Captcha Free Anti Spam for Contact Form 7 (Simple No-Bot)


Simple No-Bot uses JavaScript to detect if Contact Form 7 is being submitted by a spam bot.

We wrote this when clients were reporting that hundreds of bogus contact form submissions were getting past Honeypot, but did not want to add a captcha that would impact conversions.

This lightweight script has been extremely effective for eliminating Contact Form 7 spam messages. It does not pretend to be a complete anti spam solution.


SNB REJECTS SUBMISSIONS UNLESS THE USER INTERACTS WITH THE FORM. In earlier versions of SNB, the submit button was disabled until this threshold was met. You can now set this option in wp-config.php (see below).

In most cases the submit button will be enabled after the user starts typing in the first field. It has not broken your form.

Please report any feedback and false negatives/positives on our support form at before posting a crappy review. Thanks.

New! Improved!

You can now hook Simple No Bot into any form. The filter below will return TRUE if bots are detected.

$is_spam = FALSE; // you can use whatever flag is being used by your plugin. 
$is_spam = apply_filters( 'snb_test_spam', $is_spam );

We have strengthened the XHR protocol to use SHA1 hashes. Not military grade, but secure enough for our purposes. We have also added some behavioral analysis to detect pesky bots that can mimic browsers and run scripts.

SNB now keeps a list of IPs as they are flagged as spam and automatically fails them. The oldest IPs are pruned when it reaches 100 (or SNB_MAX_SPAM_IPS, see below). If you are using W3 Total Cache, the list is flushed when you flush all caches. You can also pass ?snb_flush=true as Admin to do the same thing.

You can disable the submit button until the event threshold is reached by adding the following flag to wp-config.php:


SNB will keep a log in the SNB plugin directory for debug or analysis if desired. Add the following definition to wp-config.php:

define( 'SNB_DEBUG', TRUE );

Other configurable options:

define( 'SNB_MIN_EVENTS', 2 );
define( 'SNB_SPAM_IP_LIFESPAN', 60 * 60 * 24 * 30 ); // 30 days
define( 'SNB_MAX_SPAM_IPS', 100 );



(c)2019 Lilaea Media


  1. To install from the Plugins repository:

    • In the WordPress Admin, go to “Plugins > Add New.”
    • Type “simple no-bot” in the “Search” box and click “Search Plugins.”
    • Locate “Simple No-Bot Captcha Alternative for Contact Form 7” in the list and click “Install Now.”
  2. To install manually:

    • Download the IntelliWidget plugin from
    • In the WordPress Admin, go to “Plugins > Add New.”
    • Click the “Upload” link at the top of the page.
    • Browse for the zip file, select and click “Install.”
  3. In the WordPress Admin, go to “Plugins > Installed Plugins.” Locate “Simple No-Bot Captcha Alternative for Contact Form 7” in the list and click “Activate.”


Why not just use Recaptcha 3?

Google is great and all, but with every recaptcha, font, map or tag you use, you are passing each visitor’s usage information to Google and strengthening their control over the web.

How does it work?

The browser automatically generates a string from input events and passes it to the server via XHR. The server generates a unique token, stores a session in a transient record and returns the token to the browser. The browser then injects a new input field into the WPCF7 form that contains the token and the hashed event string. When the form is submitted, the server compares the hashed string to the stored event string and rejects the form if it does not match or if no corresponding session exists.
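
The handshake described above, modeled end to end as an added example (this is not the plugin's own code). The function names, the "token:hash" field layout, hashing the token together with the event string, the single-use session and the 10-minute lifetime are all assumptions; a Map stands in for WordPress transients.

```javascript
// Added illustration: in-memory model of the handshake, not SNB's own code.
// Function names, the "token:hash" layout, the hash input and the TTL are assumptions.
const nodeCrypto = require("node:crypto");

const MIN_EVENTS = 2;                  // mirrors SNB_MIN_EVENTS on the page
const SESSION_TTL_MS = 10 * 60 * 1000; // assumed session lifetime
const sessions = new Map();            // stands in for WordPress transients

const sha1 = (s) => nodeCrypto.createHash("sha1").update(s).digest("hex");

// Server, XHR endpoint: store the reported event string under a fresh token.
function openSession(eventString, now = Date.now()) {
  const token = nodeCrypto.randomBytes(16).toString("hex");
  sessions.set(token, { eventString, expires: now + SESSION_TTL_MS });
  return token;
}

// Browser: value of the injected hidden input, "token:hash".
function hiddenFieldValue(token, eventString) {
  return `${token}:${sha1(token + eventString)}`;
}

// Server, on submit: returns true when the submission is treated as spam.
function isSpam(fieldValue, now = Date.now()) {
  const [token, hash] = String(fieldValue ?? "").split(":");
  const session = sessions.get(token);
  sessions.delete(token); // single use, so a captured field value cannot be replayed
  if (!session || session.expires < now) return true; // no corresponding session
  if (session.eventString.split(",").length < MIN_EVENTS) return true;
  const expected = Buffer.from(sha1(token + session.eventString));
  const supplied = Buffer.from(hash ?? "");
  return supplied.length !== expected.length ||
    !nodeCrypto.timingSafeEqual(supplied, expected); // constant-time compare
}

// Constructed sample run: one genuine submission and three rejected ones.
function demo() {
  const events = "focus,keydown,keydown"; // constructed event string
  const field = hiddenFieldValue(openSession(events), events);
  return {
    firstSubmit: isSpam(field),       // session exists and hash matches
    resubmit: isSpam(field),          // session already consumed
    fieldMissing: isSpam(undefined),  // client never ran the script
    wrongHash: isSpam(`${openSession(events)}:${sha1("guess")}`),
  };
}

console.log(demo());
```

The event string here is whatever the client reports, so this check only filters clients that never run the script; the behavioral analysis and spam IP list mentioned earlier on this page are separate layers.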

Does it work without JavaScript?

No. Contact forms will fail if JavaScript is not enabled.

Does it require cookies?

Not currently. We may add more behavioral analysis if the latest generation of JS-empowered bots continues to proliferate.


September 21, 2017
After I installed this, no test message I tried to send myself would go through. Every attempt was met with the orange-border error message, indicating a spam fail. My comment blacklist was empty, so that couldn't have been the cause. Plus, the same message worked fine after disabling this plugin. Besides, Contact Form 7 added nonce verification in version 3.1, so I guess I shouldn't need this anyway.
May 9, 2017
At some point, honeypot stopped filtering spam on our client sites. We installed this and the bogus emails stopped. Highly recommended. Thanks Lilaea Media!

Contributors & Developers

“Captcha Free Anti Spam for Contact Form 7 (Simple No-Bot)” is open source software. The following people have contributed to this plugin.



2.1.5 Disabling the submit button before user interaction is now optional. Reduced minimum events to 2.
2.1.3 Added general plugin support. Strengthened hashing and XHR protocol. Added spam IP list. Added debug log.
1.0.5 Simplified validation
1.0.2 Change wp nonce functions to wpcf7 nonce functions
1.0 Initial release