Mail form protection

If you find that you are receiving a lot of spam from email forms on your website, you can enable mail form protection in the form of CAPTCHA verification.

CAPTCHA generates a random string of characters that the customer must enter before they can submit their email.

This stops automated “bots” from spamming your email forms.

To enable this protection for your mail forms, you need to set the following in your shop configuration.

Xprotectemailforms

If set to Yes, this displays a series of random characters on mailing forms that the customer must enter correctly before the form can be submitted. This helps stop the form from being used by spam bots to generate spam.

With VPCart, you can choose which CAPTCHA method to use:

Xcaptchamethod

The CAPTCHA method used on your site.

1. recaptchav2:

reCAPTCHA v2 is a Google anti-spambot feature used in account creation to prevent spam bots from signing up for accounts.

reCAPTCHA v2 is currently the most secure and effective version of reCAPTCHA.

It provides less friction for human users and a better overall security experience.

You must also update the two configs below to ensure reCAPTCHA v2 works properly:

- xrecaptchav2_sitekey : Enter your reCAPTCHA v2 site key. Go to https://www.google.com/recaptcha/admin to generate your site key, then enter it here.

- xrecaptchav2_secretkey : Enter your reCAPTCHA v2 secret key. Go to https://www.google.com/recaptcha/admin to generate your secret key, then enter it here.

2. webwiz:

The older CAPTCHA method. It is faster, but less secure.

The default value for xcaptchamethod is recaptchav2.

xcaptchaxml

The transport method used for the CAPTCHA service.
The value should be XML2, XML3 or XML4. The default is XML2.

xrecaptchav2_secretkey

Enter your reCAPTCHA v2 secret key. Go to https://www.google.com/recaptcha/admin to generate your secret key, then enter it here.

xrecaptchav2_sitekey

Enter your reCAPTCHA v2 site key. Go to https://www.google.com/recaptcha/admin to generate your site key, then enter it here.


How to Get Google ReCaptcha v2 Site Key and Secret Key

To obtain Google reCAPTCHA 2.0 API keys, you need to sign up at http://www.google.com/recaptcha/admin.

Once you sign up, you will see the “Register a new site” section, as in the image above.

You can put anything in the Label field, as it is just for your notes.

After Label, you need to select “reCAPTCHA v2”.

After selecting the type of reCAPTCHA, there is a field labeled “domains”. You can list more than one domain (one per line), without http(s)://. Keep in mind that each domain should end with its TLD (.com, .org, .net): for example, example.com/default.asp would be invalid, and the correct domain would be example.com.

If you want to use Google reCAPTCHA on your localhost, you can use the key from any domain, as all API keys work on localhost (127.0.0.1).

At the bottom left you will find a checkbox “Accept the reCAPTCHA Terms of Service”. Please tick it.

There is also another checkbox, “Send alerts to owners”. Check it if you (the website owner) want Google to send you a report when Google finds something suspicious on your website.

Click the Register button once you have filled in all the required details, and you will be redirected to the next page, which shows the site key and secret key.



Copy the Secret Key into the config xrecaptchav2_secretkey.
Copy the Site Key into the config xrecaptchav2_sitekey.

Always make sure the config xcaptchamethod value is set to recaptchav2.
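
How the two keys are used when a form is submitted, as an added example (not VPCart's own code, which this page does not show): the site key is embedded in the page, while the server posts the secret key and the form's g-recaptcha-response token to Google's siteverify endpoint and sends the mail only on a positive answer. The names check_recaptcha, allowed_hosts and the injectable post transport are assumptions made for this example.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def http_post_form(url, fields, timeout=5):
    """Default transport: POST form-encoded fields, return the decoded JSON body."""
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=body, timeout=timeout) as resp:
        return json.load(resp)


def check_recaptcha(secret_key, token, allowed_hosts, remote_ip=None, post=http_post_form):
    """Return (ok, reason) for one form submission; fails closed on any error."""
    if not token:
        return False, "missing-token"       # form posted without solving the CAPTCHA
    fields = {"secret": secret_key, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip      # optional parameter of the siteverify API
    try:
        result = post(SITEVERIFY_URL, fields)
    except (OSError, ValueError):
        return False, "verify-unavailable"  # network or JSON failure: do not send the mail
    if result.get("success") is not True:
        codes = result.get("error-codes") or ["unknown"]
        return False, ",".join(codes)
    # The token must have been solved on one of the domains registered for the key.
    host = str(result.get("hostname") or "").lower()
    if host not in allowed_hosts:
        return False, "hostname-mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed siteverify reply standing in for Google's answer (no network needed).
    def fake_post(url, fields):
        return {"success": True, "hostname": "example.com"}
    print(check_recaptcha("PLACEHOLDER_SECRET", "constructed-token", {"example.com"}, post=fake_post))
```

The secret key appears only in the server-to-Google request; it is never written into the page that carries the site key.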

 

Security Preference Setting For Your reCAPTCHA v2

You can set the security level for your reCAPTCHA v2 from your reCAPTCHA administration.

First log in to your reCAPTCHA administration at
http://www.google.com/recaptcha/admin

Once logged in, locate and click your existing record.

Click Advanced Settings.

You should see a slider that you can move left or right, or leave at the default (middle) security level. If you want the most secure reCAPTCHA v2, slide it to the right. If you want the easiest for users, slide it to the left.
Or just leave it in the middle, the default.

VPCart 9 adds another option that protects the email merchants receive.

xemail_sensive_words

Enter the sensitive/spam words, separated by commas, for which you do not want VPCart to send email to merchants.
On review pages such as the contact us page, product review pages, the tell a friend page, blog reviews and news reviews, if the submission matches a sensitive/spam word, the process won't send an email to the merchant.

Example: suppose you set the value of the config to viagra,call now,sign up now

Then if someone on your contact us page enters "viagra" or "call now" or "sign up now" and submits the form, the merchant will not get the email, as it is blocked by the system.