Github mirror of MediaWiki extension ConfirmEdit - our actual code is hosted with Gerrit (please see for contributing)
Clone or download
translatewiki Localisation updates from
Change-Id: Id283b8e85c4a272dc908366c10415d4532de0d09
Latest commit d435e6b Oct 14, 2018
Failed to load latest commit information.
FancyCaptcha Localisation updates from Oct 9, 2018
MathCaptcha Clean up some phpcs problems Jul 12, 2018
QuestyCaptcha Localisation updates from Oct 14, 2018
ReCaptcha Localisation updates from Aug 27, 2018
ReCaptchaNoCaptcha Localisation updates from Sep 3, 2018
SimpleCaptcha Only expand `{{...}}` in messages once Oct 11, 2018
i18n Localisation updates from Oct 14, 2018
includes build: Updating mediawiki/phan-taint-check-plugin to 1.3.0 Aug 19, 2018
maintenance Fix "Suceeded" typo in code Aug 27, 2018
resources Replace jshint/jscs with eslint and add stylelint Jan 19, 2017
tests/phpunit Do not attempt to mock 'object' Oct 9, 2018
.eslintrc.json Replace jshint/jscs with eslint and add stylelint Jan 19, 2017
.gitignore Add AUTHORS file and update authors for Special:Version Dec 6, 2015
.gitreview Whoops, track not trace Oct 25, 2016
.mailmap Update AUTHORS.txt Aug 17, 2016
.phpcs.xml Clean up some phpcs problems Jul 12, 2018
.stylelintrc.json Use json extension for .stylelintrc Aug 19, 2017
AUTHORS.txt Update AUTHORS.txt Aug 17, 2016 build: Updating mediawiki/phan-taint-check-plugin to 1.3.0 Aug 19, 2018
ConfirmEdit.alias.php Setting aliases of some special page names for Urdu language Oct 13, 2017
Gruntfile.js Use json extension for .stylelintrc Aug 19, 2017 Fixup use of $ceAllowConfirmedEmail Apr 29, 2017
blacklist Just saw "wench" in a captcha Oct 6, 2016 Add threads parameter to for multithread CAPTCHA generation Jun 12, 2017 Add threads parameter to for multithread CAPTCHA generation Jun 12, 2017
composer.json build: Updating mediawiki/phan-taint-check-plugin to 1.5.0 Sep 7, 2018
extension.json Clean up some phpcs problems Jul 12, 2018
package.json build: Updating npm dependencies for security issues Oct 11, 2018


ConfirmEdit extension for MediaWiki

This extension provides various CAPTCHA tools for MediaWiki, to allow for protection against spambots and other automated tools.

For more information, see the extension homepage at:


The following modules are included in ConfirmEdit:

  • SimpleCaptcha - users have to solve an arithmetic math problem
  • MathCaptcha - users have to solve a math problem that's displayed as an image
  • FancyCaptcha - users have to identify a series of characters, displayed in a stylized way
  • QuestyCaptcha - users have to answer a question, out of a series of questions defined by the administrator(s)
  • ReCaptcha - users have to identify a series of characters, either visually or audially, from a widget provided by the reCAPTCHA service. This plugin is depreacted since MediaWiki 1.28! Please switch to the new ReCaptchaNoCaptcha version of ReCaptcha (which is supported by Google and ConfirmEdit).
  • ReCaptchaNoCaptcha - users have to solve different types of visually or audially tasks.


ConfirmEdit is published under the GPL license.


The main framework, and the SimpleCaptcha and FancyCaptcha modules, were written by Brion Vibber.

The MathCaptcha module was written by Rob Church.

The QuestyCaptcha module was written by Benjamin Lees.

The reCAPTCHA module was written by Mike Crawford and Ben Maurer.

Additional maintenance work was done by Yaron Koren.

Configuration comments

 * List of IP ranges to allow to skip the captcha, similar to the group setting:
 * "$wgGroupPermission[...]['skipcaptcha'] = true"
 * Specific IP addresses or CIDR-style ranges may be used,
 * for instance:
 * $wgCaptchaWhitelistIP = array('', '');
$wgCaptchaWhitelistIP = false;

 * Actions which can trigger a captcha
 * If the 'edit' trigger is on, *every* edit will trigger the captcha.
 * This may be useful for protecting against vandalbot attacks.
 * If using the default 'addurl' trigger, the captcha will trigger on
 * edits that include URLs that aren't in the current version of the page.
 * This should catch automated linkspammers without annoying people when
 * they make more typical edits.
 * The captcha code should not use $wgCaptchaTriggers, but CaptchaTriggers()
 * which also takes into account per namespace triggering.
$wgCaptchaTriggers = array();
$wgCaptchaTriggers['edit']          = false; // Would check on every edit
$wgCaptchaTriggers['create']        = false; // Check on page creation.
$wgCaptchaTriggers['sendemail']     = false; // Special:Emailuser
$wgCaptchaTriggers['addurl']        = true;  // Check on edits that add URLs
$wgCaptchaTriggers['createaccount'] = true;  // Special:Userlogin&type=signup
$wgCaptchaTriggers['badlogin']      = true;  // Special:Userlogin after failure

 * You may wish to apply special rules for captcha triggering on some namespaces.
 * $wgCaptchaTriggersOnNamespace[<namespace id>][<trigger>] forces an always on /
 * always off configuration with that trigger for the given namespace.
 * Leave unset to use the global options ($wgCaptchaTriggers).
 * Shall not be used with 'createaccount' (it is not checked).
$wgCaptchaTriggersOnNamespace = array();

# Example:
# $wgCaptchaTriggersOnNamespace[NS_TALK]['create'] = false; //Allow creation of talk pages without captchas.
# $wgCaptchaTriggersOnNamespace[NS_PROJECT]['edit'] = true; //Show captcha whenever editing Project pages.

 * Indicate how to store per-session data required to match up the
 * internal captcha data with the editor.
 * 'CaptchaSessionStore' uses PHP's session storage, which is cookie-based
 * and may fail for anons with cookies disabled.
 * 'CaptchaCacheStore' uses $wgMemc, which avoids the cookie dependency
 * but may be fragile depending on cache configuration.
$wgCaptchaStorageClass = 'CaptchaSessionStore';

 * Number of seconds a captcha session should last in the data cache
 * before expiring when managing through CaptchaCacheStore class.
 * Default is a half hour.
$wgCaptchaSessionExpiration = 30 * 60;

 * Number of seconds after a bad login that a captcha will be shown to
 * that client on the login form to slow down password-guessing bots.
 * Has no effect if 'badlogin' is disabled in $wgCaptchaTriggers or
 * if there is not a caching engine enabled.
 * Default is five minutes.
$wgCaptchaBadLoginExpiration = 5 * 60;

 * Allow users who have confirmed their email addresses to post
 * URL links without being harassed by the captcha.
$wgAllowConfirmedEmail = false;

 * Number of bad login attempts before triggering the captcha.  0 means the
 * captcha is presented on the first login.
$wgCaptchaBadLoginAttempts = 3;

 * Regex to whitelist URLs to known-good sites...
 * For instance:
 * $wgCaptchaWhitelist = '#^https?://([a-z0-9-]+\\.)?(wikimedia|wikipedia)\.org/#i';
 * Local admins can define a whitelist under [[MediaWiki:captcha-addurl-whitelist]]
$wgCaptchaWhitelist = false;

 * Additional regexes to check for. Use full regexes; can match things
 * other than URLs such as junk edits.
 * If the new version matches one and the old version doesn't,
 * toss up the captcha screen.
 * @fixme Add a message for local admins to add items as well.
$wgCaptchaRegexes = array();