The share of malicious bot traffic in all internet traffic has grown significantly in recent years. According to Statista, in 2016 it was still less than 20%, but by 2022 it had grown to more than 30%. As a result, the amount of spam sent via website forms is also increasing. Protect your forms before this becomes a problem.
Harm caused by spam
Form spam on your website is harmful in many ways:
- you have to sift through a large number of messages to find the genuine ones, and all of your response times slow down
- your site's performance degrades, which lowers your search engine visibility and may force you to upgrade to a more powerful server
- bots may sign up for your email marketing list, causing unnecessary mailings in your campaigns
- you may receive malicious links, become a victim of phishing, or have your site hijacked
- if you analyze visitor data, e.g. for commercial purposes, that data is no longer accurate
The longer the problem is allowed to continue, the greater the harm and the risks become.
Bot spam and spam sent by humans
Most spam can be prevented. Spam is generally divided into spam sent by humans and spam sent by bots.
Spam sent by people comes either from individual actors or from commercial operations employing several people whose job is to send a specific message via forms. Genuine customers and human spammers behave similarly, so separating the two groups is challenging. This guide focuses on malicious bot spam, but there is also brief advice below on how to prevent human spam on your WordPress site.
Spam sent by bots in practice means spam sent by a computer program developed for that purpose. A well-designed bot can send an enormous number of messages: it opens links and fills in forms automatically, which is very easy if the form has no protection. Bots have evolved significantly in recent years, and a large part of the bot spam prevention methods in use can be bypassed today. Therefore, when designing a website, you have to assume that a lot of spam can be sent automatically via any unprotected form placed on the site.
Spam sent by people is almost impossible to prevent completely. Spam from malicious bots, on the other hand, can be prevented with techniques that the bots do not yet recognize. However, this is a constant race between spammers and the developers of spam blockers.
Goals of the bots
The reassuring thing about this race is that the aim of most malicious bots is merely to spread a specific message. This may be a commercial advertisement or other information that the spammer wants to be visible in as many places as possible. Your site will probably be able to keep operating; it is just being abused to spread this message.
A smaller number of bots aim to damage your site or fish for data. Some of these are built to harm your site and hinder your business: they may place so much load on the site that it can no longer cope and crashes entirely. Another group of malicious bots tries to find weaknesses in your site and fish for various kinds of information that can be used in criminal activities.
Frequently used ways to prevent form spam
You can try some easy-to-install ways to prevent harmful bot spam. The customer's user experience should weigh heavily in your choice. Because customers have little patience and the user experience matters, it is not recommended to add extra tasks on the site for the customer to solve. Your website's forms should always work quickly and easily for customers, while the same form should be very difficult for a bot to use. Some commonly used spam blocking methods are described below.
Ghosting
Ghosting is a very effective and so far less frequently used method of blocking spam; the dxw3 Bot Spam Block plugin uses this method. In ghosting, the elements of the form on the website are ghosted, i.e. they practically disappear for bots. Since a bot can't find the elements, it can't send spam, while the form remains visible to the real user as normal. The advantage of this method is its ease of use: once the protection is turned on, no other settings are required, and the visitor does not have to solve additional tasks or press extra buttons but uses the form normally.
Honeypot
A honeypot is currently one of the most popular and effective means of protection against spam sent through forms. As the name suggests, the idea is to lure the bot into a trap. At its simplest, the form's HTML includes an extra field that is visually hidden from the customer. The bot reads the code and thinks the field needs to be filled in, whereas the customer only sees the visible form and leaves the field empty. If the field contains anything, the submission is rejected. The honeypot in its different variants is still a reasonably good way to prevent spam. However, it has become increasingly vulnerable because bots nowadays read the CSS/JavaScript used to hide the field and react accordingly.
Rate limiting
Another promising way to stop bot form submissions is rate limiting. The power of a bot lies in its speed: it tries to submit forms very quickly and efficiently. If submitting the form, or filling in its fields, too quickly is blocked, the bot's submissions can be stopped. The problem with this method can be the browser's autofill function, which exists to improve user-friendliness and makes filling out the form very fast. However, if you set the time limits correctly, user-friendliness can be maintained while still preventing bots from submitting.
IP address blocking
A certain type of bot traffic can be blocked based on IP addresses: you can store known harmful IP addresses, or prevent fast and repeated form submissions from the same address. However, malicious IP addresses must be recorded and retrieved so that each submission can be compared against them. Often the first spam submission succeeds anyway, and the next one may come from a different address. Still, depending on the implementation, this method prevents a large amount of spam.
Cookie-based blocking
Some sites use cookies that store session data on the user's computer. If a required value has not been set on a page other than the form page itself, the form submission is rejected. However, since bots nowadays easily read cookies and execute JavaScript, this method does not always stop them. When implemented correctly it can be effective, and forms protected by dxw3 used cookies in the past to block form submissions.
Validation of fields
It is worth validating the form's fields, i.e. checking that the entered information is in the right format. However, this hardly hinders bots at all, because they know how to enter information in the correct format.
CAPTCHA
In the past, Google's CAPTCHA was a very popular anti-spam method. However, this method is disappearing, as it weakens user-friendliness a lot. Adding various puzzles before the form can be submitted is harmful to the user experience.
reCAPTCHA/hCAPTCHA
reCAPTCHA is a more user-friendly blocker than the classic CAPTCHA, and many sites use it. The algorithm behind it tries to determine whether the site visitor is a bot or a human. Although reCAPTCHA is more user-friendly, it still adds an extra step for the customer before the form can be submitted. In addition, a bot may pass this blocker, and using it effectively requires a little more work from the site administrator.
Changing the original URLs and file names
An effective way to prevent some bot spam is to change WordPress's standard URLs and some file names. This makes finding the form itself somewhat more difficult.
WAF
Mainly the bigger software companies offer comprehensive anti-spam services. The problem with these systems is both their price and their vulnerability to so-called zero-day (0-day) attacks. These services rely on complex algorithms to determine what is spam, but the algorithms are often unable to recognize new types of spam, which then gets through. Some genuine messages may also be filtered out.
Additional questions
One traditional way to stop bots has been to ask simple questions. The form might ask, for example, how much 1+3 is, or pose an easy verbal question. However, it is hard to set these up so that they are both completely user-friendly and effective: a bot can solve the arithmetic, and the verbal question may be difficult for a human user.
Email verification
Blocking e-mail addresses or domain names can be used especially when validating a registration form: known malicious domains are not accepted. Harmful e-mail addresses can also be blocked by requiring the registration to be confirmed with a link sent to the e-mail address. This method should not be used widely, as it weakens the user experience.
JavaScript protection
You can use JavaScript to block various functions of your form, or to change how they behave over time. These are effective means of protection; if implemented correctly, JavaScript can block most malicious bots. In practice, certain elements needed for the form to work are made usable only later. For example, an element that was dynamically removed, and is therefore not available to bots, is restored only after the human form-filler has performed some ordinary action with the keyboard or mouse. Another way is to enable the form only after a certain time by scheduling the form's functions; many bots fill out the form very quickly, so scheduling blocks the submissions of several bots. JavaScript-based techniques have problems, however. Some bots can execute JavaScript and get past these obstacles, and some users have disabled JavaScript in their browsers, so the technique may block bots and at the same time some real users. Ghosting does not have these problems and is the best way to stop form bot spam.
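The two JavaScript techniques described above, restoring a withheld part of the form after a human interaction and enabling it only after a delay, can be combined in a small client-side "submit gate". The following is an added example and not dxw3's plugin code; createSubmitGate, attachGate, the form class spam-gated and the data-action attribute are assumptions for the example. The gate logic is kept separate from the DOM wiring so it can be exercised outside a browser.

```javascript
// Added example (not dxw3's plugin code): a client-side submit gate. The real
// submit action is withheld until the page has been open for a minimum time AND
// a keyboard/pointer interaction has been seen. All names are assumptions.
function createSubmitGate({ minDelayMs = 2500, now = () => Date.now() } = {}) {
  const openedAt = now();
  let interacted = false;
  return {
    // Called from keydown / pointermove / touchstart listeners.
    recordInteraction() { interacted = true; },
    // True only when both conditions hold.
    canSubmit() { return interacted && now() - openedAt >= minDelayMs; },
    // Which conditions are still unmet; handy when tuning the delay.
    pending() {
      const missing = [];
      if (!interacted) missing.push('interaction');
      if (now() - openedAt < minDelayMs) missing.push('delay');
      return missing;
    },
  };
}

// Browser wiring. The real endpoint lives in data-action (assumption) and the
// form's action attribute is filled in only once the gate opens, so a bot that
// posts straight after loading the page has no endpoint to post to. The submit
// button is also disabled until then, which is the "scheduled" part.
function attachGate(form, gate) {
  const submit = form.querySelector('button[type=submit], input[type=submit]');
  if (submit) submit.disabled = true;
  const refresh = () => {
    const open = gate.canSubmit();
    if (submit) submit.disabled = !open;
    if (open && form.dataset.action) form.action = form.dataset.action;
  };
  for (const evt of ['keydown', 'pointermove', 'touchstart']) {
    form.addEventListener(evt, () => { gate.recordInteraction(); refresh(); }, { passive: true });
  }
  // Poll so the delay condition is noticed even without further interaction.
  const timer = setInterval(() => { refresh(); if (gate.canSubmit()) clearInterval(timer); }, 250);
  form.addEventListener('submit', (e) => { if (!gate.canSubmit()) e.preventDefault(); });
}

// Only runs in a browser; in Node (e.g. when testing the gate logic) this is skipped.
if (typeof document !== 'undefined') {
  const form = document.querySelector('form.spam-gated');
  if (form) attachGate(form, createSubmitGate({ minDelayMs: 2500 }));
}
```

Two caveats follow directly from the text above. A bot that runs a real browser can synthesize the keydown or pointer events and wait out the delay, so the gate should be paired with a server-side check rather than trusted on its own. And if the markup ships with an empty action attribute, visitors with JavaScript disabled cannot submit at all; if those users matter, serve them a fallback (for example a noscript link to a plain form) rather than silently losing their messages.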
Try out your form's ability to block spam sent by bots with the bot spam tester on this website.
Blocking human spam
Blocking spam sent by humans is partially possible, for example with the Akismet plugin. Often, to prevent spam sent by humans, you have to use a comprehensive library of words or IP addresses to block. Blocking is therefore not as effective, but if this kind of spam is a problem, you should use one of the many WordPress plugins developed for this purpose.
WordPress Contact Form 7 and WPForms spam blocking
Almost without exception, a WordPress site has a page with a contact form. Contact Form 7 and WPForms are the most common WordPress add-ons for implementing a contact form. The CF7 plugin has no anti-spam protection by default, so sending spam through it is very easy; however, Google's reCAPTCHA can be connected to CF7. WPForms, on the other hand, now offers its own token-based protection by default, as well as numerous third-party plugins. Token-based protection is relatively easy for bots to circumvent; for example, this site's simple spam tester is able to send messages through a form protected in this way.
It is therefore worth testing your form's protection with dxw3's online bot spam tester.
dxw3's form blocking was previously based partly on cookies, which can be a very effective and invisible way to prevent spam; a honeypot was also used at the time. Today, blocking is based on ghosting. If the methods above do not help, or you otherwise want an easy and effective blocker, install the dxw3 Spam Block plugin on your WordPress site. This add-on does not require any settings but works automatically after activation. However, if you use some method of optimizing the CSS code, read the related notice in the general installation instructions.