How to prevent form spam from bots?

Malicious bot traffic has grown significantly as a share of all internet traffic in recent years. According to calculations, its share was still less than 20% in 2016, but by 2022 it had already risen to more than 30% (Statista). Because of this, the amount of spam sent via website forms is also increasing. You should protect yourself before this becomes a problem.

Harm caused by spam

Spam sent through your website's forms is harmful in many ways.

  • you have to sift through a large number of messages to find the real ones, and all of your response times slow down
  • your site will slow down, which lowers your search engine visibility and may force you to upgrade to a more powerful server
  • bots may sign up for your email marketing list, leading to unnecessary emailing in your campaigns
  • you may receive malicious links, become a victim of phishing, or your site may be hijacked
  • if you analyze visitor data for commercial purposes, your data is no longer correct

The longer the problem is allowed to continue, the bigger the problems and risks become.

Bot spam and spam sent by people

Most spam can be prevented. Spam is usually divided into spam sent by humans and spam sent by bots. Spam sent by people comes either from individual actors or from commercial companies employing several actors whose task is to send a specific message via forms. Genuine customers and human spammers behave similarly, so separating these groups from each other is challenging. This guide focuses on malicious bot spam, but there is also a brief mention below of how to prevent human spam on your WordPress site.

Bot spam is sent by a computer program developed for the purpose. A well-designed bot can send an incredible number of messages. The bot is able to open links and fill in forms automatically. If there is no blocking on the form, this is very easy. Bots have developed significantly recently, and a large part of bot spam prevention methods can be bypassed today. When designing websites, it is absolutely necessary to take into account that a lot of spam can be sent automatically via an unprotected form placed on the site.

Spam sent by people is almost impossible to prevent completely. Spam from malicious bots, on the other hand, can be prevented using techniques that the bot does not yet recognize. However, this is a constant race between spammers and the developers of blocking tools.

Bots' goals

The reassuring thing about this race is that most malicious bots only promote a specific message. This may be a commercial advertisement or other information that the sender tries to make visible in as many places as possible. Your own site will probably be able to continue operating; it is just being used to spread this message. A smaller number of bots aim to damage your site or fish for data. Some of these bots are meant to harm your site and hinder your business: they may put so much load on your site that it can no longer cope and the whole site crashes. Another group of malicious bots may try to find weaknesses in your site and fish for various types of information that can be used in criminal activities.

Frequently used ways to prevent form spam

There are some easy-to-install ways to prevent harmful bot spam. The customer's user experience is very important when choosing between them. Because customers are impatient and the user experience matters, it is not advisable to add extra tasks to the site for the customer to solve. Your website's forms should always work quickly and easily for customers. The same form, on the other hand, should be very difficult for a bot to use. Some commonly used methods are described below.

Ghosting

Ghosting is a very effective and so far less frequently used method. The dxw3 Bot Spam Block plugin uses this method. In ghosting, the elements of the form on the website are ghosted, i.e. they practically disappear. Since bots can't find the elements, they can't spam. However, the form is visible as normal to the actual user. The advantage of this method is its ease of use. Once the protection is turned on, no other settings are required. On the site, the visitor does not have to solve additional tasks or press buttons, but uses the form normally.

Honeypot

Honeypot is currently one of the most popular and effective means of protection against form-sent spam. As the name suggests, the idea of the honeypot is based on its ability to lure a bot into a trap. At its simplest, the form's programming code includes a field to be filled in, which is visually hidden from the customer. The bot reads the code and the customer visually sees the form. So the customer doesn't fill in anything in the field, but the bot thinks that it needs to be filled out. If there is information in the field, the submission of the form will be rejected. Honeypot with its different versions is still a reasonably good way to prevent spam. However, it has become more and more vulnerable because nowadays bots read the code (CSS/JavaScript) used to hide it and know how to react accordingly.

Speed limit

Another promising way to stop bot form submissions is to use rate limiting. The power of a bot is based on its speed. The bot operator tries to submit forms very quickly and efficiently. However, if submitting the form or filling in its fields too quickly is blocked, bot submissions can be stopped. The problem with this method might be the browser's "autofill" function, the purpose of which is to increase user-friendliness. With autofill, filling out the form is very fast. However, if you know how to set the right time limits, user-friendliness can be maintained while still preventing bots from working.
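The honeypot and time-limit checks described in the two sections above can be enforced together on the server. The following is an added example, not code from this page or from the dxw3 plugin; the field names `website` and `form_token`, the key and the time limits are assumptions chosen for illustration.

```python
import hashlib
import hmac
import time

# Assumptions for this example: load the real key from server configuration.
SECRET_KEY = b"constructed-demo-key-change-me"
HONEYPOT_FIELD = "website"    # hypothetical decoy field, hidden from humans with CSS
MIN_FILL_SECONDS = 3          # anything faster is treated as automated
MAX_FORM_AGE_SECONDS = 3600   # stale tokens are rejected to limit replay


def _sign(ts):
    return hmac.new(SECRET_KEY, ts.encode(), hashlib.sha256).hexdigest()


def issue_form_token(now=None):
    """Return 'timestamp:signature' to place in a hidden field when the form is rendered."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}:{_sign(ts)}"


def check_submission(fields, now=None):
    """Return (accepted, reason) for a dict of submitted form fields."""
    now = time.time() if now is None else now

    # 1. Honeypot: a human never sees the decoy, so any value means a bot filled it.
    if fields.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot_filled"

    # 2. Token integrity: the render time must be one this server signed,
    #    otherwise a bot could simply claim an old timestamp.
    ts, _, sig = fields.get("form_token", "").partition(":")
    if not (ts.isascii() and ts.isdigit()):
        return False, "bad_token"
    if not hmac.compare_digest(sig.encode(), _sign(ts).encode()):
        return False, "bad_token"

    # 3. Timing: too fast suggests automation, too old suggests a replayed token.
    elapsed = now - int(ts)
    if elapsed < MIN_FILL_SECONDS:
        return False, "too_fast"
    if elapsed > MAX_FORM_AGE_SECONDS:
        return False, "expired"
    return True, "ok"
```

The clock starts when the form is rendered, not when typing begins, so a short minimum leaves room for browser autofill.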

IP address blocking

Certain types of bot traffic can be blocked based on IP addresses. It is possible to record harmful IP addresses or to prevent fast and repeated form submissions from the same address. However, malicious IP addresses must be stored and retrieved so that they can be compared. Often the first spam submission is successful anyway and the next one comes from somewhere else. However, this method prevents a large amount of spam, depending on how it is implemented.
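One way to prevent fast and repeated submissions from the same address is a sliding-window counter with a temporary block. This is an added example, not code from this page or from any plugin it mentions; the class name, the limits and the sample events (which use documentation-range IP addresses) are constructed for illustration.

```python
import time
from collections import defaultdict, deque


class SubmissionLimiter:
    """Sliding-window limit on form submissions per client IP, with a temporary block."""

    def __init__(self, max_per_window=3, window_seconds=60, block_seconds=600):
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.block_seconds = block_seconds
        self._recent = defaultdict(deque)  # ip -> times of accepted submissions
        self._blocked_until = {}           # ip -> time at which the block ends

    def allow(self, ip, now=None):
        """Return True if a submission from this IP should be accepted now."""
        now = time.time() if now is None else now

        # An address that exceeded the limit stays blocked until the block expires.
        if self._blocked_until.get(ip, 0) > now:
            return False
        self._blocked_until.pop(ip, None)

        # Forget submissions that have fallen out of the window.
        recent = self._recent[ip]
        while recent and recent[0] <= now - self.window_seconds:
            recent.popleft()

        if len(recent) >= self.max_per_window:
            self._blocked_until[ip] = now + self.block_seconds
            return False
        recent.append(now)
        return True


# Constructed sample: (seconds since start, client IP) of incoming submissions.
SAMPLE_EVENTS = [
    (0, "203.0.113.7"), (1, "203.0.113.7"), (2, "203.0.113.7"),
    (3, "203.0.113.7"),    # fourth submission within a minute: blocked
    (4, "198.51.100.20"),  # a different address is unaffected
    (30, "203.0.113.7"),   # still inside the ten-minute block
    (700, "203.0.113.7"),  # block expired and window empty: accepted again
]


def replay(events, limiter=None):
    """Run a list of (time, ip) events through a limiter and return the decisions."""
    limiter = limiter or SubmissionLimiter()
    return [limiter.allow(ip, now=t) for t, ip in events]


if __name__ == "__main__":
    for (t, ip), ok in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"t={t:>3}s {ip:<14} {'accepted' if ok else 'rejected'}")
```

As the paragraph notes, this does nothing about a sender that changes address between submissions, and behind a reverse proxy the client address must be taken from a header set by a proxy you control.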

Cookie-based blocking

Some sites use cookies that store session data on the user's computer. If the expected cookie has not been set on a page of the site other than the form page itself, the form submission is rejected. However, since bots today easily read cookies and use JavaScript, this method does not always stop bots. When implemented correctly, it can be effective, and forms protected by dxw3 use cookies to prevent form submissions.

Validation of fields

It is worth validating the fields of the forms, that is, checking that the entered information is appropriate. However, this does little to hinder bots, because bots know how to enter the information correctly.

CAPTCHA

At one time, Google's CAPTCHA was a very popular anti-spam method. However, this method is disappearing, as it considerably weakens user-friendliness. Adding various riddles to the form submission is harmful.

reCAPTCHA/hCAPTCHA

reCAPTCHA is more user-friendly than CAPTCHA. Many sites use reCAPTCHA. The algorithm behind it tries to determine whether it is a bot or a human. Although it is more user friendly, it still imposes an extra step on the customer before the form can be submitted. In addition, the bot may circumvent this block and its effective use requires a little more work from the site administrator.

Changing the original URLs and file names

An effective way to prevent some bot spam is to change the standard WordPress URLs and the names of some files. In this case, finding the form itself is made a degree more difficult.

WAF

Comprehensive anti-spam services are offered mainly by the bigger software houses. However, the problem with these systems is both their price and their vulnerability to so-called zero-day attacks. These services rely on complex algorithms to determine what is spam. However, the algorithms are often unable to recognize new types of spam, allowing it to get through. Some genuine mail may also be filtered out.

Additional questions

One way to prevent bots from working has traditionally been to ask various simple questions. The form might ask, for example, how much is 1+3. Or it might have some easy verbal questions. However, it is challenging to set up these methods so that they are both completely user-friendly and effective. The calculation task can be solved, and the verbal task may be difficult for the user.

Email verification

Blocking of e-mail addresses or domain names can be used especially in validating the registration form. Known malicious domains are not accepted. Harmful e-mail addresses can be blocked if the registration must be confirmed with a link sent to the e-mail address. This method should not be used extensively, as it weakens the user experience.

JavaScript as a security method

Using JavaScript to block various functions or to change them over time is an effective means of protection. If implemented correctly, JavaScript can block most malicious bots. Certain elements related to the function of the form can be made usable only later. For example, when the person filling in the form has performed a certain action using the keyboard or mouse, the restriction set for bots is dynamically removed. Another way is to schedule the form to become usable only after a certain time. Many bots fill out the form very quickly, so with timing you can block the submissions of several bots. The problems with JavaScript-based techniques are, for example, bots that know how to execute JavaScript and get past these obstacles. Another problem is users who have disabled JavaScript in their browser. In this case, the technique may block bots and at the same time some real users. Ghosting does not have this problem.

Try blocking spam sent by bots from your own form with the spam tester on this site.

Blocking human spam

Spam sent by people can be partially blocked with the help of the Akismet add-on, for example. Often, to screen spam sent by people, you have to use a comprehensive library of blockable words or IP addresses. Blocking is therefore not as effective, but if this kind of spam is a problem, you should use one of the many WordPress plugins.

WordPress Contact Form 7 and WPForms spam blocking

Almost without exception, WordPress websites have a page with a contact form. Contact Form 7 and WPForms are the most common plugins for implementing a contact form on WordPress websites. The CF7 plugin doesn't have any anti-spam protection by default, so sending spam is very easy. However, Google's reCAPTCHA can be connected to CF7. WPForms, on the other hand, now offers its own token-based protection by default, as well as numerous third-party plugins. Token-based protection is relatively easy for bots to circumvent; for example, this site's simple spam tester is able to send messages through a form protected in this way. So it's worth testing the protection of your own form with dxw3's bot spam online tester.

dxw3's form-based blocking was previously partially based on cookies. This can be a very effective and invisible way to prevent spam. A honeypot was also used at the time. Today, blocking is based on ghosting. If the above methods do not help, or if you otherwise want easy and effective form-based blocking, you should get the dxw3 Spam Block add-on and install it on your WordPress site. This add-on does not require settings, but works automatically after activation. However, if you use some method to optimize the CSS code, read the related note in the general installation instructions.

How do I install Contact Form 7 on my site myself?

This is how you install the Contact Form 7 contact form on an example page of your site:

  1. Open the WordPress admin view under Plugins – Installed Plugins. Click "Add new".
  2. Enter "Contact Form 7" in the search box in the upper right corner and click Contact Form 7 – "Install now". After that, click the same button again, which now reads "Enable".
  3. After that, click "Contact" in the admin menu. You can see only one form at this time. The form usually works with its default settings, but you can edit the settings by clicking on the name of the contact form. By default, form submissions arrive in the site administrator's email box. You can also see the default fields of the form by clicking on the name of the form "Contact Form 1".
  4. Click on the code in square brackets under "Short code". Copy the code, including the square brackets, to the clipboard, e.g. with Ctrl+C/Command-C.
  5. After this, the short code must be placed in the place you want, where the form is to be placed. If you want to place the form on a specific page, click "Pages" in the admin menu.
  6. Next, either add a new page or click on the title of the finished page. In page editing mode, click the plus sign in the upper left corner to add a block. Type "short" in the search box.
  7. Drag the block to the desired position on the page. Set the code copied to your clipboard as the value of the block. After that, save the page with "Update" in the top right corner.

Everything is ready. Your contact form will now send you the messages entered through your site. Your site's e-mail must of course be set up correctly. Try your form, and if you do not receive the message entered through the form in your administrator email, there may be a problem with the email settings. In this case, you should try resetting your site's password. If you do not receive a message about the password reset you requested, your email settings need to be fixed. However, if you receive a password reset message, there is a problem with your form.

Advanced spam settings

When your form is set up correctly, you will receive your test messages in your email. After that, however, it won't be long before spam bots find your form. You should immediately block the reception of spam with additional settings. Contact Form 7 can connect to Google's CAPTCHA/reCAPTCHA, the purpose of which is to prevent spam. However, CAPTCHA can be tricky to set up. It may add extra tasks for your visitors before they can submit their message. In addition, the new CAPTCHA requires some settings, and it is possible that you will block some submissions for nothing or let bots through. The easiest way to get there is to install the Bot Spam Block plugin on your site. The add-on works automatically after activation. You only have to set the license code for the add-on. Your visitors won't notice the plugin working, and they won't have to complete extra image tasks or solve equations. The plugin still prevents bot spam from being sent.

User-friendliness and technical Search Engine Optimization

Technical Search Engine Optimization should be considered early enough. In this case, the price paid for the optimization is reasonable. Asking a professional for advice is the best search engine optimization guide for you. A good and reliable partner advises the best solution without a separate charge. Sometimes, however, it is worth asking a professional to make solutions for you, thanks to which your search engine visibility will not suffer, but will improve over time.

The structure and challenge of WordPress

It is reasonably easy to change the functionality and appearance of WordPress websites, even for free, thanks to the huge range of themes and plugins. Many have set up a website themselves by choosing a theme suitable for their business. Functions have been added to the theme with the help of plugins. In this way, it is possible to build your own website at very low cost. However, appetite often grows with eating, and some sites can have dozens of plugins. Since add-ons are often developed to suit many users and environments, an add-on usually includes code that is not used at all. Loading unnecessary code often slows down the site, and the user experience deteriorates. If the site is developing into a more complex entity, you should contact a professional at this stage at the latest. Many add-ons can be modified to better suit their purpose. Sometimes it is reasonably easy to implement the functions with your own add-on tailored to your needs. This ensures that there is as little unnecessary code as possible.

Search engine optimization and user friendliness

In terms of search engine visibility, the content your site offers to visitors is very important. You should be able to anticipate the problems of your intended visitors and offer answers to them on your site. However, this is only part of the whole that determines search engine visibility. Your website must also be user-friendly. Slow and poorly designed pages get a bad rating from Google. This rating, in turn, determines how often and how prominently your site is displayed in search results. Google has defined Core Web Vitals as user-friendliness ratings. These show the quality of different areas of your site. Users want to access fast web pages even with a slow connection. The content must also be the right size for the screen in use. Buttons and other elements of the site should not jump around the screen when different elements load at different times, but should remain in place and the same size. If you have problems getting your site to pass Google's tests, please contact us. This can often be fixed with reasonable effort. A WordPress site does pass the tests. Think twice before choosing some other exotic platform for your website. You will regret it later when you need new features or if this other system is discontinued. There is an overwhelming number of free and paid features available for WordPress. Overall, a WordPress site is certainly the most affordable.

How do I install a secure Elementor form on my site?

WordPress and Elementor

Building a WordPress site with a separate page builder is much easier. If you have not previously used e.g. the Gutenberg tool, one alternative is to use Elementor. You can download Elementor for free from the WordPress plugin library. With Elementor, you can easily build content without programming skills using drag-and-drop blocks. At the same time, you will see your page almost exactly as it will look when published. The basic version of Elementor does not include a form generator (Form Builder). The form generator is a feature of Elementor Pro. Elementor Pro has much more functionality, and Elementor Pro is often installed on websites instead of Elementor. One good reason to get Elementor Pro is precisely its easy-to-use element for building forms. With this element, you can add, for example, a contact form to your site very quickly and easily. It is also easy to change the fields and layout of the form. There is plenty of material to get started with Elementor on their support page: Elementor help. Below I explain how to add the form to your page. There is also plenty of information on adding form functions and modifying the appearance of the form on the same Elementor support pages. At the same time, it is important to consider the security of the form. Spamming bots find your form very quickly, so it's worth protecting it against them right from the start.

Installing an Elementor form

  1. Open the editable page with the "Edit with Elementor" option.
  2. The sidebar on the left side of the view contains elements that can be dropped onto the page. If you are using the Pro version, the "Pro" elements can be found right below the "Basic" elements. The easiest way is to write the word "form" in the top search tool.

  3. Drag and drop the "Form" element on your page to "Drag widget here". When dropped, the element transforms into a sketch-like form.

  4. You can select more fields and change the current fields in the "Form Fields" section of the left sidebar. To add a field, press "+ Add item".

  5. Be sure to protect your form. More on this below.

You can see more examples of form editing in the video: How to Use Elementor's Form Builder.

Standard protection methods in the Elementor form

You can protect the form in Elementor Pro with the standard security measures found in Pro.

    1. In the "Form Fields" section, click "+ Add item". After that, select "Honeypot" from the drop-down menu.

    2. The field becomes invisible on the form itself. Remember to save the page by pressing "Update" at the bottom of the page. Nothing else is needed.

A honeypot is usually a moderately good protection method. However, the bot developed to test this site's form easily sent mail through a honeypot-protected Elementor Pro form. The standard security measures of the Elementor Pro form also include Google's Captcha. How to install it is not covered in this article, as it requires registration with the Google service. Google also has its own requirements for the use of Captcha and in some cases separate sensitivity settings.

Protecting your Elementor form more efficiently with a plugin

The easiest and most effective way to protect your Elementor Pro form is to use the Bot Spam Block plugin. The add-on has been specially developed to block spam sent by bots. The only setting for the add-on is the license key. Otherwise, the add-on works easily, efficiently and automatically without unnecessary settings. It also does not harm the actual user of the form, because the user does not have to solve extra tasks or riddles.

Elementor and dxw3 now offer a package where the buyer of Elementor Pro gets the dxw3 Bot Spam Block add-on as a bonus with the purchase.

This requires that you 1) order the Elementor Pro plugin by clicking the image below.

2) After this, request a 100% coupon code either by email at info@dx-w3.com or via the contact form.

And 3) return here to the store to redeem the add-on with the coupon code.