Why Captcha is bad

People seem obsessed with captcha these days.

Small web sites that I know couldn’t possibly get more than a few enquiry form submissions a week come looking for it.

I, with 13 years' experience of the Internet and decent eyesight, have to repeatedly re-attempt registration on websites where I want to do scary things like buy products.

Try signing up for a Windows Live account. Only a blind person can do it at the first attempt. Not because they can hear the audio (their hearing is many times better than the sighted's, but not that good); no, they can deal with captcha easily because any Internet-literate person with sight difficulties is aware of all the tools and plugins that can defeat captcha.

In no particular order, these are the reasons I really, really do not want to put captcha on your website:

  • You don’t need it. Have you had more than 1 spam submission in the last 2 weeks? Oh I see, all the OTHER sites have it. Like what, Google? Microsoft? eBay? I admire your self-confidence, but I’m not sure your site or service is quite there yet.
  • How dare you put the onus on the person you want most to interact with you: a potential customer, collaborator or Internet stalker, and make them jump through an extra hoop simply to register or contact you. Do shops take fingerprints at their doors lest a shoplifter gain entry?
  • It is lazy to use captcha. If you really have a problem with spammy signups, contact-form submissions, etc., a bit of imagination on the part of you and your developer can solve this problem without sticking it to the visitor. Email verification. Spam filtering. Bad Behaviour. Akismet. It is your problem, so put a bit of effort in.


Uninvited guests…

I have just recently switched this website from the Drupal CMS to WordPress. Within the last 24 hours I have had the first symptoms of an irritation I have noticed on other blogs I manage. Almost as soon as the conversion was complete, I had two suspicious user sign-ups. Suspicious in that they occurred in very short order for a relatively low-traffic website, and guess what, they both end in “.ru”, the Russian domain ending.

Now I am not in favour of tarring everyone with the same brush, I am sure most Russians couldn’t give an Abkhazia about my blog, but there is something fishy going on. Another blog I managed has over 1,500 registered users, yet over 800 of those users have emails ending in “.ru”.

So what is going on here? Initial suspicion was that this was a way of attempting to place spam comments on the blog, but that does not seem to pan out. Firstly, the Akismet plugin does not seem to have a problem catching comment spam whether the user is registered or not. Nor could I find any relationship between these “dodgy users” and the comments that had been placed into the Spam bin by Akismet.

So I haven’t worried too much about them since they don’t seem to be doing any damage.

As I mentioned earlier, this is a new blog. Comments have been open on it, but I have only just activated the Akismet plugin. So there were about 24 hours during which comment spam could have been placed on the blog yet it wasn’t, even by the suspicious new users. Strange huh?

It seems then that there must be another reason for these signups other than comment spam. They may be trying to exploit known vulnerabilities in older versions of WordPress.

In any event, to see if I can cut this out, I have installed a new plugin, Register Plus; this has quite a number of nifty features around user registration which have been a bit lacking in WordPress to date. The features I have so far activated are:

  • Email address confirmation for new users
  • Users can set their own passwords
  • Custom logo on the registration page

There are a number of additional features worth checking out, but so far those are the ones I will be using.

I will see how I get on over the next few weeks and if successful, I will roll out the plugin to other WordPress sites I manage.

My suspicion is that these “dodgy signups” are driven by an automated bot and this may well not be able to use the new registration form. If that fails, then I am pretty sure the email addresses are invalid and therefore the user accounts are not activated and will be removed after 7 days.

In the last resort, there is also a captcha feature, but I would prefer not to have to use that. Hate the bloody things!

Another blogger who doesn’t think much of the fake user signups is using the Sabre plugin, but I am going to see how I get on with Register Plus before employing yet another plugin that only does one specific task. They become a nightmare to manage.
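As an added illustration (not code from this post, from WordPress or from the Register Plus plugin), here are the two signals described above, a burst of signups on a quiet site and a lopsided share of one email TLD, plus the 7-day unconfirmed-account expiry, written as checks over a constructed registration list.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of registrations (timestamp, email, confirmed) on a
# low-traffic blog; not real data from the site described above.
REGISTRATIONS = [
    ("2009-03-01 08:12", "alice@example.org", True),
    ("2009-03-01 09:40", "ivan123@mail.ru", False),
    ("2009-03-01 09:44", "olga_x@bk.ru", False),
    ("2009-03-03 10:05", "bob@example.net", True),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def burst_signups(regs, window=timedelta(hours=1), min_count=2):
    """Emails of signups that land in any window holding at least
    `min_count` registrations: 'very short order' for a quiet site."""
    times = sorted((_ts(t), email) for t, email, _ in regs)
    flagged = set()
    for i, (t0, _) in enumerate(times):
        group = [e for t, e in times[i:] if t - t0 <= window]
        if len(group) >= min_count:
            flagged.update(group)
    return sorted(flagged)


def tld_share(regs, tld):
    """Fraction of registered emails whose domain ends in `tld`, e.g. '.ru'."""
    domains = Counter(email.rsplit("@", 1)[1].lower() for _, email, _ in regs)
    hits = sum(n for d, n in domains.items() if d.endswith(tld))
    return hits / len(regs) if regs else 0.0


def stale_unconfirmed(regs, now, max_age=timedelta(days=7)):
    """Accounts that never confirmed their email within `max_age`: the set a
    cleanup job like the plugin's 7-day removal would delete."""
    return sorted(e for t, e, ok in regs if not ok and now - _ts(t) > max_age)


if __name__ == "__main__":
    print("burst:", burst_signups(REGISTRATIONS))
    print(".ru share: %.2f" % tld_share(REGISTRATIONS, ".ru"))
    print("stale:", stale_unconfirmed(REGISTRATIONS, _ts("2009-03-10 00:00")))
```

The thresholds are deliberately low for a blog that normally sees a couple of signups a week; tune `window` and `min_count` to the site's own baseline.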
