Hi. I'm Stephen

Javascript Captcha

This article was written in 2008. Some or all of the information and views may be out of date. Please keep this in mind while reading.

Captcha's are considered a necessary evil against the ever increasing and clever comment spam which is plaguing our websites and blogs on a daily basis.

Askimet, a provider of a very popular anti comment spam plug-in for WordPress, have released statistics that show 85.5% of comments between the end of 2005 and today, where spam. So only 14.5% are actual comments by actual users... this is a hugely worrying amount.

Most Captcha's are designed so that humans must do something that the computer cannot such as enter the characters shown in the an image, click on the cats or solve a simple equation. All of these require the human to do something and this can be bad from an accessibility point of view, as many have demonstrated previously.

Example of poor captcha design

I suggest a new method which doesn't require the user to do anything and banks on the computer not doing anything either... confused? In order for my new method to work, I must assume the following:

Implementing the new captcha method is rather simple. First you must enter a hidden field into your comment form.

<input type="hidden" name="antiSpam" id="antiSpam" value="Please do not alter" />

Users will not be able to see this field as will thus, not edit it's default value. Spam scripts may submit its default value, not submit it or add some random text to it. We must now add some JavaScript to make the magic happen.

var antiSpam = function() {
        if (document.getElementById("antiSpam")) {
                a = document.getElementById("antiSpam");
                if (isNaN(a.value) == true) {
                        a.value = 0;
                } else {
                        a.value = parseInt(a.value) + 1;
        setTimeout("antiSpam()", 1000);


What this little nugget of JavaScript crudely does is update the hidden form field with the number of seconds that has elapsed since the page was loaded. When the user has finished reading the post and writing a comment, they will submit the form with the new value in the antiSpam field. What happens next is totally up to you, however on my server, I will be doing the following IF statement.

If AntiSpam = An Integer
        If AntiSpam >= 10 Seconds
                Comment = Approved
                Comment = Spam
        Comment = Spam

This finds out if the default value has been turned into a number by the JavaScript function and if it has, see if a certain number of seconds has elapsed. All approved spam will be automatically shown to the public while comments marked as possible spam are held in a pending que which I will review occasionally in-case some comments sneaked through.

As an overview, here are the pros and cons to this approach.



With these pros and cons in mind a have decided that I will be implementing the JavaScript Captcha on this blog within the next few days.

Updated on 1 August 2008

I have updated the JavaScript function to fix a bug when the form was submitted but not accepted due to an error. If the user forgot to enter a form item, the antiSpam value would reset, this has been fixed. Also, the function now doesn't require any parameters.