rails - Choosing captcha plugin [closed]

Answer 1

Good analysis of the existing plugins.

Modern bots are quite sophisticated, and their developers are paid a lot, so they are always trying to get around the latest defense. For that reason I think its good to stick with an option that is actively maintained and worked on, like ReCaptcha. I also think that the users understand the interface and feel safe knowing that you are taking steps to protect their data.

I had to sift through all of the rails captcha options for a project, and wrote up a sample app for my client to test and try out. simple-captcha-demo.heroku.com

They were all pretty easy to use and set up, and I like using heroku as a test bed to get something set up quickly, and let a client test it out. I also wrote up some of my experience and gotchas on my blog RailsPerformance.com

There may be new plugins, its always good to see what the trending is on www.ruby-toolbox.com

Answer 2

Flooding is a different problem from spam. You should definitely build the logic around rate limiting into your application, you can do this using validation to check that the user hasn't, for example, placed more than 2 orders in the last 15 minutes.

In regards to captchas any of the plugins you select are most likely going to be great. I wouldn't think of having to install RMagick as a positive or negative, it really isn't that hard to get working. If it was me choosing, my first instinct would be to go with recaptcha, it's the least annoying of them all.

Spam is another issue, it's often entered by human users who can bypass your captcha. Akismet is great for catching spam, definitely take a look at it, you can use it in conjunction with something like recaptcha.

Finally, modern bots are very sophisticated. Far more sophisticated than any of us probably expect. They can fully automate browsers, use OCR to read captcha text and generate spammy content that will bypass even the most sophisticated filters. That said, it's not about "stopping all spam/bots" it's about making the barrier to entry just high enough that it isn't worth it for the casual user.