Protecting your pages from unwanted traffic is a balancing act: your rules should be strict enough that misbehaving visitors do not get free rein, but not so strict that good visitors become annoyed and dissuaded from using your site. Ideally, a misbehaving robot would be caught and challenged on the very first visit. How can we accomplish this?
One option is to take advantage of Gatekeeper tags to identify harmful visitors. In this tutorial, we'll create a couple of policies to allow general visitors multiple visits before seeing a CAPTCHA, while requiring visitors with the abuse tag to immediately solve a CAPTCHA in order to continue.
First, create a general CAPTCHA challenge policy. Go to the policies page and click the "New policy" button. Our general policy will require visitors to complete a CAPTCHA after 10 visits in 12 hours, and then again every subsequent 30 visits. These numbers can be freely modified as desired.
Additionally, we'll give this policy a priority of 11. This number is arbitrary, but will be important when creating the next policy for visitors tagged as abuse.
Next, create another policy for the harsher CAPTCHA requirement.
We want our policy to apply to visitors who are tagged as abusers. Since this is only a single tag, we can take a shortcut. Instead of creating a new visitor group and adding "abuse" as a visitor, we can have our policy apply to the abuse tag directly.
Type "abuse" into the visitor groups select, and a number of options should pop up in the dropdown menu. Select the abuse tag option.
We want these visitors to immediately see a CAPTCHA, so we'll set the frequency to 1 time in 12 hours. You can select an appropriate number for the grace interval, or the number of visits after the first correctly solved CAPTCHA challenge before the IP visitor must complete another challenge. The general CAPTCHA policy above selected 30, and you can keep it the same here or reduce it if you feel that these IP addresses are suspect.
We'll set the priority for this policy to 12. This ensures that the harsher CAPTCHA policy will be checked before the general CAPTCHA policy.
Again, the number is arbitrary, but the stricter policy must have a higher priority than the general policy for this configuration to work. If the priorities are set correctly, the harsher CAPTCHA policy should appear above the general CAPTCHA policy in the list.
In a real-life situation, you may want multiple tags to trigger an immediate CAPTCHA challenge. Check the full list of tags supported by Gatekeeper for more options.