
Provide a way to increase CAPTCHA difficulty in abuse filters
Open, Needs Triage, Public

Description

AbuseFilter should support setting CAPTCHA difficulty per filter. There are cases where the current CAPTCHA is insufficient to slow down persistent abusers. We need a way to make specific filters more difficult and slower to solve.

Ideally, this could include:

  • A difficulty setting per filter if CAPTCHA is enabled (e.g., multiple CAPTCHAs being required)
  • A setting to randomly vary difficulty (e.g. a percentage chance of a harder CAPTCHA)
  • A way to cycle through different CAPTCHA types or configurations, if available

Background: CAPTCHA has been helpful so far since fully disallowing certain abusive edits can backfire (some bad actors respond by adapting their tactics). What we need is the same experience you get on certain websites when using a sketchy VPN or network: CAPTCHA after CAPTCHA after CAPTCHA. Some added configuration could help make that possible.

Event Timeline

Pppery subscribed.

I don't think the concept of CAPTCHA difficulty exists at all right now.

I don't think the concept of CAPTCHA difficulty exists at all right now.

Many CAPTCHA systems increase the difficulty level simply by requiring multiple CAPTCHAs to be solved. That's why I mentioned that as an example of how to implement difficulty in the first bullet point. I wasn't trying to define the solution too narrowly or assume changes would be needed to the CAPTCHA system itself. The key point is that AbuseFilter needs to support configurable CAPTCHA behavior so filters can trigger harder or more time-consuming challenges when needed.

Another idea that has been discussed is the idea of being able to set a random failure rate for CAPTCHAs. This would only be used for highly accurate filters targeting severe abuse.

Increasing a CAPTCHA's difficulty is probably normally done to stop bots which manage to solve easier CAPTCHAs. When Cloudflare or Google display their most annoying CAPTCHAs, they probably do so in response to bot traffic: Once someone has proven their humanity (and perhaps some CPU work), they're allowlisted with a cookie.

Wikipedia's use case for a difficulty setting is different: We want to increase the amount of time and work a human has to spend on solving the CAPTCHA. We don't necessarily have to make the letters harder to detect or to reduce accessibility; that's not the point. We could display a fully-accessible series of 20 simple math questions and it would still do the job.

Another idea that has been discussed is the idea of being able to set a random failure rate for CAPTCHAs. This would only be used for highly accurate filters targeting severe abuse.

This could be extremely effective for filtering out mass vandalism by users who don't care about their edits enough to try again.

I'd even say we should have a two-dimensional setting: Bot difficulty from 0 to 100, human work from 0 to 100. Displaying a maths question in plain text would be 0:10, displaying ten of them would be 0:100. Using images instead of text would increase the left number instead.