
Review Gravity Forms and reCAPTCHA v3 for accessibility #2613

Closed
kevindherman opened this issue Sep 30, 2024 · 5 comments

Comments

@kevindherman

kevindherman commented Sep 30, 2024

Builds

Source

KH

Is your feature request related to a problem? Please describe.
There are newer versions and different approaches to reCAPTCHA that we should consider.

https://www.gravityforms.com/add-ons/recaptcha/

What feature would you like to improve
reCAPTCHA

Additional context
Currently we use reCAPTCHA v2 with the checkbox. The checkbox is more accessible than the image selector which is why we've stuck with it. There is also an invisible option but that has been buggy in my experience, potentially we're not using the desired v3.

We need to make sure we're finding the right balance of accessibility, security and implementation (so it's used all the time).

Possible code to enforce captcha

```php
add_filter('gform_validation', 'force_captcha_validation');
function force_captcha_validation($validation_result) {
    $form = $validation_result['form'];
    $captcha_present = false;
    // Check if a CAPTCHA field exists in the form
    foreach ($form['fields'] as $field) {
        if ($field->type === 'captcha') {
            $captcha_present = true;
            break;
        }
    }
    // If no CAPTCHA field is found, prevent submission
    if (!$captcha_present) {
        $validation_result['is_valid'] = false;
        foreach ($form['fields'] as &$field) {
            // Apply validation failure to the first field to show an error
            if ($field->type !== 'captcha') {
                $field->failed_validation = true;
                $field->validation_message = 'CAPTCHA is required for form submission.';
                break;
            }
        }
        unset($field); // drop the reference left behind by foreach-by-reference
    }
    // Return the validation result
    $validation_result['form'] = $form;
    return $validation_result;
}
```
  • add a check if CAPTCHA is even set up and ping Slack once if it's not so we can get a list of sites that are not set up with CAPTCHA
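One way to do the audit the last bullet asks for, as an added example (my code, not from the issue or from Gravity Forms): list every active form without a `captcha` field and post the list to Slack once per day. It assumes `GFAPI::get_forms()` and the WordPress HTTP and transient APIs are available; the webhook URL is a placeholder.

```php
<?php
// Added example: audit every Gravity Forms form for a CAPTCHA field and post to a
// Slack webhook once per day when some forms lack one. Assumes Gravity Forms
// (GFAPI) and WordPress (wp_remote_post, transients) are loaded; the webhook URL
// is a placeholder to be replaced by a site constant or option.
const FORMS_CAPTCHA_SLACK_WEBHOOK = 'https://hooks.slack.com/services/PLACEHOLDER';

// Return form_id => title for every form with no field of type 'captcha'.
// $forms is the array of form arrays that GFAPI::get_forms() returns.
function forms_missing_captcha( array $forms ) {
    $missing = array();
    foreach ( $forms as $form ) {
        $has_captcha = false;
        foreach ( $form['fields'] as $field ) {
            // GF field objects expose their type as ->type; 'captcha' is the reCAPTCHA field.
            if ( isset( $field->type ) && 'captcha' === $field->type ) {
                $has_captcha = true;
                break;
            }
        }
        if ( ! $has_captcha ) {
            $missing[ (int) $form['id'] ] = (string) $form['title'];
        }
    }
    return $missing;
}
// Run the audit and notify Slack at most once per day per site, so a fleet-wide
// rollout produces one message per unprotected site instead of a flood.
function audit_forms_captcha_and_notify() {
    if ( get_transient( 'forms_captcha_audit_sent' ) ) {
        return; // already reported today
    }
    $missing = forms_missing_captcha( GFAPI::get_forms( true ) ); // active forms only
    set_transient( 'forms_captcha_audit_sent', 1, DAY_IN_SECONDS );
    if ( empty( $missing ) ) {
        return;
    }
    $lines = array();
    foreach ( $missing as $id => $title ) {
        $lines[] = sprintf( '#%d %s', $id, $title );
    }
    $text = sprintf( "%s: %d form(s) without CAPTCHA:\n%s", home_url(), count( $missing ), implode( "\n", $lines ) );
    wp_remote_post( FORMS_CAPTCHA_SLACK_WEBHOOK, array(
        'headers' => array( 'Content-Type' => 'application/json' ),
        'body'    => wp_json_encode( array( 'text' => $text ) ),
        'timeout' => 5,
    ) );
}
add_action( 'admin_init', 'audit_forms_captcha_and_notify' );
```

Dropping this into a must-use plugin on each site gives the central list of unprotected sites the bullet describes without touching individual forms.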
@curtismchale
Contributor

Cloudflare also has a CAPTCHA option that we could look at. I've started using it on my site and it's stopped all spam registrations.

@kevindherman
Author

@curtismchale interesting. If it's that much better that could be the carrot to get people on Cloudflare.

Maybe worth testing on PC.com since that has cloudflare and payment forms.

Petaluma has asked about CAPTCHA a few times and has Cloudflare, so they could be a good test case after that.

@curtismchale
Contributor

curtismchale commented Jan 8, 2025

Recommendation

For our standard setup we should use reCAPTCHA v3 now and make clear to users to check their SPAM from time to time to see if submissions are getting flagged. This is likely the most accessible option we have currently. Existing customers would need to have V3 set up and then have all the V2 fields removed from their forms for V3 to work as expected. The only con I see with V3 is that it requires a badge about V3 to be displayed on the whole site. We could also add it to a step in each form, but that seems less practical to add the V3 branding and links to the privacy policy for V3, so the badge is my recommended way.

If users want a "challenge" on each form I like Turnstile most as it requires no puzzle solving and is thus more accessible. Users with V2 now would need to have the GF Turnstile plugin installed and then the field added to the forms.

Notes

reCAPTCHA v2 (including invisible)

  • we need a form label because the field may show up sometimes
  • v2 requires user interaction with a challenge and the more you "fuzz" the challenge to make it harder for bots the harder you make it for users that need accessibility affordances to complete the challenge.
  • v2 accessibility affordances increase the likelihood a bot completes the form, as they can use the audio challenge and speech recognition, which is highly reliable. This is rare, but now seems to be available in public libraries for spam bots.
  • you must know English and be familiar with US-centric things like a "cab", which is yellow in much of the US but black in other countries and more often called a "taxi" around the world. This harms the accessibility of forms for users that didn't grow up in North America and may not have English as a first language.

reCAPTCHA v3

  • no field: enable it in settings with the GF plugin and it's everywhere, so there are no accessibility issues with a challenge needing to be solved
  • no user interaction: scores a form between 0 and 1, with 0 being a bot and 1 being a person. Default is 0.5, and that score and below is marked as spam in GF and then would need customer interaction to check the form
  • we can tweak the site wide threshold for this from a central spot if we want to say score a 0.6 as a bot

CloudFlare Turnstile

  • requires a field and the GF addon so existing forms need to be modified for each customer that moves
  • is just a field with a checkbox and does a bunch of stuff in the background measuring a user's browser, proof-of-work, and other stuff to see if it's dealing with a bot
  • pro: doesn't send information to google about users but to CloudFlare instead
  • users with a CloudFlare account can integrate Turnstile into their security rules for access which will enhance security
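The v3 scoring described in the notes above, as an added example (my code, not Gravity Forms' or Google's): the decision a server makes on a decoded siteverify response, with the 0 to 1 threshold, and with the action and hostname checked so a token issued for another page is not accepted. The threshold of 0.5, the action name and the hostname are constructed values.

```php
<?php
// Added example, not Gravity Forms' own code: decide whether a decoded reCAPTCHA v3
// siteverify response should be accepted, using the 0..1 score threshold the notes
// describe. Field names (success, score, action, hostname, error-codes) follow
// Google's siteverify JSON; the sample responses below are constructed.

// Returns array( 'allow' => bool, 'reason' => string ). Anything malformed or
// unverified is rejected (fail closed): a missing score must not pass as a human.
function evaluate_recaptcha_v3( array $resp, $threshold, $expected_action, $expected_host ) {
    if ( $threshold < 0.0 || $threshold > 1.0 ) {
        throw new InvalidArgumentException( 'threshold must be within [0, 1]' );
    }
    if ( empty( $resp['success'] ) ) {
        $codes = isset( $resp['error-codes'] ) ? implode( ',', (array) $resp['error-codes'] ) : 'none';
        return array( 'allow' => false, 'reason' => 'token not verified: ' . $codes );
    }
    // A v3 token is bound to the action the page requested and to the site's hostname;
    // checking both stops a token issued elsewhere from being accepted here.
    if ( ! isset( $resp['action'] ) || $resp['action'] !== $expected_action ) {
        return array( 'allow' => false, 'reason' => 'action mismatch' );
    }
    if ( ! isset( $resp['hostname'] ) || $resp['hostname'] !== $expected_host ) {
        return array( 'allow' => false, 'reason' => 'hostname mismatch' );
    }
    if ( ! isset( $resp['score'] ) || ! is_numeric( $resp['score'] ) ) {
        return array( 'allow' => false, 'reason' => 'score missing' );
    }
    $score = (float) $resp['score'];
    // As the note says, GF marks scores at or below the threshold (default 0.5) as spam,
    // so they land in the spam queue for a human to review rather than vanish.
    if ( $score <= $threshold ) {
        return array( 'allow' => false, 'reason' => sprintf( 'score %.2f at or below %.2f', $score, $threshold ) );
    }
    return array( 'allow' => true, 'reason' => sprintf( 'score %.2f', $score ) );
}

// Constructed sample responses: a likely human, a likely bot, a token for a different action, a failed check.
$samples = array(
    'human'  => array( 'success' => true, 'score' => 0.9, 'action' => 'contact_form', 'hostname' => 'example.com' ),
    'bot'    => array( 'success' => true, 'score' => 0.1, 'action' => 'contact_form', 'hostname' => 'example.com' ),
    'wrong'  => array( 'success' => true, 'score' => 0.9, 'action' => 'login', 'hostname' => 'example.com' ),
    'failed' => array( 'success' => false, 'error-codes' => array( 'timeout-or-duplicate' ) ),
);
foreach ( $samples as $name => $resp ) {
    $r = evaluate_recaptcha_v3( $resp, 0.5, 'contact_form', 'example.com' );
    printf( "%-6s allow=%s (%s)\n", $name, $r['allow'] ? 'yes' : 'no', $r['reason'] );
}
```

Raising the threshold passed in (the "0.6 as a bot" idea above) trades fewer bots for more real submissions landing in the spam queue, which is why the customer still needs to check it.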

@curtismchale
Contributor

Issue for next steps created: #2632
