How to Integrate CAPTCHA in TYPO3?

Yes, I am talking about CAPTCHA. A CAPTCHA is a simple way to create a checkpoint that helps separate real users from bot scripts and protect your website from abuse and spam. TYPO3 offers some methods to add this type of functionality.

Below are some options to find out what works best for you and your TYPO3 project!

TYPO3 offers several reliable methods to protect your forms with a CAPTCHA. Here are the three most common methods: 

1) hCaptcha Extension (Mittwald method) 

hCaptcha is a popular alternative to Google’s reCAPTCHA. It integrates well with TYPO3 via an extension. Setting it up is relatively straightforward: 

Steps to add hCaptcha in TYPO3:

1. Installation of the hCaptcha extension either by composer or from the TYPO3 extension manager
2. Once the extension is installed, you need to activate it either from the extension manager or by the CLI command: ./vendor/bin/typo3 extension:setup
3. In the Template module, include the static template for hCaptcha in your Root Template ( or on the page where your form is located)
4. Open the TYPO3 Form Editor and add the new hCaptcha element to your form
5. Save your form
6. Clear TYPO3 caches
7. Test your frontend form to ensure the hCaptcha is visible and working.
8. Update your privacy policy to mention hCaptcha, since it is an external service.

Overall, this is easy to set up and doesn't require much technical know-how, resulting in highly effective bot protection. Because of this, I think this is a suitable method for site owners who just want a quick and reliable TYPO3 CAPTCHA in place.

2) Friendly Captcha (Focus on Privacy and Accessibility)

Friendly Captcha takes a unique approach. Instead of requiring users to solve puzzles or check boxes, it runs invisibly in the background. Friendly Captcha is accessible and user-friendly.

Steps to add Friendly Captcha in TYPO3:

1. Open a Friendly Captcha account 
2. Add a new application to your Friendly Captcha dashboard, giving you your Sitekey.
3. Create an API Key (keep it safe; it is only shown once). 
4. Enter billing information; this is for your account. You will be charged after the 30-day trial is completed. It is best to provide billing details for your account so you can continue using Friendly Captcha after that point! 
5. Install the TYPO3 Friendly Captcha plugin via composer require studiomitte/friendlycaptcha or through the Extension Manager. 
6. Go back to the TYPO3 backend, select the Friendly Captcha plugin, and configure the settings in the Future Config section of the plugin, of course, to help a user not be frustrated with puzzles to verify they are human in this process of submitting a form to a website. 
7. Save and clear caches.
8. Now test out the form in the front end. The CAPTCHA runs invisibly, so the end-user will not need to solve any puzzles.

It's WCAG compliant, easy to use, GDPR/CCPA compliant, and provides an easy user experience, as visitors do not have to solve puzzles. The only consideration is that you need an account and billing before the trial ends.

3) captcha.eu Plugin (GDPR-Compliant with PowerMail/Forms)

captcha.eu is a TYPO3 extension that allows you to use captcha. Use your TYPO3 Forms System and the popular extension PowerMail. 

Install the extension: The easiest environment to install and set up is to add it using Composer (composer requires captcha-eu/typo3-powermail) or to add it from the Extension Manager.

Steps to add captcha.eu in TYPO3:

1. Use Composer to install the captcha.eu extension: composer require captcha-eu/typo3, or use the Extension Manager to add captcha.eu.
2. Create a captcha.eu account and register your domain.
3. In the captcha.eu dashboard, generate your Public Key and REST Key.
4. In TYPO3 go to Site Management > Sites > captcha.eu
5. Paste the Public Key and REST Key HTML in the boxes provided.
6. Open the Form Editor in TYPO3 (or PowerMail if you use it).
7. Add a new form element from “Advanced elements” and select captcha.eu.
8. Save the form.
9. Your TYPO3 form is protected by captcha.eu!

This is the best solution if you need someone who is GDPR compliant, works with TYPO3 and PowerMail, and if data protection is a key commitment in your project. The only downside is you'll have to register your domain and configure some TypoScript.

The three extensions discussed in the previous section (hCaptcha, Friendly Captcha, and captcha.eu) are the most common and practical options.

TYPO3 is very flexible, and there are other ways to secure your forms if you want to implement something completely different or a solution that requires more control or is different.

1) Manual Implementation (No Extension)

If you do not want to use an extension, you can manually add TYPO3 CAPTCHA. This process is quite technical and requires some more know-how but offers complete flexibility.

Google reCAPTCHA:

• Register your site with Google reCAPTCHA.
• Add the provided JavaScript snippet and your website key to your TYPO3 template or form.
• Add the reCAPTCHA field to your form.
• When submitting the form, validate the token by sending it through the Google API.

This method works well; however, the fact that Google processes user data could potentially cause privacy issues regarding GDPR.

Custom CAPTCHA:

• Use PHP to create a random text- or image-based challenge.
• Store the challenge value in the TYPO3 session.
• Display this challenge image in your form and provide a text field for the response.
• When submitting, compare the user input with the value stored in the session.

This solution bypasses third-party services but is not code-free, requires regular maintenance, and may be less user-friendly than current CAPTCHA services.

2) Other TYPO3 CAPTCHA Extensions

Over the years, TYPO3 has had other CAPTCHA extensions that are still available but have fallen out of fashion:

• sr_freecap: A simple text-based TYPO3 CAPTCHA where users have to type letters from a generated image. While it works adequately, it looks outdated and does not offer good accessibility.
• Captcha: As mentioned earlier, this is a basic TYPO3 CAPTCHA extension. It can add a CAPTCHA to forms but offers less functionality and flexibility than new technologies.

These two extensions can sometimes be helpful in cases of legacy projects, but I would not recommend using them on new sites.

3) Other Ways to Deal with Spam

CAPTCHA is not the only way to deal with spam. TYPO3 website owners sometimes use not only TYPO3 CAPTCHA but also other lighter anti-spam methods:

• Using honeypot fields: When designing your form, add an invisible field for the user. Robots fill out all fields in a form, while humans only fill out visible fields. If the invisible field is filled out, the submission can be blocked.
• Using time-based checks: Time is the time a user takes to submit the form. Typically, a user takes several seconds to fill out and submit the form, while a bot does this immediately. Forms submitted incredibly quickly can be marked as spam submissions.
• Using rate limiting or IP blocking: You can limit the number of forms that can be submitted within a certain time frame from the same IP address. This can help prevent repeated automated attacks.

These are some of the simplest checks that can be implemented and do not create friction for real users. Honeypots, when used in conjunction with a TYPO3 CAPTCHA, can lead to the highest levels of effectiveness.

When selecting the best CAPTCHA for your TYPO3 site, you must consider several factors, all of which can influence the results, depending on your purpose, your audience, and your technical aptitude. 

Here are some practical suggestions: 

To set it up quickly and require little effort

You could opt for hCaptcha. It is simple to set up through the Extension Manager or Composer, and with a few clicks, you can add it to forms on your site and move on. 

While you could have deployed other TYPO3 CAPTCHA options before hCaptcha, it was probably a bit stressful to set up, configure, and/or tweak it to suit your workflow.

To address accessibility and strong privacy compliance

You could select TYPO3 Friendly Captcha. It works invisibly without presenting puzzles or checkboxes to users. TYPO3 Friendly Captcha is also WCAG-compliant, and meets GDPR and other international data protection mandates. 

If your site serves users with a wide range of abilities or needs to strictly comply with privacy policies, such as GDPR, then TYPO3 Friendly Captcha is a strong choice.

For TYPO3 sites that use PowerMail or the Form framework

You could select captcha.eu. This CAPTCHA-freeing plugin for TYPO3 forms was built for TYPO3 forms; it integrates well and handles data in a GDPR-compliant way. 

If you are already using PowerMail and want something native to TYPO3, then captcha.eu is a good option.

For developers or custom projects 

Select a manual integration. You can add in Google reCAPTCHA or even create your own custom CAPTCHA. You'll have complete control; however, you must do more work, testing, and ongoing maintenance.

If you want lightweight protection without integrating a full CAPTCHA 

Consider honeypot fields or time checks. These techniques involve little or no friction for real users but block tons of automated spam. They can be used on low-risk forms or combined with a CAPTCHA for stronger protection.

Practically speaking, many TYPO3 site owners combine methods such as Friendly Captcha with a honeypot field, leaving everyone with a very user-friendly and secure setup.

Protecting forms in TYPO3 via CAPTCHA is vital to eliminate spam and bots. Whether you prefer hCaptcha for rapid (though) setup, TYPO3 Friendly Captcha for its privacy and accessibility, captcha.eu for TYPO3 forms, or manual/custom, there is a solution for everyone. 

Lighter methods like honeypots and time checks can supplement TYPO3 CAPTCHA for further security. There is no best solution; it all depends on how your site is set up, your audience, and how much development you want to do yourself.

Choosing which option is best for your TYPO3 project, you can save time and properly secure and implement user-friendliness with a TYPO3 agency.