I was just wondering if something like this would work:
- The page displays a form, with a captcha code inside it.
- When this form is generated, a transient is set to store the captcha code.
- The visitor submits the form
- After submit, `$_POST['captcha']` is compared to the transient from the database; if matched return success, otherwise fail
- Delete the transient
What do you think? Is this secure?
I think that, while this method could be secure, there are many advantages to using an off-the-shelf captcha system, both in terms of the security of the captcha images/audio/media, and also in terms of performance advantages like caching. If you use a captcha widget which is JavaScript based, for example, the underlying WordPress-generated page could actually be completely cached as a static page by a number of caching plugins. If you are generating the captcha in PHP each time, this would not be possible.
If you do go down this route, one thing you'll want to do as well is to add a hidden nonce to the form to make sure that the user agent responding to the captcha is the one you just generated it for. WordPress's wp_nonce function can help you do this easily. Otherwise, if you do not flush your captcha transients carefully, it's possible for someone to cache that page with the captcha and have another user agent send the response.
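The flow from the question (issue a captcha, store it in a transient, compare on submit, delete) together with the nonce binding suggested in the answer, as an added example that is not code from either post. It assumes it runs inside WordPress (`set_transient`, `get_transient`, `delete_transient`, `wp_create_nonce`, `wp_verify_nonce`, `wp_nonce_field`, `wp_hash`, `wp_unslash`, `sanitize_key` are WordPress APIs); the `my_captcha_` prefix, the function names and the 600-second lifetime are hypothetical choices, and rendering the code as an image or audio is left out.

```php
<?php
// Added example; assumes WordPress is loaded. Function names and the
// 'my_captcha_' prefix are hypothetical. Rendering of the challenge as
// image/audio is out of scope.

// Human-friendly alphabet without 0/O and 1/I lookalikes.
function my_captcha_random_code( $length ) {
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $out      = '';
    for ( $i = 0; $i < $length; $i++ ) {
        $out .= $alphabet[ random_int( 0, strlen( $alphabet ) - 1 ) ];
    }
    return $out;
}

// Issue one challenge for a freshly rendered form.
// A random per-form token becomes part of the transient key, so each
// rendered form has its own answer and its own one-time slot.
function my_captcha_issue( $ttl = 600 ) {
    $token = bin2hex( random_bytes( 16 ) );
    $code  = my_captcha_random_code( 6 );
    $key   = 'my_captcha_' . $token;
    // Store a keyed hash, not the answer itself, so a dump of the options
    // table (where transients live without an object cache) is not a
    // list of pending answers.
    set_transient( $key, wp_hash( $code ), $ttl );
    return array(
        'token' => $token,
        'code'  => $code,                      // render this as image/audio
        'nonce' => wp_create_nonce( $key ),    // action is bound to this token
    );
}

// Emit the hidden fields and the answer box inside the form.
function my_captcha_fields( $challenge ) {
    $key = 'my_captcha_' . $challenge['token'];
    echo '<input type="hidden" name="captcha_token" value="'
        . esc_attr( $challenge['token'] ) . '">';
    wp_nonce_field( $key, 'captcha_nonce' );
    echo '<input type="text" name="captcha" autocomplete="off">';
}

// Verify the submitted answer. Returns true exactly once per issued
// challenge; expired, unknown, already-used or replayed submissions fail.
function my_captcha_verify() {
    $token = isset( $_POST['captcha_token'] )
        ? sanitize_key( wp_unslash( $_POST['captcha_token'] ) ) : '';
    if ( '' === $token ) {
        return false;
    }
    $key = 'my_captcha_' . $token;

    // Nonce check: the action string includes the token, so a nonce
    // minted for one form cannot be reused with another token.
    if ( ! isset( $_POST['captcha_nonce'] )
        || ! wp_verify_nonce( wp_unslash( $_POST['captcha_nonce'] ), $key ) ) {
        return false;
    }

    $stored = get_transient( $key );
    // Consume the challenge before comparing: a wrong guess cannot be
    // retried against the same code and a correct one cannot be replayed.
    delete_transient( $key );
    if ( false === $stored ) {
        return false; // expired, never issued, or already used
    }

    $answer = isset( $_POST['captcha'] )
        ? strtoupper( trim( wp_unslash( $_POST['captcha'] ) ) ) : '';
    // Constant-time comparison of the keyed hashes.
    return hash_equals( $stored, wp_hash( $answer ) );
}
```

One caveat worth knowing when relying on the nonce for the "same user agent" property: for logged-out visitors WordPress nonces are computed with user ID 0 and an empty session token, so every anonymous visitor in the same tick window gets the same nonce for a given action. In the code above it is therefore the random per-form token (carried in the hidden field and in the transient key) and the delete-before-compare step that stop a cached copy of the form from being answered by someone else; the nonce still contributes expiry and the usual CSRF protection, and is per-session for logged-in users.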