Category: Anti-Spam

  • Recaptcha v3 always returns 0.9 score – research by CleanTalk

    Who is this article for?

    We’ve been closely following the thread https://github.com/google/recaptcha/issues/235 and noticed that, despite being closed, users continue to report issues.

    We’ve decided to investigate the problem and share our findings with you.

    • How ReCaptcha v3 works
    • What is a score
    • Why you might get a score other than 0.9 in ReCaptcha v2
    • Why you always get a score of 0.9 in ReCaptcha v3
    • Our testing process
    • How to get an accurate score in a test environment
    • CleanTalk’s solutions

    Research Objective

    Users complain that when testing ReCaptcha v3, they always receive the same score of 0.9. However, in the same environments with ReCaptcha v2, the score varies.

    What is a Score?

    The score is the result of the ReCaptcha check. The closer it is to 1, the more likely the visitor is human. The closer it is to 0, the more likely the visitor is a bot.

    How ReCaptcha v3 Works

    Note: The following findings are based on publicly available code and our interpretation.

    1. A user integrates the ReCaptcha script on a form page.
    2. A unique frontend token is added to each form.
    3. The script loads additional obfuscated code.
    4. The obfuscated code collects frontend data (a “black box” not accessible due to Google’s code obfuscation).
    5. The aggregated, encoded data and the frontend token are sent to Google’s cloud to obtain a result token.
    6. The result token is sent to the backend of the testing environment.
    7. The backend validates the token via Google’s API, sending the backend token, result token, and the visitor’s IP address.
    8. Based on the score result, the backend environment can decide whether to allow the visitor to proceed.

    The backend environment decides whether to allow the visitor to proceed based on the score.
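    Steps 7 and 8 written out as an added example (not CleanTalk's or Google's code), with a check for the constant-score condition this article investigates. The action name, hostname, 0.5 threshold, placeholder secret and token, and the sample verdicts are assumptions constructed for illustration.

```python
import io
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

def siteverify(secret, token, remote_ip, opener=urllib.request.urlopen):
    """Step 7: POST the backend secret, result token and visitor IP to Google."""
    body = urllib.parse.urlencode(
        {"secret": secret, "response": token, "remoteip": remote_ip}).encode()
    request = urllib.request.Request(SITEVERIFY_URL, data=body)
    with opener(request, timeout=5) as reply:
        return json.load(reply)

def decide(result, expected_action, expected_host, threshold=0.5):
    """Step 8: check every field of the verdict, not only the score."""
    if result.get("success") is not True:
        return False, "rejected:" + ",".join(result.get("error-codes", ["unknown"]))
    if result.get("action") != expected_action:
        return False, "action-mismatch"
    if result.get("hostname") != expected_host:
        return False, "hostname-mismatch"
    if float(result.get("score", 0.0)) < threshold:
        return False, "low-score"
    return True, "ok"

def scores_are_flat(scores, min_samples=20):
    """True when enough verdicts exist and every one carries the same score."""
    return len(scores) >= min_samples and len(set(scores)) == 1

# Constructed sample verdicts in the siteverify JSON shape (not captured traffic).
SAMPLE_OK = {"success": True, "score": 0.9, "action": "contact_form",
             "hostname": "test.example", "challenge_ts": "2025-01-01T00:00:00Z"}
SAMPLE_REPLAYED = {"success": False, "error-codes": ["timeout-or-duplicate"]}

def fake_opener(request, timeout=None):
    """Offline stand-in for urlopen that always answers with SAMPLE_OK."""
    return io.BytesIO(json.dumps(SAMPLE_OK).encode())

if __name__ == "__main__":
    verdict = siteverify("SECRET_PLACEHOLDER", "TOKEN_PLACEHOLDER",
                         "203.0.113.7", opener=fake_opener)
    print(decide(verdict, "contact_form", "test.example"))
    print(decide(SAMPLE_REPLAYED, "contact_form", "test.example"))
    print(scores_are_flat([0.9] * 24))
```

    When `scores_are_flat` holds for a site's logged verdicts, a threshold on the score separates nothing, so the other fields are the only signal the backend is actually enforcing.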

    We believe ReCaptcha v3 relies on machine learning based on the traffic environment. The exact decision-making algorithms are proprietary and remain a trade secret of Google.

    Why You Get a Score Other Than 0.9 in ReCaptcha v2

    ReCaptcha v2 does not use machine learning for decision-making.
    It operates in one of two modes:

    1. In user interaction mode (a click-the-flag mechanism is present on the page).
    2. In silent mode (a reCaptcha v2 badge is present on the page).

    The data collection and processing occur in real time, allowing for accurate, immediate results. Learn more: https://developers.google.com/recaptcha/docs/versions.

    Why You Always Get a Score = 0.9 in ReCaptcha v3

    ReCaptcha v3 relies on machine learning based on traffic data.
    A consistent score of 0.9 indicates the system lacks sufficient data about your typical traffic to make an accurate decision. To avoid false positives, the system grants a 0.9 score to all visitors until trained.

    Our Testing Process

    Test Environment

    • A PHP website running WordPress 6.2.
    • ReCaptcha v3 integrated according to instructions.

    Bot

    A simple bot created in Python using Selenium.

    The bot was run from three IP addresses, emulating the following parameters:

    • headless
    • user agents
    • headers
    • clicks
    • form submissions

    Process

    The bot ran for 24 hours, performing sequential visits and form submissions with random parameters.

    No live traffic was sent to the site.

    Results

    • All bot requests returned a score of 0.9.
    • The score did not change over time.
    • No statistics appeared in Google Analytics.
      We hypothesize that traffic presence, volume, and quality in Google Analytics may act as a training marker for the ReCaptcha system.

    How to Get an Accurate Score in a Test Environment

    The ReCaptcha v3 model assumes long-term training on live traffic.

    This means that the test environment must be loaded in the same way as the production environment, which will undoubtedly cause some difficulties in deploying such an environment and generating the load.

    We believe that, to get the right score, a user will have to resort to testing in a production environment.

    However, the policy of most companies we know of (including CleanTalk of course) restricts any testing in a production environment.

    Unfortunately, we couldn’t find specific terms for the duration of training in Google’s official documentation. We believe that the duration of training depends on the following parameters:

    • Traffic load
    • Ratio of bots to real users
    • Percentage of “intelligent” bots among total bot traffic

    Without live traffic, no settings or configurations will yield an accurate score in a test environment.

    CleanTalk’s Solutions

    CleanTalk Check Bot

    • Decisions are made online without machine learning.
    • Simpler integration—no need to manually add tokens to forms.
    • Extensive documentation available: GitHub CleanTalk API
    • Immediate and relevant testing results.
    • Technical support response within 24 hours.

    Anti-Spam SaaS for CMS

    CleanTalk provides a cloud-based anti-spam service for websites, blocking spam in real time without CAPTCHAs. It integrates with CMS platforms like WordPress and Joomla, securing comments, registrations, and contact forms. Features include SpamFireWall to block spambots, email validation, and detailed logs, ensuring seamless protection and improved user experience.

    Anti-Spam CleanTalk API

    CleanTalk offers a suite of APIs that integrate anti-spam functionalities into various applications. The Anti-Spam API includes methods like

    • check_newuser() for registration checks;
    • check_message() for evaluating comments and contact form submissions;
    • send_feedback() for moderator inputs.

    The Database (Blacklists) API provides

    • spam_check() to verify IP and email records against CleanTalk’s database;
    • backlinks_check() to detect domains associated with spam;
    • ip_info() to return country codes for IP addresses.

    For managing personal lists and uptime monitoring, the Dashboard API offers dedicated methods. These APIs enable developers to enhance their applications’ security and spam prevention capabilities effectively.

  • FiboSearch Spam Protection

    CleanTalk has added spam protection for FiboSearch Search Forms for WooCommerce to the CleanTalk Anti-Spam plugin using direct form integration. So if you prefer using search forms, be sure to use the most effective Anti-Spam plugin. Read the guide below and learn the 4 steps to protect all your contact forms from spam.

    Once the CleanTalk Anti-Spam plugin is installed it starts to protect all of the existing forms on your WordPress website. It may not only be FiboSearch but also many others.

    Download CleanTalk Anti-Spam plugin | Download FiboSearch 

    How to install CleanTalk Anti-Spam plugin

    To install the Anti-Spam plugin, go to your WordPress admin panel > Plugins > Add New.

    Then enter «CleanTalk» in the search box and click the Install button for «Spam protection, Anti-Spam, FireWall by CleanTalk».

    After installing the plugin, click the «Activate» button.

    Once that is done, go to the plugin settings and click the «Get Access Key Automatically» button. Then just click the «Save Settings» button.

    That’s it! Now you know how to completely protect your FiboSearch from spam.

    If you have any questions, add a comment and we will be happy to help you.

    Create your CleanTalk account – Register now and protect your Contact Forms from spam in 5 minutes

    Additional features

    • CleanTalk protects all forms at once: comments, registrations, feedback, contacts and reviews.
    • Installation takes about 1-2 minutes.
    • Smart 99% protection against spambots.
    • Always online – 24/7 technical support.
    • Logs, SpamFireWall, personal lists, country filters, stop-words, and many others.

    Discover the complete list of CleanTalk Anti-Spam plugin features here.

  • Our client’s review: NANIROSSI.IT

    We continue sharing our clients’ reviews and today’s great review is kindly brought to you by Matteo Mazzei from nanirossi.it on Trustpilot.

    useful and simple to install WP plugin

  • Our client’s review: UPWITHDOWN.BG

    We continue sharing our clients’ reviews and today’s great review is kindly brought to you by Borislav from upwithdown.bg on WordPress.

    Perfect!

    I tested so many plugins to stop spam registrations but only CleanTalk worked!!!

    Just install it and spam stopped immediately.

    Thank you so much!!!

  • Decorate your website forms for the holidays

    New Year is coming and we’ve got some holiday spirit news for you!

    We are launching an option for the Anti-Spam plugin, which adds special designs for your WordPress websites’ standard comment forms, including holiday designs. Not only does this attract attention in your comment form, but it also is an active protection against bots and strengthens your site’s defense.

    We are actively working on this option and you can check an example of the form design in the comments below this post. The option is currently in beta but is available in the Anti-Spam plugin starting from version 6.47, which has already been released.

    Please tell us what you think about the option in the comments below; we really want your opinion.

    How to enable decorated forms

    Step 1: Go to the Anti-Spam plugin Settings and click on the Advanced settings link.

    Step 2: Enable the Holiday form decoration option by switching it to on. Then press the Save changes button.

    Step 3: Check the result – go to your site and see if the decoration works well. If not – please let us know in the comments below this post.

    Post update Feb 02 2025. Announcement: Holiday Form Decoration Feature Removal Due to Low Demand

  • Thank You for 3,000 Reviews!

    We are beyond grateful to announce that, thanks to you, we’ve hit 3,000 reviews on WordPress.org! This milestone reflects your trust, support, and shared journey with us.

    Every review is more than just feedback – it’s a story, a connection, sometimes mistakes =) and a reminder of why we do what we do. Your words inspire us to grow, improve, and continue delivering the best.

    To each and every one of you, thank you for being part of our community. There are a lot of milestones waiting ahead!

    https://wordpress.org/support/plugin/cleantalk-spam-protect/reviews

  • CleanTalk Anti-Spam as a No-jQuery WordPress Plugin for Optimal Performance

    With this update, we polished CleanTalk Anti-Spam to do what it’s supposed to do the best. And here’s what was improved in the plugin in more detail.

    What Did We Do

    1. Reducing jQuery Dependency
      • Why jQuery? jQuery was often included to handle some JavaScript tasks but sometimes added extra weight to your website.
      • New Approach: We replaced jQuery with native JavaScript where possible. This will reduce the amount of code needed to load and parse, hence offering faster page load times.
    2. Simplify Handling of AJAX
      • AJAX and Anti-Spam: AJAX helps perform real-time anti-spam checks. However, incorrect AJAX requests may make your website slow.
      • Improved AJAX: We further improved our AJAX handling by reducing the number of requests and enhancing the data transfer process. This will keep the anti-spam checks lean without interfering with the user experience at all.
    3. The debug_ajax Option
      • The debug_ajax option was only given for development purposes and seldom, if ever, used in production environments. To make the plugin core even slimmer, we removed this option.
    4. comments__manage_comments_on_public_page Option
      • That is when comments need to be enabled on a public page. Comment visibility and comment moderation make the option work seamlessly without compromising security.

    Results

    With these optimizations, your website, essentially the pages with an active comment section, is guaranteed to see a significant improvement in speed and performance, which will be reflected positively in the visitor experience, with better SEO rankings and hence a better overall user experience.

    Let’s see what PageSpeed Insights has to say:

    Before: [PageSpeed Insights screenshot]

    After: [PageSpeed Insights screenshot]

    Update Today

    We recommend that you update to the latest release of CleanTalk Anti-Spam to take advantage of these performance enhancements.

    Automatic Update:

    1. Check for Updates:
      • Go to your WordPress admin dashboard.
      • Navigate to Plugins > Installed Plugins.
      • Locate the “Anti-Spam by CleanTalk” plugin.
      • You’ll see an “Update Now” button next to the plugin name.
    2. Update the Plugin:
      • Click the “Update Now” button.
      • WordPress will automatically download and install the latest version of the plugin.
  • Security vulnerability in CleanTalk plugins fixed – please update your plugins

    A security vulnerability was discovered in both Anti-Spam (versions <= 6.43.2) and Security & Malware scan (versions <= 2.145). The vulnerability was relevant to some users who had created an account but hadn’t entered the Access Key. The vulnerability was discovered, but wasn’t exploited.

    We’ve taken immediate action to address this issue and fixed all the vulnerabilities. The only thing you need to do is ensure that you use an up-to-date version of the plugin.

    How to update the plugin

    To protect your website, please update the plugins to the latest version as soon as possible. This update will ensure that your website is secured against the vulnerability.

    1. Log in to your WordPress Dashboard: Access your website’s administrative area.
    2. Navigate to “Plugins”: Click on the “Plugins” menu.
    3. Update Your Plugins: Look for the available updates for both Anti-Spam and Security plugins. Click the “Update Now” button for each plugin.

    We apologize for any inconvenience this may cause. Your security is our top priority, and we appreciate your prompt attention to this matter.

    If you have any questions or concerns, please don’t hesitate to drop a comment below or create a private ticket.

  • Bots and Your Website: How Much of Your Traffic is Fake?

    Not all your website traffic is genuine. Hidden within your analytics are bots – automated programs that can mimic human behavior. Think of them like little robots that visit your website and pretend to be people. While some bots are harmless (like the ones that help Google find your site), others can cause trouble. They can clog up your contact forms with spam, create fake accounts, and even place phony orders. Those fake traffic bots are like a bunch of party crashers at your online store who aren’t there to buy anything, just to cause a mess!

    Just how big is this problem?

    Well, studies show that up to 30% of all web traffic might actually be bots! That means almost one in three “visitors” to your site might not be a real person. And when it comes to contact forms, things get even worse. Experts say that up to 40% of all form submissions could be spam generated by bots. That’s a lot of wasted time and effort dealing with junk! Even registrations and orders can be affected, with estimates suggesting that 10% of new accounts and 5% of online orders could be fake.

    fake traffic bots stats

    Why should you care?

    These sneaky bots can cause a lot of headaches for businesses. They can:

    • Waste your time: Dealing with spam messages and fake accounts takes time and effort away from real customers.
    • Mess up your data: Bots can make your website statistics unreliable, making it harder to understand how real people are using your site.
    • Hurt your reputation: If your contact form is full of spam, it makes your business look unprofessional.
    • Cost you money: Fake orders can lead to financial losses and logistical nightmares.

    So, what can you do about it?

    Imagine having a super-smart bouncer for your website, someone who can spot fake traffic bots before they even get through the door. That’s what CleanTalk Anti-Spam and Security plugins do! They’re like a 24/7 security team dedicated to keeping your website safe and clean.

    Here’s how CleanTalk helps protect your forms and keeps spam away:

    • CleanTalk is a pro at protecting all kinds of forms on your website, from contact forms to registration forms and even order forms. It checks every submission to make sure it’s from a real person, not a spam bot trying to cause trouble.
    • CleanTalk can even help you get rid of spam that’s already on your website. It can scan your comments and other content to find and remove those spam links that bots leave behind.

    CleanTalk is like having a dedicated team of experts protecting your website, making sure your forms are safe, your content is clean, and those pesky bots are kept far, far away.

  • XenForo 2 spam protection has been strengthened by the Bot Detector feature

    The Bot Detector technology identifies spam bots more accurately, greatly enhancing spam bot protection for your XenForo 2 website. The feature is enabled by default starting from version 3.0.1, so the only thing you need to do is update the Anti-Spam plugin following the instructions.