Introduction
Publicly accessible forms are vulnerable to spam, and combating it is difficult due to the ever-evolving tactics of spammers and bots. However, there are various solutions available to minimize the submission of spam. It’s important to note that no single anti-spam method can catch 100% of spam, and as a result, there are numerous anti-spam techniques and services. For optimal results, it’s recommended to use multiple solutions simultaneously.
Solutions
Honeypot
Gravity Forms includes a built-in honeypot feature which can be enabled on the Form Settings > Form Options page of each form. When enabled, the form will include a field that is hidden from visitors but is visible to bots. If this field contains a value when the form has been submitted, the submission will be ignored: the entry is not saved, and notifications and add-ons are not processed.
The validation failure will be recorded in the Gravity Forms core log:
[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::validate_honeypot(): Is honeypot input empty? false
[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::validate_honeypot(): Is version_hash input valid? false
[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::validate_honeypot(): Are both inputs valid? false
[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::handle_abort_submission(): Result from Honeypot: true
[date and time] - DEBUG --> GFFormDisplay::process_form(): Aborting early via gform_abort_submission_with_confirmation filter.
The gform_honeypot_labels_pre_render filter can be used to change the labels used by the honeypot field.
Captchas
The Cloudflare Turnstile Add-On offers an alternative to reCAPTCHA with a focus on privacy and user experience. It automatically chooses from a rotating suite of non-intrusive browser challenges based on telemetry and client behavior exhibited during a session, without the use of cookies.
Our reCAPTCHA Add-On adds Google reCAPTCHA v3 functionality to your toolbox. Refer to the add-on's documentation for details.
The built-in Captcha field is another method to reduce spam from bots, although it can introduce accessibility issues. It integrates Google’s reCAPTCHA version 2 and the third-party Really Simple CAPTCHA plugin.
Akismet
Gravity Forms includes built-in support for the Akismet Anti-Spam plugin by Automattic. We also have an Akismet Add-On which enhances the integration with form-level settings to help improve the quality of the data sent to Akismet for evaluation.
Submit Button Conditional Logic
Add a single-line text field to your form which asks a simple question. A real person should be able to answer the question correctly, whereas most bots won’t.
Here are some examples:
- A panda is black and _____
- 4 + 7 = _____
- What goes up, must come _____
- A cow has how many legs? _____
On the Form Settings page of the form, you would enable button conditional logic based on this question field. If the submitter doesn’t input the correct answer, the form can’t submit.
Multi-Page Forms
If you will be accepting payments using a card or payment add-on field, position it on the last page of the form.
Enabling the required setting on earlier fields can limit the use of the card/payment add-on field to those who have completed the previous form pages, reducing the risk of fraudulent carding activity.
Block Search Indexing
Preventing search engines from indexing the page containing the form can help prevent your form being targeted by bots and spammers.
Google recommends using the noindex directive, but if the page is already indexed, you’ll also need to remove it via webmaster tools.
Cloudflare
Cloudflare provides a variety of services, including IP Access Rules, DDoS Protection, WAF, Bot Management, Rate Limiting, SSL/TLS, and DNSSEC, that can safeguard your site and forms. With IP Access Rules, you can easily block entire countries.
Our Cloudflare Turnstile Add-On enables integration with the Cloudflare Turnstile service.
Plugins
The following add-ons are from certified developers:
- Gravity Perks Blocklist by Gravity Wiz can be used to validate submissions against the WordPress Disallowed Comment Keys. Disallowed Comment Keys was formerly known as Comment Blocklist (WordPress 5.4) and Comment Blacklist (WordPress 5.3 and earlier).
- Gravity Perks Limit Submissions by Gravity Wiz can be used to limit the number of entries that can be submitted by almost anything (user, role, IP, URL, field value) for almost any time period.
- Gravity Forms Zero Spam by GravityKit uses JavaScript to append a custom input to the form; if the input is not found in the submission or its value does not match the expected value, the submission is marked as spam.
- Gravity Forms OpenAI by Gravity Wiz can be used to check if content from the form submission complies with OpenAI’s content policy.
The following add-ons are from third-party developers:
Captchas
- G-Forms hCaptcha by Web & App Easy B.V.
- Friendly Captcha for WordPress by Friendly Captcha GmbH.
Field Validation
- BSK Forms Blacklist by BannerSky.com.
- Gravity Forms Block Email Domains by Road Warrior Creative.
- Gravity Forms Email Blacklist by hallme.
- Byteplant Email Validator by byteplant.com.
- Byteplant Phone Validator by byteplant.com.
- Dilli Email Validator by Dilli Labs LLC.
Spam Blockers
- Toolbelt by Ben Gillbanks.
- Anti-Spam by CleanTalk.
- Human Presence by Human Presence Technology.
- Zero Spam for WordPress by Highfivery LLC.
- OOPSpam by OOPSpam LLC.
Block by IP
- Block IPs for Gravity Forms by Team Bright Vessel.
Code Snippets
Code snippets can be used in the theme functions.php file or custom functionality plugins.
Field Validation
The gform_field_validation and/or gform_validation filters can be used to perform custom validation of field values.
- Integrate with QuickEmailVerification API
- Prevent submission based on a word list
- Prevent submission if a URL is entered into Text or Paragraph fields
- Prevent submission of Cyrillic characters
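As an added illustration (not a snippet from the Gravity Forms documentation), the following gform_field_validation callback combines two of the checks listed above: it fails validation when a Single Line Text or Paragraph field contains a URL or Cyrillic characters. The function name and messages are hypothetical, and the Cyrillic check assumes a form where such input is never expected; place the code in functions.php or a custom functionality plugin.

```php
// Added example: reject URLs and Cyrillic text in Single Line Text and
// Paragraph fields. Function name and messages are hypothetical.
add_filter( 'gform_field_validation', 'example_reject_urls_and_cyrillic', 10, 4 );

function example_reject_urls_and_cyrillic( $result, $value, $form, $field ) {
	// Respect failures already raised by core or by other filters.
	if ( ! $result['is_valid'] ) {
		return $result;
	}

	// 'text' = Single Line Text, 'textarea' = Paragraph.
	if ( ! in_array( $field->get_input_type(), array( 'text', 'textarea' ), true ) ) {
		return $result;
	}

	// These field types submit a single string; skip anything else.
	if ( ! is_string( $value ) || '' === trim( $value ) ) {
		return $result;
	}

	// Matches an explicit scheme or a leading "www."; bare domains such as
	// "example.com" are deliberately not matched to limit false positives.
	if ( preg_match( '~(?:https?://|\bwww\.)\S+~i', $value ) ) {
		$result['is_valid'] = false;
		$result['message']  = 'Please remove links from this field.';
		return $result;
	}

	// \p{Cyrillic} needs the /u modifier. preg_match() returns false on
	// invalid UTF-8, which is treated as a failure here rather than a pass.
	$cyrillic = preg_match( '/\p{Cyrillic}/u', $value );
	if ( 1 === $cyrillic || false === $cyrillic ) {
		$result['is_valid'] = false;
		$result['message']  = 'This field contains characters that are not accepted.';
	}

	return $result;
}
```

A validation failure is shown to the submitter, so a bot operator can see which rule triggered; the gform_entry_is_spam filter covered next handles the submission silently instead.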
Spam Filter
The gform_entry_is_spam filter can be used to mark submissions as spam.
- Integrate with the ZeroBounce Email Validation API
- Check field values for URLs
- Rate limit submissions based on the IP address
- Check that first and last name inputs contain different values
- Use ipapi.co to check country code for IP address
- Gravity Forms and Disallowed Keys by Ipstenu (Mika Epstein)
- Stopping Jerks in Gravity Forms by Ipstenu (Mika Epstein)
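As an added illustration (not a snippet from the Gravity Forms documentation), the following gform_entry_is_spam callback combines two of the checks listed above: identical first and last name inputs, and a per-IP rate limit stored in a WordPress transient. The function name, the transient key prefix and the limit of 3 submissions are hypothetical values chosen for the example.

```php
// Added example: identical first/last name check plus a per-IP rate limit.
// Function name, key prefix and the limit of 3 are hypothetical.
add_filter( 'gform_entry_is_spam', 'example_spam_name_and_rate_check', 10, 3 );

function example_spam_name_and_rate_check( $is_spam, $form, $entry ) {
	// Keep a verdict already reached by an earlier check or another filter.
	if ( $is_spam ) {
		return $is_spam;
	}

	// Name field inputs: {field id}.3 is First, {field id}.6 is Last.
	foreach ( GFAPI::get_fields_by_type( $form, array( 'name' ) ) as $field ) {
		$first = strtolower( trim( (string) rgar( $entry, $field->id . '.3' ) ) );
		$last  = strtolower( trim( (string) rgar( $entry, $field->id . '.6' ) ) );
		if ( '' !== $first && $first === $last ) {
			return true;
		}
	}

	// If no valid address is recorded on the entry there is nothing to
	// count against, so the rate limit is skipped rather than guessed.
	$ip = rgar( $entry, 'ip' );
	if ( ! filter_var( $ip, FILTER_VALIDATE_IP ) ) {
		return $is_spam;
	}

	// One counter per form and address. Each counted submission renews the
	// transient, so it expires one hour after the most recent counted one.
	$key   = 'example_gf_rate_' . md5( $form['id'] . '|' . $ip );
	$count = (int) get_transient( $key );
	if ( $count >= 3 ) {
		return true;
	}
	set_transient( $key, $count + 1, HOUR_IN_SECONDS );

	return $is_spam;
}
```

Behind a reverse proxy such as Cloudflare, the address recorded on the entry may be the proxy's unless the site restores the visitor address, in which case all visitors would share one counter. The transient read and write are not atomic, so treat the limit as approximate under concurrent submissions.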
Disclaimer: Third-party services, plugins, or code snippets that are referenced by our Support documentation or in Support Team communications are provided as suggestions only. We do not evaluate, test or officially support third-party solutions. You are wholly responsible for determining if any suggestion given is sufficient to meet the functional, security, legal, ongoing cost and support needs of your project.