Ridiculous Spam Prevention

A week or so ago I agreed to help the lovely Natalie of The Yarn Yard move her blog from Typepad to Wordpress. We talked through what she wanted, and she identified a theme that she liked. I'm not going to identify it, because I think it'd be counter productive, but it has a killer feature that she really likes.

Unfortunately, the documentation is a bit lacking, and in looking to make a specific change to this killer feature, I found that I needed to consult the support forums.

So far, so good.

Except, all the support I can find tells me to find line 40 of header.php (which I did) and look for specific code and change it.


Except that line 40 doesn't look like the specific code any more, and I can't find any bit in any of the files that does (and believe me when I say that I've tried, and I've searched).

So I decide to bite the bullet, risk the revocation of my geek card, and ask for help in the forum.

Except, to do that, I have to register, and that's where the fun starts.

Before I begin, I want to make this clear. The forum is a support forum for two themes. One for Wordpress, one for another CMS.

So I start to fill in the registration form, not really reading the help text with the labels, because I've filled out a million registration forms before.

Username: the usual Email address: the usual Confirm email address: *yawn* Password: blah Confirm password: blah again

Ignore language and timezone

Then the wheels fall off the wagon.

Antispam: (no, I'm not a spammer)

Secret code: You what now?

There's a big pile of help text under that label, telling me to send an email to an email address to get a code, to prevent spambots. I'm thinking to myself that this is a bit of overkill, but I do it anyway.

While I'm waiting I go back to the form to answer the next couple of questions.

Human: Yes.

Are you going to do bad things to my forum?: (I wasn't before, but now I'm considering it. Only kidding. No.)

By this point the email with the code shows up. I enter it, and move on.

To find that, after having completed FOUR different CAPTCHA type devices, including sending an email for a secret code, I now have to fill out an actual CAPTCHA.

By this point, I'm wondering if this guy is serious, and whether he's protecting the treasure of the Sierra Madre, or whether I'm on some kind of eyetracking version of Candid Camera, but I complete it anyway, and hit submit.

To be thrown back with an error that my username is too long. It has to be between 3 and 8 characters, which means my usual username is out.


Change that, redo CAPTCHA, hit submit.

Another error. Password too short. Of course, because it deleted the password I entered the first time (but not the copy of it in the second confirmation, curiously). Change that, redo CAPTCHA again, hit submit.


Then I get a message telling me I have to wait for an email to activate my account before being able to ask my question.

In fairness, he does acknowledge the hoops and there's a message saying thanks for jumping through them, but that's doing little to soothe my irritation.

So I have a whinge on twitter about it, while I wait for the confirmation email to show up, which it does, a couple of minutes later.

With the username and password provided in clear text.

Now, I've seen a lot of crappy websites in my time. I've registered for a lot of forums in my time. I've been annoyed by user experiences in my time, but rarely have I felt so motivated to send a very strongly worded email to the owner of a forum (I think the last time was when someone suggested that my colleagues and I should be horsewhipped, for something which we had no control over, but that's a whole other story).

I am quite flabbergasted that someone who sees fit to implement stringent (and seemingly arbitrary) limits on usernames, plus five different CAPTCHA security devices (including an inaccessible actual CAPTCHA) doesn't give the users he's forced to jump through hoops to join his support forums the same kind of respect for their security.

I've now changed my password on that forum (which in itself was a UX nightmare), but I'm still quite astonished.

I understand that spam is a problem on online forums (and everywhere else), and I understand that CAPTCHAs go some way to slowing down (if not entirely stopping) the deluge of spam, but I just don't believe that putting the user through so many hoops is acceptable under any circumstances, let alone for something so basic as a support forum.

Rather than make me feel safer, it's irritated me to the point that I've just written over 800 words about how irritated I am with this, rather than writing about how much I love the TV series Chuck, which is what I was going to write.

More to the point, it makes me seriously reconsider using the Theme, because if he's that lax with security on something as basic as a forum signup email, I can't even begin to trust his code, which is a shame, because that killer feature in the theme was pretty nice.