How we completely eradicated form spam on WordPress


What is Form Spam and Why Should You Care?

Form spam is a disruptive, malicious means of using a website’s contact and form submissions to send messages containing phishing scams, malware, advertisements, or abuse to the site owners.

Most of these form spam scams are executed by bots programmed to find web forms and automatically fill them out with predetermined copy containing annoying – or sometimes dangerous – content. Because the bots are automated, they can send nearly endless spam to a multitude of destinations.

When your form submissions are filled with spam it takes valuable time to sift through and find genuine leads and interested parties. It’s not only a waste of time and effort, though. Unaware website owners can fall prey to malware or other data-stealing scams and risk having passwords or other sensitive information falling into the hands of scammers.


The Worst Offender – “Eric Jones”

Over time, the sophistication of these bots has grown to the point where traditional methods of battling them are no longer effective. One such bot, the “Eric Jones” bot, has plagued websites for the past few years.

This bot has been such a nuisance that there are entire blogs dedicated to fighting it, and online marketing subreddits have multiple posts going back years with marketing professionals discussing how to block this scammer.

But why has it been such a problem compared to other form spam scams?

Website owners and bloggers have reported daily spam from this bot, and whoever runs it changes IP addresses constantly to get around IP blocking. The bot has been programmed so that it operates without any web browser, submitting forms directly from PHP scripts, which bypasses traditional methods of spam prevention.


Old Methods of Prevention

In the past, the three best ways to prevent form submission spam have been CAPTCHA, ReCAPTCHA, and honeypot techniques.

CAPTCHA, or “Completely Automated Public Turing test to tell Computers and Humans Apart” (easy to see why we say CAPTCHA), is a method of determining whether the user of a webpage is a human or a computer. It does this by presenting the user with distorted text or other visual perception tests which AI is unable to discern, and only granting access after a successful input.

ReCAPTCHA is a Google-designed version of CAPTCHA which uses AI and machine learning to create faster, less disruptive CAPTCHA tests. Otherwise it works just like regular CAPTCHA.

Honeypot protections generally use one of two methods to protect against form spam. In the first, an empty field that a human user never sees is inserted into the form; if it comes back filled in, the submission is assumed to have been completed by a bot and is automatically discarded. The second method times how long form completion takes; if the form is filled in too quickly, the submission is discarded as spam.

These techniques have been in use for years, and have been quite effective. However, the Eric Jones bot bypasses these methods and is running rampant across the web.


How can you prevent form spam on WordPress?

Users have tried using a multitude of different plugins for their websites along with all the methods mentioned above. It doesn’t matter: the bot still makes it through these techniques and fills your comments and forms with spam.

After trying a multitude of different methods, we found that the only strategy that has been absolutely effective at preventing Eric Jones spam on WordPress is to use Gravity Forms – already one of our favourite form plugins – and install the Gravity Forms – Zero Spam plugin. It is ridiculously simple to set up and use (and we’ve seen the gamut of WordPress plugins).

It operates using simple JavaScript code: whenever a message is sent through a form, the script sends a ping, which a bot would not be able to respond to without a user agent. Additionally, because the bot operates without a browser, it will not have JavaScript enabled at all. Zero Spam detects this and prevents the form from submitting.
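As an added illustration of the same idea (this is not the Zero Spam plugin’s own code), here is a small WordPress snippet that hands the browser a token from JavaScript and makes Gravity Forms reject any submission that arrives without it. The field name `js_submission_token`, the nonce action `js_form_check` and the `form[id^="gform_"]` selector are assumptions for the example.

```php
<?php
// Added example, not the Zero Spam plugin's code. Assumes WordPress with
// Gravity Forms active; load it from a must-use plugin or the theme's functions.php.

// Hidden field that only a JavaScript-capable browser will ever fill in (assumed name).
const JSCHECK_FIELD  = 'js_submission_token';
const JSCHECK_ACTION = 'js_form_check';

// 1. Hand the browser a WordPress nonce and let a tiny script copy it into every
//    Gravity Forms form (assumes the forms carry the usual id="gform_<N>").
//    A bot that posts straight to the endpoint from a script never runs this.
add_action('wp_footer', function () {
    $script = sprintf(
        'document.querySelectorAll(\'form[id^="gform_"]\').forEach(function (form) {'
        . 'var input = document.createElement("input");'
        . 'input.type = "hidden"; input.name = %s; input.value = %s;'
        . 'form.appendChild(input); });',
        wp_json_encode(JSCHECK_FIELD),
        wp_json_encode(wp_create_nonce(JSCHECK_ACTION))
    );
    echo '<script>' . $script . '</script>';
});

// 2. Refuse any submission whose token is missing, forged or expired.
add_filter('gform_validation', function ($validation_result) {
    $token = isset($_POST[JSCHECK_FIELD])
        ? sanitize_text_field(wp_unslash($_POST[JSCHECK_FIELD]))
        : '';

    if (wp_verify_nonce($token, JSCHECK_ACTION)) {
        return $validation_result; // genuine browser submission, leave it alone
    }

    $validation_result['is_valid'] = false;
    // Flag the first field so Gravity Forms renders an error instead of failing silently.
    foreach ($validation_result['form']['fields'] as $field) {
        $field->failed_validation  = true;
        $field->validation_message = 'Please enable JavaScript and try again.';
        break;
    }
    return $validation_result;
});
```

Full-page caching can serve a token older than the nonce lifetime to real visitors, so exempt the form page from the cache or fetch the token with a separate request if you use a caching plugin.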

David Walsh – a prominent web developer and blogger – uses this same technique, and says that it has brought his blog from up to 8000 spam messages daily down to zero.

Yes, that’s right. Not less bot spam – no bot spam. While it won’t prevent human users from submitting unwanted forms, it has completely eliminated one of the most damaging tools at scammers’ disposal. 

This plugin has revolutionized our clients’ sites and prevented hundreds of unwanted form submissions. No need to assemble a patchwork of plugins and code if you use WordPress; it’s all right here.

That’s all for how to prevent website contact form spam. If you have any questions – or wish to help us improve this post – let us know on our contact page (not you, Eric Jones!).