Scammers and spammers are among those we encounter when doing business online. Publishers can run into issues when nefarious actors use transactional forms for things such as card testing. This is a common occurrence with payments on the web in general, not specific to Newspack sites.
If you are using Newspack as your Reader Revenue platform, we recommend that you implement these best practices now to mitigate your site’s risk of card-testing attacks.
- Set up reCAPTCHA
- Check your minimum donation level
For those using a third-party service to manage donations, you’ll want to check with the provider to make sure that you are properly safeguarded against card-testing attacks.
Setting up reCAPTCHA on your Newspack site
Newspack supports both v3 and v2 (invisible) flavors of reCAPTCHA. The “checkbox” flavor of reCAPTCHA v2 is not supported, as it’s a much more obtrusive user experience than the other flavors. Learn more about the differences between reCAPTCHA versions here.
If you haven’t already, you will first need to generate a Site Key and Secret Key. Read on for more details.
Generating credentials
Generate new site key and secret credentials via Google reCAPTCHA. Note that site key and secret credentials are tied to a specific reCAPTCHA type, so make sure you create credentials for the same version selected in Newspack site settings. Learn more about the different versions here.
When creating new credentials, choose the following:
- Label: Type in a label for your reCAPTCHA (e.g., your site name).
- reCAPTCHA type: Choose either Challenge (v2) + Invisible reCAPTCHA badge or Score-based (v3). The type must match the type selected in Newspack site settings.
- Domains: Add your site’s domain(s). You can add more than one if you want to use the same set of credentials across sites.
- Owners: Add in the email addresses of anyone else (such as an admin on your team) who should have access to “own” and modify these reCAPTCHA settings.
- Accept the reCAPTCHA Terms of Service: Check the box to accept.
- Send alerts to owners: It’s best to keep this checked, as it will alert you via email if Google detects site issues via reCAPTCHA.

Configuration options
When using reCAPTCHA v3, false positives can and sometimes do happen. Because reCAPTCHA v3 works without any direct user input, false positives can be a frustrating, show-stopping issue for readers, leading to lost conversions as readers seemingly have no choice but to abandon their action.
For this reason, reCAPTCHA v3 provides a tool called the threshold, which tells it how strict it should be when evaluating user action attempts. When evaluating user interactions, reCAPTCHA v3 returns a score between 0.1 and 1.0 that shows how confident the system is in the interaction’s botness vs. humanness. The lower the score, the more suspicious it is. The higher the score, the more likely it is to be human. Read here about how reCAPTCHA v3’s scoring system works.
The default threshold of 0.5 should work well for most sites. But if you’re seeing a lot of spam activity or reports of false positives from your readers, you can tweak the threshold for reCAPTCHA in the Connections admin page. This allows you to decide how strict its checks should be. A higher threshold makes the checks stricter (attempts are less likely to be allowed), while a lower threshold makes the checks more permissive (attempts are more likely to be allowed).

When tweaking the threshold value, we recommend keeping the value as close to 0.5 as possible. At 0.1, reCAPTCHA will allow nearly every attempt, rendering it useless. At 1.0 or higher, reCAPTCHA will reject every attempt, making protected actions impossible to complete. Finding the optimal balance for your site and your readers may take a little experimentation.
If you’re having trouble finding a balance between false positives and security on your site, consider using the v2 (invisible) flavor instead. Instead of being rejected, readers flagged as suspicious will have the chance to “prove” their humanity via solving a challenge. Make sure to generate new credentials if switching between reCAPTCHA versions.
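To see the trade-off the threshold controls, the added example below (not Newspack's code) sweeps several thresholds over a constructed set of scored attempts and counts blocked humans against allowed bots. The `human` labels, the sample scores and the `score < threshold` rejection rule are assumptions made for illustration.

```python
# Added example: constructed data and an assumed comparison rule,
# not Newspack's implementation.

# Constructed verification results. "success" and "score" mirror fields of a
# reCAPTCHA v3 verification response; "human" is a ground-truth label a site
# owner would assign afterwards (reader complaints, refunds). reCAPTCHA does
# not return it.
ATTEMPTS = [
    {"success": True, "score": 0.9, "human": True},
    {"success": True, "score": 0.9, "human": True},
    {"success": True, "score": 0.7, "human": True},
    {"success": True, "score": 0.7, "human": True},
    {"success": True, "score": 0.5, "human": True},
    {"success": True, "score": 0.3, "human": True},   # reader who looks bot-like
    {"success": True, "score": 0.1, "human": False},
    {"success": True, "score": 0.1, "human": False},
    {"success": True, "score": 0.3, "human": False},
    {"success": True, "score": 0.3, "human": False},
    {"success": True, "score": 0.5, "human": False},
    {"success": True, "score": 0.7, "human": False},  # bot that looks human
    {"success": False, "human": False},               # verification itself failed
]


def evaluate(result, threshold):
    """Return (allowed, reason) for one verification result."""
    if not result.get("success"):
        return False, "verification failed"
    score = result.get("score")
    if score is None:
        # Fail closed: without a score there is nothing to compare.
        return False, "no score in response"
    if score < threshold:  # assumed rule: reject anything below the threshold
        return False, "score below threshold"
    return True, "ok"


def sweep(attempts, thresholds):
    """For each threshold, count humans blocked and bots allowed."""
    rows = []
    for t in thresholds:
        decisions = [(a["human"], evaluate(a, t)[0]) for a in attempts]
        blocked_humans = sum(1 for human, ok in decisions if human and not ok)
        allowed_bots = sum(1 for human, ok in decisions if not human and ok)
        rows.append((t, blocked_humans, allowed_bots))
    return rows


if __name__ == "__main__":
    for t, fp, fn in sweep(ATTEMPTS, [0.1, 0.3, 0.5, 0.7, 1.0]):
        print(f"threshold {t}: {fp} humans blocked, {fn} bots allowed")
```

On this sample, moving the threshold from 0.5 to 0.7 blocks one more human to stop one more bot, which is the balance the experimentation above is meant to find.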
What’s protected?
After you enable reCAPTCHA v2 or v3, the following Newspack features are automatically protected from fraudulent activity:
- WooCommerce-based transactions initiated via Newspack Donation or Checkout Button blocks
- Newsletter signups via the Newsletter Subscription Form block
- Reader account registrations via the Registration block and the “Sign In” modal
Troubleshooting reCAPTCHA
If your readers experience error messages when registering for an account, signing up for newsletters, or attempting to complete transactions, the most common errors are due to the following misconfigurations:
- The Site Key or Secret are associated with the wrong reCAPTCHA version (e.g. it’s a v3 key/secret but the option is set to v2, or vice versa)
- The site’s domain has not been added as a whitelisted domain in the settings page in Google reCAPTCHA settings
Setting a minimum donation level
To avoid fraudulent card-testing payments, a good best practice is to increase the minimum donation for your site. Newspack sets a minimum donation amount of $5 by default. To change this minimum amount:
- Navigate to Newspack > Reader Revenue > Donations.
- Under Donation Settings, set the Minimum Donation value to the desired number and click Save Donation Settings.
To update a previously set minimum in WooCommerce
If you’ve previously set a Minimum Price on Newspack donation products in WooCommerce, this may conflict with the minimum donation amount set in Newspack > Reader Revenue > Donations. To check WooCommerce product settings:
- Navigate to Products > All Products to access your list of products. You’ll be able to see any Minimum Price value that was previously manually entered (e.g., From: $1.00) for each donation option in your Products list.
- We recommend that these Minimum Price values match the minimum donation value set in Newspack > Reader Revenue > Donations. To edit the minimum price for each donation product:
  - On the Edit product page, in the Product data meta box, set or clear the Minimum Price field. If cleared or set lower than the minimum donation value, the minimum donation value will take precedence.
  - Click Update at the top of the Product page to save your settings.

Questions
Have any questions? Let us know, and we’ll be happy to help you sort this out.
