Aimy Capture-Less Form Guard is a user friendly way to protect your forms from spam bots and therefore improves the security of your Joomla! website. The system plugin is a Captcha alternative that does not require user action: It uses some well known and GDPR-friendly anti-spam tests to decide whether the user is a human or a machine on form submission.
This captcha plugin for Joomla! 3 and 4 implements the Joomla! captcha interface. Therefore all extensions that can use Joomla! captcha plugins can be protected.
|Feature||Aimy Captcha-Less Form Guard||Aimy Captcha-Less Form Guard PRO|
|High usability - no user action required||✓||✓|
|Easy to configure||✓||✓|
|Minimum fill out time||✓||✓|
|Bot trap (honey pot)||✓||✓|
|DNS Blackhole List||✗||✓|
|… all methods suitable for screen readers and text browsers||✓||✓|
|Logging of rejected Form Submissions|
|… via Joomla!||✓||✓|
|… via PHP (
|Visual hints for minimum fill out time (for example a countdown)||✗||✓|
|Disable "protected-by" link to Aimy Extensions' website beneath a form with one-click||✗||✓|
|Supports RSForm!Pro forms||✗||✓|
|Updates on new releases||✓||✓ (for one year - 15 month on renewal)|
Buying the PRO version
If buy the PRO version of Aimy Captcha-Less Form Guard
you get automatic updates in the Joomla!
backend for the domain(s) you name in
the order process for one year (15 months
You may still use the extension afterwards and on unlimited websites, but benefit from the update service only on the domains ordered.
How Does this Joomla! Captcha Plugin Work?
It is a wide spread solution to keep forms spam free using a graphical captcha containing some text that a user has to enter.
But there are other possibilities to stop spam bots that are better for website usability and accessibility. Aimy Capture-Less Form Guard for Joomla! is a captcha alternative and combines three of these methods:
Minimum Fill Out Time
A human who fills out a form will need some time to read the texts and type in the information. Bots, however, fill out forms in nearly no time. With Aimy Captcha-Less Form Guard you can set a minimum time required to fill out the form: If the form is submitted faster than that, the submission will be rejected.
The bot trap works with a hidden input field in the form. Bots usually fill out all fields present in the form's code and do not evaluate which ones are actually rendered by the browser and thus shown to a human visitor. By placing such a hidden input field in your form, Aimy Captcha-Less Form Guard can easily deny every submission that contains data for this special field.
DNS-based Blackhole Lists (DNSBL)
A lot of organizations put a lot of effort in building up blacklists, where known spam hosts are listed. Our captcha plugin uses two of those databases to look up spam-likely IP-addresses: NiX Spam and SORBS (safe). If the form is filled out by a bot that is on one of those lists, form submission will be rejected to keep your website secure.
With reject strings you may define words you will never get in a real email to detect spam. This feature can be used additional to the other anti-spam methods and allows a specific anti-spam filter for your website.
In the Joomla! plugin configuration you can activate one or all methods to protect your forms.
GDPR-friendly captcha plugin for Joomla!
Furthermore this captcha plugin uses Joomla!'s default session to store required technical information. The Joomla! session itself uses a session cookie that does not need consent (as it expires when the session ends and is technically necessary).
Aimy Captcha-Less Form Guard is a Joomla! system plugin that allows you to protect your forms from spambots - without requiring an image based Captcha.
This manual documents both the free and the pro version of the Joomla! extension. Any documentation that applies to one of the versions only is marked either (FREE) or (PRO) respectively.
Installing the Captcha Plugin
The installation of the extension follows the common Joomla! procedures.
In case you are not familiar with these procedures, proceed as follows:
- Download the extension's ZIP archive
- Log into your Joomla! backend as "Super User"
- From the menu, choose "Extensions" → "Manage" → "Install"
- Click on the "Or browse for file" button and select the ZIP archive
The extension's archive will be uploaded and installed afterwards.
For further information, please have a look at the Joomla! documentation: Installing an Extension.
NOTE: All plugins are disabled by Joomla! when installed for the first time. To enable Aimy Captcha-Less Form Guard, proceed and configure the plugin.
Configuring the Captcha Plugin
After a fresh installation, click on the "Configure plugin now" button on the installation report page.
At any time, you can configure the Aimy Captcha-Less Form Guard plugin using Joomla!'s Plugin Manager by choosing "Extensions" → "Plugin Manager" from the menu. Locate the plugin and click on its name in the "Plugin Name" column of the plugin listing.
Enabling the Plugin
In order to use Aimy Captcha-Less Form Guard functionality, you have to enable it first.
To do so, change the plugin's status from "Disabled" to "Enabled" and apply your changes by clicking on either the "Save" or "Save & Close" button in the toolbar.
Aimy Captcha-Less Form Guard provides a couple of methods to guard Joomla! forms against spam without requiring a traditional image-based Captcha.
NOTE: You may choose any combination of the available protection mechanisms - but at least one protection mechanism has to be enabled.
Minimum Fill Out Time
Unlike humans, spambots usually require nearly no time to fill out your forms. They obtain your form, fill in their data and submit it immediately. Any human would at least have needed a few seconds to understand what data to enter where in your form and actually fill it in before clicking the submit button.
This distinction is why setting a minimum fill out time helps to programmatically distinguish spambots from humans.
If this protection method is enabled, Aimy Captcha-Less Form Guard keeps track of the time the form has been sent to the user and only accepts it if a certain amount of time has passed on submission.
To enable this feature, set "Minimum Fill Out Time" to "On" and optionally select a "Minimum Time (in seconds)" that suits your form best or stick to the default of seven (7) seconds.
Spambots are usually not very smart guys. They obtain your form's code, gather its fields and submit their data as long as the form has either been accepted or a certain amount of attempts failed. They don't have an understanding of what input the fields of your form actually expect and they don't look at the rendered form like a human user would - they just evaluate your form's code.
Aimy Captcha-Less Form Guard therefore provides an effective bot trap that helps to detect whether a form has been submitted by man or machine: a special field is placed in your form that is not shown to your human users. Technically it is hidden using CSS so a browser won't render it while it is still there in the form's code.
If this protection method is enabled, Aimy Captcha-Less Form Guard checks whether the special field has been filled out and rejects the form submission if any data has been sent for this field.
To enable this feature, set "Bot Trap" to "On".
DNS Blackhole Lists (DNSBL) (PRO)
Some nice and smart people do take a huge effort to identify machines on the internet that send spam and make their knowledge available to the public. Aimy Captcha-Less Form Guard allows you to use these blacklists to automatically check the IP address of anyone trying to submit your form.
If the sender's address is known to send spam by any of the activated DNSBL providers, the form submission will be rejected.
You may select one or more of the following DNS Blackhole Lists:
To enable logging of rejected form submissions, set "Logging" to "On".
The next option, "Logging Method", allows you to specify how these messages are logged. Select one of the following methods:
If selected, logging is done using Joomla!'s logging facilities.
The log file will be named "aimycaptchalessformguard.php" and stored in the log folder set up in Joomla!'s "Global Configuration" ("System" tab).
The log file looks like this:
#Fields: date time clientip message 2017-04-26 09:30:17 188.8.131.52 REJECT: denied by NiX Spam DNSBL
- PHP (PRO)
If selected, logging is done using PHP's standard error logging facility using the function error_log().
As a result, all logged messages are stored along with your other PHP error messages.
Depending on how you configured your PHP error logging facilities, a log entry may look like this:
AimyCaptchaLessFormGuard: REJECT: 184.108.40.206: denied by NiX Spam DNSBL
User Interface Hints in the Joomla! Frontend (PRO)
If you enabled the "Minimum Fill Out Time" protection mechanism, you may want to give your users a hint about it. This further reduces the likeliness of a false-positive bot detection.
Aimy Captcha-Less Form Guard allows you to do so in different ways:
- Disable Button
If selected, the submit button of the form will be disabled until the configured minimum time is over.
If selected, the submit button will be temporary disabled and its text will be replaced by a countdown that is refreshed each second, as long as the minimum time is met. The initial text will be restored afterwards.
Expert Settings (PRO)
Reject Strings (PRO)
If you set "Use Reject Strings" to "Yes", form submissions that contain any of the entered "Reject Strings" in its data will be rejected.
Reject strings are case-insensitive (case is not relevant).
The strings can be part of a word, a word or more than one word.
NOTE: Be careful when defining reject strings! Make sure the entered reject strings are unique enough and really classify a submission as being spam. Keep in mind those strings could possibly occur as part of another word. If you, for example, enter "sex" as a reject string, a form submission would be rejected as well if it contained the word "Sussex".
To put this extension to use, tell Joomla! to do so: Beneath System → Global Configuration set "Default Captcha" to Aimy Captcha-Less Form Guard.
User Notification Message
To inform your users that the form they are filling out is protected, Aimy Captcha-Less Form Guard displays a short message saying: "This form is protected by Aimy Captcha-Less Form Guard".
This way your users won't misinterpret the lack of a traditional, image-based captcha as your site being unprotected and insecure. In contrast, they may very well appreciate not being forced to enter some hard to read code to prove being a human while still being aware of your security measures. This helps you building trust.
However, if you do like to replace the default message shown, you do not have to edit any source code. Just use Joomla!'s default mechanism of Language Overrides, and override the constant AIMY_CLFG_PROTECTED_MSG_FMT with your new message.
Language Overrides are explained in detail in the official documentation:
To switch the message off completely, set "Show Protected-By" to "Off" (PRO).
Custom Reject Messages
Aimy Captcha-Less Form Guard comes with the following overridable reject messages you could customize to fit your website's needs using a "Language Override" (see link above).
Default: "Bot detected - form submission rejected"
Default: "Your IP address is blacklisted by %s - form submission rejected"
The "%s" placeholder will be replaced with the DNSBL's name.
Default: "Form submission rejected because of bad content. If you think this is a mistake, please write us an email."
Please note that the default strings are included in various languages as part of Aimy Captcha-Less Form Guard already.
Support for Third Party Extensions
Aimy Captcha-Less Form Guard implements the Joomla! Captcha interface. Therefore all extensions that support to make use of Joomla! captcha plugins can be protected by this plugin - for example RSForm!Pro, FlexiContact and OSG Seminarmanager.
Copyright & Trademark Notice
The Joomla!® name and logo are trademarks of Open Source Matters, Inc. in the United States and other countries.
Mentioned hard- and software as well as companies may be trademarks of their respective owners. Use of a term in this manual should not be regarded as affecting the validity of any trademark or service mark. A missing annotation of the trademark may not lead to the assumption that no trademark is claimed and may thus be used freely.