Question

I posted about this on the Support page for the plugin, but figured I'd post here now, too -- I'm getting a lot of spam from the plugin Contact Form 7, and I was wondering what my options were for validating incoming messages for this plugin. Rather than installing yet another plugin, it would be great if I could do something within functions.php, or even something within one of Contact Form 7's PHP files to prevent this from happening. Is this possible?

An example of the kind of spam I'm getting would be something like:

loans for bad credit guaranteed <a href="http:/redacted">loans for people with bad credit</a> online loans bad credit [url=http://redacted[/url]

I believe there is some kind of cross-site scripting going on in an effort to store third-party backlinks on my site. I tried preventing this with JavaScript but realized that wouldn't fix it, and I was also told in another post to always validate/secure against spam server-side rather than client-side.


Solution

Contact Form 7 has support for Akismet, and reCaptcha; check the docs. Hidden fields are not useful, IMHO; they are still visible in the page source to a 'scraper'. (Neither are 'questions' and some other techniques.)

The only useful thing that I have found is to add some JavaScript to the form that senses human interaction: adding functions that look for on-click and/or on-focus of required fields. Bots have a difficult time with JS, although it is possible a spammer targeting your specific form might be able to bypass that. But that is a highly targeted attack.

I wrote a plugin that adds the on-click/on-focus sensing to CF7 forms: "FormSpammerTrap for Contact Form 7". The form 'target' is modified to submit to a 'honeytrap' site, unless an on-click/on-focus is sensed on a required field - that resets the form 'target' to normal. A simple shortcode is used on the form to enable my plugin's technique.

This blocks a lot of spammers, but there is no perfect solution. I've found that a combination of techniques (Akismet, reCaptcha, and my technique) will catch a lot of (but not all) spam.
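As an added example that is not part of either post above, nor code from Contact Form 7 or the FormSpammerTrap plugin: a server-side check placed in a theme's functions.php, which is what the question asked for and which complements the client-side sensing the answer describes. It assumes Contact Form 7's `wpcf7_spam` filter with the `( $spam, $submission )` signature used by current CF7 releases; the function name `fst_example_looks_like_link_spam` and the link thresholds are the example's own choices, and the patterns are taken from the spam sample shown in the question.

```php
<?php
// Added example for functions.php (assumes Contact Form 7's 'wpcf7_spam' filter).
// When the filter returns true, CF7 marks the submission as spam and does not mail it.

/**
 * Return true when any submitted text field carries the link patterns seen in
 * the question's sample: BBCode [url=...], a raw <a href=...> tag, or more than
 * $max_links bare URLs. $posted is the array from $submission->get_posted_data().
 */
function fst_example_looks_like_link_spam( array $posted, $max_links = 2 ) {
    foreach ( $posted as $key => $value ) {
        if ( ! is_string( $value ) ) {
            continue; // checkbox/select groups arrive as arrays; skip them
        }
        // BBCode link markup or an anchor tag has no place in a plain contact message.
        if ( false !== stripos( $value, '[url=' )
            || preg_match( '/<a\s+[^>]*href\s*=/i', $value ) ) {
            return true;
        }
        // Several bare URLs in one field is the other common shape of link spam.
        if ( preg_match_all( '#https?://[^\s<>\]"\']+#i', $value, $m ) > $max_links ) {
            return true;
        }
    }
    return false;
}

add_filter( 'wpcf7_spam', function ( $spam, $submission ) {
    if ( $spam ) {
        return $spam; // already flagged by Akismet, reCAPTCHA or another filter
    }
    if ( fst_example_looks_like_link_spam( $submission->get_posted_data() ) ) {
        // Minimal log line for tuning the rule; the message body itself is not logged.
        error_log( 'CF7: submission flagged as link spam by theme filter' );
        return true;
    }
    return $spam;
}, 10, 2 );
```

Tune `$max_links` for forms where legitimate visitors are expected to paste links, and watch the log for a few days before trusting the rule unattended.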

License: CC-BY-SA with attribution
Not affiliated with wordpress.stackexchange