creativecommons / creativecommons.org

Legacy legal code translations and general support issues
MIT License

We Need To Add a reCAPTCHA To Newsletter Sign-Ups #452

Closed rheaplex closed 8 years ago

rheaplex commented 8 years ago
  1. We urgently need to add a reCAPTCHA to our newsletter sign-up forms as they are being abused by spammers and there have been complaints to our bulk email service provider.
  2. I have implemented the proposed functionality on staging on the /about/contact/newsletter/ page. This goes to the live Civi database, so if you wish to test with any emails that aren't already in the live DB let me know if they need removing afterwards.
  3. In this design, we can move the Sign Up arrow back up next to the email form if people think it won't confuse users. The current placement is so the steps required to complete the form are ordered vertically and the reCAPTCHA doesn't appear optional.
  4. We have to ensure that every single sign-up goes through the reCAPTCHA. This will require a more general design change. Either we remove the email address field before each instance of "Sign Up" on the front page and in the sidebar and have the "Sign Up" button lead to the newsletter sign-up page, or (and this will look even more hacky and probably frustrate users) I can add some JavaScript to the /about/contact/newsletter/ page to get an email address from the URL query parameters and we can modify each instance of the sign-up form on other pages to pass that information along.
  5. @ageeroms @ericsteuer @little-wow I'm sorry to ambush you with this but can you please take a look at the staging version and give me any feedback so I can get something done by the end of Friday. We can do something better later, I just need to get something in place as soon as possible.
little-wow commented 8 years ago

@robmyers I moved the signup up to see what it would look like, and I think it looks better and isn't that confusing with the CAPTCHA below.

[Image: sign_up_moved]

I tested an email and it seemed fine. :) (and I got to choose pictures of waffles, yum!)

I can't see it on mobile because I can't access staging on mobile, but as long as it looks okay, I'm good to go.

ageeroms commented 8 years ago

Hey @robmyers, if I click the recaptcha, it seems to work.

If I don't enter the captcha and try to sign up, I land here:

[Image: screen shot 2016-09-02 at 8 53 28 am]

  1. I'm guessing the "save" button is intended to say signup?
  2. The cancel button looks strange on that page.
  3. Also, "Quick Links | Events | Current major donors | Current small dollar donors | Recent major donors | Major donor moves management | Recurring donors | Cancelled recurring donors | " at top of the page, with those links redirecting to donate is a little odd.

I'm also wondering, was there already a honeypot? Often honeypot stops bots, but is invisible to folks signing up.

thanks, Anna

little-wow commented 8 years ago

@robmyers the fields at the top are the Quicklinks section that are supposed to be internal. Are these being exposed to users? There should be a "Please fill out this field" prompt when nothing is filled in, like on the front page, but I just noticed that /newsletter doesn't have that prompt either. Also, there is a newsletter signup on the front page and the sidebar-- are those also going to have a CAPTCHA requirement? If so, what will it look like? We should not be exposing Civi to users.

Agreed with @ageeroms on the honeypot, if that would be possible.

rheaplex commented 8 years ago

Thank you for getting back to me so quickly!

In order of comment:

@little-wow OK we can use that design, thank you!

@ageeroms :

We get that behaviour with the current email form on https://creativecommons.org/about/contact/newsletter/ as well. If the user does not enter an email address but clicks on the "SIGN UP" button, they are sent to that page.

The appearance of the buttons on that page is determined by CiviCRM's theme. I agree that it doesn't look good but I don't think we can easily change it. Hopefully most users will get the reCAPTCHA right and won't see it.

I agree with you and little-wow that the exposed links / information here are undesirable. Again this is existing behaviour but it definitely doesn't look good. I will investigate fixing that. If I cannot change the site configuration to remove the links I will contact Giant Rabbit.

@ageeroms @little-wow: I don't believe there's a current honeypot; if there is, then unfortunately it's not working. A honeypot would be less obtrusive and there are honeypot modules for Civi, but the email provider has specifically requested a reCAPTCHA.

So given this, this afternoon I intend to:

  1. Use the new, new design of the sign-up form on /about/contact/newsletter/
  2. Change all the inline versions of the mailing list sign-up on the front page and in the sidebar to be just links to /about/contact/newsletter/#subscribe , in the style of the current "SIGN UP" button.
  3. Either remove the links/details from the top of the CiviCRM page for the form myself or contact Giant Rabbit about doing so.

Please let me know if any of this seems like a bad idea or if I haven't adequately addressed any concerns.

I believe this will be a temporary fix and we can revisit the sign-up form design soon (we can discuss this in email if needed).

ageeroms commented 8 years ago

OK, no worries. I'm in total support of deployment. Thanks Rob!

little-wow commented 8 years ago

DMed with Rob, and I definitely agree. Thank you!

rheaplex commented 8 years ago

That's great, thank you so much. I'll make the changes on staging and then move over to live and ping here when that's done.

rheaplex commented 8 years ago

Not linking to #subscribe on that page as it doesn't look good. And I've had to add some inline CSS for the link on the front page. But otherwise all good on staging.

rheaplex commented 8 years ago

OK, I have made these changes to the live site and disabled the sign-up forms in Civi that didn't have the reCAPTCHA. Hopefully this will stop spammers abusing our sign-up process.

If you spot any problems or get any reports of issues please add them here.

Thank you again for your help with what I hope is something of a one-off in terms of workflow.