How to set standards based on visitor reputation
Protecting your pages from unwanted traffic is a balancing act: your rules should be strict enough that misbehaving visitors do not get free rein, but not so strict that good visitors become annoyed and dissuaded from using your site. Ideally, a misbehaving robot would be caught and challenged on the very first visit. How can we accomplish this?
One option is to take advantage of Gatekeeper tags to identify harmful visitors. In this tutorial, we'll create a couple of policies that allow general visitors multiple visits before seeing a CAPTCHA, while requiring visitors with the abuse tag to immediately solve a CAPTCHA in order to continue.
First, create a general CAPTCHA challenge policy. Go to the policies page and click the "New policy" button. Our general policy will require visitors to complete a CAPTCHA after 10 visits in 12 hours, and then again every subsequent 30 visits. These numbers can be freely modified as desired.
Additionally, we'll give this policy a priority of 11. This number is mostly arbitrary, but will be important when creating the next policy for visitors tagged as abuse.
Next, create another policy for the harsher CAPTCHA requirement.
Since our policy only applies to visitors with a single tag in this case, we'll take a shortcut in the Visitor section. Instead of creating a new visitor group and adding "abuse" as a visitor, we can have our policy apply to the abuse tag directly.
Type "abuse" into the visitor groups select, and a number of options should pop up in the dropdown menu. Select the abuse tag option.
We want these visitors to immediately see a CAPTCHA, so we'll set the frequency to 1 time in 12 hours. You can select an appropriate number for the grace interval, which is the number of visits allowed after the first correctly solved CAPTCHA challenge before the visitor has to solve another one. The general CAPTCHA policy above used 30, and you can keep it the same here or reduce it if you feel that these IP addresses are suspect.
We'll set the priority for this policy to 12. This ensures that the harsher CAPTCHA policy will be checked before the general CAPTCHA policy.
Again, the number is arbitrary, but the stricter policy must have a higher priority than the general policy for this configuration to work. If the priorities are set correctly, the harsher CAPTCHA policy should appear above the general CAPTCHA policy in the list.
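The following is an added example, not Gatekeeper's own code: a small Python model of the two policies above that shows which visits get a CAPTCHA, and what happens if the stricter policy is given the lower priority. The class and function names are hypothetical, and the model assumes that the first matching policy in priority order is the only one applied, that a frequency of N challenges on the Nth visit, and that all visits fall within one 12-hour window.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int               # higher number is checked first
    threshold: int              # visits in the window that trigger the first CAPTCHA
    grace: int                  # visits between a solved CAPTCHA and the next one
    tag: Optional[str] = None   # None means the policy applies to every visitor


def pick_policy(policies, visitor_tags):
    """Return the first matching policy, checked from highest priority down."""
    for policy in sorted(policies, key=lambda p: p.priority, reverse=True):
        if policy.tag is None or policy.tag in visitor_tags:
            return policy
    return None


def challenged_visits(policies, visitor_tags, visits):
    """1-based visit numbers on which a CAPTCHA is shown.

    Assumed model: all visits fall inside one 12-hour window and every
    CAPTCHA is solved correctly on the visit where it appears.
    """
    policy = pick_policy(policies, visitor_tags)
    if policy is None:
        return []
    shown, next_challenge = [], policy.threshold
    for n in range(1, visits + 1):
        if n == next_challenge:
            shown.append(n)
            next_challenge = n + policy.grace
    return shown


# The two policies from the tutorial.
GENERAL = Policy("general CAPTCHA", priority=11, threshold=10, grace=30)
STRICT = Policy("abuse CAPTCHA", priority=12, threshold=1, grace=30, tag="abuse")
# Misconfiguration: the strict policy ranked below the general one.
STRICT_LOW = Policy("abuse CAPTCHA", priority=10, threshold=1, grace=30, tag="abuse")

if __name__ == "__main__":
    for label, policies in (("correct", [GENERAL, STRICT]),
                            ("strict ranked too low", [GENERAL, STRICT_LOW])):
        for tags in (set(), {"abuse"}):
            print(label, sorted(tags), challenged_visits(policies, tags, 75))
```

With the strict policy ranked too low, the abuse-tagged visitor matches the general policy first and gets the same nine free visits as everyone else.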
In practice, abuse may not be the only tag you want to challenge with an early CAPTCHA. Check the full list of tags supported by Gatekeeper for more options.