Fighting Spam

Introduction

Publicly accessible forms are vulnerable to spam, and combating it is difficult due to the ever-evolving tactics of spammers and bots. However, there are various solutions available to minimize the submission of spam or to mark entries as spam. It’s important to note that no single method can catch 100% of spam, and as a result, there are numerous anti-spam techniques and services. For optimal results, it’s recommended to use multiple solutions simultaneously.

Configured notifications, confirmations, and add-on feeds will not be processed for spam submissions.

Submissions that are saved and marked as spam can be found in the Entries section of the form via the spam filter. When viewing a specific entry via the spam filter, you can often find a note indicating which solution marked it as spam. For more information, refer to Reviewing Spam Submissions.

See also: Moderating Entries

Solutions

Honeypot

Gravity Forms includes a built-in honeypot feature available in the Spam Detection section of each form’s Form Settings.

When enabled, the honeypot detects spam using multiple techniques:

  • A hidden honeypot field. The submission is spam if the field contains a value.
  • A JavaScript-inserted version hash. The submission is spam if the value is missing or fails hash validation. Since version 2.7.
  • An optional Submission Speed Check that measures the time between page load and user actions such as clicking submit, next, or previous. The submission is considered spam if the timing data is missing, invalid, or below the configured threshold. Since version 2.9.21.

Depending on your form settings, detected spam will either be blocked (not saved, no entry is created) or saved as an entry marked as spam.

If logging is enabled, the result of the honeypot checks will be recorded in the Gravity Forms core log. Here are the possible logging statements; not all of them will be recorded for every submission.

[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::validate_honeypot(): Is honeypot input (name: [input name]) empty? [Yes or No].
[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::validate_honeypot(): Submission initiated by GFAPI. version_hash validation and speed check bypassed.
[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::validate_honeypot(): Is submission valid? No; version_hash input is empty.
[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::validate_honeypot(): Is version_hash input valid? [Yes or No].
[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::is_valid_submission_speed(): Submission speed check is disabled.
[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::is_valid_submission_speed(): Is speed check valid? No; gform_submission_speeds input is empty or invalid.
[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::is_valid_submission_speed(): Is speed check valid? [Yes or No]; [count] of [total] submissions met the threshold ([threshold] ms). Min required: [number]. All speeds: [JSON containing all the recorded timings]
[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::validate_honeypot(): Is submission valid? [Yes or No].
[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::handle_abort_submission(): Result from Honeypot: [true or false]
[date and time] - DEBUG --> GFFormDisplay::process_form(): Aborting early via gform_abort_submission_with_confirmation filter.

The gform_honeypot_labels_pre_render filter can be used to change the labels used by the honeypot field.

If you think a bot has discovered the name attribute of your form’s hidden honeypot field, the gform_honeypot_input_name filter can be used to customize it.
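The following snippet is an added example, not Gravity Forms' own code, showing how the two filters above can be used together: the honeypot input name is derived from an installation secret so it is stable across renders and submissions but not guessable from other sites, and the default labels are replaced. It assumes gform_honeypot_input_name receives ( $input_name, $form ) and gform_honeypot_labels_pre_render receives ( $labels, $form ); the myprefix_ function names are placeholders. Check the filter reference for your installed version before relying on the argument lists.

```php
<?php
/**
 * Added example: stable per-form honeypot input name plus custom labels.
 * Not part of Gravity Forms; function names and filter argument lists are
 * assumptions to verify against the filter reference for your version.
 */

/**
 * Build a honeypot input name that bots cannot learn from other sites' markup,
 * but that is identical on every render and every submission of the same form.
 * The name MUST be stable: the honeypot handler reads the posted value under
 * this name, so a name that changed between render and submit would never see
 * the bot's value and the check would silently pass.
 */
function myprefix_honeypot_input_name( $input_name, $form = array() ) {
	// Installation-specific secret; AUTH_KEY is defined in wp-config.php.
	// The fallback only exists so the file loads outside WordPress.
	$secret  = defined( 'AUTH_KEY' ) ? AUTH_KEY : 'change-me-fallback-secret';
	$form_id = isset( $form['id'] ) ? (int) $form['id'] : 0;

	// HMAC keeps the secret out of the markup; 16 hex chars is enough to be unique.
	$digest = substr( hash_hmac( 'sha256', 'honeypot-' . $form_id, $secret ), 0, 16 );

	// Must be a valid HTML input name and must not collide with real input_N names.
	return 'gf_hp_' . $digest;
}

/**
 * Replace the default honeypot labels. The field is hidden from humans, so the
 * label only matters to bots that fill fields by label; pick labels that form
 * fillers commonly target.
 */
function myprefix_honeypot_labels( $labels, $form = array() ) {
	return array( 'Website', 'Company', 'Address', 'Fax' );
}

// Register only when WordPress is loaded, so the file can also be linted alone.
if ( function_exists( 'add_filter' ) ) {
	add_filter( 'gform_honeypot_input_name', 'myprefix_honeypot_input_name', 10, 2 );
	add_filter( 'gform_honeypot_labels_pre_render', 'myprefix_honeypot_labels', 10, 2 );
}
```

Do not rotate the input name per request (for example with wp_rand()): the filter runs both when the form is rendered and when it is processed, and the two results must match for the honeypot to be checked at all.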

Submit Button Conditional Logic

Add a single-line text or multiple choice field to your form which asks a simple question. A real person should be able to answer the question correctly, whereas most bots won’t.

Here are some examples:

  • A panda is black and _____
  • 4 + 7 = _____
  • What goes up, must come _____
  • A cow has how many legs? _____
  • The sky is typically what colour? _____
  • What sound does a cat make? _____
  • What do you call water when it is frozen? _____
  • What is 10 minus 4? _____

In the settings panel of the Submit Button field, in the Form Editor, you would enable button conditional logic based on this question field. If the submitter doesn’t input the correct answer, the form can’t submit. If they manage to force the submission, it will not be processed.

Multi-Page Forms

If you will be accepting payments using a card or payment add-on field, position it on the last page of the form.

Enabling the required setting on earlier fields can limit the use of the card/payment add-on field to those who have completed the previous form pages, reducing the risk of fraudulent carding activity.

Block Search Indexing

Preventing search engines from indexing the page containing the form can help prevent your form being targeted by bots and spammers.

Google recommends using the noindex directive, but if the page is already indexed, you’ll also need to remove it via webmaster tools.

Cloudflare

Cloudflare provides various services, including IP Access Rules, DDoS Protection, WAF, Bot Management, Rate Limiting, SSL/TLS, and DNSSEC, that can safeguard your site and forms. With IP Access Rules, you can easily block entire countries.

Our Cloudflare Turnstile Add-On enables integration with the Cloudflare Turnstile service.

Note: If you decide to use Cloudflare services, please make sure to keep Rocket Loader disabled, and exclude form pages from Cloudflare’s caching to prevent potential issues.

Integrations & Plugins

Akismet Add-On

The Akismet Add-On sends form submissions to the Akismet service for analysis. As of version 1.1, the Akismet plugin by Automattic is no longer required. Submissions identified as spam are saved, with the entry marked as spam.

Cloudflare Turnstile Add-On

The Cloudflare Turnstile Add-On offers a captcha with a focus on privacy and user experience. It automatically chooses from a rotating suite of non-intrusive browser challenges based on telemetry and client behavior exhibited during a session, without the use of cookies. Submissions are blocked or fail validation.

reCAPTCHA Add-On

The reCAPTCHA Add-On adds support for the score-based Google reCAPTCHA v3 or Enterprise functionality, without using a form field. If the reCAPTCHA script doesn’t run or the response is invalid, the form will fail validation without any field-specific errors. Entries are marked as spam when their score from the reCAPTCHA response is less than or equal to the configured threshold.

Captcha Field (legacy)

The built-in Captcha field can reduce spam from bots, but it’s no longer recommended because it can introduce accessibility issues. It integrates with Google’s legacy reCAPTCHA version 2 (checkbox or invisible) or the third party Really Simple CAPTCHA plugin, which is image-based. Submissions are blocked or fail validation.

Certified Developer Add-Ons

The following add-ons are from certified developers:

  • Advanced Phone Field by Gravity Wiz enhances the Phone field with automatic phone number validation.
  • Block Email Domains by GravityKit (previously by Road Warrior Creative) allows you to define a comma-separated list of email domains to block on each email field.
  • Blocklist by Gravity Wiz can be used to validate submissions against the WordPress Disallowed Comment Keys. Disallowed Comment Keys was formerly known as Comment Blocklist (WordPress 5.4) and Comment Blacklist (WordPress 5.3 and earlier).
  • Email Validator by Gravity Wiz enhances the Email field with automatic email and email domain validation.
  • GC OpenAI by Gravity Wiz can be used to check if content from the form submission complies with OpenAI’s usage policies. See How to Use AI to Boost Gravity Forms Moderation (with GC OpenAI) for more details.
  • Limit Submissions by Gravity Wiz can be used to limit the number of entries that can be submitted by almost anything (user, role, IP, URL, field value) for almost any time period.
  • One-Time Password by CosmicGiant protects forms by adding a simple verification field. Before a user can submit the form, they’ll click a button to send a verification code via email or SMS. Once verified, the form can be submitted.
  • Zero Spam by GravityKit uses JavaScript to inject an input containing a key into the form submission. If that input is missing or its value doesn’t match the expected key, the entry is marked as spam. Deactivating and then reactivating the plugin will generate a new key.

Third-party Plugins

The following solutions are from third-party developers:

Blocklist
Captchas
Field Validation
Opt-In/OTP
Spam Detection

Code Snippets

Code snippets can be used in the theme functions.php file or custom functionality plugins.

Field Validation

Since version 2.9.15, the Email field has a dedicated filter, gform_email_field_rejectable_values, which can be used to reject partial (e.g. domains) or complete email addresses. When a rejectable value is found, the field fails validation and the form is re-displayed with a validation error. See Automatically Block Unwanted Emails Using Code for a complete code snippet.

The gform_field_validation and/or gform_validation filters can be used to perform custom validation of field values.

Spam Filter

The gform_entry_is_spam filter can be used to mark submissions as spam.
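The following snippet is an added example, not Gravity Forms' own code, that applies one small content check (blocked phrases and link count) in both of the ways described in this section: through gform_field_validation, where a match fails validation and the form is re-displayed with an error, and through gform_entry_is_spam, where the submission is accepted but the entry is saved marked as spam. It assumes gform_field_validation receives ( $result, $value, $form, $field ) and gform_entry_is_spam receives ( $is_spam, $form, $entry ). GFCommon::set_spam_filter() is an assumed helper for recording the reason shown on the entry and is guarded so the snippet still works if it is absent; the myprefix_ names and the phrase list are placeholders.

```php
<?php
/**
 * Added example: one content heuristic used both as hard validation and as a
 * spam flag. Not part of Gravity Forms; filter argument lists and
 * GFCommon::set_spam_filter() are assumptions to verify against the filter
 * reference for your version.
 */

/**
 * Returns a reason string if the text looks like spam, or '' if it looks clean.
 * Heuristics: a blocklisted phrase, or three or more links. Tune both for your
 * audience; a contact form for a web agency will legitimately contain URLs.
 */
function myprefix_spam_reason( $value ) {
	$value = is_string( $value ) ? $value : '';
	if ( '' === trim( $value ) ) {
		return '';
	}

	// Constructed, site-specific phrases; keep them lowercase.
	$blocked_phrases = array( 'seo services', 'casino', 'buy followers' );
	$lower           = strtolower( $value );
	foreach ( $blocked_phrases as $phrase ) {
		if ( false !== strpos( $lower, $phrase ) ) {
			return 'blocked phrase: ' . $phrase;
		}
	}

	$link_count = preg_match_all( '#https?://|www\.#i', $value );
	if ( $link_count >= 3 ) {
		return 'too many links (' . $link_count . ')';
	}

	return '';
}

/**
 * gform_field_validation: hard reject. Only paragraph text fields are inspected;
 * other field types keep their built-in validation.
 */
function myprefix_validate_textarea( $result, $value, $form, $field ) {
	if ( empty( $result['is_valid'] ) || ! isset( $field->type ) || 'textarea' !== $field->type ) {
		return $result; // Already invalid, or not a field we inspect.
	}
	if ( '' !== myprefix_spam_reason( $value ) ) {
		$result['is_valid'] = false;
		// Generic message: do not tell the submitter which heuristic fired.
		$result['message'] = 'Your message could not be sent. Please remove links or promotional text and try again.';
	}
	return $result;
}

/**
 * gform_entry_is_spam: soft flag. Every single-input text field of the saved
 * entry is checked; a match stores the entry under the Spam filter with a note.
 */
function myprefix_entry_is_spam( $is_spam, $form, $entry ) {
	if ( $is_spam ) {
		return $is_spam; // Another solution already flagged it; do not override.
	}
	foreach ( $form['fields'] as $field ) {
		if ( ! isset( $field->type ) || ! in_array( $field->type, array( 'text', 'textarea' ), true ) ) {
			continue;
		}
		// Single-input fields are stored under their numeric id as a string key.
		$key    = (string) $field->id;
		$value  = isset( $entry[ $key ] ) ? $entry[ $key ] : '';
		$reason = myprefix_spam_reason( $value );
		if ( '' !== $reason ) {
			if ( method_exists( 'GFCommon', 'set_spam_filter' ) ) {
				// Assumed helper: records which solution flagged the entry and why.
				GFCommon::set_spam_filter( (int) $form['id'], 'Content check snippet', $reason );
			}
			return true;
		}
	}
	return $is_spam;
}

// Register only when WordPress is loaded, so the file can also be linted alone.
if ( function_exists( 'add_filter' ) ) {
	add_filter( 'gform_field_validation', 'myprefix_validate_textarea', 10, 4 );
	add_filter( 'gform_entry_is_spam', 'myprefix_entry_is_spam', 10, 3 );
}
```

In practice you would register one of the two callbacks, not both: hard validation gives a real person the chance to fix an accidental match but tells a bot its submission was refused, while the spam flag lets the submission through, keeps the entry for review, and suppresses notifications and feeds as described in the Introduction.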


Disclaimer: Third-party services, plugins, or code snippets that are referenced by our Support documentation or in Support Team communications are provided as suggestions only. We do not evaluate, test or officially support third-party solutions. You are wholly responsible for determining if any suggestion given is sufficient to meet the functional, security, legal, ongoing cost and support needs of your project.

Feedback, feature and integration requests, and other functionality ideas can be submitted on our Gravity Forms, Gravity Flow, or Gravity SMTP product roadmap pages.