• Resolved pixelsandinkstudio

    (@pixelsandinkstudio)


    Hi. I’m using Forminator on a client’s website with Captcha v2, honeypot and Akismet enabled. The form’s submissions are full of spam. I know the captcha works, because when I look at Google Analytics to see who reached the Thank You page, it aligns with the legitimate submissions. But Forminator seems to be recording submissions that fail captcha. Is there a way to turn that off?


Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support Williams – WPMU DEV Support

    (@wpmudev-support8)

    Hi @pixelsandinkstudio

    I hope you’re well today!

    Captcha, Honeypot and Akismet enabled all together is a pretty powerful combo and while there’s never a 100% protection, it definitely should eliminate most of spam submissions.

    But you wrote: “forminator seems to be recording submissions that fail captcha”. And this is something that should not be happening at all.

    Forminator only saves successful submission and if captcha verification fails, submission cannot be made. So no submission should ever be saved if captcha doesn’t validate.

    If you say it does it, it would suggest that either there’s some loophole that we are not yet aware of that allows bypassing it (though I would assume that Akismet should still prevent most of such submissions) or the captcha itself fails – as in “it actually doesn’t work sometimes”.

    With that said, let me ask first:

    1. How did you determine/what made you suspect that there was failed captcha verification for those saved spam submissions?

    2. I just tried to make a submission, deliberately not solving captcha; I got a proper error and no confirmation of submission; could you check and confirm if my submission (as Adam WPMU) got saved or not?

    3. In “Behavior” settings of the form where you enable Akismet, is Akismet set to “Fail submission” or to “Mark as Spam”?

    4. Do you have any caching plugin active and/or is there any server side cache and are you using any additional security plugins on site? If yes, what are those?

    5. And last but not least, could you share export of the form with us so we could test it on our end?

    To do that:

    – go to “Forminator -> Forms” page in site’s back-end
    – click on a little “gear” icon next to the form in question
    – select “Export” option from the drop-down menu there
    – copy given export code and put it at https://pastebin or download export json file and put it at your Google Drive, Dropbox or similar
    – share a link to it in your response below.

    Note:

    1. this will not include any submitted data/form submissions and none of configured credentials (such as e.g. reCaptcha keys or other); we don’t need them anyway

    2. if there’s any other “sensitive information” on the form that you’d rather not share – you may want to make a copy of the form first, edit it to remove them and then share export of that copy

    Best regards,
    Adam

    Thread Starter pixelsandinkstudio

    (@pixelsandinkstudio)

    Hi Adam – Thanks so much for the detailed response. Here are some of the answers to your questions.
    1. I drew this conclusion because if I look at the analytics 90% of the spam gets saved in the form, but doesn’t reach the thank you page (where it would be saved as a conversion). I suppose another possibility is the spam is getting past the captcha and other measures I have in place but clicks off after the submission has been completed but before the thank you page has had a chance to load. We’ve been getting several spam submissions per day, but we usually only see conversions for legitimate submissions.
    2. I did not see your submission, so I suppose this supports the idea the spam is actually making it past the recaptcha.
    3. It had previously been marked “mark as spam”. I just changed it to fail the submission.
    4. Yes, the website is built on Divi running on WP Engine.
    5. https://pastebin.com/1NmwgwtV

    Plugin Support Kris – WPMU DEV Support

    (@wpmudevsupport13)

    Hi @pixelsandinkstudio

    Thank you for additional details. I made some tests with your form on my lab site and I was not able to replicate the same issue. The additional thing, which was mentioned by Adam above “while there’s never a 100% protection”, could be that the current spam bot technology is developing all the time, same as spam protection technology. Taking this into account, can you switch from Captcha V2 to V3, observe the site for a few days (give some time for V3 to learn the traffic on the site), and see if that will give better results?

    Kind Regards,
    Kris
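
An added example (not from the thread and not Forminator's code) of the server-side gate both support replies rely on: a submission is stored only after the parsed reCAPTCHA `siteverify` response passes, with the extra action and score checks that v3 needs. The hostname, action name, threshold, helper names and sample responses are assumptions constructed for illustration.

```python
EXPECTED_HOSTNAME = "example.com"  # assumption: the site's own domain
EXPECTED_ACTION = "contact_form"   # assumption: action name the form sends with v3
MIN_SCORE = 0.5                    # assumption: site-chosen v3 threshold


def captcha_verdict(resp, version):
    """Return (accepted, reason) for a parsed siteverify JSON response."""
    if not resp.get("success"):
        codes = ",".join(resp.get("error-codes", [])) or "unknown"
        return False, "verification failed: " + codes
    # A token solved on a different site must not unlock this form.
    if resp.get("hostname") != EXPECTED_HOSTNAME:
        return False, "token solved on another host"
    if version == "v3":
        # v3 never shows a challenge; the server has to judge action and score.
        if resp.get("action") != EXPECTED_ACTION:
            return False, "unexpected action"
        if resp.get("score", 0.0) < MIN_SCORE:
            return False, "score below threshold"
    return True, "ok"


def handle_submission(fields, resp, store, version):
    """Persist the entry only when the captcha verdict is positive."""
    accepted, reason = captcha_verdict(resp, version)
    if accepted:
        store.append(fields)
    return accepted, reason


# Constructed siteverify responses (not captured from any real site).
SAMPLES = [
    ("v2_solved", "v2", {"success": True, "hostname": "example.com"}),
    ("v2_unsolved", "v2", {"success": False,
                           "error-codes": ["missing-input-response"]}),
    ("v3_human", "v3", {"success": True, "hostname": "example.com",
                        "action": "contact_form", "score": 0.9}),
    ("v3_bot", "v3", {"success": True, "hostname": "example.com",
                      "action": "contact_form", "score": 0.1}),
    ("v3_other_site", "v3", {"success": True, "hostname": "other.example",
                             "action": "contact_form", "score": 0.9}),
]


def run_samples():
    store, verdicts = [], {}
    for name, version, resp in SAMPLES:
        verdicts[name] = handle_submission({"entry": name}, resp, store, version)
    return verdicts, store
```

With a gate like this, an entry that still reaches storage has passed verification, which is the case the thread starter arrives at in their second reply.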

    Hi @pixelsandinkstudio,

    We haven’t heard from you in a while, I’ll go and mark this thread as resolved. Note that you can still reply on this topic.

    If you have any additional questions or require further help, please let us know!

    Best regards,
    Laura

  • The topic ‘Captcha’ is closed to new replies.