Backend Validation?
Design Shopp created the topic: Backend Validation?
Hello!
I have a client that is using your Form Maker for a newsletter signup. We currently have a Google reCAPTCHA installed via the plugin; however, we are seeing spam coming through.
We've done a test, and if we disable JavaScript, we are able to submit the form and bypass the Google reCAPTCHA. Do you have any solution for this?
Normally, if we were to build a PHP form we would use server-side validation as well and utilize a "honey pot" to hopefully stop bots.
Secondly, I see that we can block IPs, which will certainly help. Unfortunately, the attacker we are worried about at the moment has the last section of their IP changing, and therefore we cannot block them unless we can block a partial IP? (i.e. 188.143.232.40, where the bold section changes each entry.)
Thanks for your help!
7 years 9 months ago
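Blocking a partial IP, as asked in the post above, amounts to matching the client address against a CIDR range. The following is an added example, not part of the original post and not Form Maker code; the /24 range is an assumption derived from the poster's statement that only the last section changes, the function names are hypothetical, and a 64-bit PHP build is assumed.

```php
<?php
// Added example (not Form Maker code): IPv4 CIDR blocklist check.

/**
 * Return true when $ip lies inside $cidr, e.g. "188.143.232.0/24".
 * IPv4 only; malformed input is treated as "no match".
 */
function ip_in_cidr(string $ip, string $cidr): bool
{
    $parts = explode('/', $cidr, 2);
    if (count($parts) !== 2 || preg_match('/^[0-9]{1,2}$/', $parts[1]) !== 1) {
        return false;
    }
    $bits = (int) $parts[1];
    $addr = ip2long($ip);
    $net  = ip2long($parts[0]);
    if ($addr === false || $net === false || $bits > 32) {
        return false;
    }
    // Build the netmask; a /0 prefix matches every address.
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($addr & $mask) === ($net & $mask);
}

/** Return true when $ip matches any range in $blocklist. */
function is_blocked(string $ip, array $blocklist): bool
{
    foreach ($blocklist as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Range assumed from the address quoted in the post; other addresses are constructed.
$blocklist = ['188.143.232.0/24'];
foreach (['188.143.232.40', '188.143.232.201', '188.143.233.40', 'not-an-ip'] as $ip) {
    echo $ip, ' => ', is_blocked($ip, $blocklist) ? 'blocked' : 'allowed', PHP_EOL;
}
```

In a real handler the address to test would come from the web server (for example `$_SERVER['REMOTE_ADDR']`), not from a client-supplied header.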
Agapi G. replied the topic: Backend Validation?
Dear user,
Thank you for keeping us informed about this issue!
Are you mentioning, that you have disabled the browser Javascript? Actually spambots cannot run when browser JS is disabled, because they also run with Javascript.
But here's what we can do for you to overcome this issue. We can add a hidden field and write a few lines of code, which checks that this field is empty.
See, humans don't see the hidden field, so it must be empty, if the user is not a robot. But spambots ignore this fact and fill in content in the input.
Please contact us at [email protected], mentioning the link to your forum topic, in case you want us to make this implementation. Make sure to include the URL to this forum topic in your e-mail.
Thanks in advance!
Kind regards,
Agapi G.
Web-Dorado team
7 years 9 months ago
Agapi G. replied the topic: Backend Validation?
Dear Robin,
I am happy to inform you that our developers have provided the necessary code for fixing this problem. Here's what you need to do. Please open the FMModelForm_maker.php file from the /form-maker/frontend/models/ directory of your website and search for the save_db keyword.
You will find two results, one of them is a public function. Please add the following if statement after one of those already present in this function:
// Honeypot check: stop processing when the hidden field was filled in.
if (isset($_POST['hidden_id']) && $_POST['hidden_id'] != '') {
    return;
}
where hidden_id is the exact ID of your hidden field, for example, wdform_2_element1. You can get the ID of the field using the element inspector of your browser developer tools.
Thank you!
Kind regards,
Agapi G.
Web-Dorado team
7 years 9 months ago
Raphael Landau replied the topic: Backend Validation?
Hi, can we please revive this topic, as I don't see a clear solution here.
It seems like the plugin is lacking some basic backend validation. (It's easy to bypass the client side validation, if a human or bot wants to.) Simply by deactivating Javascript.
Due to the nature of spam and sophisticated bots it seems to me like server side validation is a basic requirement, and it shouldn't be too hard to implement.
I solved the problem temporarily by adding some custom logic to the savedata function in the following file: /form-maker/frontend/models/FMModelForm_maker.php
However, this was a pin point fix for my needs, and requires editing a plugin file, which should not be recommended if one wants to keep his plugin up to date.
Can you guys please implement a fix for this? It should lower spam significantly.
I would expect to have validation for email and the regex based fields (like phone numbers).
Again, I don't see why this would require much work from your developers, and it would be a great improvement for your plugin.
Thanks.
6 years 10 months ago
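A sketch of the server-side checks discussed in the two posts above (the empty-honeypot test and validation of e-mail and regex-based fields), given as an added example that is not Form Maker code and not from either poster. The field names `email`, `phone` and `website_hp`, the function names and the phone pattern are hypothetical, and the sample submissions are constructed.

```php
<?php
// Added example, not Form Maker code. Field and function names are hypothetical.

/** Return the trimmed string value of a field, or null for non-string input. */
function field(array $post, string $key): ?string
{
    $value = $post[$key] ?? '';
    return is_string($value) ? trim($value) : null; // arrays (name[]=x) are rejected
}

/** Validate a signup on the server; an empty result means "accept". */
function validate_signup(array $post): array
{
    // Honeypot: hidden from humans with CSS, so it must arrive empty.
    if (field($post, 'website_hp') !== '') {
        return ['honeypot filled'];
    }

    $errors = [];

    // Required e-mail field, checked regardless of what the browser did.
    $email = field($post, 'email');
    if ($email === null || $email === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid email';
    }

    // Optional phone field: re-apply the pattern on the server.
    $phone = field($post, 'phone');
    if ($phone === null || ($phone !== '' && preg_match('/^\+?[0-9][0-9 ().-]{6,19}$/D', $phone) !== 1)) {
        $errors[] = 'invalid phone';
    }

    return $errors;
}

// Constructed sample submissions.
$samples = [
    'human'           => ['email' => 'reader@example.com', 'phone' => '+1 555 010 0199', 'website_hp' => ''],
    'question marks'  => ['email' => '???', 'phone' => '???', 'website_hp' => ''],
    'honeypot filled' => ['email' => 'bot@example.com', 'phone' => '', 'website_hp' => 'http://spam.example'],
];
foreach ($samples as $label => $post) {
    $errors = validate_signup($post);
    echo $label, ': ', $errors ? implode(', ', $errors) : 'accepted', PHP_EOL;
}
```

Because the checks run on the posted data itself, they apply whether or not the browser executed any JavaScript.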
Agapi G. replied the topic: Backend Validation?
Hello Raphael!
Thank you so much for your notes and suggestions for Form Maker field validation!
Please note, that if Javascript is disabled on the page, spambots cannot run since they also use Javascript. But if you wish to have custom Javascript validation, as you edited in Form Maker files, you can add it to Form Options > Custom Javascript option.
Also, you can use Regular Expressions on Simple Text fields. Enable Validation (Regular Exp.) option on your fields and provide the RegEx pattern. There are also some built-in patterns in Common Regular Expressions, that are ready to use.
Thanks! Have a great day!
Kind regards,
Agapi G.
Web-Dorado team
6 years 10 months ago
Raphael Landau replied the topic: Backend Validation?
Hi,
Not all bots need javascript to work. Some of them can even manipulate ("disable" or "bypass") existing javascript. That's why JS should not be the only level of validation.
I have been receiving plenty of spam that should have been blocked. The bot found a way to bypass the js validation. And it happened quite fast. Less than 24 hours after I started using the plugin.
For example, all the spam came in with question marks "???" instead of a valid email address or phone number.
Is there an issue with adding some server side logic?
6 years 10 months ago
Agapi G. replied the topic: Backend Validation?
Hi Raphael!
Could we please take a look at the spam emails from the admin dashboard of your website? Our developers will figure out a solution, and perhaps also add an extra validation with PHP to further updates of Form Maker.
Please send us temporary WordPress administrator access credentials using this contact form. Also make sure to indicate the link to this forum thread in your message. We'll check the issue as soon as possible.
Thanks! Have a wonderful day!
Kind regards,
Agapi G.
Web-Dorado team
6 years 10 months ago
Raphael Landau replied the topic: Backend Validation?
Okay, I've sent additional information. I hope you guys consider adding some PHP validations.
Thanks
6 years 10 months ago
Agapi G. replied the topic: Backend Validation?
Thanks a lot, Raphael!
We received your support ticket, I will take a look at the problem soon.
I'll keep you posted with the progress.
Thank you! Have a good day!
Kind regards,
Agapi G.
Web-Dorado team
6 years 10 months ago
Agapi G. replied the topic: Backend Validation?
Hi Raphael!
Please be informed that I discussed the possibility of adding server-side validation to Form Maker with our development team. They confirm that this can be done, so we added a task to the development tasklist. Hopefully they will make these changes soon.
The PHP validation will check whether the required fields are filled, and additionally it will scan the content of the email with submissions.
Thanks again for your suggestion! Is there anything else I can assist you with?
Have a wonderful day!
Kind regards,
Agapi G.
Web-Dorado team
6 years 10 months ago
Raphael Landau replied the topic: Backend Validation?
Perfect, thank you Agapi!
I'll be looking forward to this addition. It should significantly improve the plugin's spam control.
6 years 10 months ago
Agapi G. replied the topic: Backend Validation?
You are most welcome, Raphael!
Hopefully the release with these changes will be out soon. We really appreciate your thoughts and comments regarding the improvement of Form Maker plugin!
Have a good day!
Kind regards,
Agapi G.
Web-Dorado team
6 years 10 months ago