Internal RWP Documentation


Preventing Website Spam

Preventing/Limiting Spam Email Strategies

***To go directly to the procedures, scroll down to the next section. 

Background Information

Forms are necessary to keep live email addresses off websites, but they are now routinely targeted by auto-filling bots that spam the client through those forms. While there is no easy way to stop human spammers, there are techniques to foil automated spambots.

1. Honeypots. A honeypot is a hidden form field that a human visitor cannot fill out; a bot, because it scans the page code, will see the field and assume it needs to be completed for the form. Conditional code associated with the hidden field disables the form submission button if the field is populated. Bots are increasingly able to recognize and thwart these honeypots, but there are ways to keep them effective.

Gravity Forms has a built-in honeypot that can be enabled with a checkbox. It routinely changes the name/type of the hidden field to try and keep the bots from learning what to avoid filling in.

Alternatively or in addition, you can create your own honeypot if you have the ability to apply conditional code to the hidden field, which is easily accomplished in Gravity Forms. Not every form plugin has this capability. The key elements when creating a honeypot are to use a field name like password, which a bot would assume is necessary (and which could stop them by itself), or a long random string that they wouldn't recognize and that would not be in their database of known field titles. Use a text field for the input rather than a checkbox or other easy-to-fill-in field. Bots are increasingly able to recognize a field hidden via CSS, so some recommend moving the field so far off the screen that no human would see it, even though it is not technically "hidden."

2. Akismet plugin. Akismet is a paid plugin for all but personal use (no promotion, ads, etc. on the site), but it is a powerful anti-spam tool that protects not only forms but also comments and registrations. One downside is the number of false positives it can generate. See these instructions and the procedures for using Akismet with RadiateWP.

3. Black Hole for Bad Bots plugin. This is a site-wide bot trap built by Jeff Starr of Perishable Press. (I use this one and his Block Bad Queries plugin.) It's lightweight and works completely behind the scenes. It requires adding a line of code to the robots.txt file to activate the trap. This plugin is free.

4. reCAPTCHA (successor to the original CAPTCHA) by Google. reCAPTCHA is a Google product (although there are others on the market employing similar verification methods) that verifies the submitter of a form is human by presenting the visitor with a "challenge" they must complete successfully or the form will not send. To install reCAPTCHA, the site must have a Google account to acquire a site key. The challenge can be visible or invisible. When an invisible reCAPTCHA is selected, the content of the form is evaluated through machine learning/AI. reCAPTCHA can be an effective tool against spambots, but it detracts from the user experience and might not be the best solution for people who would rather not have Google analyzing their website for user behavior. In addition, Google can change the requirements or the functionality of its product unexpectedly (and frequently does), rendering whatever you have already set up useless.

5. Other options. Security plugins make it relatively easy to block certain countries and IPs, keeping known spam-prone areas of the world (ex: Russia, China) from accessing the site. Another method to block spam is to disallow URLs in the message body.
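The custom honeypot from item 1 and the no-URLs rule from item 5, sketched as an added example (not code from Gravity Forms or any plugin named here). The field name, function names and sample values are constructed; the check is written for the point where the submission is received, because a bot that posts straight to the form handler never runs the script that disables the submit button.

```javascript
// Hypothetical honeypot field name: a long random string chosen once by the
// site operator (constructed for this example).
const HONEYPOT_NAME = "q7x2_kd93hf_zt41mvb8";

// Build the honeypot as a plain text input moved far off-screen rather than
// display:none or type="hidden". tabindex and autocomplete keep keyboard
// users and browser autofill out of it; the label warns screen-reader users.
function honeypotMarkup(name) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) {
    throw new Error("honeypot name must be letters, digits, _ or -");
  }
  return (
    '<div style="position:absolute;left:-10000px;width:1px;height:1px;overflow:hidden">' +
    `<label for="${name}">Leave this field empty</label>` +
    `<input type="text" id="${name}" name="${name}" tabindex="-1" autocomplete="off">` +
    "</div>"
  );
}

// Links starting with http://, https:// or www. (bare domains are left alone
// to avoid flagging ordinary sentences with a missing space after a period).
const URL_PATTERN = /\b(?:https?:\/\/|www\.)\S+/i;

// Classify one submission, given as an object of field name -> value.
function classifySubmission(fields, hpName, messageField = "message") {
  const hp = fields[hpName];
  // A browser always sends a text input, even when empty. If the field is
  // absent, the request did not come from the rendered form.
  if (hp === undefined) return { accept: false, reason: "honeypot-missing" };
  // Any non-whitespace content means something filled the trap field.
  if (String(hp).trim() !== "") return { accept: false, reason: "honeypot-filled" };
  // Item 5: refuse messages that carry a URL in the body.
  if (URL_PATTERN.test(String(fields[messageField] || ""))) {
    return { accept: false, reason: "url-in-message" };
  }
  return { accept: true, reason: "ok" };
}
```

Logging the `reason` for each rejected submission gives a record to review during the one-week wait between fixes.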


Action Steps

The suggested order of operations when attempting to prevent spambots from submitting forms is below. After each implementation, wait at least one week (depending on the reported volume of spam) before trying the next fix:

  1. For Gravity Forms: Enable honeypot and create a custom honeypot.
  2. Install Black Hole for Bad Bots and add the required line to the robots.txt file. (This is the preferred solution after the honeypot.)
  3. Install Akismet. See RadiateWP procedure.
  4. Install reCAPTCHA. Try the invisible one first to preserve a good user experience.


At least one of these methods should help reduce or eliminate most automated spam.
