->type != 'multiselect' || strpos( $field->cssClass, 'populate-accessories' ) === false ) {
	continue;
}

This section identifies the field you are going to populate in the form. In my case it’s the multiselect field. NOTE that you need to pick a field type that isn’t used elsewhere on the form, otherwise it will fill all multiselects on the form and you’ll need to find another way to identify it. Essentially this code is saying: run the rest only for that multiselect field.

global $tab_4_content1;
$choices = array();
$accextracts = array();

$dom = new DOMDocument;
$dom->loadHTML($tab_4_content1);
foreach($dom->getElementsByTagName('li') as $node)
{
	$accextracts[] = $dom->saveHTML($node);
}

if (empty($accextracts)) {
	echo "<style>li#field_32_30{display:none !important;}</style>";
}

// Create the array from the line items in here. Save them into $choices created above
foreach ($accextracts as $accextract) {
	$final = strip_tags($accextract);
	$choices[] = array(
		'text' => $final,
		'value' => $final
	);
}

In this section we are extracting the $tab_4_content1 variable already loaded into php. In this case this contains an unordered list of the product accessories. You can see in this section I am extracting these elements. This may not be appropriate to your variable so I won’t go into that here.

// update 'Select a Post' to whatever you'd like the instructive option to be
$field->placeholder = 'Optional Accessories';
$field->choices = $choices;
	}
	return $form;
}

This last section updates the placeholder etc and returns the form.

Result

You can see the result at https://www.brenclosures.com.au/products/ausrack-txd/. Click on the orange enquiry icons in the table to load the form. You will see that the product number of the line you click on is loaded as the Enclosure Selection and Accessories Available is filled with the accessories available in the accessories section on the page.

Note not all of the forms on this site use this system.

Filed Under: Uncategorized

Replacing reCAPTCHA in Gravity Forms

August 15, 2020

UPDATE 2: If you are a fan of hCAPTCHA, and why wouldn’t you be, I have a much easier solution. Rather than Gravity Forms, try the also excellent Forminator from WPMU (https://wordpress.org/plugins/forminator/). I have the Pro version on a couple of sites and that has an hCAPTCHA setting alongside reCAPTCHA.

Nice one WPMU – We salute you for offering a non-tracking alternative! It’s also a pretty nice alternative to Gravity Forms!


UPDATE: The G-Forms hCaptcha seemed to stop working on my site. There were no settings showing and the Gravity Forms system wasn’t showing hCAPTCHA. To make things worse it also disappeared from my site. For the moment I’ve had to suck it up and go back to the big bad CAPTCHA.

If you are having trouble with reCAPTCHA you are not the only one. I have multiple sites using reCAPTCHA in Gravity Forms where the reCAPTCHA code loads multiple times for reasons best known to Google.

I have asked Gravity Forms to look at this and their answer is always that they have no control over what Google is doing, but as you can see from the below, a single form with reCAPTCHA can add significantly to a sites downloads: –

Note that this is a single form and recaptcha_en.js is loading 4 times.

If this was one site having this problem I’d think it was the site, but I see it on multiple different systems and different sites.

Alternatives to reCAPTCHA

In Gravity Forms the main alternative would be Really Simple CAPTCHA. I like this system because it’s lightweight and easy for users. However, I have found 2 issues. These are: –

  1. It can have issues with caching that prevent the code image from showing, so the form can’t be completed. I don’t see this a lot, but occasionally it can be a problem.
  2. It seems to be stopping less and less spam. I’ve now started to see a lot of spam arriving from these forms. Not so much that it’s likely to be bots, but enough that I think the codes are becoming too easy to guess.

The latest alternative is hCAPTCHA. This came to my attention after I heard that Cloudflare had started to use it. So what is hCAPTCHA? Essentially it’s like reCAPTCHAv2, but with better privacy and customisable CAPTCHA subjects.

In your form it appears as a checkbox asking you to confirm that you are human. When you tick it, you get a grid of images to pick from, similar to reCAPTCHAv2.

You can see this working on my site’s contact form.

I have tested for downloads and this is what I found: –

  • reCAPTCHA – 0.172MB, but may load multiple times for no obvious reason.
  • hCAPTCHA – 0.25MB, and loads that size once for every form you have on the page.

Note that although neither of these has a huge effect on the DOM load time, the weird thing is that Google might well punish you for a large page size caused by their own poor product!

What this means is that if you have multiple forms on a page, I would think seriously before using either of these systems over Really Simple CAPTCHA, but for a single form, the fact that hCAPTCHA’s download size is consistent puts it way ahead of reCAPTCHA.
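If you want to reproduce the download figures above on your own pages rather than reading them off the Network tab by hand, the following script (an added example, not code from this post) counts how many times each CAPTCHA provider’s scripts are fetched during a page load and what they cost in decoded bytes, working from a HAR export of the page. The sample HAR embedded in it is constructed to mirror the single-form, four-loads case; its URLs and sizes, and the captcha_loads and duplicate_loads helpers, are this example’s own, not measurements.

```python
"""Count CAPTCHA script loads and their download size from a browser HAR export.

Added example, not code from the post. Open the page, save the Network tab as a
HAR file (Chrome/Firefox: right-click the request list, "Save all as HAR"), then
run:  python captcha_loads.py page.har
SAMPLE_HAR below is constructed so the script also runs offline; its sizes are
illustrative, not measurements.
"""
import json
import re
import sys
from collections import defaultdict

# Scripts served by each CAPTCHA provider are matched on the URL (case-insensitive).
CAPTCHA_PATTERNS = {
    "reCAPTCHA": re.compile(r"recaptcha", re.IGNORECASE),
    "hCAPTCHA": re.compile(r"hcaptcha", re.IGNORECASE),
}

# Constructed HAR 1.2 excerpt: one page with a single form where the reCAPTCHA
# language bundle is fetched four times (the symptom in the post) and the
# hCAPTCHA api.js is fetched once. Hypothetical URLs and sizes.
RECAPTCHA_JS = "https://www.gstatic.com/recaptcha/releases/abc123/recaptcha__en.js"
HCAPTCHA_JS = "https://js.hcaptcha.com/1/api.js"


def _entry(url, mime, size):
    return {"request": {"url": url, "method": "GET"},
            "response": {"status": 200, "bodySize": size,
                         "content": {"size": size, "mimeType": mime}}}


SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    _entry("https://example.com/contact/", "text/html", 18000),
    *[_entry(RECAPTCHA_JS, "text/javascript", 43000) for _ in range(4)],
    _entry(HCAPTCHA_JS, "text/javascript", 250000),
    _entry("https://example.com/logo.png", "image/png", 12000),
]}})


def entry_size(entry):
    """Decoded body size in bytes: HAR content.size, falling back to bodySize."""
    resp = entry.get("response", {})
    size = resp.get("content", {}).get("size")
    if size is None or size < 0:
        size = resp.get("bodySize", 0)
    return max(int(size), 0)


def captcha_loads(har_text):
    """Per provider: number of script fetches and their total decoded bytes."""
    har = json.loads(har_text)
    totals = {label: {"count": 0, "bytes": 0} for label in CAPTCHA_PATTERNS}
    for entry in har["log"]["entries"]:
        url = entry.get("request", {}).get("url", "")
        mime = entry.get("response", {}).get("content", {}).get("mimeType", "")
        if "javascript" not in mime:
            continue  # ignore the challenge iframe HTML, images and fonts
        for label, pattern in CAPTCHA_PATTERNS.items():
            if pattern.search(url):
                totals[label]["count"] += 1
                totals[label]["bytes"] += entry_size(entry)
    return totals


def duplicate_loads(har_text):
    """URLs fetched more than once in the same page load (e.g. recaptcha__en.js x4)."""
    counts = defaultdict(int)
    for entry in json.loads(har_text)["log"]["entries"]:
        counts[entry["request"]["url"]] += 1
    return {url: n for url, n in counts.items() if n > 1}


def report(har_text):
    for label, data in captcha_loads(har_text).items():
        print(f"{label}: {data['count']} script load(s), {data['bytes'] / 1e6:.3f} MB")
    for url, n in sorted(duplicate_loads(har_text).items()):
        print(f"  loaded {n}x: {url}")


if __name__ == "__main__":
    report(open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_HAR)
```

Sizes come from content.size (the decoded body), which is what the browser has to parse; if you want wire cost instead, swap in the bodySize or Chrome’s _transferSize field. Run it against a HAR for the same page with one form and then with three, and the per-form growth of hCAPTCHA versus the erratic repeats of reCAPTCHA show up directly.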

How to Install hCAPTCHA in Gravity Forms

Actually this is the easy part. Install the G-Forms hCaptcha plugin and follow its instructions to create an hCAPTCHA account. Then set your secret key in the Gravity Forms settings. You can then drag the hCAPTCHA field into the form and delete the old CAPTCHA field.

The one gotcha I did find is that you also have to set a site key in the Advanced tab of the hCAPTCHA field in the form editor.

You get that site key by adding the site to your account at https://www.hcaptcha.com/. Note the difference between the two keys: the site key is public and is embedded in the page to draw the widget, while the secret key is used server-side to verify the token the widget returns, so it belongs only in the settings and must never be put in the field or otherwise exposed.
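For anyone curious about what the plugin actually does with those two keys once a form is submitted, here is the verification step written out. This is an added example in Python, not the plugin’s PHP and not code from this post; it assumes hCaptcha’s documented siteverify endpoint and the h-captcha-response form field, while the verify_token, handle_submission and fake_siteverify helpers, the secret value and the hostname are this example’s own. The fake transport stands in for the real HTTP call so the flow can be exercised offline.

```python
"""Server-side hCAPTCHA token verification, the step a form plugin performs for you.

Added example, not the G-Forms hCaptcha plugin's code. The widget rendered with
the public site key fills a hidden form field, "h-captcha-response", with a
token; the server must POST that token together with the secret key to the
siteverify endpoint and accept the submission only if the reply says success.
The secret never reaches the browser. fake_siteverify returns constructed
replies so everything below runs without network access.
"""
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://api.hcaptcha.com/siteverify"
TOKEN_FIELD = "h-captcha-response"  # hidden field the widget fills in


def post_form(url, fields):
    """Real transport: form-encoded HTTP POST, parsed JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def verify_token(secret, token, expected_hostname, remote_ip=None, post=post_form):
    """Return (accepted, reason). Fails closed on any error, and pins the reply's
    hostname so a token solved on another domain is not accepted here."""
    if not token:
        return False, "no " + TOKEN_FIELD + " in the submission (widget bypassed)"
    fields = {"secret": secret, "response": token}  # the secret is sent here only
    if remote_ip:
        fields["remoteip"] = remote_ip
    try:
        reply = post(SITEVERIFY_URL, fields)
    except Exception as exc:  # network error or bad JSON: treat as not verified
        return False, "siteverify failed: " + str(exc)
    if not reply.get("success"):
        return False, "rejected: " + ", ".join(reply.get("error-codes") or ["unknown"])
    if reply.get("hostname") != expected_hostname:
        return False, "hostname mismatch: " + repr(reply.get("hostname"))
    return True, "ok"


def handle_submission(form, secret, expected_hostname, post=post_form):
    """What a form handler does with the posted fields (a dict like PHP's $_POST).
    Hypothetical handler for this example."""
    accepted, reason = verify_token(secret, form.get(TOKEN_FIELD), expected_hostname, post=post)
    if not accepted:
        return {"status": "rejected", "reason": reason}
    return {"status": "accepted", "message": form.get("message", "")}


def fake_siteverify(reply):
    """Constructed transport for offline use: records the POST and returns `reply`."""
    def post(url, fields):
        post.sent = (url, dict(fields))
        return dict(reply)
    post.sent = None
    return post


if __name__ == "__main__":
    # Constructed secret, token and hostname; a real secret comes from the hCaptcha dashboard.
    transport = fake_siteverify({"success": True, "challenge_ts": "2020-08-15T10:00:00Z",
                                 "hostname": "www.example.com"})
    print(handle_submission({TOKEN_FIELD: "constructed-token", "message": "hi"},
                            "0xSECRET", "www.example.com", post=transport))
    print("posted to siteverify:", transport.sent)
```

The point to take away is where each key lives: the site key goes into the page to draw the widget, the secret goes only into the server-side POST. A form whose handler skips this step, or accepts any reply without checking success, is protected by nothing more than the appearance of a checkbox.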

Conclusion

I would definitely recommend switching from reCAPTCHA to hCAPTCHA if you have a single form, or maybe even 2 forms, on your page. The signup process is quicker and easier, you don’t need a credit card on your account (unlike Google), and there is good integration with Gravity Forms via a plugin.

The user experience of the hCAPTCHA system is similar to that of reCAPTCHAv2, but it has the advantages that there is more focus on privacy, and you can set broad subjects for the CAPTCHAs that match your site’s subject matter.

Filed Under: Articles

Coronavirus Update – Work From Home Tools

March 26, 2020

There are a lot of different tools available to remain productive at home. These include: –

  • Microsoft Teams – https://teams.microsoft.com/downloads which now has a 60-day free trial
  • Zoho Remotely – https://www.zoho.com/remotely/ which also has a free trial period

If you want to collaborate on ideas, Microsoft Whiteboard – https://www.microsoft.com/en-au/p/microsoft-whiteboard/9mspc6mp8fm4?activetab=pivot:overviewtab might be the way to go.

For meetings, a great option might be to use an iPad. You can then use Microsoft Whiteboard and OneNote, and FaceTime to video conference.

Filed Under: Uncategorized


Simon Griffiths in San Francisco

Webxopt was formed in 2009 by Simon Griffiths, who was at the time working as the Marketing Manager of a medium-sized company in the electrical industry. Simon’s background includes study of both …


Webxopt Pty Ltd
PO Box 16
Robina Town Centre
QLD 4230, Australia

T 07 3103 3259
E info@webxopt.com
ABN: 24 624 264 951

© 2025 · Webxopt · Built on the Genesis Framework