I want to know if it is possible to enable reCAPTCHA on the /lostpassword page on my OJS 3 installation. There are many fake users (I know it because the email address does not exist on the remote server). I don’t know how or when, but every day I am receiving 5 emails that say: “Reported error: 550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient’s email address for typos or 550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1 https://support.google.com/mail/?p=NoSuchUser h2si4170516qtc.262 - gsmtp”
I think the solution is to activate reCAPTCHA on lostpassword, or are there other solutions?
OJS should only try to send a forgot password email to a user’s email if it exists in OJS.
So the situation you are proposing is:
A user registers for an account in OJS with a fake email address.
A user tries to reset the OJS password using that fake email address.
The mailserver responds that the email address is not found.
Do you have email validation turned on in config.inc.php? I could imagine a spammer registering, not being able to validate, and then trying the password reset process.
If you already have ReCAPTCHA enabled on your registration page, and the spammers are bypassing that to do the initial registration, I don’t expect that adding ReCAPTCHA to the lost password page will help much.
There are other tools like formHoneypot or Akismet which might help with spam registrations if spammers are completing ReCAPTCHA.
If you really want to add ReCAPTCHA to the lost password page, this will be surprisingly complex. You can find the basic code which makes it happen on the registration form:
But the lost password page does not use the form architecture, so we can’t use the normal form validation. You would need to modify the handlers and template directly:
Thank you for your clear answer. The problem that I am facing is that my OJS 2 did not have email validation turned on. After upgrading to OJS 188.8.131.52 I activated that option. Actually, I have more than 11k users per journal, many of them are fake users.
I was analyzing that spammers are completing ReCAPTCHA V2 on the registration page. I will try to use the tools that you mentioned above.