Introduction
Publicly accessible forms are vulnerable to spam, and combating it is difficult due to the ever-evolving tactics of spammers and bots. However, there are various solutions available to minimize the submission of spam or to mark entries as spam. It’s important to note that no single method can catch 100% of spam, and as a result, there are numerous anti-spam techniques and services. For optimal results, it’s recommended to use multiple solutions simultaneously.
See also: Moderating Entries
First Steps
Form Status
If a form is no longer needed or not currently in use, switch its Status toggle on the Forms List page to “Inactive”, or move it to the “Trash”. Inactive and trashed forms will not accept or process submissions.
Honeypot
Gravity Forms includes a built-in honeypot feature available in the Spam Detection section of each form’s Form Settings.
When enabled, the honeypot detects spam using multiple techniques:
- A hidden honeypot field. The submission is spam if the field contains a value.
- A JavaScript-inserted site-specific version hash (since version 2.7). The submission is spam if the value is missing or fails validation.
- An optional Submission Speed Check (since version 2.9.21) that measures the time between page load and user actions such as clicking submit, next, or previous. The submission is considered spam if the timing data is missing, invalid, or below the configured threshold.
Depending on your form settings, detected spam will either be blocked (not saved, no entry is created) or saved as an entry marked as spam.
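The three checks listed above, as a standalone PHP illustration added here. It is not Gravity Forms' code: the input names, the HMAC-based hash and the client-reported millisecond timer are assumptions chosen for the example.

```php
<?php
// Added illustration, not Gravity Forms' code. Names below are hypothetical.
const HP_FIELD   = 'contact_website';   // hidden input a person never sees
const HASH_FIELD = 'form_version_hash'; // value the page's JavaScript inserts
const TIME_FIELD = 'elapsed_ms';        // assumed: ms from page load to submit

/** Site-specific hash the JavaScript would insert (assumed HMAC construction). */
function expected_hash(string $siteSecret, int $formId): string
{
    return hash_hmac('sha256', 'form:' . $formId, $siteSecret);
}

/** Returns the failed checks; an empty array means the submission is not flagged. */
function honeypot_reasons(array $post, string $siteSecret, int $formId, int $minMs): array
{
    $reasons = [];

    // 1. Hidden field: any value (or a non-string value) marks the submission.
    $hp = $post[HP_FIELD] ?? '';
    if (!is_string($hp) || trim($hp) !== '') {
        $reasons[] = 'honeypot field filled';
    }

    // 2. Version hash: missing or failing validation means the script never ran.
    $hash = $post[HASH_FIELD] ?? null;
    if (!is_string($hash) || !hash_equals(expected_hash($siteSecret, $formId), $hash)) {
        $reasons[] = 'version hash missing or invalid';
    }

    // 3. Speed check: timing must be present, a whole number, and meet the threshold.
    $elapsed = $post[TIME_FIELD] ?? null;
    if (!is_string($elapsed) || !ctype_digit($elapsed)) {
        $reasons[] = 'timing data missing or invalid';
    } elseif ((int) $elapsed < $minMs) {
        $reasons[] = 'submitted faster than threshold';
    }

    return $reasons;
}

// Constructed sample submissions (not real traffic); form id 7 and 2000 ms are arbitrary.
$secret = 'constructed-site-secret';
$human  = [HP_FIELD => '', HASH_FIELD => expected_hash($secret, 7), TIME_FIELD => '8400'];
$bot    = [HP_FIELD => 'http://example.test', TIME_FIELD => '120'];

foreach (['human-like' => $human, 'bot-like' => $bot] as $label => $post) {
    $reasons = honeypot_reasons($post, $secret, 7, 2000);
    echo $label, ': ', $reasons ? 'spam (' . implode('; ', $reasons) . ')' : 'ok', PHP_EOL;
}
```

Collecting every failed check rather than stopping at the first gives the kind of per-rule detail that makes a spam verdict easy to review afterwards.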
If logging is enabled, the result of the honeypot checks will be recorded in the Gravity Forms core log.
The gform_honeypot_labels_pre_render filter can be used to change the labels used by the honeypot field.
If you think a bot has discovered the name attribute of your form’s hidden honeypot field, the gform_honeypot_input_name filter can be used to customize it.
Form Design
Fields
Out of the box, Gravity Forms automatically blocks spam submissions that send random or unexpected values to supported form fields as part of its built-in form validation feature. Refer to the State Validation article for more details.
Selecting the correct field types for your expected data can improve the accuracy of submitted values and reduce automated (bot) submissions.
| Value Type | Recommended Field Types |
|---|---|
| Name | Name, Single Line Text |
| Email address | |
| Address | Address |
| Website / URL / Link | Website |
| Phone number | Phone |
| User-defined payment or donation amount | Product, Number |
| Numeric values | Number, Quantity |
| Dates | Date |
| Single-line text | Single Line Text |
| Multi-line text | Paragraph Text |
| Choice selections (single) | Multiple Choice, Radio Buttons, Drop Down, Product, Option, Quantity, Shipping, Consent |
| Choice selections (multiple) | Multiple Choice, Checkboxes, Option |
| Terms & conditions / privacy policy | Consent |
| File uploads | File Upload |
Multi-Page Forms
The Page field can be used to split a long form into multiple pages (a multipage or paginated form). While its main purpose is improving usability, it also has the benefit of making it harder for bots to submit spam.
Configuring Next Button Conditional Logic on Page fields can prevent some bots reaching later pages of the form. If the submission is forced while the button is hidden or disabled, the form will fail validation.
Payment Forms
If you will be accepting payments using a card or payment add-on field, make your form multi-page (see above), and position the card/payment field on the last page of the form.
Using conditional logic on next buttons and enabling the required setting on fields on earlier pages will limit the use of the card/payment field to those who have successfully completed the earlier pages, reducing the risk of fraudulent carding activity.
Submit Button Conditional Logic
Add a single-line text, number, or multiple choice field to your form which asks a simple question. A real person should be able to answer the question correctly, whereas most bots won’t.
Here are some examples:
- A panda is black and _____
- 4 + 7 = _____
- What goes up, must come _____
- A cow has how many legs? _____
- The sky is typically what colour? _____
- What sound does a cat make? _____
- What do you call water when it is frozen? _____
- What is 10 minus 4? _____
In the settings panel of the Submit Button field, in the Form Editor, you would enable button conditional logic based on this question field. If the submitter doesn’t input the correct answer, the form can’t submit. If the submission is forced while the button is hidden or disabled, the form will fail validation.
Restrictions
In the Form Settings area of the form, you’ll find settings for limiting the number of entries, scheduling the form, and restricting use to logged-in users.
What Happens When a Submission Is Marked as Spam
Submissions that pass validation but are flagged and saved as spam appear in the form’s Entries section under the spam filter.
Configured notifications and add-on feeds are not processed.
Instead of the configured confirmations, the submitter is shown the custom Spam Confirmation, if enabled, or otherwise the default text used by new forms. The displayed confirmation can be customized using the gform_confirmation filter.
When viewing an entry through the spam filter, a note will often indicate which system or rule flagged it as spam.
For more information, refer to Reviewing Spam Submissions.
Logging
When an entry is marked as spam, logging can help identify the cause. For details on enabling logging and interpreting the results, see Troubleshooting Entries Marked as Spam.