Introduction
Spam is a problem that affects all publicly accessible forms, and fighting it is complicated by the fact that spammers and bots are constantly evolving their methods. The good news is that there are a number of solutions you can use to reduce the amount of spam that is successfully submitted. Note, however, that no single anti-spam method is able to catch 100% of spam, which is why hundreds of different anti-spam techniques and services exist. For better results we recommend using multiple solutions at the same time.
Solutions
Honeypot
Gravity Forms includes a built-in honeypot feature which can be enabled on the Form Settings page of each form. When enabled, the form will include a field which is hidden from visitors but is visible to bots. If this field contains a value when the form is submitted, the submission will be ignored: the entry is not saved, and notifications and add-ons are not processed.
The gform_honeypot_labels_pre_render filter can be used to change the labels used by the honeypot field.
If HTML5 is enabled on the Forms > Settings page the autocomplete='off' attribute will be added to the input, which should help prevent the input being filled by browsers.
Captcha
Our reCAPTCHA Add-On adds Google reCAPTCHA v3 functionality into your toolbox. Refer to documentation here.
The built-in Captcha field is another method to reduce spam from bots, although it can introduce accessibility issues. This integrates Google's reCAPTCHA version 2.
Submit Button Conditional Logic
Add a single line text field to your form which asks a simple question. A real person should be able to answer the question correctly whereas most bots won't.
Here are some examples:
A panda is black and _____
4 + 7 = _____
What goes up, must come _____
A cow has how many legs? _____
On the Form Settings page of the form you would enable button conditional logic based on this question field. If the submitter doesn't input the correct answer the form can't submit.
Multi-Page Forms
If you will be accepting payments using a card or payment add-on field, position it on the last page of the form. Enabling the required setting on a number of fields located on earlier pages can help ensure the card/payment add-on field is only used by those who have successfully completed the earlier pages in the form, reducing the chances of your form being used for fraudulent carding activity.
Block Search Indexing
Preventing search engines from indexing the page containing the form can help prevent your form being targeted by bots and spammers.
Google recommends using the noindex directive, but if the page is already indexed you'll also need to remove it via webmaster tools.
Plugins
Gravity Forms includes built-in support for the Akismet Anti-Spam plugin by Automattic. We also have an Akismet Add-On which enhances the integration with form level settings to help improve the quality of the data sent to Akismet for evaluation.
The following add-ons are from certified developers:
Gravity Perks Blocklist by Gravity Wiz can be used to validate submissions against the WordPress Disallowed Comment Keys. Disallowed Comment Keys was previously known as Comment Blocklist (WordPress 5.4) and Comment Blacklist (WordPress 5.3 and earlier).
Gravity Perks Limit Submissions by Gravity Wiz can be used to limit the number of entries that can be submitted by almost anything (user, role, IP, URL, field value) for almost any time period.
Gravity Forms Zero Spam by GravityView uses JavaScript to append a custom input to the form; if the input is not found in the submission or value does not match the expected value the submission is marked as spam.
The following third-party plugins also offer integrations with Gravity Forms. Any listing here is not a recommendation or endorsement of fitness for any purpose.
Field Validation
BSK Forms Blacklist by BannerSky.com
Gravity Forms Block Email Domains by Road Warrior Creative
Gravity Forms Email Blacklist by hallme
G-Forms hCaptcha by Web & App Easy B.V is an alternative to reCaptcha.
Byteplant Email Validator by byteplant.com enhances validation of Email type fields.
Byteplant Phone Validator by byteplant.com enhances validation of Phone type fields.
Dilli Email Validator by Dilli Labs LLC enhances validation of Email type fields.
Spam Blockers
Toolbelt by Ben Gillbanks
Anti-Spam by CleanTalk
Cerber Security, Antispam & Malware Scan
WPBruiser + Gravity Forms Extension
Human Presence by Human Presence Technology
Block by IP
Block IPs for Gravity Forms by Team Bright Vessel
Cloudflare
Cloudflare offers a number of services which can protect your site (and forms) such as IP Access Rules that would allow you to even block entire countries easily, DDoS Protection, WAF, Bot Management, Rate Limiting, SSL/TLS, and DNSSEC to name just a few.
Code Snippets
Code snippets can be used in the theme functions.php file or custom functionality plugins.
Field Validation
The gform_field_validation and/or gform_validation filters can be used to perform custom validation of field values.
Integrate with QuickEmailVerification API
Spam Filter
The gform_entry_is_spam filter can be used to mark submissions as spam.
Integrate with OOPSpam Anti-Spam
Integrate with the Plino spam filtering service
Integrate with the ZeroBounce Email Validation API
Check field values for URLs
Rate limit submissions based on the IP address
Check that first and last name inputs contain different values
Use ipapi.co to check country code for IP address
Gravity Forms and Disallowed Keys by Ipstenu (Mika Epstein)
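As an added illustration of the gform_entry_is_spam filter (written for this page, not one of the Gravity Forms snippets listed above), the following combines two of the checks named in the list: URLs in text fields and a per-IP rate limit. The example_ function name, the field types checked, the limit of 3 and the 10-minute window are assumptions to adjust per form.

```php
<?php
// Added example: the example_* names and thresholds are hypothetical.
add_filter( 'gform_entry_is_spam', 'example_spam_checks', 10, 3 );

function example_spam_checks( $is_spam, $form, $entry ) {
	// Keep a verdict already reached by Akismet or another filter.
	if ( $is_spam ) {
		return true;
	}

	// Check 1: URLs in free-text fields that have no reason to contain one.
	foreach ( $form['fields'] as $field ) {
		if ( ! in_array( $field->type, array( 'text', 'textarea', 'name' ), true ) ) {
			continue;
		}
		// Multi-input fields (e.g. name) store values under keys such as "1.3".
		$input_ids = is_array( $field->inputs )
			? wp_list_pluck( $field->inputs, 'id' )
			: array( $field->id );
		foreach ( $input_ids as $input_id ) {
			$value = (string) rgar( $entry, (string) $input_id );
			if ( preg_match( '~(https?://|www\.)~i', $value ) ) {
				return true;
			}
		}
	}

	// Check 2: rate limit per IP and form, counted in a transient.
	$ip = rgar( $entry, 'ip' );
	if ( empty( $ip ) ) {
		return false; // no address recorded, nothing to count against
	}
	$limit  = 3;                      // assumed: submissions allowed per window
	$window = 10 * MINUTE_IN_SECONDS; // assumed: window length
	$key    = 'example_gf_rate_' . md5( $form['id'] . '|' . $ip );
	$count  = (int) get_transient( $key );

	if ( $count >= $limit ) {
		return true; // over the limit: mark as spam, do not extend the window
	}
	// Each accepted submission restarts the window (sliding expiry).
	set_transient( $key, $count + 1, $window );

	return false;
}
```

If the site sits behind a reverse proxy or CDN, the IP stored with the entry may be the proxy's address unless the visitor IP is restored at the server, in which case a per-IP limit would throttle all visitors together.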