How to fix "Incorrect CAPTCHA Code" in Concrete5 CMS

Introduction

Spam is a huge problem, if you don't protect your forms with some sort of anti-spam measure, it won't be long before you are receiving a huge amount of unsolicited email.  Fortunately Google has invented it's RECAPTCHA v3, which works behind the scenes, validating users.  If a user is suspected of being a bot, it will show a series of images to test that the user is human.  If the user fails the test, then no email is sent.

However, although the RECAPTCHA is very good at what it does, it is not trouble free.  The reason I wanted to write this blog post is because I often have trouble with the RECAPTCHA, especially with new sites and actually getting it working.  This blog post is written for Concrete5 / CMS but some of these concepts may apply to other website platforms too.

The Problem

You try to submit a form, it doesn't submit and just shows this error instead:

Potentially it is a very serious issue leading to lost enquiries etc.  We need to fix it, but what does the error mean and how do we fix it?

What does the error mean?

This error is returned from the form block controller in Concrete5:

// check captcha if activated
if ($this->displayCaptcha) {
            $captcha = Core::make('helper/validation/captcha');
            if (!$captcha->check()) {
                    $errors['captcha'] = t('Incorrect captcha code');
                    $_REQUEST['ccmCaptchaCode'] = '';
            }
}

It's a bit generic, so we need to try various things:

Potential solutions

1. Clear the Concrete5 Cache
   Always a good place to start, clearing the cache is quick and easy and then it's easy to retest your form.
    
2. Check https://www.google.com/recaptcha/admin has the domain name listed in settings 
   Within these settings you need to add the domains that use this CAPTCHA key.  Make sure these are correctly set.
   There is some useful guidance from Google here: https://developers.google.com/recaptcha/docs/domain_validation
   
   So for subdomains you can put the main domain instead of the subdomain.
   However, I suspect the IP addresses need to match.
    
3. Check you have copied the keys and secret correctly
   Login to the Google RECAPTCHA control panel again (from step 2) and then into your site and go to www.yoursite.com/index.php/dashboard/system/permissions/captcha
   
   Make sure the keys are correct:
    
4. Set Canonical URLs correctly:
   Go to www.yoursite.com/index.php/dashboard/system/seo/urls
   Ensure they are set correctly:
    
5. Are you using Facebook Like buttons?
   According to this post, it could cause a conflict with IE (if you care about IE)
    
6. Check your version of Concrete5/CMS
   There was a fix in v8.5.7 for RECAPTCHA timeout:
   https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes
    
7. Change Form type
   If you are using a Form block, try a Legacy Form block instead
    
8. It could be your IP address
   We use a VPN so we can change our IP address.  Sometimes no matter what, the RECAPTHA just refuses to work, so we change our IP address and it then starts to work.  Google obviously got a little annoyed with what we were doing!
    
9. If all else fails, make a new CAPTCHA key
   here https://www.google.com/recaptcha/admin and make a new one

Conclusion

With some pain, using Google's RECAPTCHA means you can prevent the majority of spam.  It won't block everything, but should bring it down to manageable levels.

Special thanks to https://www.mesuva.com/ for helping us with this article.
If you have any other tips, please email us and we'll be happy to include them and link back to your website.