captcha_keypad
Traditional CAPTCHAs are broken. Bots now use OCR to read distorted text in under a millisecond, and audio CAPTCHAs are trivially bypassed. Meanwhile, your real users squint at blurry letters and give up. Captcha Keypad takes a different approach.
Instead of asking users to decode garbled text, Captcha Keypad displays a numeric keypad and asks users to click a short sequence of digits. It's fast and intuitive for humans — and surprisingly hard for bots.
Why bots struggle: The keypad can shuffle its buttons on every page load. Even if a bot correctly reads the target code from the page, it cannot reliably map that code to a screen coordinate because the button positions change each time. No OCR library helps when the spatial layout is random.
Why users love it: There's nothing to type, nothing to decipher. Tap three or four numbers and you're done. Works equally well on desktop and mobile.
Features
- On-screen numeric keypad — users click/tap digits rather than type, eliminating typos and keyboard layout confusion
- Shuffled key order — button positions randomise on every page load, defeating coordinate-based bot attacks
- Inline validation feedback — errors appear immediately inside the widget with a clear "Invalid security code" message and a red border highlight
- Three display themes — choose the layout that fits your design:
  - Plain — compact floating keypad, minimal footprint
  - Horizontal — two-column grid, buttons and input side by side (default)
  - Vertical — 3×3 button grid with input at the top, great for narrow sidebars
- Admin-exempt mode — skip the CAPTCHA for user 1 and any user with the Administer Captcha Keypad permission, so site builders never get locked out
- Flexible placement — protect any combination of forms: user registration, login, password reset, contact forms, forum comments, and more
- CAPTCHA module integration — works alongside the Captcha module for centralised point-based configuration
- Environment-aware — bypass the keypad on dev/staging environments using an environment variable, so automated test suites run without intervention
How it works
- Drupal renders a short numeric code (configurable length, default 4 digits) alongside a keypad
- The keypad buttons are optionally shuffled client-side on every page load
- The user clicks the displayed sequence
- On submit, the server compares the clicked sequence against the expected code and verifies the keypad was actually used — preventing simple form-field injection attacks
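The flow above as an added sketch, not the module's own code: the shuffle, the clicks and the server-side check, with the server logic modelled in JavaScript for illustration. The function names, the `keypadUsed` marker field and the 1 to 9 key set are assumptions.

```javascript
// Added illustration; function and field names are hypothetical, not the module's API.

// Uniform integer in [0, n) for n <= 256, using Web Crypto when the runtime has it.
function randomInt(n) {
  const c = globalThis.crypto;
  if (!c || typeof c.getRandomValues !== 'function') {
    return Math.floor(Math.random() * n); // fallback for runtimes without Web Crypto
  }
  const limit = 256 - (256 % n); // reject bytes that would bias the modulo
  const buf = new Uint8Array(1);
  do { c.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// Client side: Fisher-Yates shuffle of the button labels on each page load.
function shuffledLayout(rand = randomInt) {
  const keys = ['1', '2', '3', '4', '5', '6', '7', '8', '9'];
  for (let i = keys.length - 1; i > 0; i--) {
    const j = rand(i + 1);
    [keys[i], keys[j]] = [keys[j], keys[i]];
  }
  return keys;
}

// Client side: each click appends the label of the button at that position
// and sets the "keypad used" marker that is submitted with the form.
function clickPositions(layout, positions) {
  return { code: positions.map((p) => layout[p]).join(''), keypadUsed: '1' };
}

// Server side: the expected code comes from server-side state, never from the form.
function validateSubmission(expected, form) {
  if (!form || form.keypadUsed !== '1') return 'keypad-not-used';
  if (typeof form.code !== 'string' || form.code.length !== expected.length) return 'invalid';
  let diff = 0; // compare every character so timing does not reveal where a mismatch is
  for (let i = 0; i < expected.length; i++) {
    diff |= form.code.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0 ? 'ok' : 'invalid';
}

// Constructed demo: the same click positions on two different layouts.
const demoCode = '4271';
const demoLayoutA = ['1', '2', '3', '4', '5', '6', '7', '8', '9'];
const demoLayoutB = [...demoLayoutA].reverse();
console.log(validateSubmission(demoCode, clickPositions(demoLayoutA, [3, 1, 6, 0])));
console.log(validateSubmission(demoCode, clickPositions(demoLayoutB, [3, 1, 6, 0])));
console.log(validateSubmission(demoCode, { code: '4271' }));
```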
If you don't want to be filling this in on your local dev environment, you can disable it based on environment variables or any other condition:
// Disable captcha keypad on Dev environment
// getenv() returns FALSE when the variable is not set, so one strict comparison is enough.
if (getenv('ENVIRONMENT') === 'dev') {
  $conf['securepages_enable'] = 0;
}
Supported modules
- Captcha
- Contact
- Forum
- User
- Webform
Similar modules
Live demo http://csvconverter.biz/user/register
Supporting
If you want to support this project you can use https://gratipay.com/~marcelovani/