
WordPress fix Reply To: Contact Form Spam

Discussion in 'Misc WordPress Requests' started by bcworkz, Dec 28, 2017.



    Reply To: Contact Form Spam, by bcworkz

    Do not place form confirmations on the same page

    Sure, that’ll make it easier for non-coders to kill the form handling scripts by simply deleting the page, but it does require user intervention to suppress “direct posting” of spam. There are some valid reasons to handle confirmations on the same form page. This does not need to be a problem because all forms should incorporate a nonce scheme to prove the POSTed data comes from a legitimately served form and not from some spammer script.

    With a nonce scheme, users do not need to manage the disabling of the form handling script; the script provides its own security, making disabling unnecessary. Do make note though that the nonce scheme implemented by WP is not a true nonce scheme. WP “nonces” can be used any number of times within 24 hours, giving spammers a sizable time frame in which to work. A true nonce that can only be used once is highly desirable to automatically prevent direct post spam.

    The OP might be looking for a better form building plugin. I’m unable to recommend any form building plugin that uses true nonces, but it would be a feature to look for. Even utilizing the WP nonce scheme would be much better than nothing. I would walk away from any form plugin that does not utilize some sort of nonce scheme. Forms typically manage nonce values in a hidden field, so checking the form’s source HTML will generally demonstrate that a nonce is being used.

    Also realize that nonces alone will not prevent spam, they merely guarantee that a form from your server submitted the data. Spammers can still spam by using your form (assuming it still exists). Removing forms that use true nonces will definitely stop spam even when the handling script remains.

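The layering the post describes, as an added example that is not part of the original post or of any particular form plugin: a contact form that carries the standard WP nonce (reusable for the life of its tick window; with the default `nonce_life` of a day, a WP nonce validates for between 12 and 24 hours) plus a true single-use token that is stored server-side as a transient and deleted on first successful use, so a spammer who captured one served form cannot replay it. The `sx_` function names, the field names and the 15 minute token lifetime are assumptions made for this example.

```php
<?php
/**
 * Added example, not code from the original post or from any form plugin.
 * Pairs the built-in WP nonce with a true single-use token.
 * The sx_* names, field names and lifetimes are assumptions for this example.
 */

// Render the form. Each render mints a fresh random token, stores a hash of it
// server-side as a short-lived transient, and embeds the token in a hidden
// field next to the regular WP nonce.
function sx_render_contact_form() {
    $token = wp_generate_password( 32, false ); // 32 alphanumeric chars, no symbols
    // Store only a hash: a read of the options table cannot be replayed as a token.
    set_transient( 'sx_form_token_' . hash( 'sha256', $token ), 1, 15 * MINUTE_IN_SECONDS );
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'sx_contact_submit', 'sx_wp_nonce' ); ?>
        <input type="hidden" name="sx_once" value="<?php echo esc_attr( $token ); ?>">
        <label>Email <input type="email" name="sx_email" required></label>
        <label>Message <textarea name="sx_message" required></textarea></label>
        <button type="submit" name="sx_submit" value="1">Send</button>
    </form>
    <?php
}

// Consume a single-use token. Returns true exactly once per issued token:
// the transient is deleted on the first successful check, so a replayed or
// directly posted copy of the same form fails.
function sx_consume_once_token( $token ) {
    if ( ! is_string( $token ) || 32 !== strlen( $token ) ) {
        return false;
    }
    $key = 'sx_form_token_' . hash( 'sha256', $token );
    if ( false === get_transient( $key ) ) {
        return false; // never issued, already used, or expired
    }
    delete_transient( $key );
    return true;
}

// Handle the submission on the same page the form was served from.
function sx_handle_contact_submit() {
    if ( empty( $_POST['sx_submit'] ) ) {
        return;
    }
    // Layer 1: the WP nonce proves the POST matches a form this site served for
    // this visitor, but it stays valid for the whole tick window, so it does not
    // stop replay on its own.
    if ( ! isset( $_POST['sx_wp_nonce'] ) || ! wp_verify_nonce( $_POST['sx_wp_nonce'], 'sx_contact_submit' ) ) {
        wp_die( 'Invalid form token.', '', array( 'response' => 403 ) );
    }
    // Layer 2: the single-use token rejects direct and replayed posts.
    if ( ! isset( $_POST['sx_once'] ) || ! sx_consume_once_token( wp_unslash( $_POST['sx_once'] ) ) ) {
        wp_die( 'This form has already been submitted or has expired.', '', array( 'response' => 403 ) );
    }
    $email   = sanitize_email( wp_unslash( $_POST['sx_email'] ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['sx_message'] ) );
    if ( ! is_email( $email ) || '' === $message ) {
        wp_die( 'Please supply a valid email address and a message.', '', array( 'response' => 400 ) );
    }
    wp_mail( get_option( 'admin_email' ), 'Contact form message', $message, array( 'Reply-To: ' . $email ) );
    // Render the confirmation on this same page; the token is already spent.
    add_filter( 'the_content', function ( $content ) {
        return '<p>Thanks, your message was sent.</p>' . $content;
    } );
}
add_action( 'template_redirect', 'sx_handle_contact_submit' );
```

Two caveats a practitioner would check before shipping this: a full-page cache will serve the same hidden token to every visitor, so the one-time check only works for uncached renders (or a token fetched by a separate uncached request), and `get_transient` followed by `delete_transient` is not atomic, so two submissions racing within milliseconds could both pass; an object cache with an atomic decrement, or a database row deleted with a conditional `DELETE`, closes that gap. The single-use token also does nothing against a bot that fetches the form fresh before each post, which is the point the post makes about nonces not stopping spam on their own.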
