Security Blog

How to stop spam form submissions on your WordPress

Enable antispam protection for WordPress forms with Cerber antibot engine and deny form submissions from specific countries


Cerber Security can protect all contact forms on a website. The anti-spam engine is compatible with virtually any form. It has been tested with Caldera Forms, Gravity Forms, Contact Form 7, Ninja Forms, Formidable Forms, Fast Secure Contact Form, Contact Form by WPForms and WooCommerce forms. It’s a great alternative to reCAPTCHA.

To enable protection, go to the Antispam plugin admin page and check Protect all forms on the website with bot detection engine.

In most cases, the antispam protection works fine with the default settings. But as a professional solution, Cerber offers several options to fine-tune its anti-spam algorithm.

Block form submissions from specific countries

A set of GEO rules allows you to permit or block form submissions from a set of specific countries. If you want to be in touch with people in your country only, this is the right way. GEO rules are available in the Cerber Security Pro version. Note that this setting affects all forms on your website except the standard WordPress registration form. To create the list of countries:

  1. Go to the Security Rules admin page and click the Countries tab.
  2. Click Submit forms.
  3. Create a list of countries by clicking on the country name in the left window. Selected countries are listed in the right window. To remove a country from the list, click on the country name in the right window.
  4. Once you’ve created the list, set its type. If you want to block form submissions from the selected list of countries, click Selected countries are not permitted to Submit forms, other countries are permitted to. If you want to allow form submissions, click the second option Selected countries are permitted to Submit forms, other countries are not permitted to.
  5. Click the Save all rules button.
Restrict form submissions on WordPress with country GEO rules

Block form submissions from specific IP addresses or a network

To completely block form submissions from a given IP address, an IP network, or any combination of them, add them to the Black IP Access List. Keep in mind that entries in both IP access lists have the highest priority, which means they are processed before any other rules and settings. Learn more: Using IP Access Lists for protecting WordPress.

Exceptions for a set of IP addresses and IP networks

You can set up exceptions for a given IP address, an IP network, or any combination of them by adding all of them to the White IP Access List. Learn more: Using IP Access Lists for protecting WordPress.

Exceptions for specific HTTP requests

Usually, you need to specify such an exception if you use a plugin or some technology that communicates with your website by submitting forms or sending POST requests programmatically. In this case, Cerber can block these legitimate HTTP requests because it recognizes them as generated by bots. That may lead to multiple false positives which you can see on the Activity tab. These entries are marked as Spam form submission denied.

To exclude specific requests from inspection by Cerber, you need to specify a query string (a request URI) that is used for sending POST requests to your website. This string must not include the hostname or the site domain. The Cerber antispam engine looks for the specified string in the HTTP request URI, and if the request URI contains the specified string, the antispam engine doesn’t inspect the request.

To exclude specific requests from inspection, go to the Antispam admin page and enter some unique part of the request string (query path) into the Query whitelist setting. You need to use a part that uniquely identifies all requests you want to exclude.

Query whitelist supports regular expressions, one pattern per line. To specify a REGEX pattern, enclose the whole line in a pair of { } braces. For instance, to exclude requests to the file-upload.php script with a single numerical GET parameter user_id, add this string: {\/file-upload\.php\?user_id=\d+$}

Note: to specify the slash / character in a REGEX expression, you need to escape it with a backslash \ this way: \/
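
A way to check whitelist entries before saving them, as an added example that is not Cerber's code: it models the behaviour described above (a plain line matches when the request URI contains it, a line in { } is a regular expression searched in the request URI) and reports entries that would exempt more requests from inspection than intended. Case sensitivity and the plugin's exact matching internals are assumptions; the sample URIs and the loose entry are constructed.

```python
import re

def parse_whitelist(text):
    """Split the setting text into ('regex', compiled) / ('plain', str) entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if len(line) > 2 and line[0] == "{" and line[-1] == "}":
            entries.append(("regex", re.compile(line[1:-1])))
        else:
            entries.append(("plain", line))
    return entries

def is_excluded(request_uri, entries):
    """True if any entry matches, i.e. the request would skip inspection."""
    for kind, value in entries:
        if kind == "regex" and value.search(request_uri):
            return True
        if kind == "plain" and value in request_uri:
            return True
    return False

def audit(entries, must_skip, must_inspect):
    """List every URI whose outcome differs from what the admin intends."""
    problems = [("not excluded", u) for u in must_skip if not is_excluded(u, entries)]
    problems += [("over-broad", u) for u in must_inspect if is_excluded(u, entries)]
    return problems

# Constructed sample request URIs (no hostname, as the setting requires).
MUST_SKIP = ["/file-upload.php?user_id=42"]
MUST_INSPECT = [
    "/file-upload.php?user_id=42&redirect=1",   # extra parameter
    "/contact/?ref=file-upload.php",            # script name only inside a parameter
]

LOOSE = "file-upload.php"                          # plain substring entry (constructed)
STRICT = r"{\/file-upload\.php\?user_id=\d+$}"     # the pattern from the article

if __name__ == "__main__":
    for name, setting in (("loose", LOOSE), ("strict", STRICT)):
        print(name, audit(parse_whitelist(setting), MUST_SKIP, MUST_INSPECT))
```

The loose entry exempts both URIs that should still be inspected, while the anchored pattern exempts only the intended request.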

Disable antispam inspection for logged in users

If you trust logged-in users, you can disable antispam inspection for all of them. The users will be able to use any form including comments without antispam check.

Safe anti-spam mode

If you come across some incompatibility with another plugin or theme, you can enable a special mode that tells the plugin to use less restrictive policies when it detects spam. Safe mode makes it compatible with the rest of the plugins and themes. Use it with caution.

Is Cerber antispam engine compatible with reCAPTCHA?

Absolutely. The spam detection engine is compatible with any captchas including reCAPTCHA that you can activate in the plugin settings. Please note: activating reCAPTCHA for the login form doesn’t protect a website from hackers.

How does the antispam engine work?

The Cerber spam detection engine uses a combination of JavaScript, jQuery, and cookies to determine whether the request comes from a real browser and whether a real form has been submitted by clicking a submit button. Also, to make a decision, the plugin tracks all suspicious and malicious requests from an IP by using its Activity log.

How to stop spam user registrations on your WordPress?

Cerber Security has five antispam and antibot options which can be enabled simultaneously to stop the registration spam nightmare.

Follow this guide: How to stop spam user registrations on your WordPress.

Let’s sum up the capabilities of Cerber anti-spam engine

  • You can set up anti-spam protection for the WordPress registration form and comments, and for contact and WooCommerce forms
  • You can permit or deny form submissions from specific countries by configuring GEO rules *
  • You can set up exceptions for an IP address, a network or a specific request URI
  • If something goes wrong, you can enable safe anti-spam mode
  • You can enable reCAPTCHA and Cerber anti-spam protection at the same time
  • You can get notifications by email or mobile phone about spam activity
  • Performance of the anti-spam engine can be monitored on the Activity tab

I'm a team lead at Cerber Tech. I'm a software & database architect, WordPress - PHP - SQL - JavaScript developer. I started coding in 1993 on IBM System/370 (yeah, those were amazing days) and today software engineering at Cerber Tech is how I make my living. I've been taught to have high standards for myself as well as to use them in developing software solutions.
