It seems that there are always waves of spam bots cruising websites to poke post and try their way in to any available exploit that they can find. Once you manage a number of websites, you'll notice the patterns as these bots come through in waves trying new and different tactics each time.
Lately, in the DNN sites we manage, it seems to be DotNetNuke registration forms. These forms previously were not touched and comment and other contact forms were the main target. This doesn't show a hole in security or exploit available, but instead is mostly a source of annoyance for administrators weeding through junk email registration messages, junk bot-created users, and is a general nuisance.
In this article, I'll go through several recommended steps that you can try in order to improve your site's defenses, distraction and deception tactics, and overall resilience to the hacking attempts and spam bots that will come.
One thing people tell you when talking about form security is that any one single method may cause problems for users, or may not be foolproof against all bots and hackers. It's one reason why combining together slightly different approaches can have a big benefit in reducing the bot attempts that get through. But it's also another reminder that just a few minor efforts can block the majority of the "lazy bots" and "lazy hackers" and they're the ones we want to stop from flooding us with attempts.
Within DNN, you have the ability to control the amount and type of registration you want to allow. On the Site Settings page, under the User Account Settings tab, you'll find the following options:
Let's go through the Registration Settings Options:
- NONE - This means that registration is off completely. This is the most safe method. No possible registration form presented to users or bots / hackers.
- PRIVATE - Allows admin to screen all users and to invite them individually to register for the site.
- PUBLIC - This is the most open method and allows all users to register and on the next screen be logged in as "Registered Users"
- VERIFIED - This method allows all public users to register, but sends out a validation email that the user must receive and follow back to complete their registration, thus validating and verifying that they've used a real email address they have access to.
It's important for you to pick the most strict option possible for your needs. As an extreme yet effective method, consider also, turning on and off registration as needed.
Remember, even if you have your Registration.aspx page not in a sitemap, or you don't have a page at all that has a registration module on it, there are URL Query String and alternate methods to get to a registration form for your DNN site, IF registration is set to Public or Validate, so you always have to review these settings.
With the recent wave of bots targeting the DNN Registration forms, turning registration down to Verified or Private will still result in junk emails being sent to those dummy email addresses and junk spam-bot created users in the system.
Turning off registration will fix that problem... but most sites cannot have "no registration" so we continue on to further options and things to consider.
Step 1B. Set the DNN Captcha ON for Registration
OK, here's a great option in later DNN versions that's a good addition!
Lower down in that same tab, you'll see the option to "Use CAPTCHA For Registration." Turning on this setting will render the core DNN Captcha in a registration form, which looks like this in the core DNN registration form:
This is a good start and can help. A few reported complaints about this Captcha are that it detracts from users and their form process, doesn't look so great when you're focused on design, and most of all, that it's a simplistic type of Captcha that some bots can go through.
So, what's next then?...
XMod Pro To The Rescue!
What could fit better as a solution than the ability for you as a developer to completely customize the perfect solution to balance your needs for control, simplicity for your user audience and the ability to add extra validation methods. XMod Pro is the perfect solution to help stop robots, bots, spam-bots, hackers from annoying you through your DNN Registration form!
Step 2. XMP's Updated DNN Registration Form Module Kit
Many XMP developers have already started customizing their registration process by building their own custom forms and/or starting from our Module Kit which helps show you the basics of how registration works within XMP and has some nice features such as visual password complexity checking and existing username/email checking notices.
http://dnndev.com/Products/Free-XMod-Pro-Kits/User-Registration
This kit has been updated now to include a few other new security and validation features that focus on bot protection.
There are two hidden form fields that are present in these example forms. Both are hidden from users, both are validated / checked by a combination of client-side and server-side validation. It is the different ways these are setup that, in combination, can help foil many bots.
-
Honeypot Hidden Field
There are several good articles that describe the concept... basically, many bots are programmed to put data into every form field present and test submit. By having a field that is present/visible to the bot but is set with CSS to be hidden to the human user, AND having a field name like "website" or "state" it's irresistible to a bot to fill out.
The field is set with standard XMP validation and Regular Expressions to only accept blank/null value on submission. If there is anything in the field, then the form submission will not complete.
-
Hidden Field, Value Changed by JavaScript / jQuery
The second hidden field takes into account that most bots will operate their form submissions with JavaScript turned off or stripped out of your page. This means that client-side validation and protections evaporate. This field takes that into account and hopes for it!
The SQL Select Statement for the form sets a default value for the form such as "imabot" and when the page loads properly with jQuery, the value is changed to something like "imahuman". Standard XMP validation and RegEx are in place that only the value "imahuman" is allowed.
If the bots run without that JavaScript running, then the form won't pass validation!
These are just two simple methods that we've put in place. There are plenty more that you can work out! My favorite part about the combination of these two is that they play different attributes about bot methods against the bot's success.
That, and the fact that they should be completely invisible to users and could allow you to have no visible interruption for users in their registration process!
Step 3. Additional DNN Form Security Tactics
There are several other, similar methods of generating elements on-the-fly and / or hiding or showing items to help confuse or defeat bots.
Here are a few that you can consider working into your XMod Pro Forms:
-
JS-generated Checkbox
There are a few flavors of this idea around... essentially you create a CheckBox on-the-fly with jQuery. Most of the time by simply creating a new checkbox option. That option, then, is the only allowed value that you would set within standard XMP validation. My favorite of this idea is to have only one checkbox field of "I'm not a bot".
-
Random Numbers / Text Evaluation
Another method to impact users lightly is to put in a phrase that must be evaluated by a human. The idea here is to have a form label such as:
"Please enter the middle middle word in this series: ball, pig, rock">
or
"Yellow and Blue make..."
or
"Add twelve to eleven and you have..."
>and in your validation you either allow a specific typed word or with RegEx you make a list of a few different accepted variations.
There are variations on this, too, where you can generate random numbers and values to keep those questions and their answers changing with each form load.
Step 4. XMod Pro Extensions - Custom Validation Controls - Google ReCaptcha & Others
My company has even released a few options on ways to help with this problem, not only with registration forms but with all / any forms that need not only the protection that validation can add, but also the visual presence to the user that there is added security to the form submission process (which can be important to clients and user impression!)
We have been working on a new release of a group of validation options and that means that our stand-alone Google ReCaptcha control has a new lowered price compared to the larger kit with more options. If it helps get anyone currently suffering with these bots some relief through ReCaptcha then I'm glad to help!
Not familiar with ReCaptcha? It's not used heavily in DNN that I've seen elsewhere, but I'm sure you've seen Google's ReCaptcha around.
ReCaptcha:
Once installed and registered in your XMP Forms, you can call it just like any other form control.
Other Validation Options:
The larger package of validation options ties in options for several different services that, like Google's ReCaptcha, allow you to tie into other services that provide validation solutions that are external to your site and are always being updated and enhanced.
A few examples of the additional validation options available are:
- Text Phrase Evaluation
- Google Semantic Text Evaluation
- SweetCaptcha's Visual Captcha Service
- Drag & Drop Visual Validation (works great for mobile users!)
-
So, what have we learned in this article?... Hopefully, it's that if you're having problems with new waves of bots hitting the forms on your site (any form, not just DNN registration forms!) you should review the general core DNN user registration settings to see if you're in the right level, try some alternatives for bot-smashing tactics through custom built XMod Pro Forms...
And finally, that you're not in it alone! Whether you try out custom controls built to enhance XMP with further possibilities, you try out some yourself, or you reach out to your friends and fellow developers here in the XMod Pro community, there are plenty of options available to get help with your DNN site's form security!
MooreCreative XMOD Development Blog
In the MooreCreative XMOD PRO Development Blog, I'll try to share some of the thoughts and ideas that we've come up with on a day-to-day basis as my development company uses DNN + XMOD PRO to tackle client projects. I'll include items such as tips/tricks, did-you-know articles, troubleshooting/testing examples as well as posting samples solutions and explanations behind our experience working with XMOD and jQuery functions, PageBlaster, ZLDNN Article, and other modules/elements.
If you would like to see us tackle a topic, especially anything out of the forums that could use further examples, please, don't hesitate to email me, and I'll look into preparing it for a blog post.