ANTI Spam Techniques
In recent years spam became a real problem for site owners, this day’s spammers will send not only unsolicited emails but they will also try to submit any form on your site, they really do not care what the form does they only want to submit it. Since WPJB version 4.4.4 we have implemented some methods to stop automatic spam, these techniques are simple to a user (basically not visible to a user) and hard for bots submitting spam.
Currently, we have two of them implemented HoneyPots and TimeTraps, you can configure them in wp-admin / Settings (WPJB) / Anti-SPAM panel, below all the techniques are briefly described:
Before explaining how the HoneyPot works, we need to understand how the SPAM bots work. Basically, a SPAM bot is a robot browsing internet looking for HTML forms to fill and submit. Usually, the bot does not understand the form he is trying to submit he just fills all the available fields and submits the form.
This is where HoneyPot field comes in, HoneyPot is a seemingly regular text field, using CSS it is hidden from users but visible to bots. Since the user has no way to fill this field WPJB expects it to be empty, but a bot will fill it with some random text to make sure no required fields are left blank. When WPJB detects that HoneyPot field is filled it stops form submission and logs potential SPAM submission in the logs.
The HoneyPot has a couple of options:
- Enable HoneyPot – allows to enable this feature, it is recommended to do so.
- HoneyPot Title – by default it is “Required Field”, some bots will try to analyze the form they are submitting so it is best to name the HoneyPot field like a field that should be filled and submitted, avoid things like “HoneyPot”, “SpamTrap” or etc., or anything that might suggest this field should not be filled.
- HoneyPot Name – as above but in the name use only a-z, 0-9 and _ characters.
TimeTrap is a hidden field filled by WPJB, user does not see it and cannot change its value. The value is of this field is encoded current date and time using a random encoding key. When user submits the form the date-time in the form is decoded and compared against current date-time, if difference between current time and form generation time (ie time saved in hidden TimeTrap field) is smaller than 2 seconds it is reasonable to consider this submission a SPAM, since it’s unlikely that user will be able to fill job application or job form in less than 2 seconds.
The TimeTraps has a couple of options:
- Enable Timetrap – allows enabling this feature.
- Timetrap Delta (in seconds) – define minimum time (in seconds) between form generation and submission, ie. minimum time after which normal user could submit the form.
- Timetrap Encode Key – some random string used to encode the date time in a hidden field.
If any of these anti-spam techniques will detect a spam bot it will log it’s IP and a message, if the error messages from this IP address will appear over and over you can consider banning this person from your site altogether.
All anti-spam techniques described above aim to provide some anti-spam protection without breaking user experience, but this are rather simple methods, it might turn out that some dedicated hacker is trying to post spam on your site, in this case the only thing you can do is enable reCAPTCHA on your site.
To do that, first signup for reCAPTCHA API key here https://www.google.com/recaptcha/intro/index.html, then go to wp-admin / Settings (WPJB) / reCAPTCHA panel, enter your API code there and select form for which you wish to enable reCAPTCHA.