[Looking for Charlie's main web site?]

Simplifying the captcha graphic in Lyla Captcha (and BlogCFC)

Note: This blog post is from 2006. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Wish you could simplify your captcha's? If you use Peter Farrell's Lyla Captcha, as I do because it's embedded in Ray's BlogCFC, I'll show a few quick changes you can make that will make them much easier for your users to read.

Sound counter-intuitive? Aren't captcha's supposed to be difficult to read, to hamper spammers? In my last entry, I made a call for simplifying captchas and why they aren't all bad. As a blog owner who uses them to weed out the random spambots who would otherwise clog my comments and feedback mechanisms, I like captchas, and I'm grateful for the work Peter's done.

That said, I have to admit that as I've encountered them in the blogs of others, I've grown a tad weary of their complexity. They require the user to type several characters and have several swirly ovals, random lines, and a wavy background. Frankly they're quite hard to read, and it would be a shame to lose commenters for that reason.

hard captcha

Again, the intent is to make it hard for some spammer to scan the captcha request somehow and figure out what's being requested so as to automate around it. Fair enough, but as I said in my last entry I'm really not that concerned about protecting my site from determined break-ins. I'm not a bank. I just want to keep out the automated pests.

With just a couple of changes to Lyla's captcha.xml file, you'll have a much simplified captcha, if you want one.

hard captcha

Lyla is highly customizable

On a lark, I decided to try to find out if Lyla might just be modifiable to dial down the intensity. Turns out it is, by simple changes in the lyla captcha.xml file, as documented in this PDF. Thanks again, Peter! :-)

After a few simple tweaks, I reduced my captcha to just asking for 3 characters, all lowercase, without all the swirly ovals, lines, and wavy background.

Changing Lyla's captcha.xml

In BlogCFC, the captcha.xml file is located in blog\client\includes (or just \includes if you've installed the blog client directory as your webroot.)

To effect the change I wanted, I ended up with the following values for the following entries. Again, see the docs for more info:

<config name="randStrType" value="alphaLcase"/>
<config name="randStrLen" value="3"/>
<config name="fontColor" value="dark"/>
<config name="backgroundColor" value="light"/>
<config name="useGradientBackground" value="false"/>
<config name="backgroundColorUseCyclic" value="false"/>
<config name="useOvals" value="false"/>
<config name="useBackgroundLines" value="false"/>
<config name="useForegroundLines" value="false"/>

You can change them to suit your taste. Note that if you do change the randStrLen, the value selected represents the "average" length of the string that users will be asked to enter, and may vary by +/- 1 from that.

Make the changes, and check 'em out for yourself. Note that with Ray's BlogCFC, you need to reinitialize the blog (add ?reinit=1 to your blog URL) to see the changes. What I did was had one browser page open to do that, and another sitting on a blog comment form. After running the reinit, I could then just reload the comment page to see the impact. (If there's a still-simpler way to test changes to the captcha.xml, let me know.)

If you don't use BlogCFC, then you have to re-instantiate the captcha object after making changes to the XML file. If you've stored it in a shared scope (like application), you need to run some code that reloads it. Of course, restarting ColdFusion will also reload the CFC in whatever scope you stored it in.


Making these changes won't solve the accessibility problems some have with captchas, and it certainly could increase the risk of a determined spammer more easily breaking your captcha. As I said in the last entry, I doubt that's a real concern for most of us. If it proves to be so, then you can dial the intensity back up.

I just want to keep from annoying my readers, and I hope others will consider these changes to keep from annoying us all. :-)

PS: I do realize that one could skip the captcha graphic entirely and just go to prompting the user for a random string. That may just a bit "too" easy for a spambot to get around. To each his own.

Thanking Peter

One last note: while Peter certainly appreciates your kind comments (and do share them, as I'm sure many don't bother), those who REALLY appreciate his work should note that he gratefully accepts contributions by way of his Amazon Wishlist or you may may make a donation with PayPal, using his address, [email protected].

For more content like this from Charlie Arehart: Need more help with problems?
  • If you may prefer direct help, rather than digging around here/elsewhere or via comments, he can help via his online consulting services
  • See that page for more on how he can help a) over the web, safely and securely, b) usually very quickly, c) teaching you along the way, and d) with satisfaction guaranteed

You should give CFAkismet a look-- integrating it will pretty much elimate the need to bother your blog commenters with CAPTCHA. I personally don't use ColdFusion for my blog, but I created the API in hopes of getting CF based blogs to catch-up with some of the anti-spam technology the rest of the blogosphere is using which doesn't make users jump through hoops.


I'd say it's pretty much a 1.0 release at this point given that I've fixed the few bugs found by others, I just need to add some documentation and a downloadable zip file which only contains the component.
I should add-- since I updated my blog software (WordPress) exactly 2 weeks ago, it's automagically protected me against 2,129 spam comments an trackbacks and not let any false positives by.
I shouldn't be posting comments this late-- I meant to say Akismet (the network that CFAkismet interfaces with) was what prevented the spam, which is now a standard part of WordPress 2.x, instead of sounding like WordPress itself did it.
Thanks, Brandon. I will give that a look.
Very nice, Charlie! Thanks! Ken.
I want to add a post-mortem on this entry from nearly a month ago. Since simplifying my captcha, I've not had a single spam comment, so clearly it didn't hurt, and I hope it helped my readers enter comments more easily. That should help them and me (as I like comments) and otehr readers (who would appreciate their comments).

Sadly, I just was using someone else's blog which uses BlogCFC, and I had to enter the catpcha value 3 times because it was the standard "complicated" one. I hope others will please consider implementing this change. You have nothing to lose (it seems) and potentially much to gain (if users ever give up in frustration and skip bothering trying to leave you their comment).

I saw that Ray has said he will consider implementing these simpler specifications in the lyla xml file as he distributes it. that wuold be great.
Hi Charlie,

Many thanks, you've done the community a great service. I lost count of how many times I have had problems with my own captcha. I have implemented this already and I love it!

Great job, many thanks.

It was the little details (exact xml changes and the reminder to reinit along with the URL variable name) that made this such a gem. Read post, make tweaks, call page, change for the better made in under 5 minutes!!!

Thanks for taking the time!
Thanks very much, Peter. It's enthusiastic replies like that which make it all worthwhile. :-) The challenge now is to get users of the catpcha (bloggers, or blog readers) to know about the option. Anything you can do to spread the news would be greatly appreciated.
Hi Charlie,

I'm pretty sure a lot more people read your blog than mine, but I'll definitely mention your posting on the off chance it helps!

Best Wishes,
This has been rolled in 5.5.
Sweet! Although when is that coming out? I haven't even got round to upgrading from 5.005 yet :-<
I will make the following promises:

BlogCFC 5.5 will be released before Vista. Before ColdFusion 8. Before I actually get my HDTV. Before I lose 20 pounds.

In all seriousness, it is very close. I need to wrap up testing on the first feature I added, new render tags, which kind of got forgotten. I'm pretty sure it's broken on BlueDragon, but I haven't gotten to test it yet. I also want to ensure XML-RPC is really there. It 'seems" to be, but with all the different clients and with them all being a little bit different, it may not be 100% there. Lastly - I need to update the documentation. All in all - very darn close.

I'm also making plans for 6.0.
I did copy your xml file(captcha) and replaced with the one I had. But for whatever reason I don't see the changes in the image at all. Other then replacing the file(editing xml file), do I have to do anything else?
# Posted By Nita | 10/25/07 1:02 PM
uhhh, it's funny. I had to reboot my PC for something else and now my image is showing fine and has all the changes I made in xml file. Do you think something needs to be done when a change in xml file?
# Posted By Nita | 10/25/07 4:00 PM
Nita, you didn't need to reboot your PC. You don't even need to restart CF, which would have been the first thing to try if I hadn't told you what to do. :-)

I had said above in the blog entry, "Make the changes, and check 'em out for yourself. Note that with Ray's BlogCFC, you need to reinitialize the blog (add ?reinit=1 to your blog URL) to see the changes."
Thanks Charlie. Sorry for not paying much attention to the text.
# Posted By Nita | 10/26/07 12:28 AM
When you make changes to the XML file you have to reload the instance of the capctha CFC that is stored in the application scope. This is why your settings didn't change until after reboot.
# Posted By WilGeno | 11/26/07 3:05 PM
@WilGeno, as I said in a comment just before yours, you should just need to reinitialize blogCFC as I showed. Are you saying that's not enough in your observation?
Well, according to me it was not enough. I am not CF expert. When I make a change to xml file, I contact my ISP and they restart cf application for me which will show the update information.
# Posted By Nita | 11/26/07 11:02 PM
Nita, this isn't about CF expertise. This is about a built-in feature of BlogCFC. Folks, I've just confirmed it. All you need to do is request your blog with the query string ?reinit=1, so for my blog, that was:


That immediately reloads the xml file (and it's also useful for a variety of other benefits, like reloading changes in the blog.ini.cfm, or reloading any cached content within the blog).

And I confirmed this on my hosted carehart.org site. It should work just fine for everyone.

Hope that's helpful.
Actually I wasn't referring to how Lyla behaved from within BlogCFC. I don't have a blog so I do not use BlogCFC. I do have other sites and I did implement Lyla Captcha and what I posted earlier is accurate as well as what you posted Charlie. Either way you have to re-instantiate the captcha object after making changes to the XML file. BlogCFC has it's method for doing so and when not using BlogCFC you simply need to reload the captcha object that you store in your application scope. Both methods are correct depending on your usage of Lyla Captcha.
Oh, ok, well that's a horse of a different color. :-) My blog entry was clearly heavily oriented toward using Lyla within BlogCFC, though certainly it applies outside of it as well. When Nita raised her concern, she didn't mention using it outside BlogCFC, and when you posted your reply, you also didn't say you were speaking of its use outside of that. That explains all the confusion.

Anyway, thanks for the clarification. I'm sure it will help some readers. In fact, since some others may read the entry and not read all the comments, I'll add this point of clarification to the text itself.
I am using it for my feedback page on the website not for blog.
# Posted By Nita | 11/27/07 5:09 AM
Copyright ©2024 Charlie Arehart
Carehart Logo
BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the html in this page?)

Managed Hosting Services provided by
Managed Dedicated Hosting