Architecture / Installation

Architecture / Installation

Brute force captcha attacks

posts: 136

I have big problems with bots registering in my forum and posting spam messages.

I recently set the option "Require validation by Admin", after which I was getting at least 50 requests per day.

I have increased the length of the captcha to 18 characters, which has reduced this down to around 5 per day, maybe less. Obviously, this is not friendly to real users.

This suggests to me that the captcha is being broken with a brute force attack.

Does Tiki have any feature to stop repeated attempts to enter the catpcha from the same IP-Address?

Are there any other measures against brute force attacks, or plans to add them?

Are other sites suffering from this kind of problem?

I am currently using Tiki 10.2,

thanks in advance

posts: 1817 Catalan Countries

Hi Phil:

The easiest effective solution (proven to many of us that were affected by massive spam registrations and posts) is adding the passcode and showing it for your users in the registration form. See:

And in order to remove the hundreds of fake or spam users (or user requests) plus banning their ip's, if you want, you can have a look at:

posts: 136

Hi Xavi,

thanks for the quick reply.

Enabling the passcode, but showing it on the registration form sounds just like a second captcha!

If it works I will try it, but I am having difficulty finding the right fields.

I have found the option Require passcode to register on the page tiki-admin.php?page=login (not tiki-admin.php?page=security), but I can't find the field Show passcode on registration form anywhere.

I am using tiki 10.2. Can you point me in the right direction?


posts: 214


In a recent #tikiwiki irc chat, the "show passcode..." was mentioned as not working in 10.2. You can see the irc log here: #tikiwiki 2013-08-12,Mon.


posts: 956

Phil, use the second way to configure it, as documented, while you are no in latest tiki code.

posts: 136

Thanks for the replies.

Since I have my own style, I have copied register-passcode.tpl into my style directory and edited it there.

To avoid harassing real users too much, I have reduced the captcha to 10 characters. I will be interested to see whether this works.

Does anyone know how bots get past the captcha?

  • Do they analyse the image?
  • Do they try billions of combinations?
  • Do they exploit vulnerabilities in tiki which they have found (but we have not)?

Either way, they presumably make a lot of failed attempts. Would it possible to log failed attempts and block the IP address after a fixed number (say 10)?

(If nobody has done this, I could try myself, although I am not a PHP expert.)


Upcoming Events

No records to display