Fighting Spam

• Introduction
• Solutions
• Honeypot
• Submit Button Conditional Logic
• Multi-Page Forms
• Block Search Indexing
• Cloudflare
• Integrations & Plugins
• Akismet Add-On
• Cloudflare Turnstile Add-On
• reCAPTCHA Add-On
• Captcha Field (legacy)
• Certified Developer Add-Ons
• Third-party Plugins
• Code Snippets
• Field Validation
• Spam Filter

Introduction

Publicly accessible forms are vulnerable to spam, and combating it is difficult due to the ever-evolving tactics of spammers and bots. However, there are various solutions available to minimize the submission of spam or to mark entries as spam. It’s important to note that no single method can catch 100% of spam, and as a result, there are numerous anti-spam techniques and services. For optimal results, it’s recommended to use multiple solutions simultaneously.

Submissions that are saved and marked as spam can be found in the Entries section of the form via the spam filter. Configured notifications, confirmations, and add-on feeds will not be processed. For more information, refer to Reviewing Spam Submissions.

See also: Moderating Entries

Solutions

Honeypot

Gravity Forms includes a built-in honeypot feature, which can be enabled in the Form Options section of the Form Settings page of each form. When enabled, it uses multiple methods to identify spam. Depending on your configuration, the submission will either be discarded or saved as an entry flagged as spam.

The result of the honeypot checks will be recorded in the Gravity Forms core log:

[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::validate_honeypot(): Is honeypot input (name: [input name]) empty? false 
[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::validate_honeypot(): Is version_hash input valid? false 
[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::validate_honeypot(): Are both inputs valid? false 
[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::handle_abort_submission(): Result from Honeypot: true 
[date and time] - DEBUG --> GFFormDisplay::process_form(): Aborting early via gform_abort_submission_with_confirmation filter. 

The gform_honeypot_labels_pre_render filter can be used to change the labels used by the honeypot field.

If you think a bot has discovered the name attribute of your form’s hidden honeypot field, the gform_honeypot_input_name filter can be used to customize it.

Submit Button Conditional Logic

Add a single-line text or multiple choice field to your form which asks a simple question. A real person should be able to answer the question correctly, whereas most bots won’t.

Here are some examples:

• A panda is black and _____
• 4 + 7 = _____
• What goes up, must come _____
• A cow has how many legs? _____
• The sky is typically what colour? _____
• What sound does a cat make? _____
• What do you call water when it is frozen? _____
• What is 10 minus 4? _____

In the settings panel of the Submit Button field, in the Form Editor, you would enable button conditional logic based on this question field. If the submitter doesn’t input the correct answer, the form can’t submit. If they manage to force the submission, it will not be processed.

Multi-Page Forms

If you will be accepting payments using a card or payment add-on field, position it on the last page of the form.

Enabling the required setting on earlier fields can limit the use of the card/payment add-on field to those who have completed the previous form pages, reducing the risk of fraudulent carding activity.

Block Search Indexing

Preventing search engines from indexing the page containing the form can help prevent your form being targeted by bots and spammers.

Google recommends using the noindex directive, but if the page is already indexed, you’ll also need to remove it via webmaster tools.

Cloudflare

Cloudflare provides various services, including IP Access Rules, DDoS Protection, WAF, Bot Management, Rate Limiting, SSL/TLS, and DNSSEC, that can safeguard your site and forms. With IP Access Rules, you can easily block entire countries.

Our Cloudflare Turnstile Add-On enables integration with the Cloudflare Turnstile service.

Note: If you decide to use Cloudflare services, please make sure to keep Rocket Loader disabled, and exclude form pages from Cloudflare’s caching to prevent potential issues.

Integrations & Plugins

Akismet Add-On

The Akismet Add-On sends form submissions to the Akismet service for analysis. As of version 1.1, the Akismet plugin by Automattic is no longer required. Submissions identified as spam are saved, with the entry marked as spam.

Cloudflare Turnstile Add-On

The Cloudflare Turnstile Add-On offers a captcha with a focus on privacy and user experience. It automatically chooses from a rotating suite of non-intrusive browser challenges based on telemetry and client behavior exhibited during a session, without the use of cookies. Submissions are blocked or fail validation.

reCAPTCHA Add-On

The reCAPTCHA Add-On adds support for the score-based Google reCAPTCHA v3 or Enterprise functionality, without using a form field. If the reCAPTCHA script doesn’t run or the response is invalid, the form will fail validation without any-field specific errors. Entries are marked as spam when their score from the reCAPTCHA response is less than or equal to the configured threshold.

Captcha Field (legacy)

The built-in Captcha field can reduce spam from bots, but it’s no longer recommended because it can introduce accessibility issues. It integrates with Google’s legacy reCAPTCHA version 2 (checkbox or invisible) or the third party Really Simple CAPTCHA plugin. Submissions are blocked or fail validation.

Certified Developer Add-Ons

The following add-ons are from certified developers:

• Gravity Forms Block Email Domains by GravityKit (previously by Road Warrior Creative) allows you to define a comma separated list of email domains to block on each email field.
• Gravity Forms Zero Spam by GravityKit uses JavaScript to append a custom input to the form; if the input is not found in the submission or value does not match the expected value, the submission is marked as spam.
• Gravity Forms Advanced Phone Field by Gravity Wiz enhances the Phone field with automatic phone number validation.
• Gravity Forms Blocklist by Gravity Wiz can be used to validate submissions against the WordPress Disallowed Comment Keys. Disallowed Comment Keys was formerly known as Comment Blocklist (WordPress 5.4) and Comment Blacklist (WordPress 5.3 and earlier).
• Gravity Forms Email Validator by Gravity Wiz enhances the Email field with automatic email and email domain validation.
• Gravity Forms Limit Submissions by Gravity Wiz can be used to limit the number of entries that can be submitted by almost anything (user, role, IP, URL, field value) for almost any time period.
• Gravity Connect OpenAI by Gravity Wiz can be used to check if content from the form submission complies with OpenAI’s usage policies. See How to Use AI to Boost Gravity Forms Moderation (with GC OpenAI) for more details.

Third-party Plugins

The following solutions are from third-party developers:

Captchas

• ALTCHA
• Captcha 4WP
• Captcha.eu
• Friendly Captcha for WordPress
• hCaptcha for WP
• TrustCaptcha
• WordPress Captcha Plugin Pro
• WP Image CAPTCHA Pro

Field Validation

• Blacklist Manager
• BSK Forms Blacklist
• Byteplant Email Validator
• Byteplant Phone Validator
• DeBounce Email Validator
• Dilli Email Validator
• Disposable Email Blocker
• Gravity Forms Email Blacklist

Spam Detection

• CleanTalk
• Fullworks
• Maspik
• No Spam AI
• OOPSpam
• ShieldPro
• SilentShield
• WP Armour

Block by IP

• Block IPs for Gravity Forms

Code Snippets

Code snippets can be used in the theme functions.php file or custom functionality plugins.

Field Validation

Since version 2.9.15, the Email field has a dedicated filter, gform_email_field_rejectable_values, which can be used to reject partial (e.g. domains) or complete email addresses. When a rejectable value is found, the field fails validation and the form is re-displayed with a validation error. See Automatically Block Unwanted Emails Using Code for a complete code snippet.

The gform_field_validation and/or gform_validation filters can be used to perform custom validation of field values.

• Integrate with QuickEmailVerification API
• Prevent submission based on a word list
• Prevent submission if a URL is entered into Text or Paragraph fields
• Prevent submission of Cyrillic characters

Spam Filter

The gform_entry_is_spam filter can be used to mark submissions as spam.

• Integrate with the ZeroBounce Email Validation API
• Check field values for URLs
• Rate limit submissions based on the IP address
• Check that first and last name inputs contain different values
• Use ipapi.co to check country code for IP address
• Gravity Forms and Disallowed Keys by Ipstenu (Mika Epstein)
• Stopping Jerks in Gravity Forms by Ipstenu (Mika Epstein)

​Disclaimer: Third-party services, plugins, or code snippets that are referenced by our Support documentation or in Support Team communications are provided as suggestions only. We do not evaluate, test or officially support third-party solutions. You are wholly responsible for determining if any suggestion given is sufficient to meet the functional, security, legal, ongoing cost and support needs of your project.

Feedback, feature and integration requests, and other functionality ideas can be submitted on our Gravity Forms, Gravity Flow, or Gravity SMTP product roadmap pages.