Integrating the New Google reCAPTCHA With YOURLS

This guide and screenshots are courtesy of Jared Stark and Erasure Web Services, originally available on their own bitty.link shortener. It’s duplicated here in case theirs goes offline or missing, but please check the original link first in case they have updated it. Many thanks to them!

How to integrate the New Google reCAPTCHA With YOURLS

The problem

URL shortening services are often a target for automated spam form submissions. The traditional way to prevent spam bots from doing this is to require a captcha to be properly filled out before a form can be submitted. Unfortunately, captchas can significantly reduce the quality of a user experience as they require deciphering cryptic text, putting the pieces of a puzzle together, or some other action which can significantly increase the amount of time a user spends trying to complete a form.

The new Google reCAPTCHA service aims to get rid of those traditional problems with captchas by providing what they call the “No CAPTCHA reCAPTCHA experience.” This is accomplished by using an “advanced risk analysis system” which can separate actual humans from bots with just the check of a box. More information about this system can be found on the Google reCAPTCHA website.

Because of its ease of use, the new Google reCAPTCHA is ideal for URL shortening websites since it allows users to create short URLs quickly while preventing spam at the same time. This tutorial will show you how to integrate this service into a YOURLS installation, much like what this website, bitty.link, uses.

The solution: tutorial

This tutorial will show how to implement the “No CAPTCHA reCAPTCHA” into the default YOURLS public interface setup. Obviously, it can be tweaked and modified for other public interfaces.

Please note that this tutorial uses the reCAPTCHA API 1.0.

  1. Visit the Google reCAPTCHA website. You will need to “Get reCAPTCHA,” which requires a Google account. After filling out the required information, you should receive your site key and secret key. Make sure to keep this information handy.
  2. In your YOURLS installation, open the file includes/functions-html.php. Copy the JavaScript client-side script from the reCAPTCHA website and place it in the described place (screenshot)
  3. Open your public interface file. On the reCAPTCHA website, copy the “sitekey” line and paste it in the described place (screenshot)
  4. Upload a copy of the captcha.php and recaptchalib.php files to the directory of your YOURLS installation that has your public user interface in it. Although those two files do not use the most recent reCAPTCHA API, they are easier to implement and will still work just fine.
  5. In the captcha.php file, paste in your secret and site keys to the indicated spots.
  6. Open your public user interface file. Paste the following under where it says “Part to be executed if FORM has been submitted:”

         include('captcha.php');
         if ($resp != null && $resp->success) {

     (screenshot)
  7. Place a } at the end of the text block in the example photo: (screenshot)

This is the most basic way to get the new Google reCAPTCHA working on your YOURLS installation. It will prevent spam bots from submitting automated requests, but if a user fails to fill out the captcha, no reason for the failed request will be shown unless more code is added.
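One way to add the missing failure reason, as an added example that is not the tutorial's captcha.php or recaptchalib.php (neither file is shown on this page): it calls Google's siteverify endpoint directly instead of going through those files. `RECAPTCHA_SECRET`, the helper names and the `url` form field are assumptions.

```php
<?php
// Added example, not the tutorial's captcha.php / recaptchalib.php (not shown on the page).
// Assumptions: siteverify is called directly; RECAPTCHA_SECRET is a placeholder; form field "url".
const RECAPTCHA_SECRET = 'your-secret-key-here'; // placeholder: stays on the server

/** Turn a decoded siteverify reply into [bool $ok, string $reason]. */
function recaptcha_verdict(?array $reply): array {
    if ($reply === null) {
        return [false, 'Could not reach the captcha service. Please try again.'];
    }
    if (($reply['success'] ?? false) === true) {
        return [true, ''];
    }
    $codes = (array) ($reply['error-codes'] ?? []);
    if (in_array('missing-input-response', $codes, true)) {
        return [false, 'Please tick the captcha box before submitting.'];
    }
    if (in_array('timeout-or-duplicate', $codes, true)) {
        return [false, 'The captcha expired or was already used. Please tick it again.'];
    }
    return [false, 'Captcha verification failed.'];
}

/** POST the token to Google; returns decoded JSON, or null on any transport/parse error. */
function recaptcha_query(string $secret, string $token, string $ip): ?array {
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => 'Content-Type: application/x-www-form-urlencoded',
        'content' => http_build_query(['secret' => $secret, 'response' => $token, 'remoteip' => $ip]),
        'timeout' => 5,
    ]]);
    $raw  = @file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $ctx);
    $json = ($raw === false) ? null : json_decode($raw, true);
    return is_array($json) ? $json : null;
}

// In the public interface, where the form submission is handled:
if (isset($_POST['url'])) {
    $token = is_string($_POST['g-recaptcha-response'] ?? null) ? $_POST['g-recaptcha-response'] : '';
    [$ok, $reason] = recaptcha_verdict(recaptcha_query(RECAPTCHA_SECRET, $token, $_SERVER['REMOTE_ADDR'] ?? ''));
    if (!$ok) {
        // Fail closed: no short URL is created, and the visitor is told why.
        echo '<p class="error">' . htmlspecialchars($reason) . '</p>';
    } else {
        // ... existing YOURLS code that creates the short URL runs here ...
    }
}
```

A transport error is treated the same as a failed captcha, so an unreachable verification service never lets an unverified submission through.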

Tutorial written by Jared Stark for bitty.link

Short URL to this post: http://yourls.org/di

Getting spam links in YOURLS? Read this.

I regularly get reports or calls for help about YOURLS installs that are flooded with spam links despite being configured as private (i.e. constant YOURLS_PRIVATE set to true, as 99% of installs should have).

In 9 cases out of 10, the “problem” is that the user also has set up an unprotected public interface through which anyone can shorten links. Seriously. PEBKAC, really.

But a kind and smart user also brought to my attention a (stupid) server default config that can make your YOURLS install spammable: on some machines, filename.php.txt is interpreted as a PHP file instead of a text file.

In other words, when loading sample-public-front-page.php.txt in your browser, instead of seeing code in a text file, you might see this:

(screenshot: your-server-sucks)

Check right now that your server is properly configured. If that’s not the case, delete or rename those *.php.txt files and poke your server admins because I’m pretty sure that’s not how a web server is supposed to run.

Note: if you’re purposely running a public YOURLS install and you are getting spam, that is another matter. There are numerous anti spam plugins for YOURLS. Use them.
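The *.php.txt check described above can be scripted. This is an added example, not code from YOURLS: it requests sample-public-front-page.php.txt from your own install and reports whether the source came back as text or the file was executed. The function names and the sample bodies are assumptions constructed for illustration.

```php
<?php
// Added example: classify how a server answers a request for a *.php.txt file.
// Assumptions: function names are hypothetical; the sample bodies at the bottom are constructed.

/** Returns 'absent', 'served-as-text' (expected) or 'executed' (misconfigured server). */
function classify_php_txt(int $status, string $body): string {
    if (in_array($status, [403, 404, 410], true)) {
        return 'absent'; // file deleted, renamed or blocked
    }
    // Served as plain text, the source reaches the client with its PHP open tag intact.
    // If the server ran the file through PHP, the tag is consumed and only output comes back.
    return (strpos($body, '<?php') !== false) ? 'served-as-text' : 'executed';
}

/** Fetch a URL; returns [final HTTP status, body]. Status 0 means the request failed. */
function fetch_status_and_body(string $url): array {
    $ctx  = stream_context_create(['http' => ['ignore_errors' => true, 'timeout' => 5]]);
    $body = @file_get_contents($url, false, $ctx);
    $status = 0;
    foreach ($http_response_header ?? [] as $line) { // last status line wins after redirects
        if (preg_match('~^HTTP/\S+\s+(\d{3})~', $line, $m)) {
            $status = (int) $m[1];
        }
    }
    return [$status, $body === false ? '' : $body];
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    // Usage: php check-php-txt.php https://your-shortener.example
    $url = rtrim($argv[1], '/') . '/sample-public-front-page.php.txt';
    [$status, $body] = fetch_status_and_body($url);
    echo $url, ': ', $status === 0 ? 'request failed' : classify_php_txt($status, $body), "\n";
} else {
    // No URL given: run the classifier over constructed responses.
    echo classify_php_txt(200, "<?php\n// Start YOURLS engine\n"), "\n";
    echo classify_php_txt(200, '<html><body><form method="post">'), "\n";
    echo classify_php_txt(404, 'Not Found'), "\n";
}
```

An `executed` result means the file should be deleted or renamed, as the post says, before the server configuration is fixed.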

Short URL to this post: http://yourls.org/ax

Forums are gone

I decided to remove the forums on this site. Long story made short: I’m uberfedup with dealing with spam and I’d rather do something productive with my too rare free time (and, to be honest, I’m surprised it lasted so long before I decided this)

So long, Chinese spammers. Sorry for the (very few) users who felt this was useful.

Short URL to this post: http://yourls.org/4n

Preventing abuse of your public YOURLS install

A lot of you, beloved users, are using YOURLS to set up public shorteners. Sooner or later you all face the same problem: abuse by spammers, sometimes until your hosting provider shuts down your site. Hopefully, thanks to the plugin API, being abused by spammers is not an inevitable destiny and plugins can address that issue.

I know at least 2 plugins on this topic:

If you made a plugin on this topic, be sure to let me know (remember: DON’T MODIFY core, make a plugin instead!!)

Short URL to this post: http://yourls.org/11