Shield Security employs many technical elements to accurately detect and block malicious bots.
No component stands alone. Shield uses many signals to build a visitor profile, which informs decisions on whether certain requests (such as a WP login or WP comments) should be allowed.
We’ve struggled internally to find a good name for this invisible technology. The one we landed on most recently was “ADE” – AntiBot Detection Engine.
That name tells us little, and it’s not immediately clear what it refers to. So we needed a name that everyone could instantly grasp.
Introducing: silentCAPTCHA – Shield’s Defense Against WordPress Bots
We landed on the name: silentCAPTCHA.
Absolutely everyone knows what a CAPTCHA is and what it’s for. So this name immediately demystifies the purpose of our anti-bot system, without ever mentioning “bot” or “system” or “service”.
But the crucial part is “silent”. Everyone gets “silent”, and it strikes to the core of our technology. Just like Google’s Invisible reCAPTCHA and reCAPTCHA v3, silentCAPTCHA is completely invisible to your normal, everyday visitor.
By leveraging the fact that this technology operates only on WordPress, we eliminate the need for any direct user interaction. There are no checkboxes to click, no sums to work out, and no sprawling letters to squint through.
The entire process is silent.
Google’s reCAPTCHA and Cloudflare’s Turnstile both involve user interruption. And while these technologies are great, they’re designed for many types of applications, not just WordPress.
What’s New In The Latest silentCAPTCHA Apart From The Name?
Since our first release of AntiBot Detection Engine (now silentCAPTCHA), we’ve evolved the system quite a lot to make it more reliable and reduce false positives. Most trouble stems from heavy use of WordPress page caching, which we’ve tried many times to work around.
For our upcoming Shield Security release (v20), we’ve completely rewritten core components and employed an all-new approach to the bot-challenge.
Our earlier bot challenge was a JavaScript-based “obstacle”, which performed surprisingly well. It thwarted the vast majority of bots, and while it performed better than expected, we felt we could go further.
In light of these issues, we set about doing some research to solve the following:
- can we build a more resilient, harder-to-beat challenge for bots?
- can we eliminate the page caching issues that break our JavaScript challenge?
#1 Creating A Harder-To-Beat CAPTCHA Challenge For WordPress Bots
As we already mentioned, our original silentCAPTCHA wasn’t complex, but it did present a challenge to most bots. We wanted to make the challenge even harder, without interrupting the experience for legitimate visitors.
To achieve this, we landed on the Proof-of-Work principle.
Very simply put, proof-of-work involves presenting a computationally intensive challenge to the visitor and asking them to solve it. If they can solve it, then they must include the solution to the challenge in their requests. If they don’t, then we can infer that the visitor is, in all likelihood, a bot.
Most legitimate visitors will solve this challenge without any issues. Your web browser does all the leg work for you and you’ll continue through the site as normal. Bots, however, are built for high throughput – i.e. fire many requests in as little time as possible. If they must spend resources computing the solution to complex challenges, they either won’t be able to do it, or they’ll view it as too costly to bother with.
An important point about bots is this: bots need resources to operate.
Anyone deploying the bots must pay, in some way, for these resources. If you increase the cost of running those bots against your WordPress sites, then you’ll reduce their impact by discouraging the bots altogether, or slowing them right down.
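The proof-of-work exchange described above, as an added example in Node.js that is not Shield’s own code (the article does not describe the real challenge format). The function names, the HMAC-signed `nonce.difficultyBits.expiryMs.mac` layout and the SHA-256 leading-zero-bits rule are assumptions chosen for illustration.

```javascript
const crypto = require('crypto');

// Assumption: server-only secret; signing the challenge means no per-visitor state.
const SERVER_KEY = crypto.randomBytes(32);
const sign = (payload) =>
  crypto.createHmac('sha256', SERVER_KEY).update(payload).digest('hex');

// Server: challenge = nonce.difficultyBits.expiryMs.mac (layout is hypothetical).
function issueChallenge(difficultyBits, ttlMs, now = Date.now()) {
  const payload = `${crypto.randomBytes(16).toString('hex')}.${difficultyBits}.${now + ttlMs}`;
  return `${payload}.${sign(payload)}`;
}

function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte !== 0) return bits + Math.clz32(byte) - 24; // zeros inside this byte
    bits += 8;
  }
  return bits;
}

const work = (challenge, counter) =>
  crypto.createHash('sha256').update(`${challenge}:${counter}`).digest();

// Client: brute-force a counter; expected cost is about 2^difficultyBits hashes.
function solve(challenge) {
  const bits = Number(challenge.split('.')[1]);
  for (let counter = 0; ; counter++) {
    if (leadingZeroBits(work(challenge, counter)) >= bits) return counter;
  }
}

// Server: checking costs one HMAC and one hash, however hard the puzzle was.
function verify(challenge, counter, now = Date.now()) {
  const parts = challenge.split('.');
  if (parts.length !== 4 || !Number.isSafeInteger(counter) || counter < 0) return false;
  const [nonce, bits, expires, mac] = parts;
  const expected = Buffer.from(sign(`${nonce}.${bits}.${expires}`));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return false;
  if (now > Number(expires)) return false; // stale challenge
  // A deployment would also record redeemed nonces to stop replay before expiry.
  return leadingZeroBits(work(challenge, counter)) >= Number(bits);
}

const demo = issueChallenge(12, 60000); // constructed sample: 12-bit difficulty
console.log('solved and verified:', verify(demo, solve(demo)));
```

Each extra difficulty bit doubles the client's expected work while the server's verification cost stays constant, which is the asymmetry that makes high-volume bot traffic expensive.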
#2 Eliminate Breakage Caused By WordPress Page Caching
WordPress Page Caching lets you convert a dynamic website to a static website.
When you use page caching, your website is basically converted to static (unchanging) HTML pages which you serve to your visitors. For some WordPress page caching plugins, the actual WordPress subsystem isn’t even loaded when the cached HTML is served.
This results in “as-fast-as-possible” website speeds. This is super for the user experience, but it will interrupt the dynamic elements of WordPress sites such as forms (login, comments, contact).
You’d never want to cache WooCommerce checkout pages, for example.
But it isn’t just e-commerce sites that provide a dynamic experience. Many plugins provide dynamic content and when you cache the pages, certain elements on the page will break, for various technical reasons.
This problem has plagued our silentCAPTCHA technology, and while we’ve mostly solved it, the workarounds can result in additional web requests to the site that wouldn’t otherwise be sent if page caching wasn’t so aggressive.
Our latest silentCAPTCHA iteration will solve the page caching problem in several key ways:
- We’ve massively improved our JavaScript and its interaction with the Shield plugin to reduce the need to send any CAPTCHA requests to the site at all. All new visitors will still need to send the CAPTCHA requests, but they’re optimised to reduce repeated requests.
- As we mentioned earlier, our 1st version used a basic JavaScript challenge that was effective against many bots and we’ve kept this in there. It’s now easier for bots to fire, but it won’t be broken by page caching. The response to this initial request contains the “Proof-of-Work” Challenge that the visitor will need to solve to complete the 2nd stage of the CAPTCHA.
- The “Proof-of-Work” challenge can’t be broken by page caching either and this is where the core of our newer bot challenge lies. Whether or not the visitor has completed this challenge is used by Shield to inform its silentCAPTCHA decisions.
In summary, we’ve eliminated the page caching problems, and further optimised how visitors are challenged, to reduce the number of requests, while at the same time increasing the complexity of the challenge that bots will face.
How Can You Get silentCAPTCHA v2?
Our new silentCAPTCHA will be included in our next ShieldPRO release – version 20. We’ve updated many more things in this release which is why it’s received a new major version, but we’ll have more on that in our release announcement coming soon.
As always, if you have any questions about silentCAPTCHA or anything raised in this article, please let us know in the comments below.