Visitors can message the marketplace admins via the "Contact us" page and create an account in your marketplace (unless your website is configured as invite-only).
Unfortunately, sometimes, especially when your marketplace grows, you'll receive some spam messages and notice some accounts created by spammers. This is annoying, and there isn't a way to avoid them totally, but some things can help, such as reCAPTCHA. If enabled, visitors then have to check an "I'm not a robot" checkbox and the service, powered by Google, relies on strong rules to guess best if that person is a legitimate visitor or not.
You can enable that feature from your Admin panel. It requires some configuration at reCAPTCHA. Right now, Google doesn't charge anything for that service but may change this in the future.
Let's get started with the setup!
Sign up for a pair of API keys at reCAPTCHA
Log in with your Google account (this will be the owner of the reCAPTCHA account).
Register a new site by filling in the information, as detailed in the following steps.
Label: add whichever name you want for the project. We suggest inputting your marketplace name or URL for convenience.
reCAPTCHA type: select "reCAPTCHA v2" then "I'm not a robot" Checkbox".
Domains: add your marketplace URL, for example, "www.example.com" or "example.sharetribe.com".
Possibly, add more owners.
Accept the terms.
Submit.
You should now see your reCAPTCHA API keys. Great! Let's continue.
Add the reCAPTCHA API keys to your marketplace
Log in to your marketplace. You must be logged as an administrator.
Go to the "Advanced / reCAPTCHA" page of your Admin panel.
Copy the "Site key" from your reCAPTCHA settings and paste it in the "reCAPTCHA site key" field on your Admin panel.
Copy the "Secret key" from your reCAPTCHA settings and paste it in the "reCAPTCHA secret key" field on your Admin panel.
Save the changes in your Admin panel.
That's it!
reCAPTCHA is now enabled on your marketplace. As an unlogged user, you can visit the "Contact us" and "Sign up" page. The reCAPTCHA box should be visible at the bottom of the form.
Finetune reCAPTCHA security settings and monitor things
From your reCAPTCHA account at https://www.google.com/recaptcha/admin/, you can edit your website security settings. For example, you can edit the "Security Preference" from "Easiest to users" to "Most secure". This is not really specific from Google, so it's good to start with the default setting. Over time, if you experience lots of spam, you can change that setting to something more challenging, but keep in mind that regular users' experiences will be more annoying.
Also, from your reCAPTCHA account, you can monitor, after a little while, the requests. How many have passed, failed, etc.? This should help you learn how helpful the service is and better decide what kind of security preferences you'd like to configure.
What do to if you still experience spam and fake accounts
Spam and fake accounts are annoying. They can also be a lucrative business, so people who do this are often one step ahead. There is no definitive way to prevent it.
If you receive a spammy contact request or account every other day (for example), it's likely created or sent by an actual human, paid for that task. reCAPTCHA won't work 100%.
If you experience a low volume of "Contact us" spam (a few messages per week), you may simply have to accept it. We hate it too, spam is more than half of the total email traffic on the Internet, but sometimes the best is to "Mark it as spam" and move on.
If you experience a low volume of fake accounts for spam purposes (a couple per week), disable them immediately. You may want to consider making your marketplace invite-only for a little while.