Bots, Gravity Forms and Spam on WordPress

Angelo Marasa
4 min read · Jun 10, 2022

Spam on forms is a problem that has been around for as long as forms have existed. There are solutions out there to reduce spam, but unfortunately, blocking it 100% is an impossible task.

Before attempting to solve spam, it’s important to understand two things:

  1. Where does spam come from?
  2. How do bots work?

Where does spam come from?

There are two sources of spam, each with its own challenges and its own solutions for reducing the amount of spam.

Bots. This is the most common way that forms get spammed and as more solutions are designed to reduce their activity, the smarter the bots get.

Manual Entries. This is trickier to solve, because you’re battling individuals who are entering the form details by hand, so solutions that are designed for bots generally don’t work for manual entries.

Let’s talk a little bit about solutions for bots and why they may not work for manual entries.

  1. Adding CAPTCHA or reCAPTCHA to a form. This is one of the most popular methods floating around. We don’t know Google’s secrets on how this feature works, but we know it does an excellent job at stopping bots. A user who is manually spamming, however, can easily bypass it by checking the box or selecting the part of a picture that has the bus.
  2. Adding a test question. This is used much less, and it can get annoying for legitimate users. The idea here is that you’d add a question that is simple for a user to answer, for example: 4 + 4 = ____________. If the answer is left blank or incorrect, then the form wouldn’t submit. Bots are smart enough now to detect numbers and do quick math, so it’s common for a bot to bypass this. A user who is manually spamming can also easily bypass it.
  3. Honeypot Field. This is one of my favorites and should be added to every form, even if you have other spam solutions implemented. This is a hidden field that asks a basic question, for example: What is your name? A bot will see that question, assume that it’s a real question on the form, and populate it with a fake name. At form submission, if that field is filled in, we know that a bot filled it in, so we trash the entry instead of sending it off to be processed. A user who is manually filling out a form with spam would not be stopped by this solution, because the field is hidden, so a user would never see it and never fill it in.

How do bots work?

A bot is a simple computer script that reads the HTML of a webpage, scans for input fields, fills them in, and finally, looks for a submit button to process the form.

The way that bots get smarter is that the programmer creating a bot will create additional logic to look for certain questions and fill them out with canned values. Earlier in this article we talked about how a bot might recognize a simple math equation. A programmer can easily create some logic that says to look for a question that contains a math formula. So if the bot sees an integer, followed by an operator, followed by another integer, the programmer can say that the odds are in their favor to assume that the question is a math question and they’ll perform that operation.

It’s important to also realize that how a bot sees a form is not the same as how a user sees a form. A user sees the layout and colors, and notices which elements are hidden and which are not. A bot, on the other hand, sees only the plain HTML, so when you hide an element with CSS, the bot doesn’t see it as hidden; it sees the element on the page like any other. This leads me into my next point:

There is a misconception that multi-step forms prevent or help with spam, and I want to clear this up.

Firstly, understanding multi-step forms: a multi-step form is simply a one-page form, broken down into different blocks of input fields. Using a combination of CSS and JavaScript, a multi-step form is programmed to display only one block of input fields at a time. As the user fills out a block correctly, the script hides the field group that has been completed and displays the next one.

The HTML page, however, contains the entire form. Remember what we said before: the field groups are hidden and displayed by a combination of CSS and JavaScript, but a bot doesn’t see a web page the same way a human does, so the bot doesn’t realize that something on the page is hidden. In the HTML, the bot still sees everything, and it can fill out the entire form and submit it, just like any other single-page form.
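To make the two points above concrete (a bot reads raw HTML and ignores CSS, so a hidden honeypot field catches it while a human never sees it), here is a small added simulation that is not part of the original article and is not Gravity Forms code. The form markup, the field name `website` used as the honeypot, and the canned bot values are all constructed for the example.

```python
"""Naive form bot vs. a CSS-hidden honeypot field (constructed example)."""
from html.parser import HTMLParser

# Constructed sample form: the "website" field is hidden with CSS and acts
# as the honeypot. A browser user never sees it; a bot reading HTML does.
FORM_HTML = """
<form action="/submit" method="post">
  <label>Your email <input type="text" name="email"></label>
  <label>Message <textarea name="message"></textarea></label>
  <div style="display:none">
    <label>What is your name? <input type="text" name="website" autocomplete="off"></label>
  </div>
  <button type="submit">Send</button>
</form>
"""

HONEYPOT_FIELD = "website"  # assumed honeypot field name for this example


class FieldScanner(HTMLParser):
    """Collect every named input/textarea, ignoring CSS entirely, which is
    how the article describes a bot reading the page."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("input", "textarea") and a.get("name"):
            self.fields.append(a["name"])


def naive_bot_submission(html):
    """Fill every field the scanner finds with a canned value; the hidden
    honeypot gets filled too, because the bot cannot tell it is hidden."""
    scanner = FieldScanner()
    scanner.feed(html)
    return {name: f"spam-{name}" for name in scanner.fields}


def human_submission():
    """A browser posts the hidden field too, but the human left it empty."""
    return {"email": "alice@example.com", "message": "Hi", HONEYPOT_FIELD: ""}


def accept_submission(post):
    """Server-side honeypot check: trash the entry if the field has a value."""
    return post.get(HONEYPOT_FIELD, "").strip() == ""
```

The check belongs on the server (in Gravity Forms terms, at validation or pre-submission time), never only in client-side JavaScript, since the bot does not run your scripts.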

Where a multi-step form does help with spam is with manual entries. The multi-step layout creates enough of an annoyance that a user doesn’t want to keep going through the form, especially if they don’t know how long it is or what questions to expect next.

Conclusion

Use CAPTCHA / reCAPTCHA & Honeypot for bots.
Use Multi-step to limit human spam.

Never expect spam to be prevented 100%.

As a lead engineer at Kaleidico Digital Marketing, I am dedicated to delivering top-quality engineering solutions that drive business success.