Configuring exceptions for the anti-spam engine

Usually, you need to configure anti-spam exceptions if you use a technology that communicates with your website by submitting forms or sending POST requests programmatically. In such cases, WP Cerber can block legitimate requests because it can recognize them as generated by bots. This leads to false positives, which you can see on the Activity tab. Such log entries are marked as Spam form submission denied.

How to exclude specific requests from inspection

All anti-spam exceptions are configured on the Anti-spam admin page.

To exclude a specific request (form submission) from inspection by the anti-spam engine, you need to specify a request path and, optionally, a query string (request parameters) in the Query whitelist setting field.

If a request URI starts with or equals any of the specified strings, it will no be inspected and blocked.

To create complex rules, you can use REGEX expressions. Please see further details below.

Some examples

Exception #1 Permits any requests with the Request URI that starts with the specified string e.g. /ps/wc-ajax=whatever_till_the_end

Exception #2 Permits any requests if the Request URI matches the specified REGEX pattern e.g. /file-upload.php?user_id=23432

Anti-spam for WordPress – configuring exceptions

How to identify the Request URI

Go to the Live Traffic admin page. Find a legitimate request you need to whitelist and take its Request URI from the Request column. If your Request URI contains dynamic GET parameters like on the screenshot below, you may need to use a REGEX expression.

Request URIs on the Live Traffic page in the WordPress dashboard

Request URI on the Live Traffic page in the WordPress dashboard

Regular expressions

Query whitelist supports regular expressions, one pattern per line. To be excluded from inspection, the Request URI must match the whole REGEX pattern.

To specify a REGEX pattern, enclose a whole line in two { } braces. For instance, to exclude requests to a file-upload.php script with a numerical GET parameter user_id containing any number, specify this string:

{\/file-upload\.php\?user_id=\d+$}

Note: to specify the slash / character in a REGEX expression, you need to escape it with backslash \ this way: \/

WordPress anti-spam settings

How to disable anti-spam on a selected page

To avoid conflicts with third-party forms loaded from an external source and processed on a third-party website, you can configure exceptions for WP Cerber’s anti-spam by disabling its code on selected pages of your website. The list of pages is specified with a PHP constant CERBER_DISABLE_SPAM_FILTER. This constant should be defined in the wp-config.php file. Use a comma-separated string with page (post) IDs. If the list is configured, you see the list of pages on the WP Cerber anti-spam settings admin page. Here is an example of the list definition.

define( 'CERBER_DISABLE_SPAM_FILTER', '3, 45');

You need to use this feature if you have HubSpot forms on your website.

Have any questions?

If you have a question regarding WordPress security or WP Cerber, leave them in the comments section below or get them answered on the community forum.