As part of the next XMB version in development, I made changes to help with the new pricing structure of Google's reCAPTCHA service.

In our original implementation, the captcha was displayed as soon as anyone visits the registration page. This causes unwanted traffic between bots and the Google API.

Going forward, there will be an introduction page for registration. This means the reCAPTCHA gets pushed back to the 2nd page and won't be visited by bots quite so frequently.

There is also a future change regarding keys "to be migrated to a Google Cloud projected by the end of 2025." It is my next priority to learn how that affects us here.

What I've learned so far is that it's not just about the keys. I migrated one of the 2 keys used here and that transition is seamless.

After that, there are a bunch of steps for actually switching APIs from the "siteverify" to the "enterprise" version. Here's how that might go:

https://cloud.google.com/recaptcha/docs/using-features

The reCAPTCHA keys will have to be traded for Google Cloud API keys. Of course, there's a whole new way of doing things behind the scenes too:

https://cloud.google.com/recaptcha/docs/create-assessment-we...

Here is the old API reference:

https://developers.google.com/recaptcha/docs/display

So this looks like a need for more settings, a way to switch between the two API implementations, and a lot of testing after it's ready.

Also consider an alternative, https://www.cloudflare.com/application-services/products/tur...

I'd rather avoid captchas altogether, they just annoy people while doing little to actually prevent spammers.

My proposal is to go for some user-configurable Q&A,. Then again, good luck educating admins to bother setting it up properly so it's both accessible enough for users and not too easy for spammers. (

I remember setting up a phpbb board over 4 years ago that I've long since left, and there was a 'sortable q&a' feature that had minimal JS and made you put different things into different boxes:



I think there's maybe been one spam account that registered in the whole time of its existence, and while it's... obnoxiously opinionated, to say the least, it works for the purpose of that specific forum.

In other words, configure something like this correctly, and you've got yourself something that works with minimal JS and tracking things - therefore works even under 'strained conditions'. You could expand on the idea a bit more than phpbb did which I think only allows for the one question - as long as the suggested defaults are strong I think admins should be okay

If there's an open source solution that you know about, that's possible. This isn't a wheel that we should try to reinvent.