contao
Use ALTCHA by default
Implements #8237
Until there is a way to select the type of CAPTCHA per module, we should at least make ALTCHA the default.
I don't think we should use it by default. The security question is invisible to regular users whereas our default altcha widget would be visible, no? So when updating to Contao 5.6 you would suddenly have an altcha widget visible on your website and possibly break the layout.
The ALTCHA widget is pretty self-contained, so I doubt there would be any layout breaks. Of course the field would be visible, but the security question is potentially visible too, so any layout already has to take a visible CAPTCHA into account.
And the added security outweighs this anyway in my opinion.
I would only add altcha if necessary. Otherwise I would want to have the security question by default, as it is always invisible to regular users.
When ALTCHA is added as default, does this exclude all people with disabled Javascript from beeing able to submit these forms? (https://github.com/contao/contao/issues/7680) In that case I'm against making this a non-configurable default setting.
@fritzmg If we merge #8254, there is an even better temporary (and opt-in) solution:
// contao/config/config.php
$GLOBALS['TL_FFL']['captcha'] = Contao\FormAltcha::class;
