Extension:QuestyCaptcha

MediaWiki extensions manual
QuestyCaptcha
Release status: stable
Implementation Page action
Description Adds a question-based CAPTCHA.
Author(s) Emufarmers
MediaWiki 1.42+
License GNU General Public License 2.0 or later
Download
skipcaptcha
Public wikis using 1,332 (Ranked 210th)
Translate the QuestyCaptcha extension if it is available at translatewiki.net

QuestyCaptcha (was a plugin and now) is a part for the ConfirmEdit extension. Instead of using a math problem (trivially defeated) or an image (see below), QuestyCaptcha makes users answer a question. The site owner adds questions (and their answers!) in LocalSettings.php, and the extension picks from them randomly.

Installation

The installation process largely mirrors that of ConfirmEdit.

  • Download the snapshot for your version and extract it
  • Create a folder in the extensions folder named ConfirmEdit
  • Upload the files to the extensions/ConfirmEdit/ folder
  • Edit LocalSettings.php in the root of your MediaWiki installation, and add the following lines near the bottom:
wfLoadExtensions([ 'ConfirmEdit' ]);
wfLoadExtensions([ 'ConfirmEdit/QuestyCaptcha' ]);
...
  • You can also configure ConfirmEdit's triggers and other options, if the Captcha does not appear add the following behind the code. This means that the Captcha is triggered that means called if you do the named actions like edit a page or create a page. You can write true to make it happen and false to make it not happen.
$wgMainCacheType    = CACHE_ANYTHING;
$wgCaptchaTriggers['edit']          = true;
$wgCaptchaTriggers['create']        = true;
$wgCaptchaTriggers['createtalk']    = true;
$wgCaptchaTriggers['addurl']        = true;
$wgCaptchaTriggers['createaccount'] = true;
$wgCaptchaTriggers['badlogin']      = true;

This tip came from this page.

Weaknesses

Image-based CAPTCHAs have a few vulnerabilities. Bots using optical character recognition can crack them, and the only defense is to make the images harder to read for humans and computers alike. OCR algorithms are constantly being improved, though, and computers will probably eventually be better at solving CAPTCHAs than humans. In the meantime, spammers can pay workers in developing countries to solve CAPTCHAs or trick ordinary Web users into solving them. Math-based CAPTCHAs are trivial enough for automated spambots to crack for obvious reasons.

A question-based CAPTCHA isn't vulnerable to OCR. Humans can still be paid to solve them, but a question can be context-sensitive: if a question asks you which plant MediaWiki uses for its logo, the answer isn't going to be obvious unless you're on mediawiki.org.

If your wiki contains controversial content or would otherwise tend to be a target of others' animosity, QuestyCaptcha might not be the best captcha for you, as vandals can simply solve all the captchas and load them into a vandalbot. QuestyCaptcha is not designed to fend off determined vandals.

On the other hand, because the database of questions used by any particular site is small, it is straightforward for a human to answer all questions for a given site and store the responses. Even for attackers who attack large numbers of sites, they only need to perform a small amount of manual work per site, and it is also possible for spammers to scrape questions and answers from various websites for them to use in defeating CAPTCHAs. In this sense it is inferior to other CAPTCHAs that produce a unique puzzle for each user. As a practical matter, though, if you run a small and unpopular site, generally the spammers won't bother to crack your QuestyCaptcha.

When selecting your question, it's important to avoid cultural bias. For example, a popular TV show in the US is not likely to be familiar to editors from Brazil, and conversely an American is not likely to know who the prime minister of Australia is. Stick to questions that rely on universal knowledge or knowledge that pertains to the wiki's topic.

You may wish to collaborate with your wiki's users in coming up with questions and answers. If you do so on-wiki, you might afterward want to delete the page containing the questions and answers, or at least blank that portion of the page so that attackers can't find it by googling or using Special:Search on your wiki to find the questions. Note that template-based obfuscation will protect against googlers but not against Special:Search, which searches the raw wikitext.

Question and answer setup

Answers are case-insensitive, and you can add multiple answers to one question by placing them in an array. The answers must be written in lowercase:

$wgCaptchaQuestions = [
    "What is one color on this web page?" => [ 'red', 'green', 'blue', 'white', 'black' ],
];

CSS

The QuestyCaptcha question is easy to overlook on the Special:CreateAccount page. Newcomers can easily fail the question because they don't notice it. The question text and background are the same as the adjacent text and background and easy to overlook.

If the maintainers could fix that, so that on the Create Account special page the question stands out in bold green text with an outline or something, that would help.

You can use your wiki's MediaWiki:Common.css to style the QuestyCaptcha question so that it stands out visually.

First you will need to set Make $wgAllowSiteCSSOnRestrictedPages to true, because Common.css is disabled for the Create Account page by default for security. To enable it add this to LocalSettings:

$wgAllowSiteCSSOnRestrictedPages = true; //default is false

$wgUseSiteCss will also need to be true, which is already the default unless you have changed it:

$wgUseSiteCss = true; //default is true

This CSS (tested in MediaWiki 1.31.1) in Common.css makes the QuestyCaptcha question on the Create Account page red, which is hard to overlook:

/* ConfirmEdit QuestyCaptcha -- on Create Account */
.htmlform-tip + .mw-htmlform-field-HTMLInfoField { color:red; }

This CSS makes the question on the Edit page, such as on add URL, green bold bigger and italic:

/* ConfirmEdit QuestyCaptcha -- on Edit page + add a URL */
label[for=wpCaptchaWord] {
    color:green;
    font-weight:bold;
    font-size:150%;
    font-style:italic;
}