libreform / wp-libre-form

Easy native HTML5 forms for WordPress. Version 1.5 is unmaintained, but works without issue. 2.0 has been rewritten from the ground up, and can be found at https://github.com/libreform/libreform
https://wordpress.org/plugins/wp-libre-form
GNU General Public License v3.0

Add simple spam prevention #54

Closed timiwahalahti closed 5 years ago

timiwahalahti commented 7 years ago

IMO wplf should contain very basic spam prevention which is a built-in and hidden feature. One option to achieve this is to add a honeypot field, but is it an effective way anymore? Another option that came to my mind is to detect if Akismet is activated and use it.

I was also wondering if we should save, mark and delete spam after X days (for example, the same cycle as with comment spam) or not.

Opinions?

k1sul1 commented 7 years ago

Akismet has given me a lot of false positives from form submissions, one time effectively blocking form submissions entirely while using Gravity Forms, so I probably wouldn't go that way.

There's a working example of how to implement Google reCAPTCHA on the README, but that could be an optional feature in the core, similarly to Polylang support.

When invisible reCAPTCHA comes out I don't think spam from forms is going to be a problem, unless you have a problem with planting a script from Google to your site.

timiwahalahti commented 7 years ago

I agree that Akismet tends to give a lot of false positives and it's not a perfect solution.

But Google reCAPTCHA isn't always an option because, let's say for example, we don't want any reCAPTCHAs on our company contact form because the options aren't that pretty. That's why I was wondering about some default behind-the-scenes way. Maybe invisible reCAPTCHA is the way in the future.

I'm in favor of adding Google reCAPTCHA into core as an optional feature, after the invisible version comes out, and letting the user choose if form/forms should use it or regular reCAPTCHA.

anttiviljami commented 7 years ago

I would vouch for a simple <input type="text" name="message_" style="position:fixed;left:100%"> honeypot enabled by default, but obviously would need to be filterable.

aoloe commented 7 years ago

Personally, I would prefer a way to add spam prevention by hooking to external plugins...

anttiviljami commented 7 years ago

@aoloe example?

aoloe commented 7 years ago

I don't have an example.

but it might be possible to use hooks (like the wplf_validate_submission filter) for it...

anttiviljami commented 7 years ago

Ah, I see. I agree that it would be cool to have external spam filter plugins specifically for wplf. I don't however see it as a bad idea to include a simple honeypot to get rid of that pesky 90% of all spam.
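One way to combine the two ideas in this thread, a default-on honeypot checked through the wplf_validate_submission filter, added here as an example and not code from wp-libre-form or from any commenter. It assumes the form markup contains the `message_` input suggested above and that the filter passes an object with `ok` and `error` properties, as in the README's reCAPTCHA example; `example_wplf_honeypot_enabled` and the function name are hypothetical.

```php
<?php
// Added example, not code from wp-libre-form. Assumptions: the form contains
// the honeypot input from the thread (name="message_"), and the
// wplf_validate_submission filter passes an object with ->ok and ->error.

const EXAMPLE_HONEYPOT_FIELD = 'message_'; // field name from the thread

/**
 * Pure check, usable without WordPress.
 * $fields is the submitted data (normally $_POST).
 */
function example_wplf_honeypot_check( $return, array $fields ) {
	// Keep an earlier validation failure as-is.
	if ( empty( $return->ok ) ) {
		return $return;
	}
	// A browser always submits the hidden text input, empty. A missing
	// field means the request was not built from the rendered form.
	$missing = ! array_key_exists( EXAMPLE_HONEYPOT_FIELD, $fields );
	$filled  = ! $missing && ( ! is_string( $fields[ EXAMPLE_HONEYPOT_FIELD ] )
		|| trim( $fields[ EXAMPLE_HONEYPOT_FIELD ] ) !== '' );

	if ( $missing || $filled ) {
		$return->ok    = 0;
		// Generic message: do not tell the sender which check failed.
		$return->error = 'Submission rejected.';
	}
	return $return;
}

// Inside WordPress: on by default, but filterable (hypothetical filter name).
if ( function_exists( 'add_filter' ) ) {
	add_filter( 'wplf_validate_submission', function ( $return ) {
		if ( ! apply_filters( 'example_wplf_honeypot_enabled', true ) ) {
			return $return;
		}
		return example_wplf_honeypot_check( $return, $_POST );
	} );
} else {
	// Stand-alone run with constructed submissions.
	$cases = array(
		'human'  => array( 'email' => 'a@example.com', 'message_' => '' ),
		'bot'    => array( 'email' => 'b@example.com', 'message_' => 'buy now' ),
		'direct' => array( 'email' => 'c@example.com' ),
	);
	foreach ( $cases as $name => $fields ) {
		$r = example_wplf_honeypot_check( (object) array( 'ok' => 1 ), $fields );
		printf( "%-6s ok=%d\n", $name, $r->ok );
	}
}
```

Giving the honeypot input `tabindex="-1"`, `autocomplete="off"` and `aria-hidden="true"` keeps keyboard users, screen readers and browser autofill from filling it and being rejected as spam.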

timiwahalahti commented 6 years ago

@k1sul1 should we also include this feature in 1.5? I can make a PR this week.

k1sul1 commented 6 years ago

I don't see a reason why not to.

Or I do: 1.5 is going to raise the bar so high that I don't think that we'll be able to top that in a while.

Many fixes. Such features. Wow.

luizbills commented 5 years ago

My suggestions:

timiwahalahti commented 5 years ago

Made a PR #157 about this, let's continue the discussion there.