WordPress site getting SPAMMED, not sure how to stop it.

curiouswebster used Ask the Experts™
WordPress site getting SPAMMED, not sure how to stop it.

My website, FortressHarvard.com

has a Download button, and when you fill your Name and Email, then click the button, you get an email with the URL to my book's Preface and Chapter 1. Also, I get an email to my "info@" email's inbox with the name and email of the person requesting the downloading.

I am getting spammed there, by some sort of robot, and do not know how to stop it.

This started yesterday morning, and continued every few minutes, non-stop. I even added a CAPTA requirements this morning, but that had no impact.

How do I stop this SPAM?

Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
David FavorFractional CTO
Distinguished Expert 2018

Clarification request.

Let me know if it's correct that a Bot is injecting different email addresses into your form + then submitting the form.

I think this is what you're saying.

Also, provide a clickable link to the page in question.
Dr. KlahnPrincipal Software Engineer

Adding a CAPTCHA seems like a good idea but in fact it doesn't do much to stop bot spam.  Mechanical Turk, as an example, has thousands of people who will do CAPTCHAs for a fraction of a penny each.

If your market is only within your country (or English-speaking countries) then add geoIP filtering to restrict connections to those countries you are interested in targeting.  My experience is that shutting off the ex-Soviet bloc, most of the Far East, all of Africa and South America will reduce these issues by over 90%.

If you are using Apache as the web server then add one or more of the security modules such as mod_honeypot, mod_spamhaus and mod_torcheck.  If you're using some other web server then find and install the Project Honeypot and Spamhaus plugins, and look for one that denies Tor access.
curiouswebsterSoftware Engineer


Yes, a Bot is injecting an Email address, without the Name field.

My domain is FortressHarvard.com but the URL does not change when you click the Download button (lower right) to display the landing page, which no longer pops up on arrival at the site.

Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

David FavorFractional CTO
Distinguished Expert 2018

Howdy Robert!

Simple solution, is force a name to be input.

Also, seems like you're saying the download link works with CAPTCHA code removed + fails to work with CAPTCHA code installed. If this is true, then likely there's something a bit off in how your CAPTCHA code was injected into your form.

Looks like you're running the Pirate Forms plugin. Check their docs for how to integrate CAPTCHA code + if you have any challenges, open a support ticket with them, as they'll likely know a fix.
curiouswebsterSoftware Engineer


Is it possible that a Bot no longer needs to access my site? I guess I need to check into Google Analytics to see if there is traffic that roughly equals the amount of SPAM.

Thanks for the tip on CAPTCHA.
Most Valuable Expert 2017
Distinguished Expert 2018
Is it possible that a Bot no longer needs to access my site?
What do you mean by this?

A bot only needs to know where your form is sent and what parameters the form is expecting - it does not actually need to access the page that has the form.

In terms of a captcha on the page - this only works if you are verifying the captcha result in the form processing code. Displaying the Captcha is one part - but it only works if it is integrated into the backend form processor.

I just did a test. I created a form like so
<form method="post" action="https://fortressharvard.com/">
	<input type="hidden" name="add-to-cart" value="584">
	<input type="text" placeholder="Name" name="name1" id="name1" required="">
	<input type="email" placeholder="Email" name="email1" id="email1" required="">
	<input type="submit" name="submit-pop1" value="Download Preface &amp; Chapter 1" class="btn" id="submit-pop1"> 

Open in new window

Browsed to it - filled in my details and submitted - just got the link.

So this tells us while your CAPTCHA looks very nice it is not really doing anything as it is not wired up to your form processor.

How have you attempted to implement it?

I'm using recaptcha from long time with the maximum strength and we have spamming even if the there was server side validation.
There is a new recaptcha version that may worth the try.

If there is a value that they always post like a name or url you can check for that when validating the form, for example in our case the bot put always the same name in required field so I added a server side validation to not allow this name..

When we installed a SSL license it drop a lot, but we still have a few.

Some spammer are human not bot so there is not much we can do about that.
curiouswebsterSoftware Engineer



Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial