Protect Your Membership Site from Spam and Abuse Using reCAPTCHA

reCAPTCHA is a service provided by Google that aims to block abusive, automated traffic. Paid Memberships Pro allows you to easily integrate this service into your membership checkout process. This post covers when and why to use reCAPTCHA, how to create your reCAPTCHA account, and how to configure it for your membership site.


When and why to use reCAPTCHA

By default, Paid Memberships Pro uses a “honey pot” technique to catch most automated spammers. This method relies on a hidden form field that valid visitors cannot see, but an automated “bot” visitor will attempt to populate, thereby throwing an error on checkout form submission.

For this reason, we generally recommend that site owners only activate reCAPTCHA for free levels if they are seeing a problem with spam signups. Your paid levels require a credit card (or successful PayPal checkout), so there is less opportunity for spammers to get in — they aren’t going to spend real money spamming your site.

Recently, we’ve seen a different kind of user who WILL use credit cards to create invalid accounts on your site: people testing stolen credit cards. These attackers are using your membership checkout form as a “credit card validator” to test different names, addresses, card numbers, zip codes, and CVV numbers. Once they find the right combo that is successful on your site, they can then use that validated card to make purchases elsewhere.

If this is happening to you, you may want to activate reCAPTCHA for all memberships.


Payment Gateway Fraud Detection

Your payment gateway has built-in fraud detection that will monitor repeated attempts with similar data. But no fraud detection process is 100% perfect, and some charges will get through. Sure, the cash that comes into your account looks nice, but these charges are inevitably going to be refunded or, if you don’t catch them in time, charged back. See this post on chargebacks for more information.

If you are using Authorize.net as your payment gateway, inquire about the free Advanced Fraud Detection Suite, which enables you to set up “rules” for types of transactions that appear fraudulent.

Additionally, Stripe allows you to customize the default fraud detection via custom risk evaluation rules configured in your Stripe account.


Is this happening to me?

The easiest way to confirm whether your membership checkout form is being used for fraudulent checkout attempts is your payment gateway’s “charges” dashboard. For example, if you are using Stripe, your “Payments” dashboard shows all attempted charges. If you see a large number of charges labeled “failed”, you may be at risk. We’d advise turning on reCAPTCHA for all memberships in this case.
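A way to turn that dashboard check into something repeatable, as an added example that is not Paid Memberships Pro or Stripe code: it scans a constructed list of charge rows (field names are assumptions, not a real export format) for the card-testing signature described above, many failed attempts across several different cards from one email domain inside a short window, and then lists the accounts from a flagged domain whose charge did go through, which the Closing Thoughts below recommend refunding.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows shaped like a gateway "Payments" export (field names
# are assumptions). Cards are masked, so last4 stands in for "distinct card".
CHARGES = [
    {"time": "2023-05-01T10:00:00", "status": "succeeded", "email": "alice@example.org", "card_last4": "4242"},
    {"time": "2023-05-01T10:01:00", "status": "failed", "email": "bob@example.org", "card_last4": "1111"},
    {"time": "2023-05-01T10:05:00", "status": "failed", "email": "a1@card-test.example", "card_last4": "0001"},
    {"time": "2023-05-01T10:05:40", "status": "failed", "email": "a2@card-test.example", "card_last4": "0002"},
    {"time": "2023-05-01T10:06:15", "status": "failed", "email": "a3@card-test.example", "card_last4": "0003"},
    {"time": "2023-05-01T10:07:02", "status": "failed", "email": "a4@card-test.example", "card_last4": "0003"},
    {"time": "2023-05-01T10:07:50", "status": "succeeded", "email": "a5@card-test.example", "card_last4": "0004"},
    {"time": "2023-05-01T10:08:30", "status": "failed", "email": "a6@card-test.example", "card_last4": "0005"},
    {"time": "2023-05-01T10:09:12", "status": "failed", "email": "a7@card-test.example", "card_last4": "0006"},
]

def _domain(email):
    return email.rsplit("@", 1)[-1].lower()

def find_card_testing(charges, window_minutes=10, min_failed=5, min_cards=3):
    """Map email domain -> (failed attempts, distinct cards) for domains with
    >= min_failed failures over >= min_cards cards inside any window_minutes."""
    by_domain = defaultdict(list)
    for c in charges:
        if c["status"] == "failed":
            by_domain[_domain(c["email"])].append(c)
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for domain, rows in by_domain.items():
        rows.sort(key=lambda r: r["time"])
        times = [datetime.fromisoformat(r["time"]) for r in rows]
        start = 0
        for end in range(len(rows)):  # sliding window over sorted failures
            while times[end] - times[start] > window:
                start += 1
            chunk = rows[start:end + 1]
            cards = {r["card_last4"] for r in chunk}
            if len(chunk) >= min_failed and len(cards) >= min_cards:
                best = flagged.get(domain, (0, 0))
                flagged[domain] = max(best, (len(chunk), len(cards)))
    return flagged

def successful_emails(charges, domain):
    """Accounts from a flagged domain whose charge went through: review and
    refund these before the cardholder files a chargeback."""
    return [c["email"] for c in charges
            if c["status"] == "succeeded" and _domain(c["email"]) == domain]
```

The thresholds are starting points; tune them against your own normal failure rate before acting on a flag.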


How reCAPTCHA works (for my members)

The Membership Checkout page will include a new section that looks like the image below:

If the user is logged in to a Google service, such as Gmail or Drive, they will simply need to check the box labeled “I’m not a robot”. Google’s reCAPTCHA service will validate them and this is (most often) the only step needed.

Anyone that the service identifies as “suspicious” will have to solve a visual puzzle to get through. These range from “pick all the pictures with a number in them” to “select all the images of a cat”. Here’s the “test” I got when taking a screenshot of the process for this post. If you fail the first test, you’ll be given another test. At most, I’ve had to complete two screens of image identification before successful validation.

Humans will be able to solve the puzzle, but a bot will not.
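How the two layers fit together on the server side, as an added example that is not Paid Memberships Pro’s code: the honeypot field described earlier is checked first (the field name is hypothetical; the real plugin’s is different), and only when the “Use reCAPTCHA?” setting and the level call for it is the widget’s token sent to Google’s siteverify endpoint. The secret key is a placeholder, and the HTTP call is injectable so the logic runs offline.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
RECAPTCHA_SECRET = "<secret-key-from-your-recaptcha-dashboard>"  # placeholder
HONEYPOT_FIELD = "website_url_hp"  # hypothetical name; hidden from humans by CSS

def _post_siteverify(fields):
    """Real network call to Google's siteverify endpoint (not used in tests)."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=data, timeout=10) as resp:
        return json.load(resp)

def verify_recaptcha(token, expected_host=None, secret=RECAPTCHA_SECRET, post=None):
    """True only if Google reports success for this token and, when given,
    the token was solved on the expected hostname (a key can be scoped to
    several domains; this catches a token solved on a different one)."""
    result = (post or _post_siteverify)({"secret": secret, "response": token})
    if not result.get("success"):
        return False
    return expected_host is None or result.get("hostname") == expected_host

def recaptcha_required(mode, level_is_free):
    """Mirror the plugin's 'Use reCAPTCHA?' choice: 'free' levels only or 'all'."""
    return mode == "all" or (mode == "free" and level_is_free)

def check_checkout(form, mode, level_is_free, expected_host=None, post=None):
    """Return (accepted, reason) for one submitted checkout form (a dict).
    The honeypot runs first and costs nothing; the captcha only runs when the
    level and setting call for it, so paid levels keep a one-click checkout."""
    if form.get(HONEYPOT_FIELD, ""):
        return False, "honeypot filled"
    if recaptcha_required(mode, level_is_free):
        token = form.get("g-recaptcha-response", "")  # the widget's POST field
        if not token or not verify_recaptcha(token, expected_host, post=post):
            return False, "recaptcha failed"
    return True, "ok"
```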


Sign up for reCAPTCHA. Get your API Keys.

  1. Click here to sign up for reCAPTCHA.
  2. Under “Register a new site”, enter your site’s name as the label. This is only used to identify the site in your reCAPTCHA dashboard.
  3. Select “reCAPTCHA 2” for the setting “Choose the type of reCAPTCHA”. Jason is looking into adding support for the Invisible reCAPTCHA.
  4. Under “Domains”, list the domain name of your membership site. You may want to include both the “www” and “non-www” domains (e.g. domain.com and www.domain.com).
  5. Agree to the terms, and, optionally, opt-in to receive reports.

After submitting the form, you will be redirected to view the keys for this reCAPTCHA site. Under the heading “Adding reCAPTCHA to your site”, toggle to display the “Keys”. The keys you will need for Paid Memberships Pro are the Site Key and the Secret Key. You do not need to do anything with the “client-side” or “server-side” integration instructions.


Configure Paid Memberships Pro to use reCAPTCHA

  1. Navigate to Memberships > Advanced Settings in your WordPress admin.
  2. Under “Use reCAPTCHA?” select either to use for free memberships only or for all memberships.
  3. Enter your Site Key in the reCAPTCHA Public Key field.
  4. Enter your Secret Key in the reCAPTCHA Private Key field.
  5. Save the Settings.


Now test it!

We always recommend running a test membership checkout after making changes to your Paid Memberships Pro settings (even if you only test a free membership level signup or use a discount code to make your paid level free). reCAPTCHA relies on JavaScript, and on correctly copied and pasted keys, in order to work. This FAQ published by Google identifies common errors or issues if you are not able to successfully validate using reCAPTCHA.


Closing Thoughts

If you think your membership checkout has been used as a “credit card validator” by an attacker, you should actively locate any successful charges and process a refund immediately. This will save you from the chargeback fee imposed by your payment gateway when the rightful card owner identifies the fraudulent charge.

In our case, the charges all used the same email domain, so I simply did a search in our Members List (and All Users list) for that “@domain.com” to isolate the members. See this post on how to process a refund for more help.

Email Confirmation Add On – Require Members to Validate their Email

The Email Confirmation Add On adds an additional step to membership checkout, requiring members to click a validation link in the confirmation email in order to activate their membership. Continue reading to learn about the features and setup.

View the Add On


How it Works

When a member completes checkout on your site, their membership is automatically activated after successful payment or free checkout. You can use this add on to require members of designated levels to click a validation link in their membership confirmation email in order to complete the membership checkout and “activate” their account.

Unvalidated members will still appear in your members list, but access to members-only content will fail until their email address is validated. The pmpro_has_membership_access_filter filter, the pmpro_hasMembershipLevel() function, and instances of the [membership] shortcode will return false, and all members-only content will be hidden.

Note: v.4 of this add on also filters pmpro_has_membership_level for users who aren’t confirmed. If you are using an earlier version of this add on, please update from the Plugins admin in WordPress.

Installation

  1. Upload the ‘pmpro-email-confirmation’ directory to the ‘/wp-content/plugins/’ directory of your site.
  2. Activate the plugin through the ‘Plugins’ menu in WordPress.
  3. Edit your levels under Memberships > Membership Levels > Edit Level. Check the “Email Confirmation” checkbox to require email validation for this level.

This confirmation step is best used for free membership levels. A paying member has little incentive to purchase your membership and then provide a false email address, so adding this additional step for paying members may be more hassle than benefit.


How to Manually Validate a User (as Administrator or Membership Manager)

The Administrator or Membership Manager can manually validate any user through the dashboard from the Memberships > Members List or the Users admin page. Just hover over the username and a link to “Validate User” will appear.



Screenshot

Membership Confirmation page with note to check email for validation link