How to minimize damage from fake sign-ups: practical measures

Intro

If you run a business with a website and a signup form, you may already be getting spam signups. From a custom SaaS application to a WordPress blog, almost everyone is affected in one way or another. Here are some of the ways bot signups hurt businesses:

No matter what your use case is or how it may negatively impact your business down the road, you need to have some sort of protection against fake signups from day one. In this post, we will go through some of the measures you can put in place to minimize the damage.

Using CDN (DNS level protection)

If you use a CDN for your website, check whether it offers a bot-protection feature. One of the most popular free CDNs is Cloudflare; KeyCDN is a paid alternative. Cloudflare comes with Bot Fight Mode, which helps reduce bot traffic to your site and potentially reduces fake registrations. You also get DDoS protection and faster load times.

Bot Fight Mode in Cloudflare

Using client-side protection

Honeypot

The honeypot is the oldest trick in the book, with zero impact on your website's performance, accessibility or privacy. It is considered client-side protection. It involves adding a hidden field to a form and hoping that bots won't notice it and will fill it in automatically. The hidden honeypot field is not visible to humans, but bots treat it as a valid field: they scan web pages and fill in every field, including the hidden one in your form. You can then reject any submission that contains a value in the hidden field. We previously talked more about this in How the honeypot technique prevents bots from spamming your forms. Although it is less effective now, it still works to some extent.
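The honeypot described above, as an added example (not code from the original post): a hidden field rendered into the sign-up form and the server-side check that rejects submissions which fill it in. The field name `website_url` and the sample submissions are assumptions made for this example.

```python
# Added example, not from the original post. Field name is an assumption:
# pick something a form-filling bot would expect to see on a sign-up form.
from dataclasses import dataclass
from typing import Mapping

HONEYPOT_FIELD = "website_url"

# Hide the field with CSS rather than type="hidden" (many bots skip hidden inputs).
# tabindex="-1", autocomplete="off" and aria-hidden keep keyboard users, browser
# autofill and screen readers away from it, so humans never fill it by accident.
HONEYPOT_HTML = f"""
<div style="position:absolute;left:-10000px;width:1px;height:1px;overflow:hidden" aria-hidden="true">
  <label for="{HONEYPOT_FIELD}">Website</label>
  <input type="text" id="{HONEYPOT_FIELD}" name="{HONEYPOT_FIELD}"
         tabindex="-1" autocomplete="off" value="">
</div>
"""


@dataclass
class Verdict:
    accept: bool
    reason: str


def check_honeypot(form: Mapping[str, str]) -> Verdict:
    """Reject a submission that filled the hidden field or dropped it entirely."""
    if HONEYPOT_FIELD not in form:
        # A browser submits an empty text input as "", so a missing key means the
        # POST was not built from the rendered form. Treating that as a rejection
        # is a design choice for this example; log it if you prefer to observe first.
        return Verdict(False, "honeypot field missing from submission")
    if form[HONEYPOT_FIELD].strip():
        return Verdict(False, "honeypot field was filled in")
    return Verdict(True, "ok")


# Constructed sample submissions (not real traffic).
HUMAN = {"email": "alice@example.com", "password": "correct horse", HONEYPOT_FIELD: ""}
BOT = {"email": "seo@example.net", "password": "x", HONEYPOT_FIELD: "http://example.net"}
SCRIPTED = {"email": "seo@example.net", "password": "x"}

if __name__ == "__main__":
    for name, submission in (("human", HUMAN), ("bot", BOT), ("scripted", SCRIPTED)):
        print(name, check_honeypot(submission))
```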

Captcha

If you are not using Cloudflare or another CDN that comes with bot protection, you can use Cloudflare's Turnstile on your sign-up forms. Another option is to add reCaptcha or hCaptcha to your forms.

Be aware of the complication with this approach: all of them inject JavaScript into your website, which will negatively impact your site's speed and may cause accessibility issues.

Implementing Turnstile, hCaptcha or reCaptcha on your website involves similar steps:

  1. Generate a Site Key and a Secret Key for your website
  2. Add the JavaScript file to your website
  3. Validate the submitted token on the server side
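Step 3 in code, as an added example that is not part of the original post: one function that validates the token posted with the form against the real siteverify endpoint of reCaptcha, hCaptcha or Turnstile. The HTTP call is injected so the block runs offline; `fake_siteverify`, the secret and the hostname `signup.example.com` are constructed for this example.

```python
# Added example, not from the original post. Endpoints and form field names are the
# providers' real ones; the fake poster, secret and hostname below are constructed.
import json
import urllib.parse
import urllib.request
from typing import Callable, Mapping

# siteverify URL and the hidden form field each widget adds to the POST.
PROVIDERS = {
    "recaptcha": ("https://www.google.com/recaptcha/api/siteverify", "g-recaptcha-response"),
    "hcaptcha": ("https://api.hcaptcha.com/siteverify", "h-captcha-response"),
    "turnstile": ("https://challenges.cloudflare.com/turnstile/v0/siteverify", "cf-turnstile-response"),
}

Poster = Callable[[str, Mapping[str, str]], dict]


def http_post(url: str, data: Mapping[str, str]) -> dict:
    """Production poster: form-encoded POST to siteverify, JSON reply."""
    body = urllib.parse.urlencode(data).encode()
    with urllib.request.urlopen(url, body, timeout=5) as resp:
        return json.load(resp)


def verify_captcha(provider: str, form: Mapping[str, str], secret: str,
                   expected_host: str, post: Poster = http_post) -> bool:
    """True only if the provider confirms the token and it was solved on our host."""
    url, field = PROVIDERS[provider]
    token = form.get(field, "")
    if not token:
        return False  # widget never ran or the field was stripped: treat as failed
    try:
        reply = post(url, {"secret": secret, "response": token})
    except Exception:
        return False  # fail closed if the verification service is unreachable
    # "success" alone is not enough: pin the hostname the provider reports so a
    # token solved on a page other than yours is refused.
    return bool(reply.get("success")) and reply.get("hostname") == expected_host


def fake_siteverify(url: str, data: Mapping[str, str]) -> dict:
    """Constructed stand-in for the network call, shaped like a siteverify reply."""
    ok = data["response"] == "good-token"
    return {"success": ok, "hostname": "signup.example.com" if ok else None,
            "error-codes": [] if ok else ["invalid-input-response"]}


if __name__ == "__main__":
    form = {"email": "alice@example.com", "cf-turnstile-response": "good-token"}
    print(verify_captcha("turnstile", form, "TEST-SECRET", "signup.example.com", post=fake_siteverify))
```

In production read the secret from an environment variable or secret store, never from page source, and keep `post=http_post` (the default).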

Here is the detailed documentation for each of them:

hCaptcha

Which one to use: hCaptcha, reCaptcha or Turnstile?

Here is a simple table comparing these tools.

                  reCaptcha   hCaptcha             Turnstile
  Accessibility   Partially   Partially            Partially
  Slow website    Worse       Bad                  Better
  Can be bypassed Yes         Yes                  Yes
  Privacy         Worse       Better               Better
  Made by         Google      Intuition Machines   Cloudflare


They are only partially accessible because, while they all come with an invisible mode you can use, visitors who are detected as suspicious will likely be stuck in an endless loop of puzzles to solve.

Anything you add to your site’s HTML will negatively impact your site’s performance, but Turnstile’s JS file seems to have the least impact compared to reCaptcha and hCaptcha.

Turnstile

Do you get fake signups despite reCaptcha, hCaptcha, Turnstile?

You are not alone. Captchas are effective against simple bots, but advanced bots can bypass reCaptcha. There are also “captcha farms” (e.g. 2Captcha) where people are paid to solve reCaptcha at low cost.

This is where we come in. Another way to protect your sign-up forms without a captcha is to use a server-side solution such as OOPSpam. To put it simply, your registration form has no challenge, no JavaScript and no cookies, so there are no accessibility issues and no slow website.

We already have WordPress, Bubble, Make and Zapier integrations, so there is nothing to implement. If you are building a custom site, use the OOPSpam API to reject or allow new users before confirming them or sending a welcome email. For more implementation tips, see Building a complete contact form with PHP & HTML.

Complete protection: Cloudflare + OOPSpam + Honeypot

For the best of both worlds, combine Cloudflare with OOPSpam and a honeypot to improve your odds against fake account creation and get a clean sign-up form without all the errors and frustrated users.

OOPSpam: Process your submissions with OOPSpam on your server. This is your last line of defense against bots and manual spammers.

Cloudflare: We recommend DNS-level protection with Cloudflare. You get the same benefit as Turnstile without the website performance and accessibility issues.

Honeypot: This is easy to implement and free.

Final Notes

All websites get hit by spammers eventually. As a site grows and gets more traffic, it attracts more serious spammers with advanced bots. Both honeypot and captcha will protect your site to a certain extent, but they are not enough against targeted spam sign-up attacks, manual spam and sophisticated bots. Using a couple of tools will harden your forms.

I hope this article helps you find a solution to your bot signup problem.

Have a spam-free day!
