Session log — Bot protection (contact form and sign-up) and page width

15 June 2026, evening · s2l.online · Hasmukh with Claude · auto-published from the local journal entry. A polished narrative version can be requested in any future Claude session.

Summary

Hasmukh reported too many bot messages coming through the "Send us a message" contact form and wanted a way to confirm a real person is sending. It turned out the contact form already had a full set of bot protections built in, but they were all switched off, which is why the junk was getting through. We switched them on. They work invisibly, so real visitors notice nothing and are not slowed down, which matters for the mobile and slower-connection audience.

Later in the same session, Hasmukh showed that the sign-up page was also being flooded, with fake learner accounts using throwaway "wshu.net" addresses and padded-Gmail addresses, some pasting a crypto scam link into their details. He asked for a visible "I am human" tick, specifically Cloudflare's. We found that a Cloudflare tick had in fact been set up back on 2 May, but on the old EP Membership register page. The new passwordless sign-up page never had it, and a June software update to the old page had since wiped it off there too. The saved Cloudflare codes were still on the site and still valid, so we reused them, fitted the tick to the current sign-up page, shut the old sign-up door, and cleared out the fake accounts.

Decisions

  • Contact form: use the invisible protections already built in rather than adding a puzzle for visitors. Keep the junk-word list conservative so genuine enquiries are never silently blocked.
  • Sign-up: use Cloudflare Turnstile, the visible "I am human" tick Hasmukh asked for, since a sign-up is a fair place for a one-off tick.
  • Reuse the existing Cloudflare codes already saved on the site, so Hasmukh had nothing to fetch.
  • Fit the tick into the custom-built sign-up plugin, not the bundled software, so a future update cannot wipe it again. This is what went wrong the first time.
  • Shut the old EP Membership sign-up door so bots cannot simply switch to it.
  • Remove only clear fakes (throwaway addresses and padded-Gmail with machine-made names) and show Hasmukh the full list before deleting. Keep borderline-but-plausible accounts.
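How invisible contact-form checks of this kind fit together, as an added example that is not the site's own code: a hidden trap field, a timing check, a link and junk-word block, and a repeat-sender limit applied in that order. The field names, thresholds and junk words are assumptions.

```python
import re
import time
from collections import defaultdict, deque

# Thresholds, field names and the junk-word list are assumptions for illustration.
MIN_FILL_SECONDS = 3                # people rarely finish a form faster than this
MAX_PER_WINDOW, WINDOW_SECONDS = 3, 3600
MAX_LINKS = 2
JUNK_WORDS = {"casino", "airdrop"}  # short on purpose: genuine enquiries must pass
LINK_RE = re.compile(r"https?://", re.IGNORECASE)
_accepted = defaultdict(deque)      # sender IP -> times of accepted messages


def screen(form, sender_ip, rendered_at, now=None):
    """Return (accepted, reason) for one contact-form submission.

    rendered_at is when the server issued the form; it must come from
    server-side state or a signed value, never from a plain client field.
    """
    now = time.time() if now is None else now
    # Hidden trap: "website" is hidden from people with CSS, so only bots fill it.
    if form.get("website", "").strip():
        return False, "honeypot"
    # Timing check: submitted sooner than a person could type a message.
    if now - rendered_at < MIN_FILL_SECONDS:
        return False, "too_fast"
    message = form.get("message", "")
    if len(LINK_RE.findall(message)) > MAX_LINKS:
        return False, "link_stuffed"
    # Whole-word match, so "casino" never blocks an unrelated longer word.
    if JUNK_WORDS & set(re.findall(r"[a-z]+", message.lower())):
        return False, "junk_word"
    # Repeat-sender limit: sliding window over accepted messages per IP.
    sent = _accepted[sender_ip]
    while sent and now - sent[0] > WINDOW_SECONDS:
        sent.popleft()
    if len(sent) >= MAX_PER_WINDOW:
        return False, "rate_limited"
    sent.append(now)
    return True, "ok"
```

Returning a reason alongside the verdict lets rejected messages be logged and reviewed, which is how a conservative junk-word list is kept from silently dropping real enquiries.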

Changes made

  • Backed up the contact form settings, then switched on the hidden trap, the timing check, the repeat-sender limit, the gibberish-name filter with automatic barring of repeat offenders, and the block on link-stuffed or junk-word messages. Confirmed live on the homepage form.
  • Backed up the sign-up plugin, then fitted the Cloudflare tick to the sign-up form and added the matching behind-the-scenes check that refuses any sign-up not passing the tick.
  • Reused the existing Cloudflare keys (confirmed still valid) by saving them into the sign-up plugin's own settings.
  • Shut registration on the old EP Membership page (settings backed up first).
  • Confirmed the tick is live on https://s2l.online/sign-up/ with the correct widget key, and that the page loads with no errors.
  • Backed up and deleted 16 fake accounts, plus their sign-in records, leaving 10 genuine accounts. No leftover data.
  • Saved internal reference notes on both the contact form protection and the sign-up tick.
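The server-side half of a Turnstile tick, as an added example that is not the sign-up plugin's own code: the token the widget posts in `cf-turnstile-response` is sent to Cloudflare's siteverify endpoint, and the sign-up is refused unless verification succeeds. The function names, the injectable `transport` parameter and the hostname comparison are assumptions of this sketch.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"


def post_form(url, fields, timeout=5):
    """POST form-encoded fields and return the decoded JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    request = urllib.request.Request(url, data=data)
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.load(resp)


def verify_turnstile(token, secret, expected_hostname, remote_ip=None,
                     transport=post_form):
    """Return (ok, reason). Fails closed: any doubt refuses the sign-up."""
    if not token:
        return False, "missing_token"      # form posted without the widget
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    try:
        result = transport(SITEVERIFY_URL, fields)
    except Exception:
        return False, "verify_unreachable"  # never accept on a network error
    if result.get("success") is not True:
        return False, ",".join(result.get("error-codes", [])) or "rejected"
    # A token solved on another site using the same keys must not count here.
    if result.get("hostname") != expected_hostname:
        return False, "hostname_mismatch"
    return True, "ok"


def handle_signup(form, secret, transport=post_form):
    """Hypothetical sign-up handler: verify first, create the account after."""
    ok, reason = verify_turnstile(form.get("cf-turnstile-response"), secret,
                                  "s2l.online", transport=transport)
    if not ok:
        return 403, reason
    return 200, "account_created"  # real account creation would go here
```

The widget alone stops nothing, because a bot can post straight to the form handler; only this check makes the tick binding.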

Page width

  • Hasmukh reported pages had too much empty space at the sides and asked to fix it. Confirmed the page width had not changed in this week's work; it had read the same since 2 June.
  • He confirmed he wanted the content to fill more of the screen, so widened the site-wide content width from 1120px to 1280px (one value used by header, content and footer together, so they stay aligned).
  • Put the change in the theme's custom styling (the proper, reversible place) and, because the recompile tool was down, also applied it directly to the live stylesheet so it is live now. Backed up first.
  • Discovered the recompile endpoint is broken by a platform core update since 2 June (separate from our work). Worked around it; noted for a proper fix later.
  • Checked the main pages and the homepage still load and render correctly at the new width.
  • Hasmukh's Safari kept showing the old narrow layout even after a hard refresh, while Chrome showed the new wide layout (so the change was live; Safari was holding a stale copy). Found this same problem and fix in the workspace history (Vodalibrary 2026-05-09 and the Crossing-the-Line preview 2026-06-03): the pages sent no cache instruction. Applied the same fix to s2l.online: added a no-cache, no-store header to HTML responses in the web-server config (nginx, the .php block), tested and reloaded. Scoped to pages only, so styles and images still cache for low-bandwidth mobile users. Verified pages now send no-store and the stylesheet stays cacheable.

Follow-ups

  • Contact form: watch messages over the next few days to confirm the bot flood has dropped. Visible question still available via the ep-email-quiz add-on if ever needed.
  • Sign-up: Hasmukh to do a quick test sign-up on his phone at https://s2l.online/sign-up/ to confirm the tick feels comfortable.
  • Two kept accounts look plausible but could be checked: amy807341@gmail.com and luciwem.azus.o75@gmail.com. Remove on request.
  • Backups (on the server, if a rollback is ever needed): sign-up plugin saved as plugin.php.bak.20260615-205515-turnstile; deleted accounts at /root/backups/deleted-fake-accounts-20260615-210822.sql; EP Membership and contact form settings also backed up under /root/backups.
  • Optional: ask Kenn about the shared bad-sender network for extra contact-form screening.
  • Page width: first widened 1120 to 1280, but on Hasmukh's wide Safari screen that was still too narrow, so widened again to min(1760px, 90vw) to fill most of the screen and adapt to screen size. Hasmukh to reload (Shift-click reload if Safari shows an old copy) and confirm, or ask for wider/narrower.
  • Fix the broken recompile endpoint properly (core _write_css bug needs the bootstrap to set up the CSS editor). Until then, CSS changes must be applied to both the custom styling and the compiled file. css.css backed up as css.css.bak.20260615-*; custom styling backed up under /root/backups.