Introduction

Spam is a huge problem: if you don't protect your forms with some sort of anti-spam measure, it won't be long before you are receiving a huge amount of unsolicited email.  Fortunately, Google has invented its RECAPTCHA v3, which works behind the scenes, validating users.  If a user is suspected of being a bot, it will show a series of images to test that the user is human.  If the user fails the test, then no email is sent.

However, although the RECAPTCHA is very good at what it does, it is not trouble free.  The reason I wanted to write this blog post is because I often have trouble with the RECAPTCHA, especially with new sites and actually getting it working.  This blog post is written for Concrete5 / CMS but some of these concepts may apply to other website platforms too.

The Problem

You try to submit a form, but it doesn't submit and just shows this error instead:

incorrect-captcha-code.png

Potentially it is a very serious issue leading to lost enquiries etc.  We need to fix it, but what does the error mean and how do we fix it?

What does the error mean?

This error is returned from the form block controller in Concrete5:

// check captcha if activated
if ($this->displayCaptcha) {
    $captcha = Core::make('helper/validation/captcha');
    if (!$captcha->check()) {
        $errors['captcha'] = t('Incorrect captcha code');
        $_REQUEST['ccmCaptchaCode'] = '';
    }
}

It's a bit generic, so we need to try various things:

Potential solutions

  1. Clear the Concrete5 Cache
    Always a good place to start, clearing the cache is quick and easy and then it's easy to retest your form.
     
  2. Check https://www.google.com/recaptcha/admin has the domain name listed in settings 
    Within these settings you need to add the domains that use this CAPTCHA key.  Make sure these are correctly set.
    There is some useful guidance from Google here: https://developers.google.com/recaptcha/docs/domain_validation

    So for subdomains you can put the main domain instead of the subdomain.
    However, I suspect the IP addresses need to match.
     
  3. Check you have copied the keys and secret correctly
    Log in to the Google RECAPTCHA control panel again (from step 2) and then into your site and go to www.yoursite.com/index.php/dashboard/system/permissions/captcha

    Make sure the keys are correct:
    captcha-keys.jpg  
  4. Set Canonical URLs correctly:
    Go to www.yoursite.com/index.php/dashboard/system/seo/urls
    Ensure they are set correctly:
    canonical-urls.jpg  
  5. Are you using Facebook Like buttons?
    According to this post, it could cause a conflict with IE (if you care about IE)
     
  6. Check your version of Concrete5/CMS
    There was a fix in v8.5.7 for RECAPTCHA timeout:
    https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes
     
  7. Change Form type
    If you are using a Form block, try a Legacy Form block instead
     
  8. It could be your IP address
    We use a VPN so we can change our IP address.  Sometimes no matter what, the RECAPTCHA just refuses to work, so we change our IP address and it then starts to work.  Google obviously got a little annoyed with what we were doing!
     
  9. If all else fails, make a new CAPTCHA key
    Go to https://www.google.com/recaptcha/admin and make a new one.
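
Because the CMS reduces every failure to "Incorrect captcha code", it helps to look at the JSON that Google's siteverify endpoint returned for the failed submission. The following is an added example, not code from Concrete5 or from this site: it assumes you have captured that response body yourself, and the pairing of Google's documented error codes with the numbered checks above is the example's own.

```python
import json

# Error codes documented for the siteverify response. The pairing with this
# page's numbered checks is this example's assumption, not Google's.
HINTS = {
    "missing-input-secret": "step 3: no secret was sent; check the saved keys",
    "invalid-input-secret": "step 3: secret rejected; re-copy it or see step 9",
    "missing-input-response": "no token reached the server; check the widget loads",
    "invalid-input-response": "step 3: token invalid; check site key and secret pair up",
    "timeout-or-duplicate": "step 6: token expired or reused; reload and resubmit",
    "bad-request": "verification request was malformed",
}


def host_allowed(hostname, registered_domains):
    """A registered domain also covers its subdomains (step 2)."""
    host = hostname.lower().rstrip(".")
    domains = [d.lower() for d in registered_domains]
    return any(host == d or host.endswith("." + d) for d in domains)


def diagnose(raw_json, registered_domains):
    """Return a list of findings for one siteverify response body."""
    reply = json.loads(raw_json)
    findings = [HINTS.get(code, "unrecognised error code: " + code)
                for code in reply.get("error-codes", [])]
    hostname = reply.get("hostname")
    if hostname and not host_allowed(hostname, registered_domains):
        findings.append("step 2: token issued on %s, not a registered domain"
                        % hostname)
    if not reply.get("success") and not findings:
        findings.append("verification failed without an error code")
    return findings


# Constructed sample responses, not captured from a real site.
SAMPLES = {
    "bad secret": '{"success": false, "error-codes": ["invalid-input-secret"]}',
    "stale token": '{"success": false, "error-codes": ["timeout-or-duplicate"]}',
    "wrong domain": '{"success": true, "hostname": "staging.example.net"}',
    "subdomain ok": '{"success": true, "hostname": "shop.example.com"}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "->", diagnose(body, ["example.com"]) or "no problem found")
```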

What about "Invalid Token"?

Another error message that can appear is "Invalid token, please reload the page and retry". 

  1. Check your site is using the server's time in your settings:
    www.[site].com/index.php/dashboard/system/basics/timezone

    server-site-time.png
  2. View the source and find this line that contains ccm_token:

    <input type="hidden" name="ccm_token" value="1737049893:d18369291fc5431fc45c0716ff4ae3ba" /><input type="hidden" name="express_form_id" value="f228a3ef-c117-11ee-9f35-3ab2f6b86ec1">
    <div class="ccm-dashboard-express-form">

    The value of that field (above it is 1737049893:d18369291fc5431fc45c0716ff4ae3ba) should change every time you refresh.  If it doesn't, it is a caching issue.

    So we need to check the following:

      • server cache like opcache
      • concrete cache
      • browser cache

  3. Turn each off, refresh your browser and see if the value changes.
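
The refresh check in steps 2 and 3 can be scripted. This added example (not part of Concrete5) compares the ccm_token from two saved copies of the form page. It assumes the part before the colon is the Unix time the token was issued, and `max_age` is an arbitrary threshold chosen for the example.

```python
import re
import time

# Matches the field as it appears in the page source quoted above
# (name attribute followed by value attribute).
TOKEN_RE = re.compile(r'name="ccm_token"\s+value="(\d+):([0-9a-f]+)"')


def read_token(html):
    """Return (issued_at, digest) from the hidden ccm_token field, or None."""
    match = TOKEN_RE.search(html)
    return (int(match.group(1)), match.group(2)) if match else None


def check_refresh(first_html, second_html, now=None, max_age=3600):
    """Compare the tokens from two loads of the same form page.

    Assumptions: the part before the colon is the Unix time the token was
    issued, and max_age (seconds) is an arbitrary threshold for this example.
    Take the two snapshots a few seconds apart.
    """
    now = time.time() if now is None else now
    first, second = read_token(first_html), read_token(second_html)
    if first is None or second is None:
        return "no ccm_token field found"
    if first == second:
        return "unchanged: the form is being served from a cache"
    age = int(now - second[0])
    if abs(age) > max_age:
        return "changes, but stamped %d s from now: check server time" % age
    return "fresh: token changes on every load"


# Constructed snapshots: the first reuses the value quoted on this page,
# the second is made up for the example.
LOAD_1 = '<input type="hidden" name="ccm_token" value="1737049893:d18369291fc5431fc45c0716ff4ae3ba" />'
LOAD_2 = '<input type="hidden" name="ccm_token" value="1737049899:0123456789abcdef0123456789abcdef" />'

if __name__ == "__main__":
    print(check_refresh(LOAD_1, LOAD_1, now=1737049900))
    print(check_refresh(LOAD_1, LOAD_2, now=1737049900))
    print(check_refresh(LOAD_1, LOAD_2, now=1737049900 + 86400))
```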

Strangely, on just one of the sites we host, the issue turned out to be down to the Block Output Cache setting in the CMS:

block-output-cache.png
 

Conclusion

With some pain, using Google's RECAPTCHA means you can prevent the majority of spam.  It won't block everything, but should bring it down to manageable levels.

Special thanks to https://www.mesuva.com/ for helping us with this article.
If you have any other tips, please email us and we'll be happy to include them and link back to your website.
