How to Stop Contact Form Spam in WordPress Without CAPTCHA

Antonio Bianchi
4 min read · Aug 12, 2020


Spam is dangerous

Unfortunately, most webmasters have to deal with spam at some stage. The first unsolicited electronic messages targeting wealthy Americans were transmitted via telegraph in 1864. Today, spammers send millions of spam messages every hour.

Spam isn’t just a nuisance; it can be dangerous. Attackers often send links to malware in an attempt to convince you to download and execute a malicious program. Electronic spam is the top source of malware infections and remains the primary infection vector.

I use WordPress for my website. It is by far the most popular CMS, followed by Shopify, Joomla, Drupal and others. WordPress is used by over 33% of all the websites on the Internet. A CMS lets me create and manage my site without any coding.

Expert’s advice

Last year, I asked a friend of mine to recommend the best way to stop spam on my website. He works as a computer forensic expert in Sydney. His answer was short: “Spammers send links. Block these links, and spam will go away.”

He is right when you think about it. Spammers want to trick the recipient into clicking the link in the spam message, so it is rare to get a spam message without at least one hyperlink. This holds for both spambots and human spammers. Unlike spambots, human spammers can quickly solve CAPTCHAs and bypass honeypots.

Other anti-spam options

Additionally, CAPTCHAs (and reCAPTCHAs) look ugly and unprofessional, while honeypots are becoming ineffective against modern spambots. Even the most recent, third version of Google’s reCAPTCHA, although faster and more stable, still comes with plenty of issues. It does not provide a hundred per cent defence against spam either; it is being defeated.

Hiding email addresses with a WordPress plugin like “Email Address Encoder”, or applying a similar obfuscation technique, is also ineffective against sophisticated spambots and human spammers.


Using WordPress “comment spam tools” to block spam

The good news is that WordPress has built-in comment spam tools that can help. Of course, there is no “one size fits all” method that will protect against spam, but these tools can be very effective.

  • Go to the Settings > Discussion panel
  • Scroll down to Comment Blacklist

Enter one entry per line, as follows:

  • http://
  • https://
  • www.

Save the changes, and you are almost done. In the contact form settings, I suggest editing “Messages” to notify users that no web links are allowed. Links are rarely needed for establishing initial communication with customers.

I use the “Contact Form 7” plugin on my website and, in the same way, block free email domains like gmail.com or hotmail.com from being used to contact me via the web contact form.

Test your keywords thoroughly to make sure they don’t block something important. Keywords must be specific enough to block only content that is irrelevant to you. Feel free to experiment with the unofficial “wordpress-comment-blacklist” available on GitHub. That list is exceptionally comprehensive and currently contains over forty thousand keywords. To avoid blocking relevant content, I strongly encourage deploying it in a staging environment first.
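The following is an added example, not code from the article or from WordPress. It models how a one-entry-per-line disallowed-keys list is applied (trimmed, empty lines skipped, regex metacharacters escaped, case-insensitive substring match across every submitted field; this is the behaviour WordPress core uses for its comment list, reproduced here rather than called, and assumed to apply to the contact form as the author’s setup relies on). Note that since WordPress 5.5 the setting is labelled “Disallowed Comment Keys” rather than “Comment Blacklist”. The sample keys and submissions are constructed, and the `audit_keys` function is the staging dry run the paragraph above recommends: it reports which keys would block known-good messages before the list goes live.

```python
import re

# Constructed settings: the entries the article recommends for the
# "Comment Blacklist" / "Disallowed Comment Keys" box, plus the free-mail
# domains it blocks for Contact Form 7. Not a real site's configuration.
DISALLOWED_KEYS = """
http://
https://
www.
gmail.com
hotmail.com
"""


def compile_keys(raw: str):
    """One entry per line, trimmed, empty lines skipped, metacharacters
    escaped, matched case-insensitively as a plain substring.
    Assumed to mirror WordPress core's disallowed-keys check."""
    compiled = []
    for line in raw.splitlines():
        key = line.strip()
        if key:
            compiled.append((key, re.compile(re.escape(key), re.IGNORECASE)))
    return compiled


def matching_keys(submission: dict, compiled) -> list:
    """Keys that hit any submitted field (name, email, message, ...).
    Each key is reported once even if it appears in several fields."""
    hits = []
    for key, pattern in compiled:
        if any(pattern.search(str(value)) for value in submission.values()):
            hits.append(key)
    return hits


def is_blocked(submission: dict, compiled) -> bool:
    """True if the submission would be rejected by the list."""
    return bool(matching_keys(submission, compiled))


def audit_keys(compiled, legitimate_samples) -> dict:
    """Staging dry run: map each key to the legitimate messages it would
    block, so overly generic keys can be removed before going live."""
    false_positives = {}
    for sample in legitimate_samples:
        for key in matching_keys(sample, compiled):
            false_positives.setdefault(key, []).append(sample["message"])
    return false_positives


# Constructed submissions (not real customers or real spam).
SPAM_SUBMISSION = {
    "name": "Best SEO",
    "email": "promo@example.test",
    "message": "Boost your rankings today: https://www.example.test/offer",
}
LEGITIMATE_SUBMISSIONS = [
    {
        "name": "Jane Doe",
        "email": "jane@example.com",
        "message": "Hello, I would like a quote for your latest service.",
    },
    {
        "name": "Bob Smith",
        "email": "bob@company.example",
        "message": "Do you ship to Sydney? Please phone me on 0400 000 000.",
    },
]

if __name__ == "__main__":
    keys = compile_keys(DISALLOWED_KEYS)
    print("spam hit by:", matching_keys(SPAM_SUBMISSION, keys))
    print("legit blocked:", [is_blocked(s, keys) for s in LEGITIMATE_SUBMISSIONS])
    # A deliberately poor extra key ("test", constructed) shows what the
    # audit catches: it is a substring of "latest" in a legitimate message.
    print("audit:", audit_keys(compile_keys(DISALLOWED_KEYS + "test\n"),
                               LEGITIMATE_SUBMISSIONS))
```

Because the match is a plain substring test, short or common keys are the usual source of false positives; run `audit_keys` over a sample of real, legitimate past submissions (exported from the form plugin) before saving a long list such as the GitHub one.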

Blocking by IP

With some rare exceptions, spammers’ Internet Protocol (IP) addresses or IP ranges should never be blacklisted permanently. Dynamically assigned IP addresses change regularly, and IP ranges are often reassigned to new Internet Service Providers (ISPs).

Another issue that makes blocking spamming IP addresses useless is how modern spambots operate. Typically, these bots have at least two or three IP addresses preprogrammed. A spambot will hit your contact page using one of these IP addresses; if unsuccessful, it will automatically switch to the next IP address and try again.

Blacklisting “user-agents”

Spambots often appear in logs as an outdated version of a web browser. For some reason, spammers seem to favour Vivaldi, Opera and Kinza user-agents for their spambots. Blocking them is relatively easy with Apache or Nginx user-agent filtering.

You may find the following regular expressions useful for that purpose.

Regular Expressions

Vivaldi\/1\.96\.1147\.42
Kinza\/4.*
OPR\/[1-5][0-9].*
Chrome\/(6|7|8|9|10|11|12|13|14|15|16)\.
Firefox\ 4\.0
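Before putting user-agent rules into a web server, it is worth running them against a slice of the real access log to see what they would actually reject. The script below is an added example, not code from the article: it takes the five expressions above unchanged, applies them case-insensitively (as nginx’s `~*` operator or Apache’s `SetEnvIfNoCase` would) and reports which requests from a set of constructed “combined”-format log lines would be blocked. The IP addresses are from the 203.0.113.0/24 documentation range and the user-agent strings are made up for the example.

```python
import re

# The five regular expressions from the article, exactly as given.
USER_AGENT_RULES = [
    r"Vivaldi\/1\.96\.1147\.42",
    r"Kinza\/4.*",
    r"OPR\/[1-5][0-9].*",
    r"Chrome\/(6|7|8|9|10|11|12|13|14|15|16)\.",
    r"Firefox\ 4\.0",
]
# Case-insensitive, as nginx "~*" or Apache SetEnvIfNoCase would match them.
COMPILED_RULES = [(rule, re.compile(rule, re.IGNORECASE)) for rule in USER_AGENT_RULES]

# Apache/nginx "combined" format: the user-agent is the last quoted field.
LOG_LINE = re.compile(r'^(?P<ip>\S+) .*"(?P<ua>[^"]*)"\s*$')

# Constructed log lines (documentation IP range, invented user agents).
SAMPLE_LOG = """
203.0.113.10 - - [12/Aug/2020:10:00:00 +1000] "POST /contact/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 Vivaldi/1.96.1147.42"
203.0.113.11 - - [12/Aug/2020:10:00:05 +1000] "POST /contact/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Kinza/4.7.2"
203.0.113.12 - - [12/Aug/2020:10:00:09 +1000] "POST /contact/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36 OPR/32.0.1948.25"
203.0.113.13 - - [12/Aug/2020:10:00:14 +1000] "POST /contact/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/535.1"
203.0.113.20 - - [12/Aug/2020:10:01:00 +1000] "GET /contact/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36"
203.0.113.21 - - [12/Aug/2020:10:01:03 +1000] "GET /contact/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 OPR/70.0.3728.95"
203.0.113.22 - - [12/Aug/2020:10:01:07 +1000] "GET /contact/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0"
"""


def matching_rule(user_agent: str):
    """Return the first rule that matches the user-agent string, or None."""
    for rule, pattern in COMPILED_RULES:
        if pattern.search(user_agent):
            return rule
    return None


def parse_log_line(line: str):
    """Extract (client IP, user-agent) from a combined-format line, or None."""
    match = LOG_LINE.match(line)
    if not match:
        return None
    return match.group("ip"), match.group("ua")


def blocked_requests(log_text: str) -> list:
    """Return (ip, user_agent, rule) for every request the rules would reject."""
    hits = []
    for raw in log_text.splitlines():
        parsed = parse_log_line(raw.strip())
        if parsed is None:
            continue
        ip, ua = parsed
        rule = matching_rule(ua)
        if rule is not None:
            hits.append((ip, ua, rule))
    return hits


if __name__ == "__main__":
    for ip, ua, rule in blocked_requests(SAMPLE_LOG):
        print(f"{ip}  blocked by  {rule}\n    {ua}")
```

Two points the run makes visible: the `Chrome\/(6|...|16)\.` rule needs the dot, so a current Chrome 84 user-agent is not caught by the `8` alternative, and `OPR\/[1-5][0-9]` stops at Opera 59, so a modern Opera 70 passes. Once the dry run looks right, the same expressions go into nginx as `if ($http_user_agent ~* "Kinza/4") { return 403; }` (one `if` per rule, or combined with `|`) or into Apache as `SetEnvIfNoCase User-Agent "Kinza/4" bad_bot` followed by `Require not env bad_bot` inside a `<RequireAll>` block.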

Hooray, No Spam

With these easy steps, I was able to solve the spam problem on my site. I have not been getting it through for almost a year, without slowing down my site by installing new WordPress plugins or paying ridiculous amounts of money for subscription-based anti-spam services.

Let’s not be idealistic; spammers will continue to send spam hoping that someone will read it. They are inventive and will most likely come up with something new to deliver their junk.

Well, two can play at that game!


Antonio Bianchi is currently studying a journalism course at one of the leading Australian universities.