Spam Protection for Contact Form 7 – WordPress Plugin
Adds a timestamp, honeypot with random location, token matching, bad/spam word filtering, email and domain blacklist and an image captcha to your Contact Form 7 forms by adding the shortcode
[easimagecaptcha] to the form editor where you want the captcha to appear. This plugin uses the Font Awesome fonts as SVGs to display the icons used in the captcha.
The plugin does not use session and/or cookies nor save any private data.
Simple to use settings page for each contact from
You can turn on/off features in each form.
Text and error messages are translatable
Texts and error messages can be translated into any language, so -in this was- they can be personalized.
Customizable icon and selection amount
You can customize the amount of icons to display and the icons to select.
Loads with Ajax so as not to be cached by caching plugins
You can load the whole Contact Form 7 with AJAX or only the image captcha and the timestamp.
If you load the whole Contact Form 7 with AJAX the spam-bots can not find any form to work with.
To activate this function please use the
[ contact-form-7-ajax id="YOUR-CF7-ID" title="YOUR-CF7-TITLE"] shortcode.
If you load the image captcha and the timestamp with AJAX your caching plugin will not cache those.
Honeypot with random location
Honeypot is a computer security mechanism. It is a decoy that looks and operates like a normal form field, to protect by attract and detect potential attackers. With honeypot the plugin can detect if they are being targeted by cyber threats.
Basically, it’s a extra form field to detect whether the form filled by a genuine person or a spam-bot. The field is an invisible fields on the form. Invisible is different than hidden! Bots understand hidden fields and they will ignore it. The label is set to instruct the end user to absolutely nothing with the field and just leave it empty. The technique rely on the assumption, that an automated bot/script will complete every field in the form. However, some will get through, but not many.
The plugin also display the honeypot field in the form in a random location. Keep moving it around between the valid fields to prevent the spam-bot writer to detect the field easily.
The plugin also apply a timestamp as a hidden input on the form to ensure the minimum and maximum age of the “session”. On submission, the plugin will compare the submitted timestamp with the timestamp when the form was displayed. If it is more than 5 minutes or less than 3 seconds, then it is very likely an automated bot/script, because a bot ‘types’ much faster than a human.
The plugin will generate an anonymous “token” on each form request, this is essentially a unique secret code. This token will be encrypted with a random salt and also is going to be applied as a hidden input on the form when it is generated in the browser. After the submission of the form, first the token will be checked against the database and then stored for a months. What this does is ensure that, on every submission of the form, is your form and not some automated bot/script try to submission the from a different server. It also ensure that, every form used only one time. Spammer can download the form and submit it multiple times.
Bad/spam word filtering
Spam emails are different from email written by humans. Most of the time significantly different. Especially using words like “vicodin” or “viagra”. Those words are useful indicators for spam. The plugin will search this words in text and textarea fields. If any found, then it is very likely written by an automated bot/script.