WordPress site getting SPAMMED, not sure how to stop it.

WordPress site getting SPAMMED, not sure how to stop it.

My website, FortressHarvard.com

has a Download button, and when you fill your Name and Email, then click the button, you get an email with the URL to my book's Preface and Chapter 1. Also, I get an email to my "info@" email's inbox with the name and email of the person requesting the downloading.

I am getting spammed there, by some sort of robot, and do not know how to stop it.

This started yesterday morning, and continued every few minutes, non-stop. I even added a CAPTA requirements this morning, but that had no impact.

How do I stop this SPAM?

curiouswebsterSoftware EngineerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David FavorLinux/LXD/WordPress/Hosting SavantCommented:
Clarification request.

Let me know if it's correct that a Bot is injecting different email addresses into your form + then submitting the form.

I think this is what you're saying.

Also, provide a clickable link to the page in question.
Dr. KlahnPrincipal Software EngineerCommented:
Adding a CAPTCHA seems like a good idea but in fact it doesn't do much to stop bot spam.  Mechanical Turk, as an example, has thousands of people who will do CAPTCHAs for a fraction of a penny each.

If your market is only within your country (or English-speaking countries) then add geoIP filtering to restrict connections to those countries you are interested in targeting.  My experience is that shutting off the ex-Soviet bloc, most of the Far East, all of Africa and South America will reduce these issues by over 90%.

If you are using Apache as the web server then add one or more of the security modules such as mod_honeypot, mod_spamhaus and mod_torcheck.  If you're using some other web server then find and install the Project Honeypot and Spamhaus plugins, and look for one that denies Tor access.
curiouswebsterSoftware EngineerAuthor Commented:
Yes, a Bot is injecting an Email address, without the Name field.

My domain is FortressHarvard.com but the URL does not change when you click the Download button (lower right) to display the landing page, which no longer pops up on arrival at the site.

Your Guide to Achieving IT Business Success

The IT Service Excellence Tool Kit has best practices to keep your clients happy and business booming. Inside, you’ll find everything you need to increase client satisfaction and retention, become more competitive, and increase your overall success.

David FavorLinux/LXD/WordPress/Hosting SavantCommented:
Howdy Robert!

Simple solution, is force a name to be input.

Also, seems like you're saying the download link works with CAPTCHA code removed + fails to work with CAPTCHA code installed. If this is true, then likely there's something a bit off in how your CAPTCHA code was injected into your form.

Looks like you're running the Pirate Forms plugin. Check their docs for how to integrate CAPTCHA code + if you have any challenges, open a support ticket with them, as they'll likely know a fix.
curiouswebsterSoftware EngineerAuthor Commented:
Is it possible that a Bot no longer needs to access my site? I guess I need to check into Google Analytics to see if there is traffic that roughly equals the amount of SPAM.

Thanks for the tip on CAPTCHA.
Julian HansenCommented:
Is it possible that a Bot no longer needs to access my site?
What do you mean by this?

A bot only needs to know where your form is sent and what parameters the form is expecting - it does not actually need to access the page that has the form.

In terms of a captcha on the page - this only works if you are verifying the captcha result in the form processing code. Displaying the Captcha is one part - but it only works if it is integrated into the backend form processor.

I just did a test. I created a form like so
<form method="post" action="https://fortressharvard.com/">
	<input type="hidden" name="add-to-cart" value="584">
	<input type="text" placeholder="Name" name="name1" id="name1" required="">
	<input type="email" placeholder="Email" name="email1" id="email1" required="">
	<input type="submit" name="submit-pop1" value="Download Preface &amp; Chapter 1" class="btn" id="submit-pop1"> 

Open in new window

Browsed to it - filled in my details and submitted - just got the link.

So this tells us while your CAPTCHA looks very nice it is not really doing anything as it is not wired up to your form processor.

How have you attempted to implement it?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial

I'm using recaptcha from long time with the maximum strength and we have spamming even if the there was server side validation.
There is a new recaptcha version that may worth the try.

If there is a value that they always post like a name or url you can check for that when validating the form, for example in our case the bot put always the same name in required field so I added a server side validation to not allow this name..

When we installed a SSL license it drop a lot, but we still have a few.

Some spammer are human not bot so there is not much we can do about that.
curiouswebsterSoftware EngineerAuthor Commented:
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Web Development

From novice to tech pro — start learning today.