How to set standards based on visitor reputation

Protecting your pages from unwanted traffic is a balancing act: your rules should be strict enough that misbehaving visitors do not get free rein, but not so strict that good visitors become annoyed and dissuaded from using your site. Ideally, a misbehaving robot would be caught and challenged on the very first visit. How can we accomplish this?

One option is to take advantage of Gatekeeper tags to identify harmful visitors. In this tutorial, we'll create a couple of policies that allows general visitors multiple visits before seeing a CAPTCHA, while requiring visitors with the abuse tag to immediately solve a CAPTCHA in order to continue.

First, create a general CAPTCHA challenge policy. Go to the policies page and click the "New policy" button. Our general policy will require visitors to complete a CAPTCHA after 10 visits in 12 hours, and then again every subsequent 30 visits. These numbers can be freely modified as desired.

policy named "general CAPTCHA" that reads "When visitors in any visit any page(s) 10 times in 12 hours then require CAPTCHA every 30 visits."

Additionally, we'll give this policy a priority of 11. This number is mostly arbitrary, but will be important when creating the next policy for visitors tagged as abuse.

Next, create another policy for the harsher CAPTCHA requirement.

Since our policy only applies to visitors with a single tag in this case, we'll take a shortcut in the Visitor section. Instead of creating a new visitor group and adding "abuse" as a visitor, we can have our policy apply to the abuse tag directly.

Type "abuse" into the visitor groups select, and a number of options should pop up in the dropdown menu. Select the abuse tag option.

We want these visitors to immediately see a CAPTCHA, so we'll set the frequency to 1 time in 12 hours. You can select an appropriate number for the grace interval, or the number of visits after the first correctly solved CAPTCHA challenge before the IP visitor gets to fill out another challenge. The general CAPTCHA policy above selected 30, and you can keep it the same here or reduce it if you feel that these IP addresses are suspect.

policy named "harsher CAPTCHA" that reads "When visitors in abuse visits any any page(s) 1 time in 12 hours then require CAPTCHA every 30 visits."

We'll set the priority for this policy to 12. This ensures that thie harsher CAPTCHA policy will be checked before the general CAPTCHA policy.

Again, the number is arbitrary, but the stricter policy must have a higher priority than the general policy for this configuration to work. If the priorities are set correctly, the harsher CAPTCHA policy should appear above the general CAPTCHA policy in the list.

a human visits 10 times and gets a CAPTCHA on the 10th visit


a robot tagged with "abuse" visits and gets a CAPTCHA on the first visit



In reality, there may be multiple tags you might want to challenge with a CAPTCHA early beyond just abuse. Check the full list of tags supported by Gatekeeper for more options.