Help
Posted By Gregory

Configuring exceptions for the anti-spam engine


Usually, you need to configure anti-spam exceptions if you use a technology that communicates with your website by submitting forms or sending POST requests programmatically. In such cases, WP Cerber can block legitimate requests because it can recognize them as generated by bots. This leads to false positives, which you can see on the Activity tab. Such log entries are marked as Spam form submission denied.

How to exclude specific requests from inspection

All anti-spam exceptions are configured on the Anti-spam admin page.

To exclude a specific request (form submission) from inspection by the anti-spam engine, you need to specify a request path and, optionally, a query string (request parameters). Configure your exceptions in the Exclude these locations from scanning for spam setting field.

If the request URI starts with or equals any of the specified strings, it is not inspected by the anti-spam engine and so the request is not blocked.

To configure complex anti-spam exceptions, you can use REGEX expressions. Please see the details below.

Some examples

Exception #1 Permits any requests with the Request URI that starts with the specified string e.g. /ps/wc-ajax=whatever_till_the_end

Exception #2 Permits any requests if the Request URI matches the specified REGEX pattern e.g. /file-upload.php?user_id=23432

Anti-spam for WordPress exceptions

Anti-spam for WordPress – configuring exceptions

How to identify the Request URI

Go to the Live Traffic admin page. Find a legitimate request you need to whitelist and take its Request URI from the Request column. If your Request URI contains dynamic GET parameters like in the screenshot below, you may need to use a REGEX expression.

Request URIs on the Live Traffic page in the WordPress dashboard

Request URI on the Live Traffic page in the WordPress dashboard

Regular expressions

ou can specify a REGEX pattern in the Exclude these locations from scanning for spam setting field, one pattern per line. The entire Request URI is analyzed to match a REGEX pattern. You can view the full URI of a request on the Traffic Inspector log page.

To specify a REGEX pattern, enclose a whole line in two { } braces. For instance, to exclude requests to a file-upload.php script with a numerical GET parameter user_id containing any number, specify this string:

{\/file-upload\.php\?user_id=\d+$}

Note: to specify the slash / character in a REGEX expression, you need to escape it with backslash \ this way: \/

WordPress anti-spam settings

WordPress anti-spam settings

How to disable anti-spam on a selected page

To avoid conflicts with third-party forms loaded from an external source and processed on a third-party website, you can configure exceptions for WP Cerber’s anti-spam by disabling its code on selected pages of your website. The list of pages is specified with a PHP constant CERBER_DISABLE_SPAM_FILTER. This constant should be defined in the wp-config.php file. Use a comma-separated string with page (post) IDs. If the list is configured, you see the list of pages on the WP Cerber anti-spam settings admin page. Here is an example of the list definition.

define( 'CERBER_DISABLE_SPAM_FILTER', '3, 45');

You need to use this feature if you have HubSpot forms on your website.

See also: How to stop spam user registrations on your WordPress

Have any questions?

If you have a question regarding WordPress security or WP Cerber, leave them in the comments section below or get them answered on the community forum.

Spotted a bug or glitch?

We’d love to fix it! Share your bug discoveries with us here: Bug Report.


I'm a software engineer and team lead at Cerber Tech. I started coding in 1993 on IBM System/370 and today software engineering at Cerber Tech is how I make my living.

View Comments
There are currently no comments.