For sites with custom domains, your own reCaptcha keys must be used.
Here at Mavenseed the security of your site is one of our top priorities. We're pretty seasoned at this, and have spent many years battling all types of different size attacks on CG Cookie. We've taken everything that we've learned and have deployed numerous measures and mitigations in order to keep your site protected.
The most integral parts of your site are protected by Google reCaptcha V3. This version of reCaptcha doesn't interrupt the normal flow for your users, and won't require them to "check the boxes with dougnuts", even though, doughnuts are amazing and should always be checked.
To do this the reCaptcha API calculates a score to determine if the user is a real human. During our testing we've found it to be reliable on both mavenseed subdomains, and custom domains.
The following endpoints on your site automatically protected for you:
- customer sign in
- customer account creation
- placing orders
- asking questions in the forum
- answering questions in the forum
If you do not have a custom domain set, or in other words, if you are using the yoursite.mavenseed.com domain, no further action is required on your part.
If you have a custom domain set for your site, you will need to retrieve your own API keys for Google reCaptcha. This is a limitation from Google, as they limit how many custom domains can be added to one set of keys. We would just keep using our keys, but I guess we can't have our cake and eat it too!
Setting this up is super simple (note: this requires a Google account).
- 2.On the upper right hand corner of your screen click the plus button to create a site.
- 3.Specify a label, choose the option for reCaptcha V3.
- 4.Important! Add two domain names in the Domains section. The first should be your main domain name, and the second should be your Mavenseed subdomain URL. So for example if your domain was myballerdomain.com, then you would add myballerydomain.com. ALSO, if your subdomain at Mavenseed is myballerdomain.mavenseed.com, then you would add this as well. When done you will have (2) domains added here! Your custom domain URL, and your mavenseed subdomain URL.
4. Once you've submitted the form, Google will give you two API keys; a site key, and a secret key.
5. Log into your Account at Mavenseed. Find your site in the list of sites, then click the "manage" button.
6. Under the "security" tab, paste in the site key, and the secret key, then save the settings in Mavenseed.
That's it! Your site is now fully protected. Google will give each "action" like logging in or checking out, a score. Typically scores above or near 1.0 mean it's a human, and 0.0 means its likely a bot. In some cases you might find that real people are getting caught into the mix. If this happens, you can change the minimum scoring for that specific interaction.
For example, if you are getting reports of someone not being able to Checkout, you can lower the minimum score from 0.5 to 0.3. This is to say that, any score above 0.3 would be considered legitimate. The ability to change the minimum score is available to everyone even if you do not have a custom domain setup.
If you have a custom domain, and you don't add your own keys for reCaptcha, you will be leaving your site vulnerable to attack. It's not a matter of if, it's a matter of when.
Perhaps more importantly, sign in forms, order forms, and subscription forms will not function if you have a custom domain and you have not added your own custom keys.
We realize that this is tying us to "the big G" but for now this is the easiest and most efficient way for us to be able to provide protection to all of our customers sites.
If you are in the process of building up your site you may not want people to see it yet. You can lock your site with a password, and only those with a password will be able to access your site.
Here's how it works:
- 1.Log into your Account at Mavenseed. Find your site in the list of sites, then click the "manage" button.
- 2.Under the "security" tab, location the Site Password settings.
- 3.Supply a password that your users will enter to gain access, and save the settings.
When you add a site password, we automagically create a page called "locked". This page has a Site Lock page leaf on it which contains the form to enter the password. This page is editable using the page builder, and is also fully protected by reCaptcha.