What is form spam?
Form spam is when unsolicited messages make their way through your website’s forms. Most messages are commercial, but some can be very dangerous: they may contain links that lead to phishing websites or to sites that host malware. Spammers target your website forms, and everybody else's, because it pays good money, at least for someone. Think about spam on a global scale.
In this article, we are going to explore different methods that will finally allow you to prevent those annoying spam messages from reaching your inbox through your Contact Form 7 forms.
Akismet: Spam Protection for WordPress
Akismet is a powerful anti-spam service provided by Automattic and used by millions of websites.
The first step is to activate the Akismet plugin. Akismet is bundled with WordPress, so there is no need to install it manually.
To enable Akismet we first need to get an API key. If your site is a personal blog, you can get a free API key. If you are planning to use it on a commercial site, I recommend getting Jetpack.
Jetpack is provided by Automattic, the same company as Akismet. The “Personal” and higher plans include an Akismet subscription that is equivalent to the Akismet “Plus” plan, and you also get a wide variety of features such as security, performance, and site management tools.
Using Akismet with Contact Form 7
When a user submits a contact form, Akismet automatically checks the submission and filters out the ones that look like spam. If the response is “spam”, Contact Form 7 will reject the form submission and show a message saying, “There was an error trying to send your message”.
To use Contact Form 7 with Akismet we first need to add additional form options. We can use one or more of these options; the more options we use, the better the results we will get.
akismet:author - We add this tag to the field where submitters input their names.
akismet:author_email - We add this tag to the field where submitters input their email addresses.
akismet:author_url - We add this tag to the field where submitters input the URL of their websites.
If you want to test whether the spam filtering is working correctly, try entering viagra-test-123 into the name field or firstname.lastname@example.org into the email field. Akismet must return an error response.
reCAPTCHA: Easy on Humans, Hard on Bots
reCAPTCHA is a free service from Google that protects websites from spam and abuse. A “CAPTCHA” is a Turing test to tell humans and bots apart. Contact Form 7 has used reCAPTCHA v3 since v5.1. reCAPTCHA v3 returns a score for each request without user friction. The score is based on interactions with your site and enables you to take appropriate action for your site. It works in the background, so users won’t even notice.
Activating reCAPTCHA in our WordPress site
The first step is to register our WordPress site. reCAPTCHA is a Google service, so you need a Google account to use it.
Select reCAPTCHA v3 from the type options, and enter the domain of the website in the Domains field.
After you register a website, you will get a reCAPTCHA site key and secret key for the site. Copy and paste both keys into the Contact Form 7 “reCAPTCHA” Integration menu page in your WordPress admin.
Now your contact forms use reCAPTCHA’s score to verify whether the form submission is from a human or a spam bot.
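How a server can act on the v3 score, as an added example (not Contact Form 7's own code): the function takes the decoded JSON that Google's siteverify endpoint returns. The 0.5 threshold, the expected hostname and action name, and the sample responses are assumptions constructed for illustration.

```php
<?php
// Added example: evaluates a decoded reCAPTCHA v3 siteverify response.
// $expected values and the 0.5 threshold are assumptions for illustration.

function recaptcha_verdict(array $resp, array $expected, float $threshold = 0.5): array
{
    if (empty($resp['success'])) {
        $codes = implode(',', $resp['error-codes'] ?? []);
        return ['human' => false, 'reason' => "verification failed ($codes)"];
    }
    // A token issued for another site or another form action must not count.
    if (($resp['hostname'] ?? '') !== $expected['hostname']) {
        return ['human' => false, 'reason' => 'hostname mismatch'];
    }
    if (($resp['action'] ?? '') !== $expected['action']) {
        return ['human' => false, 'reason' => 'action mismatch'];
    }
    $score = (float) ($resp['score'] ?? 0.0);
    if ($score < $threshold) {
        return ['human' => false, 'reason' => "score $score below $threshold"];
    }
    return ['human' => true, 'reason' => "score $score"];
}

// Constructed sample responses (not captured from a real site).
$samples = [
    '{"success":true,"score":0.9,"action":"contactform","hostname":"example.com"}',
    '{"success":true,"score":0.1,"action":"contactform","hostname":"example.com"}',
    '{"success":true,"score":0.9,"action":"contactform","hostname":"other.example"}',
    '{"success":false,"error-codes":["timeout-or-duplicate"]}',
];
$expected = ['hostname' => 'example.com', 'action' => 'contactform'];

foreach ($samples as $json) {
    $v = recaptcha_verdict(json_decode($json, true), $expected);
    printf("%-5s %s\n", $v['human'] ? 'pass' : 'block', $v['reason']);
}
```

Only the first sample passes; the low score, the foreign hostname and the reused or expired token are each blocked with a distinct reason that can be logged.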
Hiding the Google reCAPTCHA badge
Now that your form submissions are protected and the spam has stopped, a new reCAPTCHA badge has appeared in the bottom right of your site, and you start to wonder: is there a way to hide it?
According to Google, you can legally hide the badge, but you must include the following text in the user flow.
To remove the badge, you just have to include the following line in your CSS file.
Never use the display:none; property; this will disable the spam protection in your contact forms.
Another great way to stop unwanted messages through your contact form is by blocking specific words or by adding the IP address from which the messages originate to the comment blacklist.
The comment blacklist is a core feature of WordPress that helps manage comments. To use the comment blacklist, go to the Discussion Settings in the WordPress admin panel and enter the words you want to block.
When a form submission contains any of these words in its content, name, URL, email, or IP address, it will be treated as spam by Contact Form 7 and will not be delivered.
To get the IP address from which the messages originate, just add the special mail tag [_remote_ip] to the content of the email sent to you. You will receive the sender's IP address.
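Because the list is matched as "contains", an entry can also hit inside a longer word or a longer IP address. The added example below is a simplified model of that substring matching, not WordPress or Contact Form 7 source code; the function name, list entries and submissions are constructed for illustration.

```php
<?php
// Added example: simplified model of "contains" matching against the list.
// Not WordPress or Contact Form 7 source; all data below is constructed.

function matches_blocklist(string $list, array $fields): ?string
{
    foreach (explode("\n", $list) as $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            continue; // a blank line would otherwise match every submission
        }
        // Case-insensitive substring match: the entry may hit inside a longer word.
        $pattern = '#' . preg_quote($entry, '#') . '#iu';
        foreach ($fields as $name => $value) {
            if (preg_match($pattern, $value) === 1) {
                return "$name matched '$entry'";
            }
        }
    }
    return null;
}

$list = "casino\npress\n203.0.113.7\n";

$submissions = [
    ['name' => 'Bob', 'email' => 'bob@example.com',
     'message' => 'Best online CASINO bonus', 'ip' => '198.51.100.4'],
    ['name' => 'Ann', 'email' => 'ann@example.com',
     'message' => 'I love your WordPress theme', 'ip' => '198.51.100.5'],
    ['name' => 'Joe', 'email' => 'joe@example.com',
     'message' => 'Hello', 'ip' => '203.0.113.70'],
    ['name' => 'Eve', 'email' => 'eve@example.com',
     'message' => 'Question about pricing', 'ip' => '198.51.100.6'],
];

foreach ($submissions as $s) {
    $hit = matches_blocklist($list, $s);
    echo $s['name'], ': ', $hit ?? 'delivered', "\n";
}
```

The second and third submissions are false positives: "press" matches inside "WordPress", and the entry 203.0.113.7 also matches the different address 203.0.113.70, so short words and IP entries that are prefixes of other addresses deserve care.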
Honeypot for Contact Form 7
According to Wikipedia, a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site and seems to contain information or a resource of value to attackers, but is actually isolated and monitored, which enables blocking or analyzing the attackers.
Honeypot for Contact Form 7 is a plugin that adds an additional field to your contact form; if a bot fills it in, the form will not validate. Most spam is entered by bots, and bots will attempt to fill in all fields, regardless of whether the field must be completed or not.
What method should I use?
All WordPress websites receive spam in many different ways. What works on your website may not work on another, so I encourage you to try and combine all the different methods above.