How to stop spam form submissions on your WordPress
Enable spam protection for WordPress forms with Cerber anti-bot engine and block form submissions from specific countries
WP Cerber Security enables you to protect all contact forms on a website. The anti-spam engine is compatible with virtually any form. Tested with Caldera Forms, Gravity Forms, Contact Form 7, Ninja Forms, Formidable Forms, Fast Secure Contact Form, Contact Form by WPForms, and WooCommerce forms.
WP Cerber’s anti-spam engine is a great alternative to Google’s reCAPTCHA.
Enabling the anti-spam engine
To enable spam protection, go to the Anti-spam plugin admin page and enable Protect all forms on the website with bot detection engine.
In most cases, the anti-spam protection works fine with default settings. But as a professional solution, Cerber offers several options to fine-tune its anti-spam algorithms.
Block form submissions from specific countries
The professional version of WP Cerber enables you to configure a set of GEO rules that allow you to permit or block form submissions from a configurable list of countries. If you want to be in touch with people in several countries only, this is the right way. Get the professional version of WP Cerber here. Note that these settings affect all forms on your website except the standard WordPress registration form. To create the list of countries:
- Go to the Security Rules admin page and click the Countries tab.
- Click Submit forms.
- Create a list of countries by clicking on the country name in the left window. Selected countries are listed in the right window. To remove a country from the list, click on the country name in the right window.
- Once you’ve created the list, set its type. If you want to block form submissions from the selected list of countries, click Selected countries are not permitted to Submit forms, other countries are permitted to. If you want to allow form submissions, click the second option Selected countries are permitted to Submit forms, other countries are not permitted to.
- Click the Save all rules button.
Restrict form submissions on WordPress with country GEO rules
Block form submissions from specific IP addresses
To completely block form submissions from a given IP address or an IP network or any combination of them, add them to the Black IP Access List. Keep in mind that entries in both IP access lists have the highest priority which means they are processed before any other security rules and plugin settings. Know more: Using IP Access Lists for protecting WordPress.
Exceptions for a set of IP addresses and IP networks
You can set up exceptions for a given IP address or an IP network or any combination of them by adding them to the White IP Access List. Know more: Using IP Access Lists for protecting WordPress.
Exceptions for specific HTTP requests
Usually, you need to configure anti-spam exceptions if you use a technology that communicates with your website by submitting forms or sending POST requests programmatically. In such cases, Cerber’s anti-spam engine can block legitimate requests because it recognizes them as generated by bots. This leads to false positives, which you can see on the Activity tab. Such log entries are marked as Spam form submission denied.
Read more on how to configuring URL-based exceptions
Disable anti-spam inspection for logged in users
If you trust your logged-in users, you can disable the anti-spam inspection for all of them. The users will be able to submit any form, including comments, without an anti-spam check.
Safe anti-spam mode
If you come across some incompatibility with another plugin or theme, you can enable a special mode that tells the plugin to use less restrictive policies when it detects spam. The safe mode makes it compatible with the rest of the plugins and themes. Use it with caution.
Is Cerber anti-spam engine compatible with reCAPTCHA?
Absolutely. The spam detection engine is compatible with any captchas, including reCAPTCHA that you can activate in the plugin settings. Please note: activating reCAPTCHA for the login form doesn’t protect a website from hackers.
How does the anti-spam engine work?
The Cerber spam protection engine uses the combination of JavaScript, jQuery, and cookies to understand is it a real browser, and is it a real form that has been submitted by clicking a submit button by a human. Also, to make a decision, the plugin tracks all suspicious and malicious requests from an IP address by using its Activity log.
How to stop spam user registrations on your WordPress?
Cerber Security has five anti-spam and antibot options, which can be enabled simultaneously to stop the registration spam nightmare.
Follow this guide: How to stop spam user registrations on your WordPress.
Let’s sum up the capabilities of Cerber anti-spam engine
- You can set up anti-spam protection for WordPress registration form and comments, for contact and WooCommerce forms
- You can permit or deny form submissions from specific countries by configuring GEO rules *
- You can set up exceptions for IP address, network, or a specific request URI
- If something goes wrong, you can enable safe anti-spam mode
- You can enable reCAPTCHA and Cerber anti-spam protection at the same time
- You can get notifications on email or mobile phone about spam activity
- Performance of the anti-spam engine can be monitored on the Activity tab
Have any questions?
If you have a question regarding WordPress security or WP Cerber, leave them in the comments section below or get them answered on the community forum.
Spotted a bug or glitch?
We’d love to fix it! Share your bug discoveries with us here: Bug Report.
WP Cerber Security 8.6.3
What is RID and how to use it
I'm a software engineer and team lead at Cerber Tech. I started coding in 1993 on IBM System/370 and today software engineering at Cerber Tech is how I make my living.
Countries Security Rules …..number 4 seems ambiguous. “Once you’ve created the list, set its type. If you want to block form submissions from the selected list of countries, click Selected countries are permitted to Submit forms, other countries are not permitted to. If you want to allow form submissions, click the second option Selected countries are not permitted to Submit forms, other countries are permitted to.”
It seems logical to me that if the “selected countries” are permitted to submit forms the first option should be clicked or enabled. The first option reads: ” Selected countries are permitted to Submit forms, other countries are not permitted to”
I wish to allow only the US to submit and block all other countries. Which option is the correct selection?
Thanks for pointing out! In the paragraph, you’ve mentioned we mistakenly use the first choice instead of the correct, second one. We’ve corrected the mistake. So the right phrase is: “If you want to block form submissions from the selected list of countries, click Selected countries are not permitted to Submit forms, other countries are permitted to.”
I’ve installed WP Cerber on an existing site. An old administrator is blocked from logging in, with the message “spam detected” in a red pop-up box. He can login when I disable WP-Cerber, but I do not see any record of the login-attempt on the traffic logs. Any idea?
WP Cerber does not show “a message “spam detected” in a red pop-up box”. It looks like you have another anti-spam plugin on your website. Most likely, your issue is caused by a plugin conflict.