
Protecting Your CIMcloud Website From Bots (CAPTCHA, etc)

 

Overview

CAPTCHAs are an automated way to deter bots and other automated systems from conducting abusive activity on your CIMcloud website and are used in multiple ways:

  1. Fraud & SPAM Protection – Protects against automated “SPAM” contact us submissions, fraudulent orders and fraudulent credit card attempts.
    1. (Always On) Network-level CAPTCHAs will automatically block bots on pages subject to SPAM
      1. Protected pages: Contact Us
      2. Managed by CIMcloud
    2. (Recommended) Embedded CAPTCHAs are available on sensitive pages as of core release 2025.2.0 (4.13.0) and can be enabled in the Worker Portal. These use Google reCAPTCHA v3. Older websites that cannot be readily updated to core release 2025.2.0 (4.13.0) and have an immediate need for CAPTCHA should submit a CIMcloud support task for assistance.
      1. Protected pages: Contact Us, Checkout Cart, Create Login and Account, Create Login, Select Existing Account
      2. Managed in Worker Portal
      3. Additional information is in the Google reCAPTCHA (Embedded CAPTCHA) section below.
  2. Denial-Of-Service Protection
    1. (Always On) Network-level CAPTCHAs protect against performance issues caused by excessive automated traffic, such as Denial of Service (DOS) and Distributed Denial of Service (DDOS) attacks.
    2. Protected pages: All pages
    3. Managed by CIMcloud
    4. Additional information is in the Denial-Of-Service Protection (Always On) section below.

These protections function independently and provide multiple layers of protection.

Google reCAPTCHA (Embedded CAPTCHA)

When reCAPTCHA is enabled, detected bots will be blocked from using website functionality that is subject to abuse including cart, checkout, contact us, and login management.

Important Concepts: Score, Score Threshold, and Blocking

A reCAPTCHA Score is calculated by Google for each website visit (session) based on website activity. reCAPTCHA has 11 levels for scores with values ranging from 0.0 to 1.0. The score 1.0 indicates that the interaction poses low risk and is very likely legitimate, whereas 0.0 indicates that the interaction poses high risk and might be fraudulent.

You control the minimum score (the Score Threshold) required for any website visit to be considered legitimate. If a visit’s score does not meet the minimum threshold it will be blocked from using some website functionality.
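
The threshold decision described above, as an added example (not CIMcloud's code): it applies a Score Threshold to a result shaped like the JSON that Google's reCAPTCHA v3 verification returns. The field names are Google's; `ALLOWED_DOMAINS`, the `checkout` action name, and the sample results are assumptions constructed for illustration.

```python
# Added example: applying a Score Threshold to a reCAPTCHA v3 verification result.
# Field names follow Google's siteverify JSON; everything else is an assumption.

# Assumption: domains registered for the site key (sample values from this article).
ALLOWED_DOMAINS = ("coffeesupply.com", "mycimcloud.com")


def host_allowed(hostname):
    """True if hostname is a registered domain or a subdomain of one."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def evaluate(result, threshold, expected_action):
    """Return (allowed, reason) for one verification result. Fails closed."""
    if result.get("success") is not True:
        codes = ",".join(result.get("error-codes", [])) or "unknown"
        return False, "verification failed: " + codes
    if not host_allowed(str(result.get("hostname", ""))):
        return False, "token issued for an unregistered hostname"
    if result.get("action") != expected_action:
        return False, "token issued for a different action"
    score = result.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return False, "no usable score in response"
    if score < threshold:
        return False, "score %.1f is below threshold %.1f" % (score, threshold)
    return True, "score %.1f meets threshold %.1f" % (score, threshold)


# Constructed sample results (not real traffic).
SAMPLES = {
    "likely_human": {"success": True, "score": 0.9, "action": "checkout",
                     "hostname": "shop.mycimcloud.com"},
    "likely_bot": {"success": True, "score": 0.3, "action": "checkout",
                   "hostname": "coffeesupply.com"},
    "at_threshold": {"success": True, "score": 0.7, "action": "checkout",
                     "hostname": "coffeesupply.com"},
    "lookalike_host": {"success": True, "score": 0.9, "action": "checkout",
                       "hostname": "coffeesupply.com.example.net"},
    "bad_token": {"success": False, "error-codes": ["invalid-input-response"]},
}

if __name__ == "__main__":
    for name, result in SAMPLES.items():
        print(name, evaluate(result, 0.7, "checkout"))
```

A score equal to the threshold passes; only scores below it are blocked, matching the rule stated in the setup steps.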

What Customer Site Users See

A small reCAPTCHA badge will be visible at the bottom right of protected pages.

Note: reCAPTCHA runs in the background of all pages to monitor and generate a score based on user activity; however, the badge only displays on protected pages.

[Image: reCAPTCHA page]

The reCAPTCHA badge expands if clicked:

[Image: reCAPTCHA badge expanded]

If a visit is determined to not be legitimate (in other words, its Score does not meet the Score Threshold), it will be blocked from using some website functionality.  The only indication to the end-user will be an err=invalid-username message in the URL; however, they will not be able to continue checking out, or submitting forms, where reCAPTCHA is enabled.

[Image: reCAPTCHA blocked user]

CIMcloud’s reCAPTCHA verification runs on the following pages when enabled:

  • Contact Us
  • Checkout Cart
  • Create Login and Account
  • Create Login and Select Existing Account

What An Admin Worker Sees

Enabling reCAPTCHA

  1. Step 1: Register a Google reCAPTCHA Site Key
    1. Go to Google’s reCAPTCHA page and click Get started.
    2. Register a new site using these settings:
      1. reCAPTCHA type: choose Score based (v3)
      2. Domains
        1. Add each of your custom domains that have been enabled on your CIMcloud website:
          • Example: coffeesupply.com
        2. Also add these standard CIMcloud domains:
          • cimproduction.com
          • cimstaging.com
          • cimlocal.com
          • mycimcloud.com
          • mycimstaging.com
          • mycimproduction.com
          • mycimlocal.com
      3. Google Cloud Platform
        1. Select an existing project or create a new project
      4. Submit the information
      5. You will need to copy-paste these two new keys into your CIMcloud Worker Portal in the next step:
        • Site Key
        • Secret Key (*this should be protected as you would protect a password*)
  2. Step 2: Add your reCAPTCHA Site Key to your CIMcloud Website
    1. Sign into the CIMcloud Worker Portal (<site>.mycimcloud.com)
    2. Go to Settings Workspace > Customer Site Settings > Customer Sites
    3. Click “Edit” on the Customer Site that you’d like to add reCAPTCHA v3 to
    4. Scroll to Analytics > Google reCAPTCHA
    5. Choose Yes for Use Google reCAPTCHA v3?
    6. Paste the Site Key
    7. Paste the Secret Key
    8. Set a Score Threshold
      1. Any visit with a Score below this will not be considered legitimate and will be blocked from some website functionality.
      2. Higher values (up to 1.0) will block more bots but may accidentally block some legitimate visits. Lower values (down to 0.0) block fewer legitimate users accidentally, but fewer bots may be blocked.
      3. It is recommended to start with 0.7 and then adjust higher or lower based on actual results. The Website Visits page in the Worker Portal and Google administrative tools have useful information to help with tuning.
      4. According to Google: only the following four score levels are available before triggering an automatic security review by adding a billing account to your project: 0.1, 0.3, 0.7, and 0.9. To request access to 11 score levels, add a billing account to your project.
    9. Click Save

Reviewing reCAPTCHA Activity

  1. Sign into the CIMcloud Worker Portal (<site>.mycimcloud.com)
  2. Go to CRM Workspace Home > Customer Timeline > Website Visits
  3. The Verification column shows the results of reCAPTCHA verification for each session
    • Not Processed – Visit was not categorized
    • Passed (<Score>) – Visit was categorized as legitimate.
    • Failed (<Score>) – Visit was categorized as not legitimate and was blocked from some website functionality.
    • <Score> – Likelihood, assigned to the visit by reCAPTCHA, that the visit is legitimate. This is helpful information when adjusting the Score Threshold (configured during setup).
  4. Clicking the View link next to the Passed or Failed verification status will show additional technical information.

[Image: reCAPTCHA Website Visits]
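
To support tuning from the Verification column, the following added example (not part of CIMcloud) tallies how many scored visits each of the four score levels listed in the setup steps would block. It assumes the column values have been copied out as plain strings in the forms listed above; the sample values are constructed.

```python
# Added example: estimate how many visits each candidate Score Threshold would block.
import re

# The four score levels the article lists as available without a billing account.
CANDIDATE_THRESHOLDS = (0.1, 0.3, 0.7, 0.9)

# Assumption: values look like "Passed (0.9)", "Failed (0.3)" or "Not Processed".
_VERIFICATION = re.compile(r"^(Passed|Failed)\s*\((\d(?:\.\d+)?)\)$")


def parse_scores(values):
    """Extract scores from Verification values; unscored rows are skipped."""
    scores = []
    for value in values:
        match = _VERIFICATION.match(value.strip())
        if match:
            scores.append(float(match.group(2)))
    return scores


def tuning_table(values):
    """Map each candidate threshold to (visits blocked, visits scored).

    A visit is blocked when its score is below the threshold.
    """
    scores = parse_scores(values)
    return {
        t: (sum(1 for s in scores if s < t), len(scores))
        for t in CANDIDATE_THRESHOLDS
    }


# Constructed sample of Verification column values (not real traffic).
SAMPLE = [
    "Passed (0.9)", "Passed (0.7)", "Failed (0.3)", "Not Processed",
    "Passed (0.9)", "Failed (0.1)", "Passed (0.7)", "Failed (0.3)",
]

if __name__ == "__main__":
    for threshold, (blocked, total) in tuning_table(SAMPLE).items():
        print("threshold %.1f: %d of %d scored visits blocked" % (threshold, blocked, total))
```

Comparing the blocked counts against visits you know to be legitimate shows whether raising or lowering the threshold would cost real customers.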

 

Network-Level CAPTCHA

These CAPTCHAs run before a page is shown to a user (and therefore before any embedded CAPTCHA). The CAPTCHA includes the message “Loading <website>…”, where <website> is the domain name of the website (ex: yourwebsite.com). User interaction is NOT required for people to pass the CAPTCHA.

Denial-Of-Service Protection

If there is excessive or unusual traffic that is likely from a bot, the website may display a CAPTCHA to verify that a user is legitimate. This article focuses on CAPTCHA; however, there are other denial-of-service protections in place. Other mitigations include the website returning “429 Too Many Requests”, temporarily blocking IP addresses, or permanently blocking IP addresses.
