A WordPress site with web-facing forms will be spammed. If there’s a form to be filled in, it will be filled in by spammers, even when there is no clear motivation for doing so. Spammers register for membership of any site they find, they fill in forms for gated content, they submit fake email addresses that clutter mailing lists, they take surveys, and they bombard comment forms with gibberish and SEO spam.
Spam is more than an annoyance: it skews the data web-based businesses have available to them, lands the site’s domain on email blacklists when it sends mail to people who didn’t sign up, presents a security risk, consumes hosting resources, and makes a mess. All of which takes time and money to deal with.
I’ve discussed spam registrations and random form-filling with many WordPress users, and a common question is: why do spammers do it? What benefit does the spammer get from signing up to a membership site or submitting fake addresses to a mailing list? It’s hard to work out from the site owner’s point of view because, often, there is no real benefit to the spammer at all.
WordPress spammers hope to find sites that let them send spam emails, submit spam comments, publish spam posts, or to join the site as a prelude to a deeper attack. All of this web form spamming is automated. Simple bots scour the web for forms to fill in. It’s not difficult to automate the filling in of web forms: the bots are unsophisticated and the spammers aren’t skilled developers. Because bandwidth is cheap, it’s easier to spam every form than it is to be selective. So, if a form has an email field, they’ll put an email in it, a name field gets a name, and so on.
In many cases, WordPress sites are spammed as a side effect. If the site is properly secured, the spammers don’t gain anything, but they don’t lose anything either, and in the morally challenged mind of the spammer, that means building more sophisticated bots isn’t worth the effort.
All of which is interesting, but it doesn’t help WordPress site owners handle spam. The only way to stop spam data reaching databases is to implement systems that can distinguish between authentic submissions and junk — preferably without asking users to jump through hoops to demonstrate their status as a human being.
The best way to filter out spam today is Google’s most recent iteration of reCaptcha: Invisible reCaptcha. Old versions of reCaptcha asked users to carry out vision-based tasks that were easy for humans and difficult for machines. This system annoyed users and is based on an outdated assumption: in 2017, sophisticated machine vision is accessible, accurate, and inexpensive. Invisible reCaptcha uses a mixture of on-page behavior and data analysis to automatically categorize visitors as bots or humans in a way that is largely transparent to users. Whichever plugin you use, the protection is only as good as its server-side check: a bot that posts directly to the form handler never runs the widget’s JavaScript, so the token it sends (or fails to send) has to be verified against Google’s siteverify endpoint before the submission is accepted, and a missing or unverified token must be treated as a failed check, not ignored. If you’re having WordPress spam problems, take a look at the Invisible reCaptcha for WordPress plugin.
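To make the server-side half concrete, here is an added example (not the plugin’s code and not Google’s) that protects the standard WordPress registration form with Invisible reCaptcha. The constant names (`EX_RECAPTCHA_SITE_KEY`, `EX_RECAPTCHA_SECRET_KEY`), the function and callback names, and the decision to fail closed when Google cannot be reached are all assumptions of this example; the hooks (`register_form`, `registration_errors`), the `g-recaptcha-response` field, and the `siteverify` request and response fields are the real WordPress and reCaptcha interfaces.

```php
<?php
/**
 * Added example: Invisible reCaptcha on the WordPress registration form.
 * Not the plugin's or Google's code. Assumes the two constants below are
 * defined (in wp-config.php, not in a theme) with keys from the reCaptcha
 * admin console. Drop the rest into a small mu-plugin.
 */

// Hypothetical constant names; the real keys come from Google's admin console.
defined( 'EX_RECAPTCHA_SITE_KEY' )   || define( 'EX_RECAPTCHA_SITE_KEY', 'your-site-key' );
defined( 'EX_RECAPTCHA_SECRET_KEY' ) || define( 'EX_RECAPTCHA_SECRET_KEY', 'your-secret-key' );

// 1. Client side: render the invisible widget inside the <form> (register_form
//    fires inside it) and run the challenge on the first submit. The widget
//    adds a hidden "g-recaptcha-response" field that is POSTed with the form.
add_action( 'register_form', function () {
    $site_key = esc_attr( EX_RECAPTCHA_SITE_KEY );
    echo <<<HTML
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
<div class="g-recaptcha" data-sitekey="{$site_key}" data-size="invisible" data-callback="exRecaptchaSubmit"></div>
<script>
// Intercept the first submit, run the invisible challenge, then resubmit with the token.
document.addEventListener('DOMContentLoaded', function () {
  var form = document.getElementById('registerform');
  if (!form) { return; }
  form.addEventListener('submit', function (e) {
    if (!form.dataset.exRecaptchaDone) { e.preventDefault(); grecaptcha.execute(); }
  });
});
function exRecaptchaSubmit(token) {
  var form = document.getElementById('registerform');
  form.dataset.exRecaptchaDone = '1';
  form.submit(); // form.submit() does not re-fire the submit listener
}
</script>
HTML;
} );

// 2. Server side: the only check that matters. A bot posting straight to
//    wp-login.php?action=register never ran the script above, so the token is
//    missing or forged; only Google's siteverify can tell.
function ex_recaptcha_verify( $token, $remote_ip ) {
    if ( ! is_string( $token ) || '' === $token ) {
        return false; // no token at all: treat as a bot, never as "not configured"
    }

    $response = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 5,
        'body'    => array(
            'secret'   => EX_RECAPTCHA_SECRET_KEY,
            'response' => $token,
            'remoteip' => $remote_ip,
        ),
    ) );

    // Fail closed: if Google is unreachable we would rather lose a signup than
    // open the form to every bot for the duration of the outage (design choice).
    if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        return false;
    }

    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( empty( $data['success'] ) ) {
        return false; // includes "timeout-or-duplicate": a token verifies exactly once
    }

    // A secret key can be shared by several domains, so a token minted on one
    // of them is accepted by siteverify for all of them. Pin it to this site.
    $expected = wp_parse_url( home_url(), PHP_URL_HOST );
    if ( empty( $data['hostname'] ) || strtolower( $data['hostname'] ) !== strtolower( $expected ) ) {
        return false;
    }

    return true;
}

add_filter( 'registration_errors', function ( $errors ) {
    $token = isset( $_POST['g-recaptcha-response'] )
        ? sanitize_text_field( wp_unslash( $_POST['g-recaptcha-response'] ) )
        : '';
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';

    if ( ! ex_recaptcha_verify( $token, $ip ) ) {
        // Adding an error here aborts register_new_user() before the account is created.
        $errors->add( 'recaptcha_failed', __( 'Registration blocked: we could not verify that you are human.' ) );
    }
    return $errors;
}, 10, 1 );
```

The same `ex_recaptcha_verify()` call can sit behind the comment form (`preprocess_comment` filter) or any contact-form plugin’s submission hook; what changes is only where the token is read from and how the rejection is reported. The point to take from the example is that the widget’s JavaScript is cosmetic from a security standpoint: every decision is made by the server-side call, and a missing token, a failed call, or a mismatched hostname all end in rejection.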