Protect Your Membership Site from Spam and Abuse Using reCAPTCHA

reCAPTCHA is a service provided by Google that aims to block abusive, automated traffic. Paid Memberships Pro allows you to easily integrate this service into your membership checkout process. This post covers when and why to use reCAPTCHA, how to create your reCAPTCHA account, and how to configure it for your membership site.


When and why to use reCAPTCHA

By default, Paid Memberships Pro uses a “honeypot” technique to catch most automated spammers. This method relies on a form field that is hidden from real visitors (who therefore leave it empty) but that an automated “bot” filling in every field it finds will populate; a non-empty value throws an error on checkout form submission and the signup is rejected.

For this reason, we generally recommend that site owners only activate reCAPTCHA for free levels, and only if they are seeing a problem with spam signups; the challenge adds friction for every legitimate visitor too. Your paid levels require a credit card (or a successful PayPal checkout), so there is less opportunity for spammers to get in: they aren’t going to spend real money spamming your site.

Recently, we’ve seen a different kind of user who WILL use credit cards to create invalid accounts on your site: people testing stolen credit cards (often called “card testing”). These attackers use your membership checkout form as a “credit card validator”, trying different names, addresses, card numbers, zip codes, and CVV numbers. Once a combination succeeds on your site, they know the card is live and can use it to make purchases elsewhere.

If this is happening to you, you may want to activate reCAPTCHA for all memberships.
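What the default honeypot check amounts to, as an added PHP example; this is an illustration written for this page, not Paid Memberships Pro’s own implementation, and the field name (website_url) and function names are invented for it:

```php
<?php
// Added illustration of a checkout honeypot. Not Paid Memberships Pro's code;
// the field name "website_url" and the function names are invented here.

// Render the trap. It is hidden with CSS rather than type="hidden": many bots
// skip hidden inputs but fill every text field they find in the markup. The
// name is deliberately one a form-filler "expects", and tabindex="-1" plus
// autocomplete="off" keep keyboard users and browser autofill out of it.
function example_honeypot_field(): string {
    return '<div style="position:absolute;left:-9999px;width:1px;height:1px;overflow:hidden" aria-hidden="true">'
         . '<label for="website_url">Website</label>'
         . '<input type="text" id="website_url" name="website_url" value="" tabindex="-1" autocomplete="off">'
         . '</div>';
}

// True when the submission should be rejected. A real visitor never sees the
// field, so the only way it arrives non-empty is an automated form fill.
function example_honeypot_tripped(array $post): bool {
    return isset($post['website_url']) && trim((string) $post['website_url']) !== '';
}

// Constructed submissions, not real traffic: a person leaves the trap empty,
// a form-filling bot does not.
$submissions = [
    'person' => ['username' => 'alice', 'email' => 'alice@example.com', 'website_url' => ''],
    'bot'    => ['username' => 'alice', 'email' => 'alice@example.com', 'website_url' => 'http://spam.example'],
];
foreach ($submissions as $who => $post) {
    echo $who, ': ', example_honeypot_tripped($post) ? 'rejected' : 'accepted', "\n";
}
```

The check has to run on the server before any user record is created or any card is charged; log the rejection with the remote address so you can see how much automated traffic the checkout is absorbing. Aggressive browser autofill can occasionally trip a honeypot for a real person, which is why an error on the form (letting the visitor clear the field and resubmit) is preferable to silently dropping the signup.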


Payment Gateway Fraud Detection

Your payment gateway has built-in fraud detection that monitors repeated attempts with similar data. But no fraud detection process is 100% perfect and some charges will get through. Sure, the cash that comes into your account looks nice, but these charges are inevitably going to be refunded or, if you don’t catch them in time, charged back. See this post on chargebacks for more information.

If you are using Authorize.net as your payment gateway, inquire about the free Advanced Fraud Detection Suite, which enables you to set up “rules” for types of transactions that appear fraudulent.

Additionally, Stripe allows you to customize the default fraud detection via custom risk evaluation rules configured in your Stripe account.


Is this happening to me?

The easiest way to confirm if your membership checkout form is being used for fraudulent checkout attempts is via your payment gateway’s “charges” dashboard. For example, if you are using Stripe, your “Payments” dashboard shows all attempted charges. If you see a large number of charges labeled “failed”, especially many in quick succession with different card numbers, you may be at risk. We’d advise turning on reCAPTCHA for all memberships in this case.
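To make that dashboard check systematic, here is an added example (not Paid Memberships Pro’s or Stripe’s code) that scans an exported list of charges for the card-testing pattern: several failures across several different cards from one source within a few minutes. The rows are constructed for the example, and the column layout is an assumption about your gateway’s export format; adjust the indexes to your own columns.

```php
<?php
// Added example of detecting card testing in a gateway charge export. Not
// PMPro or Stripe code. Rows are constructed; the column order (id, time,
// status, IP, email, card fingerprint) is an assumption about your export.

$charges = [
    ['ch_001', '2017-03-01 10:00:05', 'failed',    '203.0.113.7',  'x1@mailer.example', 'fp_aaa'],
    ['ch_002', '2017-03-01 10:00:11', 'failed',    '203.0.113.7',  'x2@mailer.example', 'fp_bbb'],
    ['ch_003', '2017-03-01 10:00:19', 'failed',    '203.0.113.7',  'x3@mailer.example', 'fp_ccc'],
    ['ch_004', '2017-03-01 10:00:26', 'succeeded', '203.0.113.7',  'x4@mailer.example', 'fp_ddd'],
    ['ch_005', '2017-03-01 10:00:33', 'failed',    '203.0.113.7',  'x5@mailer.example', 'fp_eee'],
    ['ch_006', '2017-03-01 10:01:02', 'succeeded', '203.0.113.7',  'x6@mailer.example', 'fp_fff'],
    ['ch_007', '2017-03-01 11:15:40', 'failed',    '198.51.100.2', 'bob@example.com',   'fp_ggg'], // a typo, then a retry
    ['ch_008', '2017-03-01 11:16:10', 'succeeded', '198.51.100.2', 'bob@example.com',   'fp_ggg'],
    ['ch_009', '2017-03-01 12:40:00', 'succeeded', '192.0.2.55',   'carol@example.com', 'fp_hhh'],
];

// Flag a source when, inside a sliding window, it produces several failures
// across several distinct cards. A genuine customer retries the same card;
// a card tester cycles through many. Returns [ip => [ids of its successful
// charges]] so the successes can be refunded before they are charged back.
function example_card_testing_sources(array $charges, int $window_s = 600, int $min_failures = 3, int $min_cards = 3): array {
    $by_ip = [];
    foreach ($charges as [$id, $ts, $status, $ip, $email, $card]) {
        $by_ip[$ip][] = ['id' => $id, 't' => strtotime($ts), 'status' => $status, 'card' => $card];
    }

    $flagged = [];
    foreach ($by_ip as $ip => $rows) {
        usort($rows, fn($a, $b) => $a['t'] <=> $b['t']);
        $start = 0;
        for ($end = 0, $n = count($rows); $end < $n; $end++) {
            // advance the window start so rows[start..end] spans at most window_s
            while ($rows[$end]['t'] - $rows[$start]['t'] > $window_s) {
                $start++;
            }
            $failures = 0;
            $cards = [];
            for ($i = $start; $i <= $end; $i++) {
                if ($rows[$i]['status'] === 'failed') {
                    $failures++;
                }
                $cards[$rows[$i]['card']] = true;
            }
            if ($failures >= $min_failures && count($cards) >= $min_cards) {
                $flagged[$ip] = array_values(array_map(
                    fn($r) => $r['id'],
                    array_filter($rows, fn($r) => $r['status'] === 'succeeded')
                ));
                break;
            }
        }
    }
    return $flagged;
}

print_r(example_card_testing_sources($charges));
```

With the constructed rows, the single-IP burst of failures on distinct cards is flagged and its two successful charges are listed for refund, while the customer who mistyped once and retried the same card is not. The IP is only one pivot; if your export lacks it, grouping by email domain (as in the closing section of this post) or by card fingerprint works the same way.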


How reCAPTCHA works (for my members)

The Membership Checkout page will include a new section that looks like the image below:

A visitor who is logged in to a Google service, such as Gmail or Drive, will usually only need to check the box labeled “I’m not a robot”. Google’s reCAPTCHA service scores the visitor in the background, and this is (most often) the only step needed.

Anyone that the service identifies as “suspicious” will have to solve a visual puzzle to get through. These range from “pick all the pictures with a number in them” to “select all the images of a cat”. Here’s the “test” I got when getting a screenshot of the process for this post. If you fail the first test, you’ll be given another test. At most, I’ve had to complete two screens of image identification before successful validation.

Humans will be able to solve the puzzle, but a bot (usually) will not. Treat reCAPTCHA as a way to raise the cost of automated abuse rather than as a guarantee. The check-the-box step only produces a response token; Paid Memberships Pro verifies that token with Google on the server when the checkout form is submitted, so a bot that simply posts the form without a valid token is rejected.
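The server-side half of that validation, as an added example: this is not Paid Memberships Pro’s own code, the function name is invented, and it assumes the Secret Key from the reCAPTCHA admin plus the g-recaptcha-response field that the widget adds to the checkout form. The verification endpoint, its parameters and the fields of its JSON reply are Google’s documented siteverify API.

```php
<?php
// Added example of the server-side half of reCAPTCHA v2 validation. Not
// Paid Memberships Pro's code; the function name is invented. Assumes the
// Secret Key and the g-recaptcha-response field posted by the widget.

const EXAMPLE_RECAPTCHA_VERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

// Returns true only when Google confirms the token for one of your hostnames.
// Every other outcome (missing token, network failure, unexpected hostname)
// fails closed: a verify outage must not open the checkout to bots.
function example_recaptcha_verify(string $secret, string $token, string $remote_ip, array $allowed_hosts): bool {
    if ($token === '') {
        return false; // widget not completed, or JavaScript disabled
    }

    // The secret travels only from your server to Google, never to the browser.
    $context = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query([
            'secret'   => $secret,
            'response' => $token,
            'remoteip' => $remote_ip,
        ]),
        'timeout' => 5,
    ]]);
    $raw = @file_get_contents(EXAMPLE_RECAPTCHA_VERIFY_URL, false, $context);
    if ($raw === false) {
        return false;
    }

    $result = json_decode($raw, true);
    if (!is_array($result) || empty($result['success'])) {
        // Google explains failures in "error-codes", e.g. "timeout-or-duplicate":
        // a token is valid for two minutes and can be verified exactly once, so
        // a replayed token fails here.
        return false;
    }

    // Bind the token to this site. Registering domains limits where the widget
    // renders, but a key shared across domains still needs this check.
    $host = strtolower((string) ($result['hostname'] ?? ''));
    return $host !== '' && in_array($host, array_map('strtolower', $allowed_hosts), true);
}

// Use on checkout submission. The hostnames mirror the domains you registered
// (both forms, if you registered both); do not derive them from the request.
$verified = example_recaptcha_verify(
    (string) getenv('RECAPTCHA_SECRET'),              // from settings, never hard-coded
    (string) ($_POST['g-recaptcha-response'] ?? ''),
    (string) ($_SERVER['REMOTE_ADDR'] ?? ''),
    ['example.com', 'www.example.com']
);
if (!$verified) {
    // Stop here: no user account and no charge until a fresh challenge passes.
}
```

Inside WordPress the same request is normally made with wp_remote_post() rather than file_get_contents(); the parameters and the reply are identical. The hostname comparison matters because the reCAPTCHA admin lets you turn off its own domain validation for a key, at which point the server check is the only thing binding a token to your site.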


Sign up for reCAPTCHA. Get your API Keys.

  1. Click here to sign up for reCAPTCHA.
  2. Under “Register a new site”, enter your site’s name as the label. This is only used to identify the site in your reCAPTCHA dashboard.
  3. Select “reCAPTCHA 2” for the setting Choose the type of reCAPTCHA. Jason is looking into adding support for the Invisible reCAPTCHA.
  4. Under “Domains”, list the domain name of your membership site. You may want to include both the “www” and “non-www” domains (i.e. domain.com and www.domain.com).
  5. Agree to the terms, and, optionally, opt-in to receive reports.

After submitting the form, you will be redirected to view the keys for this reCAPTCHA site. Under the heading “Adding reCAPTCHA to your site”, toggle to display the “Keys”. The keys you will need for Paid Memberships Pro are the Site Key and the Secret Key. You do not need to do anything with the “Client side” or “Server side” integration snippets. Treat the Secret Key like a password: it belongs only in your WordPress settings (or server configuration), never in theme files or anything served to the browser.


Configure Paid Memberships Pro to use reCAPTCHA

  1. Navigate to Memberships > Advanced Settings in your WordPress admin.
  2. Under “Use reCAPTCHA?” select either to use for free memberships only or for all memberships.
  3. Enter your Site Key in the reCAPTCHA Public Key field.
  4. Enter your Secret Key in the reCAPTCHA Private Key field.
  5. Save the Settings.


Now test it!

We always recommend running a test membership checkout after making changes to your Paid Memberships Pro settings (even if you only test a free membership level signup or use a discount code to make your paid level free). reCAPTCHA relies on JavaScript in the visitor’s browser and on keys that were copied and pasted exactly, so test in a browser with JavaScript enabled, and also confirm that submitting the form without completing the challenge is rejected. This FAQ published by Google identifies common errors or issues if you are not able to successfully validate using reCAPTCHA.


Closing Thoughts

If you think your membership checkout has been used as a “credit card validator” by an attacker, you should actively locate any successful charges, process a refund immediately, and cancel the membership accounts those charges created. This will save you from the chargeback fee imposed by your payment gateway when the rightful card owner identifies the fraudulent charge.

In our case, the charges all used the same email domain, so I simply did a search in our Members List (and All Users list) for that “@domain.com” to isolate the members. See this post on how to process a refund for more help.

Advanced Category Techniques for Filtering Searches and Archives to Members and Non-Members

If you’ve set the option “Filter Searches and Archives” to “Yes” under the Memberships > Advanced Settings page, all of the posts in your members-only categories will be hidden from the main page, archives, and search queries. This code gist allows you to add specified categories back into the query.


Why would I want to do this?

This is useful for sites that want to totally exclude posts from certain categories from being seen by a visitor or indexed by search engines, while keeping posts in other restricted categories discoverable.

Note that the posts in these categories will still be locked to members-only, they’ll just appear in the appropriate places as teaser content for your membership offering.


The Code Recipe

This code recipe requires a PMPro Plus Account or higher.

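As an added illustration of the mechanism (this is not the PMPro code recipe above, and it is written for this page, not by the project), the following WordPress hook puts chosen categories back into the main query. It assumes that PMPro’s “Filter Searches and Archives” option removes the members-only categories from the main query on pre_get_posts, either through the category__not_in query variable or through negative IDs in the cat variable; that is an assumption about PMPro’s internals, so check it against your installed version. The category IDs and function names are hypothetical.

```php
<?php
// Added example, not the Paid Memberships Pro code recipe. Assumes PMPro's
// "Filter Searches and Archives" option excludes members-only categories on
// pre_get_posts via category__not_in or via negative IDs in "cat" (an
// assumption about PMPro internals), and that priority 99 runs after it.

// Category IDs whose posts should be discoverable again (hypothetical IDs).
// The posts stay locked to members; only the teaser shows up in listings.
function example_teaser_category_ids(): array {
    return [12, 15];
}

function example_restore_teaser_categories( $query ) {
    if ( is_admin() || ! $query->is_main_query() ) {
        return;
    }
    $keep = array_map( 'intval', example_teaser_category_ids() );

    // Form 1: an explicit exclusion list.
    $not_in = $query->get( 'category__not_in' );
    if ( is_array( $not_in ) && $not_in ) {
        $query->set( 'category__not_in', array_values( array_diff( array_map( 'intval', $not_in ), $keep ) ) );
    }

    // Form 2: negative IDs inside "cat", e.g. "-12,-15,-20".
    $cat = (string) $query->get( 'cat' );
    if ( $cat !== '' ) {
        $ids = array_filter(
            array_map( 'intval', explode( ',', $cat ) ),
            fn( $id ) => ! in_array( -$id, $keep, true )
        );
        $query->set( 'cat', implode( ',', $ids ) );
    }
}
add_action( 'pre_get_posts', 'example_restore_teaser_categories', 99 );
```

Place it in a small custom plugin or your theme’s functions.php, then verify it while logged out: a search for a post title in a restored category should return the title and teaser, and opening the post should still show only the members-only message, not the body. Categories not listed in the function stay fully hidden.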

About Excerpts and Using the “Read More” Tag for Posts and Pages

This article discusses a few methods to denote the post or page “excerpt”, which you can use to specify the portion of members-only content that’s “teaser text” for non-members.


The Decision to Show or Hide Excerpts

Under the Memberships > Advanced Settings admin page, there is a setting labeled “Show Excerpts to Non-Members”. When set to “Yes”, all of your members-only posts and pages will show the “excerpt” to a non-member, whether that’s a logged out “visitor” to your site or a logged in user or member that doesn’t meet membership requirements.


But what is the excerpt?

For a WordPress post or page, the excerpt can be one of the following:

  • For posts (only) this is the specific content you have placed in the “Excerpt” meta box on the Edit Post screen.
  • For pages and posts, this is the portion of content up to the defined “excerpt length”. By default, excerpt length is 55 words. You can filter excerpt_length using this method from the WordPress Codex.
  • For pages and posts, this is the portion of content up to the defined “Read More” tag (<!--more-->).

So, your options for defining the excerpt are:

  • Do nothing and let the excerpt_length filter set the excerpt (Default: 55 words). Be aware that this teaser is simply the opening of the post, so the first 55 words of every members-only post become public automatically.
  • Write specific content for the post excerpt in the “Excerpt” meta box (posts only).
  • Use the “Read More” tag (my recommended method for posts and pages).

Note that your theme may handle the post excerpt in its own unique way so if the methods outlined in this article do not work in your current theme, contact your theme author or open a topic in our members forum for support.


What’s the “Read More” tag and how do I insert it?

Think of the “Read More” tag as a way to “cut” your content – defining what portion is shown in archives and searches vs. the full content’s “single” view. For a members-only post, you can think of the content before the “Read More” tag as the teaser text, defining which piece is “public” and which is “private”.

The “Read More” tag can be inserted via a button in the Visual and Text editor or by entering this: <!--more-->. See the button highlighted in the Visual editor in the image below. For the Text editor, it’s just a button that says “More”.


When you view a post in excerpt form (on the page for posts or in archives or search results), only the content before this tag will appear, followed by a default “Continue Reading” link. To change the text of this generated link, edit the post, switch to the Text editor, and look for <!--more-->. Add a space after “more” and insert the custom message, like <!--more Keep Reading!-->.

On the single view, the full content (including the content before the <!--more-->) will show. If your post requires membership and you have “Show Excerpts to Non-Members” set to “Yes”, a user without access will see only the excerpt on the single view, followed by the appropriate “Message for Logged-in Non-members:” or “Message for Logged-out Users:”.

If your post requires membership and you have “Show Excerpts to Non-Members” set to “No”, no excerpt will appear on the single view. The single view will only display the title followed by the appropriate “Message for Logged-in Non-members:” or “Message for Logged-out Users:”. Posts that require membership will still appear in the page for posts, archives, and searches, they will simply contain the post title and message defined under Memberships > Advanced Settings.
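The two automatic excerpt rules listed above (split at the “Read More” tag, otherwise the first N words) and the “Show Excerpts to Non-Members” decision on the single view, reproduced outside WordPress as an added example. This is not WordPress or Paid Memberships Pro code; the function names are invented, the post content is constructed, and the tag pattern and word trimming follow what WordPress’s get_extended() and wp_trim_words() do closely enough to show exactly which text a non-member receives.

```php
<?php
// Added example, not WordPress or Paid Memberships Pro code. Reproduces the
// two automatic excerpt rules and the non-member single view outside WordPress.
// Function names are invented; the sample post is constructed.

const EXAMPLE_EXCERPT_LENGTH = 55; // WordPress default; sites change it with the excerpt_length filter

// Split content into the public teaser and the protected remainder.
function example_split_content(string $content, int $length = EXAMPLE_EXCERPT_LENGTH): array {
    // <!--more--> or <!--more Custom link text-->, as WordPress matches it
    if (preg_match('/<!--more(.*?)?-->/', $content, $m, PREG_OFFSET_CAPTURE)) {
        $tag_start = $m[0][1];
        $tag_len   = strlen($m[0][0]);
        $custom    = trim($m[1][0] ?? '');
        return [
            'teaser'    => trim(substr($content, 0, $tag_start)),
            'rest'      => trim(substr($content, $tag_start + $tag_len)),
            'link_text' => $custom !== '' ? $custom : 'Continue Reading',
        ];
    }
    // No tag: the first $length words become public automatically, which
    // silently exposes the opening of a members-only post.
    $words = preg_split('/\s+/', trim(strip_tags($content)), -1, PREG_SPLIT_NO_EMPTY);
    return [
        'teaser'    => implode(' ', array_slice($words, 0, $length)),
        'rest'      => implode(' ', array_slice($words, $length)),
        'link_text' => 'Continue Reading',
    ];
}

// What the single view sends to a user without access. Only the teaser ever
// leaves the server; 'rest' is never included in either branch.
function example_render_for_non_member(string $content, bool $show_excerpts, string $message): string {
    if (!$show_excerpts) {
        return $message;
    }
    return example_split_content($content)['teaser'] . "\n\n" . $message;
}

// Constructed post content for the example.
$post = "Three things every new member should know.<!--more Keep Reading!-->"
      . "Here is the members-only detail that must stay behind the paywall.";
$message = 'This content is for members only. Visit the site and log in/register to read.';

print_r(example_split_content($post));
echo example_render_for_non_member($post, true, $message), "\n";
echo example_render_for_non_member($post, false, $message), "\n";
```

Inside WordPress the word limit is changed with add_filter('excerpt_length', ...) rather than a constant, and the theme’s template decides which of these two renderings a non-member sees; the point of the example is that whatever you put before the tag is the complete public surface of the post, so write the teaser as if it were a separate, unprotected post.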


Taking This to the Next Level Using the [membership] Shortcode

So now that you’ve mastered the art of defining post and page excerpts, how can you do even more to appropriately “tease” members-only content, without taking away from the experience for your paid members? Welcome to the big leagues: the [membership] shortcode.

You can use the [membership] shortcode to show a unique excerpt to your members and non-members. Here’s an example:

Title:

Post Content:

In this example, I’m using the shortcode to show a different excerpt to my member and non-member. More information on using the [membership] shortcode. Neat!


Time to Kiss Your Brain

I hope this tutorial has broadened your WordPress and Paid Memberships Pro knowledge. For those of you that were already clued in to the excerpt methods above, try using the shortcode example to further enrich your membership site’s member experience.

I’m working on the new MemberLite theme and have been using the “Read More” tag to not only denote excerpts, but to enhance the page appearance without adding (needless) custom meta boxes and database table rows. Get started using the tutorial above, and you’ll be ahead of the game when the theme is released!

If you’re using excerpts in other unique ways for your membership site, I’d love to hear about it in the comments below.