Custom Spam Rules for Gravity Forms

Create your own rules to stop form spam submissions on your WordPress website.

This post is followed up by another post containing more advanced examples and demos that have been found effective in 2022/2023.

Gravity Forms is the most well-known, and most used, form plugin available for WordPress. It’s a great tool, and one that I use on many of the sites I work on. Spam form submissions are an issue on just about any site with a publicly available web form. Many options exist to help deter spam submissions, but with tools like Puppeteer it’s become increasingly difficult to accurately tell a spam visitor from a real visitor. A good deal of spam protection works, but not for 100% of cases. Some junk always leaks through.

If you can spot patterns yourself, you can create your own rules that work well to reduce the spam you’re receiving. Spammers write scripts to apply to many websites, so that they can hit as many sites as possible. Gravity Forms are easily identifiable in this way, and so are the spam protection options that may be enabled. But when a site has obscure rules that aren’t used anywhere else, it becomes an edge case and the spam script may fail and move on. I’ve found that a few very rudimentary rules can lead to effective relief. You may need to tweak and adjust your rules as time goes on, but it’s still well worth considering protecting your WordPress web forms from spam submissions and notifications.

Adding Spam Rules

Adding custom spam rules to a form, or all forms, is very simple and involves working with the gform_entry_is_spam filter. Returning false in a hooked function tells Gravity Forms that the submission is not spam, while returning true flags a submission as spam.

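/**
 * Gravity Forms Spam Checks
 *
 * @param bool  $is_spam Spam verdict passed in to the filter
 * @param array $form    The form the entry was submitted to
 * @param array $entry   The submitted entry, keyed by field ID
 * @return bool True flags the submission as spam
 */
function kevinlearynet_gforms_spam_check($is_spam, $form, $entry)
{
  // Organization (field ID 6); default to an empty string so that
  // strtolower() is never handed null when the field is missing
  $organization = isset($entry[6]) ? trim($entry[6]) : '';
  $organization = strtolower($organization);
  if ('google' === $organization) {
    return true;
  }

  // No rule matched: return the verdict that was passed in, so that a
  // positive result from another spam check is not reset to false
  return $is_spam;
}
add_filter('gform_entry_is_spam', 'kevinlearynet_gforms_spam_check', 10, 3);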

I’m using this to add a simple spam rule to my own contact form. Any submission whose Organization value, once trimmed and lowercased, is equal to google will be flagged as spam and won’t send me a notification. The entry record will still be created in Gravity Forms, so you’ll have a record of the submission, just in case it isn’t actually spam. The experience for the spammer is identical to a successful form submission, so any bot will likely assume that it’s succeeded without being flagged. More information on the gform_entry_is_spam filter hook can be found in the Gravity Forms Documentation.
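As rules get tweaked and added over time, it helps to keep them in one table and evaluate them with a function that can be tested outside WordPress. The following is an added example, not code from the original post: the form ID (1), the field IDs (3 and 6), the link-count rule and all example_ function names are assumptions to replace with your own.

```php
<?php
/**
 * Added example: table-driven spam rules, evaluated by a pure function so the
 * rules can be unit-tested outside WordPress. Form ID 1 and field IDs 3 and 6
 * are assumptions; look up the real IDs in your form editor.
 */

/** Constructed sample rules: form ID => field ID => predicate (true = spam). */
function example_spam_rules()
{
  return [
    1 => [
      // Organization equals a value no real visitor has entered so far.
      '6' => function ($value) {
        return in_array(strtolower($value), ['google'], true);
      },
      // Message field carrying three or more links.
      '3' => function ($value) {
        return preg_match_all('~https?://~i', $value) >= 3;
      },
    ],
  ];
}

/** Returns the ID of the first field whose rule matches, or null if none do. */
function example_match_spam_rule(array $rules, $form_id, array $entry)
{
  foreach ($rules[(int) $form_id] ?? [] as $field_id => $is_spam_value) {
    $value = isset($entry[$field_id]) ? trim((string) $entry[$field_id]) : '';
    if ('' !== $value && $is_spam_value($value)) {
      return (string) $field_id;
    }
  }
  return null;
}

function example_gforms_rule_table_check($is_spam, $form, $entry)
{
  // Keep a positive verdict that was passed in instead of overriding it.
  if ($is_spam) {
    return true;
  }
  $form_id = isset($form['id']) ? $form['id'] : 0;
  return null !== example_match_spam_rule(example_spam_rules(), $form_id, (array) $entry);
}

// Register only inside WordPress, so the file can also be loaded by a test runner.
if (function_exists('add_filter')) {
  add_filter('gform_entry_is_spam', 'example_gforms_rule_table_check', 10, 3);
}
```

Because example_match_spam_rule() returns the matching field ID, you can log it while tuning a rule and see which one flagged an entry that turned out to be legitimate.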

Meet the Author

Kevin Leary, WordPress Consultant

I'm a freelance web developer and WordPress consultant in Boston, MA with 17 years of experience building websites and applications. View a portfolio of my work or request an estimate for your next project.