Highfivery / zero-spam-for-wordpress

The WordPress Zero Spam plugin makes blocking spam a cinch without all the bloated options. Just install, activate, and say goodbye to spam.
https://wordpress.org/plugins/zero-spam/

WP Forms spam getting through [BUG] #245

Closed bmarshall511 closed 3 years ago

bmarshall511 commented 3 years ago

https://github.com/bmarshall511/wordpress-zero-spam/issues/241#issuecomment-788193932

bmarshall511 commented 3 years ago

@rosswintle Do you have Stop Forum Spam enabled?

rosswintle commented 3 years ago

No. Should I turn that on?

bmarshall511 commented 3 years ago

Yeah, give that a try. It performs more checks to determine if a submission is spam &, based on those email addresses, I feel pretty strongly they'll be marked as spam once enabled.

rosswintle commented 3 years ago

I'll give it a try. But that doesn't answer the question of what changed with the update that caused working spam protection to suddenly stop. Unless stop forum spam was somehow enabled before but not after the update?

bmarshall511 commented 3 years ago

v4 used both the honeypot method & an on-demand hidden field to determine spam. The on-demand method used JS that injected a hidden field when the form was submitted. v5 doesn't currently have the on-demand method due to issues people were having with valid submissions being marked as spam. Most of the time it was due to JS being turned off, a JS error on the site that was killing the functionality or custom forms that didn't use the same core ID needed to trigger the on-demand method.

With that being said, there are plans to reimplement this on-demand functionality, but in a more fool-proof way.

Let me know if enabling Stop Forum Spam helped.

rosswintle commented 3 years ago

This should really be made clear. I suspect that some spam bots are choosing not to fill in the honeypot as it's a hidden field that kinda looks like it might be a honeypot. You have good reason to do it, but you have removed a key spam protection method from the plugin and this is almost certainly why people are seeing increased amounts of spam.

I specifically installed Zero Spam because it implemented David Walsh's trick. This was the key selling point of your plugin.

Ideas:

If the main problem is the script not running then you need to be able to tell the difference between:

a) a submission that is real (not spam) but where the script failed
b) a submission that is spam but where the script worked

I believe that with your method, these both look the same because they don't have the extra field added.

So you need a way to detect if JS failed.

Could you hook into the form's output and add an extra field with some dummy value:

<input type="hidden" name="js-enabled" value="0">

and toggle that value to 1 when your JS runs.

Then in the form processing you check if that value is 1 and if it is then you look for the hidden field.

In case a) then you can detect that JS hasn't run and use a fallback method of spam detection. Or just allow it through. But maybe you can report to the user that JS isn't working and so ZeroSpam will not work.

In case b) you know that JS is enabled and you can look for the dynamically-added field.

This may be something like the "more fool-proof way" you are thinking of. But my immediate concern is that you may lose more users through the lack of the on-demand hidden field trick than you do from broken JS and people won't know to come back to Zero Spam once you add the method back in.

Hope this was helpful.
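
The following is an added example, not code from the Zero Spam plugin or from either commenter. It models, as plain functions, the two detection methods bmarshall511 describes for v4 (honeypot plus a JS-injected on-demand field) together with the `js-enabled` flag rosswintle proposes above, so that the server can tell case a) (JS never ran) from case b) (JS ran but the on-demand field is missing). The plugin itself would do this in PHP inside a WordPress form hook; here both the client step and the server decision are written in JavaScript so the exchange can be run end to end. The field names `zs_hp`, `zs_key`, the token value `a1b2c3`, and the function names are assumptions chosen for illustration; only `js-enabled` comes from the proposal.

```javascript
// Added example (not the Zero Spam plugin's own code). Field names other than
// "js-enabled" are assumptions chosen for illustration.
const HONEYPOT_FIELD = "zs_hp";        // assumed honeypot field name
const JS_FLAG_FIELD = "js-enabled";    // the flag field from the proposal
const ON_DEMAND_FIELD = "zs_key";      // assumed name of the JS-injected field
const ON_DEMAND_VALUE = "a1b2c3";      // assumed per-form token the server expects

// --- Client side ---
// The hidden fields as the server renders them into the form: honeypot empty,
// js-enabled preset to "0". A plain object stands in for the form's inputs.
function renderHiddenFields() {
  return { [HONEYPOT_FIELD]: "", [JS_FLAG_FIELD]: "0" };
}

// Simulates the browser submitting the form. `jsRuns` models whether the
// plugin's script executed: when it does, it flips js-enabled to "1" and
// injects the on-demand field at submit time (the David Walsh trick).
function clientSubmit(userFields, jsRuns) {
  const fields = { ...renderHiddenFields(), ...userFields };
  if (jsRuns) {
    fields[JS_FLAG_FIELD] = "1";
    fields[ON_DEMAND_FIELD] = ON_DEMAND_VALUE;
  }
  return fields;
}

// --- Server side (form-processing hook) ---
// Returns "spam", "ok", or "ok-no-js". The last bucket is case a): JS never
// ran, so the missing on-demand field is inconclusive and the proposal
// suggests a fallback check (or a warning to the site owner) instead of
// treating it as spam.
function classifySubmission(fields) {
  // Honeypot: a real browser leaves it empty; bots that fill every input trip it.
  if ((fields[HONEYPOT_FIELD] || "") !== "") return "spam";
  // Case a): js-enabled never flipped, so we cannot judge by the on-demand field.
  if (fields[JS_FLAG_FIELD] !== "1") return "ok-no-js";
  // Case b): JS ran, so a genuine submit must carry the injected field.
  if (fields[ON_DEMAND_FIELD] !== ON_DEMAND_VALUE) return "spam";
  return "ok";
}

// Constructed sample submissions (not captured traffic).
const human = clientSubmit({ name: "Ross" }, true);                // "ok"
const humanNoJs = clientSubmit({ name: "Ross" }, false);           // "ok-no-js"
const botRaw = { [HONEYPOT_FIELD]: "", [JS_FLAG_FIELD]: "0" };    // "ok-no-js"
const botFlag = { [HONEYPOT_FIELD]: "", [JS_FLAG_FIELD]: "1" };   // "spam"
```

Note where a bot that posts the rendered fields unchanged lands: it never flips `js-enabled`, so it falls into the same `ok-no-js` bucket as a real visitor with JS disabled. That is the case the proposal leaves to a fallback method, and it is why the flag alone cannot replace the on-demand field; it only keeps the on-demand check from rejecting real no-JS submissions.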

bmarshall511 commented 3 years ago

Understood, but v5 doesn't say it uses David Walsh's technique. You're right, prior versions did. And yes, reintegrating it is on the roadmap (https://github.com/bmarshall511/wordpress-zero-spam/issues/247). There are several methods to do this for a fool-proof solution, just haven't had time to add it yet.

Closing this for now. Will reopen if WP Forms spam is still getting through using the current detection methods.