The plugin that sabotaged itself
This was a brilliant plugin that I had been using on dozens of sites for many years without any issues – it just worked. It was so good at stopping spam that I never had to worry. Then one day, the developer pushed a devastating update that broke spam filtering all at once – seemingly for everyone. This poorly handled rollout caused myriad problems for countless site owners. Rather than allowing the old methodology and the new to live side-by-side so site owners could migrate at their own pace, reCAPTCHA v2 was removed completely (including keys from the database) in favor of v3. This left every updated site wide open to attack by default.
Worse than that, v2’s removal was not disclosed anywhere in the changelog. If you hadn’t been paying very close attention, you wouldn’t have even known to add v3 keys at all. Even after you do set up v3 integration, most sites still get hit with tons of spam, with the added detriment of having a Google disclaimer prominently displayed on every page, often overlapping essential website content.
Despite all the problems, the author has stated that they will never restore v2 integration. Unfortunately, these poor rollout practices, removal of features without warning, and top-down decision making with no regard for user preferences have greatly undermined trust over time.
EDIT: Running CF7 along with the “Advanced noCaptcha & invisible Captcha” plugin makes this a viable plugin again by adding makeshift support for reCAPTCHA v2, for the time being. Also, there is a new update that fixes some of the v3 leakage, but the invasive Google badge remains and native v2 support is still left out.
EDIT 2: After version 5.5.6.1, Contact Form 7 includes a Schema block for each form which cannot be disabled. This would be fine except that the JavaScript to load the schema consistently takes multiple seconds to load, vastly affecting load time and site performance. When asked about it, the developer simply responded that “there is no necessity to remove schema”, even though many users have alerted them to the issue. I don’t expect this will be fixed or made optional.
EDIT 3: Version 6.1.4 – The developer has added Turnstile integration! This works far better than any version of reCAPTCHA ever did. There is only one catch, and that’s in how it is implemented. The developer once again chose an overly opinionated approach here. Regardless of whether or not you use the Turnstile shortcode in your form, CF7 will automatically inject Turnstile anyway. This ends up breaking multi-part forms and leaves any kind of fine-tuning controls in the hands of CF7 developers rather than site owners.
—
Basically, this is a free plugin – and you get what you pay for. If your needs are simple it might very well work for you, and do a stellar job at it. But if you are working on anything important, be sure to keep an eye out for bad launch practices. Breaking changes are often rolled out without warning. Also, be aware that features and integrations may change on a whim – it all depends on the developer’s preference, and they do not accept feedback.
I would not actually bother seeking support with this plugin. Being ignored is the best case scenario – usually they will ask you to disclose your website URL and installed plugins publicly and then don’t really offer much advice in return. And now there is a permanent public record of your website, its installed plugins, and at least one person who works on it – a treasure trove for hackers and a nightmare for security-minded administrators.