Publicly accessible forms are vulnerable to spam, and combating it is difficult due to the ever-evolving tactics of spammers and bots. However, there are various solutions available to minimize the submission of spam. It’s important to note that no single anti-spam method can catch 100% of spam, and as a result, there are numerous anti-spam techniques and services. For optimal results, it’s recommended to use multiple solutions simultaneously.
Gravity Forms includes a built-in honeypot feature which can be enabled on the Form Settings > Form Options page of each form. When enabled, the form will include a field that is hidden from visitors but is visible to bots. If this field contains a value when the form has been submitted, the submission will be ignored; the entry is not saved, notifications, and add-ons are not processed.
The validation failure will be recorded in the Gravity Forms core log:
[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::validate_honeypot(): Is honeypot input empty? false
[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::validate_honeypot(): Is version_hash input valid? false
[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::validate_honeypot(): Are both inputs valid? false
[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::handle_abort_submission(): Result from Honeypot: true
[date and time] - DEBUG --> GFFormDisplay::process_form(): Aborting early via gform_abort_submission_with_confirmation filter.
The gform_honeypot_labels_pre_render filter can be used to change the labels used by the honeypot field.
If HTML5 is enabled on the Forms > Settings page, the
autocomplete='new-password' attribute will be added to the input, which should help prevent the input from being filled by browsers.
Our reCAPTCHA Add-On adds Google reCAPTCHA v3 functionality into your toolbox. Refer to documentation here.
The built-in Captcha field is another method to reduce spam from bots, although it can introduce accessibility issues. This integrates Google’s reCAPTCHA version 2 and the third party Really Simple CAPTCHA plugin.
Submit Button Conditional Logic
Add a single-line text field to your form which asks a simple question. A real person should be able to answer the question correctly, whereas most bots won’t.
Here are some examples:
- A panda is black and _____
- 4 + 7 = _____
- What goes up, must come _____
- A cow has how many legs? _____
On the Form Settings page of the form, you would enable button conditional logic based on this question field. If the submitter doesn’t input the correct answer, the form can’t submit.
If you will be accepting payments using a card or payment add-on field, position it on the last page of the form.
Enabling the required setting on earlier fields can limit the use of the card/payment add-on field to those who have completed the previous form pages, reducing the risk of fraudulent carding activity.
Block Search Indexing
Preventing search engines from indexing the page containing the form can help prevent your form being targeted by bots and spammers.
Cloudflare provides a variety of services, including IP Access Rules, DDoS Protection, WAF, Bot Management, Rate Limiting, SSL/TLS, and DNSSEC, that can safeguard your site and forms. With IP Access Rules, you can easily block entire countries.
Gravity Forms includes built-in support for the Akismet Anti-Spam plugin by Automattic. We also have an Akismet Add-On which enhances the integration with form level settings to help improve the quality of the data sent to Akismet for evaluation.
The following add-ons are from certified developers:
- Gravity Perks Blocklist by Gravity Wiz can be used to validate submissions against the WordPress Disallowed Comment Keys. Disallowed Comment Keys was formerly known as Comment Blocklist (WordPress 5.4) and Comment Blacklist (WordPress 5.3 and earlier).
- Gravity Perks Limit Submissions by Gravity Wiz can be used to limit the number of entries that can be submitted by almost anything (user, role, IP, URL, field value) for almost any time period.
- Gravity Forms OpenAI by Gravity Wiz can be used to check if content from the form submission complies with OpenAI’s content policy.
- G-Forms hCaptcha by Web & App Easy B.V.
- Friendly Captcha for WordPress by Friendly Captcha GmbH.
- Simple Cloudflare Turnstile by Elliot Sowersby, RelyWP.
- BSK Forms Blacklist by BannerSky.com.
- Gravity Forms Block Email Domains by Road Warrior Creative.
- Gravity Forms Email Blacklist by hallme.
- Byteplant Email Validator by byteplant.com.
- Byteplant Phone Validator by byteplant.com.
- Dilli Email Validator by Dilli Labs LLC.
- Toolbelt by Ben Gillbanks.
- Anti-Spam by CleanTalk.
- Cerber Security, Antispam & Malware Scan.
- WPBruiser + Gravity Forms Extension.
- Human Presence by Human Presence Technology.
- Zero Spam for WordPress by Highfivery LLC.
Block by IP
- Block IPs for Gravity Forms by Team Bright Vessel.
Code snippets can be used in the theme functions.php file or custom functionality plugins.
The gform_entry_is_spam filter can be used to mark submissions as spam.
- Integrate with the ZeroBounce Email Validation API
- Check field values for URLs
- Rate limit submissions based on the IP address
- Check that first and last name inputs contain different values
- Use ipapi.co to check country code for IP address
- Gravity Forms and Disallowed Keys by Ipstenu (Mika Epstein)
- Stopping Jerks in Gravity Forms by Ipstenu (Mika Epstein)
Disclaimer: Third-party services, plugins, or code snippets that are referenced by our Support documentation or in Support Team communications are provided as suggestions only. We do not evaluate, test or officially support third-party solutions. You are wholly responsible for determining if any suggestion given is sufficient to meet the functional, security, legal, ongoing cost and support needs of your project.
Feedback, feature and integration requests, and other functionality ideas can be submitted on our Gravity Forms, Gravity Flow, or Gravity SMTP product roadmap pages.