CleanTalk's blog

    Sign up

    Author: Anthony M

    • Recaptcha v3 always returns 0.9 score – research by CleanTalk

      Recaptcha v3 always returns 0.9 score – research by CleanTalk

      Who is this article for?

      We’ve been closely following the thread https://github.com/google/recaptcha/issues/235 and noticed that, despite being closed, users continue to report issues.

      We’ve decided to investigate the problem and share our findings with you.

      • How ReCaptcha v3 works
      • What is a score
      • Why you might get a score other than 0.9 in ReCaptcha v2
      • Why you always get a score of 0.9 in ReCaptcha v3
      • Our testing process
      • How to get an accurate score in a test environment
      • CleanTalk’s solutions

      Research Objective

      Users complain that when testing ReCaptcha v3, they always receive the same score of 0.9. However, in the same environments with ReCaptcha v2, the score varies.

      What is a Score?

      The score is the result of the ReCaptcha check. The closer it is to 1, the more likely the visitor is human. The closer it is to 0, the more likely the visitor is a bot.

      How ReCaptcha v3 Works

      Note: The following findings are based on publicly available code and our interpretation.

      1. A user integrates the ReCaptcha script on a form page.
      2. A unique frontend token is added to each form.
      3. The script loads additional obfuscated code.
      4. The obfuscated code collects frontend data (a “black box” not accessible due to Google’s code obfuscation).
      5. Aggregated and encoded data + frontend token is sent to Google’s cloud to get a result token.
      6. The result token is sent to the backend of the testing environment.
      7. The backend validates the token via Google’s API, sending the backend token, result token, and the visitor’s IP address.
      8. Based on the score result, the backend environment can decide whether to allow the visitor to proceed.

      The backend environment decides whether to allow the visitor to proceed based on the score.

      We believe ReCaptcha v3 relies on machine learning based on the traffic environment. The exact decision-making algorithms are proprietary and remain a trade secret of Google.

      Why You Get Score <> 0.9 in ReCaptcha v2

      ReCaptcha v2 does not use machine learning for decision-making.
      It operates in one of two modes:

      1. in the user interaction mode (presence of click-the-flag mechanism on the page).
      2. In silent mode (reCaptcha v2 badge on the page).

      The data collection and processing occur in real time, allowing for accurate, immediate results. Learn more: https://developers.google.com/recaptcha/docs/versions.

      Why You Always Get a Score = 0.9 in ReCaptcha v3:

      ReCaptcha v3 relies on machine learning based on traffic data.
      A consistent score of 0.9 indicates the system lacks sufficient data about your typical traffic to make an accurate decision. To avoid false positives, the system grants a 0.9 score to all visitors until trained.

      Our Testing Process

      Test Environment

      • A PHP website running WordPress 6.2.
      • ReCaptcha v3 integrated according to instructions.

      Bot

      A simple bot created in Python using Selenium.

      The bot was run from three IP addresses, emulating the following parameters

      • headless
      • user agents
      • headers
      • clicks
      • form submissions

      Process

      The bot ran for 24 hours, performing sequential visits and form submissions with random parameters.

      No live traffic was sent to the site.

      Results

      • All bot requests returned a score of 0.9.
      • The score did not change over time.
      • No statistics appeared in Google Analytics.
        We hypothesize that traffic presence, volume, and quality in Google Analytics may act as a training marker for the ReCaptcha system.

      How to Get an Accurate Score in a Test Environment

      The recaptcha v3 model assumes long-lasting training on live traffic.

      This means that the test environment must be loaded in the same way as the production environment. Which will undoubtedly cause some difficulties in deploying such an environment and getting the payload.

      We believe that to get the right score a user will have to turn to testing in a productive environment.

      However, the policy of most companies we know of (including CleanTalk of course) restricts any testing in a production environment.

      Unfortunately, we couldn’t find specific terms for the duration of training in Google’s official documentation. We believe that the duration of training depends on the following parameters:

      • Traffic load
      • Ratio of bots to real users
      • Percentage of “intelligent” bots among total bot traffic

      Without live traffic, no settings or configurations will yield an accurate score in a test environment.

      CleanTalk’s Solutions

      CleanTalk Check Bot

      • Decisions are made online without machine learning.
      • Simpler integration—no need to manually add tokens to forms.
      • Extensive documentation available: GitHub CleanTalk API
      • Immediate and relevant testing results.
      • Technical support response within 24 hours.

      Anti-Spam SAAS for CMS

      CleanTalk provides a cloud-based anti-spam service for websites, blocking spam in real time without CAPTCHAs. It integrates with CMS platforms like WordPress and Joomla, securing comments, registrations, and contact forms. Features include SpamFireWall to block spambots, email validation, and detailed logs, ensuring seamless protection and improved user experience.

      Anti-Spam CleanTalk API

      CleanTalk offers a suite of APIs that integrate anti-spam functionalities into various applications. The Anti-Spam API includes methods like

      • check_newuser() for registration checks;
      • check_message() for evaluating comments and contact form submissions;
      • send_feedback() for moderator inputs.

      The Database (Blacklists) API provides

      • spam_check() to verify IP and email records against CleanTalk’s database;
      • backlinks_check() to detect domains associated with spam;
      • the ip_info() method returns country codes for IP addresses.

      For managing personal lists and uptime monitoring, the Dashboard API offers dedicated methods. These APIs enable developers to enhance their applications’ security and spam prevention capabilities effectively.

    • Malware Auto-Cure Update: Enhanced Threat Treatment and Logging

      Malware Auto-Cure Update: Enhanced Threat Treatment and Logging

      The latest update to Malware Auto-Cure System in the CleanTalk Security Plugin introduces significant improvements in threat detection and remediation, ensuring a more effective and reliable security solution.

      • Fixed the treatment process when a file may contain multiple threats.
      • Fixed the treatment process when a file can only be partially cured.
      • Added detailed logging of automatic treatment results.
      • Added responses to the initiation of manual treatment.
      • Fixed an issue where a file could never be treated due to missing instructions. Now, if an instruction becomes available after a failed treatment attempt, the treatment will succeed.

      The update strengthens our commitment to proactive cybersecurity, reducing infection persistence and ensuring a higher success rate in malware remediation.

    • FiboSearch Spam Protection

      FiboSearch Spam Protection

      CleanTalk added spam protection for FiboSearch Search Forms for WooCommerce in the CleanTalk Anti-Spam plugin using direct form integration. So in case, you prefer using search forms be sure to use the most effective Anti-Spam plugin. Read the guide below and learn 4 steps to protect all your contact forms from spam.

      Once the CleanTalk Anti-Spam plugin is installed it starts to protect all of the existing forms on your WordPress website. It may not only be FiboSearch but also many others.

      Download CleanTalk Anti-Spam plugin | Download FiboSearch 

      How to install CleanTalk Anti-Spam plugin

      To install the Anti-Spam plugin, go to your WordPress admin panelPluginsAdd New.

      Then enter «CleanTalk» in the search box and click the Install button for «Spam protection, Anti-Spam, FireWall by CleanTalk».

      After installing the plugin, click the «Activate»‎ button.

      After it is done go to the plugin settings and click the «Get Access Key Automatically» button. Then just click the «Save Settings»‎ button.

      That’s it! From now you How to completely protect your FiboSearch from spam.

      banner 1544x500

      If you have any questions, add a comment and we will be happy to help you.

      Create your CleanTalk account – Register now and protect your Contact Forms from spam in 5 minutes

      Additional features

      • CleanTalk protects all forms at once: comments, registrations, feedback, contacts and reviews.
      • Installation takes about 1-2 minutes.
      • Smart 99% protection against spambots.
      • Always online – 24/7 technical support.
      • Logs, SpamFireWall, personal lists, country filters, stop-words, and many others.

      Discover the complete list of CleanTalk Anti-Spam plugin features here.

    • Our client’s review: NANIROSSI.IT

      Our client’s review: NANIROSSI.IT

      We continue sharing our clients’ reviews and today’s great review is kindly brought to you by Matteo Mazzei from nanirossi.it on Trustpilot.

      usefull and simply to install WP plugin

      Screenshot 2025 02 03 172042
      Screenshot 2025 02 03 172042
    • Our client’s review: UPWITHDOWN.BG

      Our client’s review: UPWITHDOWN.BG

      We continue sharing our clients’ reviews and today’s great review is kindly brought to you by Borislav from upwithdown.bg on WordPress.

      Perfect!

      I tested so many plugins to stop spam registrations but only CleanTalk worked!!!

      Just install it and spam stopped immediately.

      Thank you so much!!!

      2024 12 16 14 29 57
    • Decorate your website forms for the holidays

      Decorate your website forms for the holidays

      New Year is coming and we’ve got some holiday spirit news for you!

      We are launching an option for the Anti-Spam plugin, which adds special designs for your WordPress websites’ standard comment forms, including holiday designs. Not only does this attract attention in your comment form, but it also is an active protection against bots and strengthens your site’s defense.

      We are actively working on this option and you can check an example of the form design in the comments below this post. The option is currently in beta but is available in the Anti-Spam plugin starting from version 6.47, which has already been released.

      Please write, what you think about the option in the comments below, we really want your opinion.

      How to enable decorated forms

      Step 1: Go to the Anti-Spam plugin Settings and click on the Advanced settings link.

      2024 12 13 10 17 023

      Step 2: Enable the Holiday form decoration option by switching it to on. Then press the Save changes button.

      2024 12 13 10 18 222

      Step 3: Check the result – go to your site and see if the decoration works well. If not – please let us know in the comments below this post.

      Post update Feb 02 2025. Announcement: Holiday Form Decoration Feature Removal Due to Low Demand

    • Thank You for 3,000 Reviews!

      Thank You for 3,000 Reviews!

      We are beyond grateful to announce that, thanks to you, we’ve hit 3,000 reviews on WordPress.org! This milestone reflects your trust, support, and shared journey with us.

      Every review is more than just feedback – it’s a story, a connection, sometimes mistakes =) and a reminder of why we do what we do. Your words inspire us to grow, improve, and continue delivering the best.

      To each and every one of you, thank you for being part of our community. There are a lot of milestones waiting ahead!

      https://wordpress.org/support/plugin/cleantalk-spam-protect/reviews
      https://wordpress.org/support/plugin/cleantalk-spam-protect/reviews/

    • Security vulnerability in CleanTalk plugins fixed – please update your plugins

      Security vulnerability in CleanTalk plugins fixed – please update your plugins

      There was a security vulnerability, that was discovered in both Anti-Spam (versions <= 6.43.2) and Security & Malware scan (versions <= 2.145). The vulnerability was relevant to some users, who had created an account, but hadn’t inputed the Access Key. The vulnerability was discovered, but wasn’t exploited.

      We’ve taken immediate action to address this issue and fixed all the vulnerabilities. The only thing you need to do is to ensure, that you use an up-to-date version of the plugin.

       

      How to update the plugin

      To protect your website, please update the plugins to the latest version as soon as possible. This update will ensure that your website is secured against the vulnerability.

      1. Log in to your WordPress Dashboard: Access your website’s administrative area.
      2. Navigate to “Plugins”: Click on the “Plugins” menu.
      3. Update Your Plugins: Look for the available updates for both Anti-Spam and Security plugins. Click the “Update Now” button for each plugin.

      We apologize for any inconvenience this may cause. Your security is our top priority, and we appreciate your prompt attention to this matter.

      If you have any questions or concerns, please don’t hesitate to drop a comment below or create a private ticket.

    • 9 new fields added in the Blacklists Database

      9 new fields added in the Blacklists Database

      There are several new fields in both Blacklists API and Offline Database. It will help you see the exact time of the checks and a few other things.

      Offline Database

      In the Offline Database there are 4 new fields for the IP files:

      • IP updated time – time from the corresponding date fields. Format: HH:MM:SS
      • Net updated time – time from the corresponding date fields. Format: HH:MM:SS
      • AS updated time – time from the corresponding date fields. Format: HH:MM:SS
      • Last updated – date and time of the last status update. Format: YYYY-MM-DD HH:MM:SS

      And 3 new fields for email files:

      • Submitted time – time from the corresponding date fields. Format: HH:MM:SS
      • Updated time – time from the corresponding date fields. Format: HH:MM:SS
      • Last updated – date and time of the last status update. Format: HH:MM:SS

      spam_check() API method

      As for the spam_check() API method, there were two new fields added for email checking:

      • in_antispam_updated – date and time of the last status update. Format: YYYY-MM-DD HH:MM:SS. API response example,
      JSONwe******@cl*******.org":{"frequency": 0,"submitted": "2024-08-05 09:13:35","updated": "2024-08-05 09:13:35", "spam_rate": 0,"exists": 1,"spam_frequency_24h": 0,"appears": 0,"disposable_email": 0, "in_antispam_updated": "2024-08-05 09:13:35","in_antispam_previous": 1,"sha256": "be25f8b7b9fa76bdf8a2a3275f60dd7603c758598e77b332857a9867f0d6598e"}}}” style=”color:#d8dee9ff;display:none” aria-label=”Copy” class=”code-block-pro-copy-button”>
      {"data":{"we******@cl*******.org":{"frequency": 0,"submitted": "2024-08-05 09:13:35","updated": "2024-08-05 09:13:35",
"spam_rate": 0,"exists": 1,"spam_frequency_24h": 0,"appears": 0,"disposable_email": 0,
"in_antispam_updated": "2024-08-05 09:13:35","in_antispam_previous": 1,"sha256": "be25f8b7b9fa76bdf8a2a3275f60dd7603c758598e77b332857a9867f0d6598e"}}}
      • in_antispam_previous –  the previous Anti-Spam blacklist status. It can show if the record was blacklisted or not (0 – wasn’t blacklisted, 1 – was blacklisted, NULL – no change). Format: 1. API response example,
      JSON
      {"data":{"8.8.8.8":{"domains_count": 3011,"domains_list": null,"spam_rate": 1,"submitted": "2022-02-09 21:05:06",
"updated": "2024-10-11 15:25:25","frequency": 6,"in_antispam": 0,"in_security": 0,"in_antispam_previous": 1,
"in_antispam_updated": "2024-03-05 16:20:44","spam_frequency_24h": 0,"appears": 0,"network_type": "hosting",
"country": "US","sha256": "838c4c2573848f58e74332341a7ca6bc5cd86a8aec7d644137d53b4d597f10f5"}}}

      Learn more about using the Blacklists Database API in our Help.

    • PAYG is no longer used in adding extra website

      PAYG is no longer used in adding extra website

      The Pay-As-You-Go payment method will no longer be used when adding extra websites to your Anti-Spam or Security license. When you need to add an extra website and no free slots are left in your current license, your plan will be automatically upgraded.

      If you have any questions feel free to ask a question in the comments below or create a private ticket.