Advanced Spam Rules for Gravity Forms in WordPress

Stop WordPress form spam in Gravity Forms with custom spam filtering rules.

This is a follow-up to an earlier post that outlined the same method and approach, but additional examples are provided here that have been found effective in 2022/2023.

Just about every website with contact forms has issues with spam submissions. Common approaches that have worked for years are no longer effective at blocking spammers. This is largely due to the sophistication of the technologies and tools available today. Machine learning combined with programmatic browser APIs like Puppeteer has resulted in form spam that is very difficult to block effectively. To combat sophisticated spam I’ve found that specific, simple and, most importantly, uncommon approaches work well.

This isn’t another article telling you to use reCAPTCHA, honeypots and other traditional solutions that are ineffective in 2022/2023. Instead I’ll offer an alternative approach that I’ve found effective while working with Gravity Forms in WordPress. The same approach should work well with other WordPress form plugins including Ninja Forms, Contact Form 7, Forminator and others. The approach would also work outside of WordPress, provided that you have a way to intercept and filter submissions and identify them as spam.

Gravity Forms Spam Check Hook

Gravity Forms provides a hook, gform_entry_is_spam, that allows you to add custom spam rules. Using it we can add basic spam protection methods that are effective in specific scenarios.

Rate Limiting by IP Address

Using this example we can mark entries as spam when multiple submissions occur in a given time period that all share the same IP address.

/**
 * Spam Check IP Address Rate Limits
 *
 * @param bool  $is_spam indicates if the submission has been flagged as spam
 * @param array $form    the form currently being processed
 * @param array $entry   the entry currently being processed
 */
function kevinlearynet_gforms_spam_ip_limits( $is_spam, $form, $entry ) {
  // Already flagged as spam
  if ( $is_spam ) {
    return $is_spam;
  }

  $ip_address = empty( $entry['ip'] ) ? GFFormsModel::get_ip() : $entry['ip'];

  // Invalid IP address
  if ( ! filter_var( $ip_address, FILTER_VALIDATE_IP ) ) {
    return true;
  }

  // Track count of submissions by IP
  $key = wp_hash( "kevinlearnet-gforms-ip-limits__{$ip_address}" );
  $count = (int) get_transient( $key );
  if ( $count >= 3 ) {
    return true;
  }
  $count++;
  set_transient( $key, $count, HOUR_IN_SECONDS );

  // Non-threat
  return false;
}
add_filter( 'gform_entry_is_spam', 'kevinlearynet_gforms_spam_ip_limits', 11, 3 );

Email Domain

If you're a B2B company and generally aren’t interested in receiving any submissions from non-business domains, then you can flag submissions as spam based on the email address’s domain name. This example will mark any submission from an @gmail.com email as spam.

/**
 * Spam Check Email Domain: @gmail.com
 *
 * @param bool  $is_spam indicates if the submission has been flagged as spam
 * @param array $form    the form currently being processed
 * @param array $entry   the entry currently being processed
 */
function kevinlearynet_gforms_spam_gmail( $is_spam, $form, $entry ) {
  // Already flagged as spam
  if ( $is_spam ) {
    return $is_spam;
  }

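  // Email domain: gmail.com
  // Field ID 2 is treated as this form's email field; a missing value becomes ''
  $email = isset( $entry[2] ) ? strtolower( trim( $entry[2] ) ) : '';

  // Invalid email address (validate the email value itself)
  if ( ! filter_var( $email, FILTER_VALIDATE_EMAIL ) ) {
    return true;
  }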
  if ( str_ends_with( $email, '@gmail.com' ) ) {
    return true;
  }

  // Non-threat
  return false;
}
add_filter( 'gform_entry_is_spam', 'kevinlearynet_gforms_spam_gmail', 11, 3 );

Create Your Own

You can use this same approach to mark common submission patterns you see on your website as spam. We can recognize spam when we see it; if you can identify what it is that you recognized as spam, then you can create a logical filter for your specific case. This is the high-level approach I recommend, and I have found it to generally work well for my clients.
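
One way to turn a recognized pattern into a rule, here messages stuffed with links, as an added example that is not code from the original post. The function names and the two-link threshold are assumptions; `GFAPI::get_fields_by_type()` and `rgar()` are Gravity Forms helpers.

```php
<?php
/**
 * Count URL-like strings in a block of text.
 *
 * @param string $text raw field value
 * @return int number of http(s):// or www. occurrences
 */
function example_gforms_count_links( $text ) {
  // preg_match_all() returns false on error, which casts to 0
  return (int) preg_match_all( '~(?:https?://|www\.)\S+~i', (string) $text );
}

/**
 * Spam Check Link Count (hypothetical rule for illustration)
 *
 * @param bool  $is_spam indicates if the submission has been flagged as spam
 * @param array $form    the form currently being processed
 * @param array $entry   the entry currently being processed
 */
function example_gforms_spam_link_count( $is_spam, $form, $entry ) {
  // Already flagged as spam
  if ( $is_spam ) {
    return $is_spam;
  }

  // Assumed threshold: tune it to what legitimate enquiries on your site look like
  $max_links = 2;

  // Check every single-line and paragraph text field rather than hard-coding field IDs
  $fields = GFAPI::get_fields_by_type( $form, array( 'text', 'textarea' ) );
  foreach ( $fields as $field ) {
    $value = rgar( $entry, (string) $field->id );
    if ( example_gforms_count_links( $value ) > $max_links ) {
      return true;
    }
  }

  // Non-threat
  return false;
}
add_filter( 'gform_entry_is_spam', 'example_gforms_spam_link_count', 11, 3 );
```

Entries flagged this way land in the form's Spam list rather than being deleted, so you can review false positives and adjust the threshold.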

Meet the Author

Kevin Leary, WordPress Consultant

I'm a custom WordPress web developer and analytics consultant in Boston, MA with 17 years of experience building websites and applications. View a portfolio of my work or request an estimate for your next project.