From kiwitrees version 3.3.7 this tab provides some tools to assist in combatting attempts to insert spam content into your web site.

Kiwitrees has always had effective controls against this built-in, but spammers are becoming increasingly annoying, and require constant vigilance to prevent their intrusion. Most spam is just annoying. It is unlikely if your site and your kiwitrees settings are correctly configured. Even so, there are additional things that can be done, so these tools are additions to your defence.

Secret field

There are two major types of computer-automated spammers: those that read the displayed registration page and fill in each field; and more sophisticated ones that operate at the HTML source code level. These look at the code for typical registration fields such as user name, email, password etc..

The first group will normally be blocked by the Google reCaptcha option below. This works (in simple terms) by testing the response behaviour of the machine, rejecting any registration attempt that presents with Google’s interpretation of “robot” behaviour. But the second group bypass the Google feature completely. If you enable Google reCaptcha, but still see significant numbers of spam registration, try enabling this “secret field” option.

This works by including, in the HTML code only, an extra registration field. Humans will never see this field, but to these robots, it appears just like another field. We then include code that simply rejects any registration that includes an entry in this field. We also log such attempts, so you can see if it is working. All you need to do is enable (tick ‘yes’) this field.

Google reCaptcha v2

As described above, reCaptcha can be effective for some types of computer-automated spammers. To use it you will need to register with Google and obtain two “keys”, which you enter in fields that will disable once you enable this feature.

(Note: Google offer two versions, reCaptcha v2 and reCaptcha v3. This kiwitrees option can only use reCaptcha v2)

To use reCAPTCHA you must generate api keys from the Google’s recaptcha website. Api keys are free.

  1. Navigate to the recaptcha website
  2. Click on the “Get reCAPTCHA” blue button in the top right corner of your screen.

  3. You are now required to login with your Google account, if you do not have one, register for a free account.
  4. Once you’re logged in with your Google account, you will be presented with an interface to generate api keys for your website

Register your website

  • In order to register a website, simply type anything into the “label” field of the form. For example you can type the name of your website.
  • Type your website domain into the “Domains” field of the form, like displayed above.
  • Enter your email address into the “owners” area of the form.
This image has an empty alt attribute

Once you’ve filled the whole form, press the “Register” button. 

If everything is correct, you will be redirected to a new page with your new API keys ready to be used. 

Take note of the site key and secret key:

This image has an empty alt attribute; its file name is 5d6cf2d471db5.jpeg

Copy these two keys into the fields provided in kiwitrees at Administration > Site administration > Site configuration > Login & Registration tab, after first clicking the “yes” option to the item “Use Google reCAPTCHA v2”.

Days allowed for new user to verify email address

When a new user registers an account on your kiwitrees site the system requires that they verify their email address. This happens immediately the click the “send” (or”continue” button on the registration form. An email is sent to them continuing a message like this:

Hello John Smith …
You (or someone claiming to be you) registered an account at Our Families using the email address [email protected]
Follow this link to verify your email address.
Username: jonny
Comments: Test1
If you didn’t request an account, you can just delete this message.

If they don’t use that link to verify their email address, then the registration attempt stops (unless you choose to manually complete the process). A period of time is set to allow them to respond to the email, after which their details will appear on the list at Administration > Users > Delete inactive users, which allows you to easily delete large blocks of users with a single click. Originally this period was hard-coded at 7 days. Now, there is a setting at Administration > Site administration > Site configuration > Anti-spam tab where you can change that period to whatever you prefer.

On my own system, I have lowered it to just 2 days. This gives genuine registrations enough time to very their email, even across international time-zones, or to contact me to query why they did not receive the verification link (usually due to anti-spam blocking at their own mail system).

This clearly does not block the spam registrations, but it does make clean-up easier and quicker for you.