
Gravity Forms Antispam results

We have used the Gravity Forms plugin on Dev4Press for over ten years now, and having a good antispam solution is essential to keep contact form entries clean and not waste time sorting out what is spam or not.

Dev4Press's new security plugin, coreSecurity Pro, has been running on Dev4Press for two months now (replacing the old GD Security Toolbox Pro, which also had antispam support for Gravity Forms), and I want to analyze how the antispam measures work for Gravity Forms contact forms. Right now, we have two forms that are protected with the coreSecurity Pro Antispam feature. This is a detail of the security logs in coreSecurity with some of the automatically captured contact entries and some of the main spam reasons.

Gravity Forms Antispam Results

How does the spam get to the website?

Now, there are various ways that spam gets to your website, and for WordPress, spam comes through any form that is open to the public – comments, forum posts, contact forms. If your website doesn’t allow anonymous submissions but allows open registrations, you still get a lot of spam, but this time from registered users. There are many ways this works, and spammers do find a way to spam most websites that need to have outside methods of communication. While most spam comes through comments because comments get wide visibility, contact forms do get a fair amount of spam, too. The problem for spammers with contact forms is that the contact form entries are not publicly displayed in most cases.

Also, there are two main groups of spam sources: bots and humans. Most spam is generated by bots that discover forms and post content. Some website owners like to use captcha solutions that can stop bots, but that will not stop humans from posting spam (it will not stop all bots either; there will be less bot-generated spam, but it will not be eliminated).

Because of all that, and from our experience, contact form spam comes mostly from real people who are paid to post spam. The spam coming through contact forms is created to sell something to website owners – AI, leads, social network followers, software…

Gravity Forms default protection against spam

The Gravity Forms plugin includes a ‘honeypot’ anti-spam measure. This honeypot attempts to eliminate bots, but it does nothing against real people manually using the contact form. For what it does, a honeypot is effective. Gravity Forms has an official add-on for implementing reCAPTCHA, but that, too, is effective against bots and not against human spammers.

coreSecurity Antispam results

When it comes to the results of the coreSecurity Pro Gravity Forms Antispam feature, for the past two months, Dev4Press used all 20+ antispam features that the plugin includes, and based on the spam stopped, we have a much clearer picture of the effectiveness of the antispam measures and what can be done to improve them in the future.

Who was posting spam?

The contact form was protected by the honeypot built into Gravity Forms, which eliminates most of the bots. But, based on the outdated browsers (old user agent versions) that posted spam, a considerable number of spam messages are posted by bots. More advanced bots can get around honeypots if they are made specifically to recognize different versions of the honeypot. Still, most of the spam is posted by humans, and that, in turn, means a wide variety of spam messages, with most of the spam not repeating or containing small changes.

When it comes to content, bots’ messages are usually filled with a lot of links; they are long and clearly point to content generated to cover a lot of things. Human-posted spam is more targeted; it doesn’t rely on the links too much (usually one link or even no links in the content), it is not overly long, and it has more chance to be read by the website owner, and the link clicked.

When it comes to emails used by spammers, there are many legitimate-looking emails on Gmail or Yahoo, but a lot of emails are on domains related to spam messages or from disposable email servers.

What type of antispam measures were most effective?

When it comes to Gravity Forms spam, it is quite different from comments. Contact forms don’t get as much variety of spam as the comments do. But there were still many antispam measures that were triggered over and over again. And, if the same email gets used for posting spam, coreSecurity Pro can use that to detect repeat offenders, even if the IP is different.

The most effective measures when it comes to Gravity Forms spam are:

  1. Too Many Links: any message with three or more links in the content gets flagged.
  2. Banned or Disposable email Domain: the list of domains is huge and expanded with every plugin version.
  3. Stop Forum Spam: free third-party API with a huge, up-to-date list of spammers by IP or email.
  4. Content/Subject Regular Expressions: growing list of regular expressions to detect common spam content.

And, the Existing Spam measure now has a decent-sized spam database to recognize the emails that are used over and over again to stop spam. That’s why it is very important not to remove existing spam from the database.
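The measures listed above, together with the Existing Spam lookup, can be sketched as a small layered filter. This is an added example and not coreSecurity Pro's code: the domain list, the patterns and every name in it are constructed placeholders, and the Stop Forum Spam lookup is left out so the example runs offline.

```python
import re
from dataclasses import dataclass, field

# Constructed placeholders, not the plugin's Dictionary.
DISPOSABLE_DOMAINS = {"mailinator.example", "tempmail.example"}
CONTENT_PATTERNS = [
    re.compile(r"\b(buy|get)\s+\d+\s*k?\s+(followers|likes)\b", re.I),
    re.compile(r"\bguaranteed\s+leads\b", re.I),
]
LINK_RE = re.compile(r"https?://\S+", re.I)
MAX_LINKS = 3  # the post's threshold: three or more links gets flagged


@dataclass
class SpamFilter:
    # Stands in for the "Existing Spam" database of previously caught emails.
    known_spam_emails: set = field(default_factory=set)

    def check(self, email, subject, message):
        """Return the names of the triggered measures (empty list = clean)."""
        email = email.strip().lower()
        domain = email.rpartition("@")[2]
        text = f"{subject}\n{message}"
        reasons = []
        if len(LINK_RE.findall(message)) >= MAX_LINKS:
            reasons.append("too_many_links")
        if domain in DISPOSABLE_DOMAINS:
            reasons.append("disposable_domain")
        if any(p.search(text) for p in CONTENT_PATTERNS):
            reasons.append("content_regex")
        if email in self.known_spam_emails:
            reasons.append("existing_spam")
        if reasons:
            # Keep caught spam: a reused address is recognised next time,
            # even when the text and the IP have changed.
            self.known_spam_emails.add(email)
        return reasons


if __name__ == "__main__":
    f = SpamFilter()
    # Constructed submissions: a link-heavy bot post, a targeted human
    # pitch, the same sender returning with harmless-looking text.
    print(f.check("bot@mail.example", "Hi",
                  "https://a.example https://b.example https://c.example"))
    print(f.check("seller@shop.example", "Offer", "We sell guaranteed leads."))
    print(f.check("seller@shop.example", "Hello", "Following up on my note."))
```

The third submission is flagged only because the earlier entry from the same address was kept, which is the reason the post gives for not deleting caught spam.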

Spammers will get banned from accessing the website

The most important way to stop spammers is not to allow them access to the website at all. coreSecurity Pro tracks each spammer IP, and if the same IP is caught making multiple violations, that IP will be banned from even accessing the website. Now, spammers do use a large number of computers to deliver spam, and it is impossible to ban them all, but IPs that are repeatedly used can be blocked completely.

And coreSecurity Pro can share a list of already banned IPs via the Bridge feature, and that can instantly give you a big boost in stopping spammers on your website by getting the banned IPs from the Dev4Press API.

Improving coreSecurity Pro spam detection

coreSecurity Pro stopped a huge number of spam messages. In the past two months, it has caught 525 spam messages, but the plugin did not catch 35 messages that were spam. There is no way to create a system that will detect everything without also producing a lot of false detections. coreSecurity antispam was created to minimize false positive spam detections, and it is also designed to be expanded to detect more with an expanded Dictionary that includes more regular expressions, more denied domains, spam emails, and more. Every plugin version so far has added between 20 and 50 new patterns for better spam detection, and we manually expand the list as needed based on the spam that was missed.

Every new plugin version will expand antispam capabilities, and there are new antispam features planned for future plugin versions, too. Gravity Forms antispam measures are right now very effective, and they will minimize the spam your forms receive.

Let me know about your experience with spam, and how you managed to stop spam on your website.

Disclosure: This post contains affiliate links, which means that I receive compensation if you make a purchase using this link.
About the author

Milan Petrovic

CEO and Lead developer of Dev4Press Web Development company, working with WordPress since 2008, first as a freelancer, later founding own development company. Author of more than 250 plugins and more than 20 themes.
