Extension:QuestyCaptcha

From MediaWiki.org
MediaWiki extensions manual
QuestyCaptcha

Release status: beta

Implementation: Page action
Description: Adds a question-based CAPTCHA.
Author(s): Emufarmers
MediaWiki: 1.6+ (in theory)
License: GNU General Public License
Added rights: skipcaptcha
Hooks used: EditFilterMerged, EditFilter, UserCreateForm, AbortNewAccount, LoginAuthenticateAudit, UserLoginForm, AbortLogin, APIEditBeforeSave


QuestyCaptcha is a plugin for the ConfirmEdit extension. Instead of using a math problem (trivially defeated) or an image (see below), QuestyCaptcha makes users answer a question. The site owner adds questions (and their answers!) in LocalSettings.php, and the extension picks from them randomly.

Installation

The installation process largely mirrors that of ConfirmEdit.

  • Download the snapshot for your version and extract it
  • Create a folder in the extensions folder named ConfirmEdit
  • Upload the files to the extensions/ConfirmEdit/ folder
  • Edit LocalSettings.php in the root of your MediaWiki installation, and add the following lines near the bottom:
    // Load ConfirmEdit first, then the QuestyCaptcha plugin
    require_once( "$IP/extensions/ConfirmEdit/ConfirmEdit.php" );
    require_once( "$IP/extensions/ConfirmEdit/QuestyCaptcha.php" );
    $wgCaptchaClass = 'QuestyCaptcha';
    // Questions (array keys) and their answers (array values)
    $arr = array(
        "A question?" => "An answer!",
        "What is this wiki's name?" => "$wgSitename",
        'Please write the magic secret, "passion", here:' => 'passion',
        'Type the code word, 567, here:' => '567',
        'Which animal? <img src="http://www.mysite.com/dog.jpg" alt="" title="" />' => 'dog',
    );
    // Register each question/answer pair with the CAPTCHA
    foreach ( $arr as $key => $value ) {
        $wgCaptchaQuestions[] = array( 'question' => $key, 'answer' => $value );
    }
  • You can also configure ConfirmEdit's triggers and other options

Weaknesses

Image-based CAPTCHAs have a few vulnerabilities. Bots using optical character recognition can crack them, and the only defense is to make the images harder to read for humans and computers alike. OCR algorithms are constantly being improved, though, and computers will probably eventually be better at solving CAPTCHAs than humans. In the meantime, spammers can pay workers in developing countries to solve CAPTCHAs or trick ordinary Web users into solving them. Math-based CAPTCHAs are trivial enough for automated spambots to crack for obvious reasons.

A question-based CAPTCHA isn't vulnerable to OCR. Humans can still be paid to solve them, but a question can be context-sensitive: if a question asks you which plant MediaWiki uses for its logo, the answer isn't going to be obvious unless you're on MW.org.

If your wiki contains controversial content or would otherwise tend to be a target of others' animosity, QuestyCaptcha might not be the best captcha for you, as vandals can simply solve all the captchas and load them into a vandalbot. QuestyCaptcha is not designed to fend off determined vandals.

On the other hand, because the database of questions used by any particular site is small, it is straightforward for a human to answer all questions for a given site and store the responses. Attackers who target large numbers of sites need to perform only a small amount of manual work per site, and spammers can also scrape questions and answers from various websites to use in defeating CAPTCHAs. In this sense it is inferior to other CAPTCHAs that produce a unique puzzle for each user. As a practical matter, though, if you run a small and unpopular site, generally the spammers won't bother to crack your QuestyCaptcha.

When selecting your questions, it's important to avoid cultural bias. For example, a popular TV show in the US is not likely to be familiar to editors from Brazil, and conversely an American is not likely to know who the prime minister of Australia is. Stick to questions that rely on universal knowledge or knowledge that pertains to the wiki's topic.

You may wish to collaborate with your wiki's users in coming up with questions and answers. If you do so on-wiki, you might afterward want to delete the page containing the questions and answers, or at least blank that portion of the page so that attackers can't find it by googling or using Special:Search on your wiki to find the questions. Note that Extension:ROT13 will protect against googlers but not against Special:Search, which searches the raw wikitext.
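
A defender-side audit of the weaknesses described above, as an added example that is not part of the extension or of the original page: it checks a `$wgCaptchaQuestions`-style array for a small pool, for answers that are redundant under case-insensitive matching, and for questions that still appear in raw wikitext (what Special:Search indexes). The function name `auditCaptchaQuestions`, the default threshold of 10 and the sample data are assumptions made for illustration.

```php
<?php
// Added example: audit a QuestyCaptcha question list. Not the extension's code.

/**
 * @param array $questions entries shaped like $wgCaptchaQuestions
 * @param array $pages     page title => raw wikitext, e.g. from a page export
 * @param int   $minPool   assumed minimum pool size; tune for your wiki
 * @return string[] human-readable findings
 */
function auditCaptchaQuestions( array $questions, array $pages, $minPool = 10 ) {
    $findings = array();
    if ( count( $questions ) < $minPool ) {
        $findings[] = 'Small pool: ' . count( $questions )
            . " question(s) configured, below the assumed minimum of $minPool.";
    }
    foreach ( $questions as $i => $q ) {
        // An answer may be a single string or an array of strings. Answers
        // are case-insensitive, so entries differing only by case are redundant.
        $answers = array_map( 'strtolower', (array)$q['answer'] );
        if ( count( $answers ) !== count( array_unique( $answers ) ) ) {
            $findings[] = "Question #$i lists answers that differ only by case.";
        }
        // A question left in raw wikitext can be found through Special:Search.
        foreach ( $pages as $title => $wikitext ) {
            if ( $q['question'] !== '' && stripos( $wikitext, $q['question'] ) !== false ) {
                $findings[] = "Question #$i appears in the wikitext of \"$title\".";
            }
        }
    }
    return $findings;
}

// Constructed sample input (not real wiki content).
$sampleQuestions = array(
    array( 'question' => 'What is one color on this web page?',
           'answer'   => array( 'red', 'Blue', 'BLUE' ) ),
    array( 'question' => 'Which animal?', 'answer' => 'dog' ),
);
$samplePages = array(
    'Project:Captcha ideas' =>
        "== Proposals ==\n* What is one color on this web page? (red, blue)",
);
foreach ( auditCaptchaQuestions( $sampleQuestions, $samplePages ) as $finding ) {
    echo $finding, "\n";
}
```

To audit a live configuration, pass the real `$wgCaptchaQuestions` array and the wikitext of the pages where questions were drafted.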

Question and Answer Setup

Answers are case-insensitive, and you can add multiple answers to one question by placing them in an array:

$arr = array(
    "What is one color on this web page?" => array('red','green','BLUE','white','black')
);
