Knowledge Base

Protecting Against Fake Submissions from Web Forms: A Detailed Guide for PHP and WordPress

Forms on websites, such as contact, registration, reservation, and quote request forms, are indispensable components of digital interactions. However, these forms are highly susceptible to abuse by spam submissions, bots, and fake users. Especially even when reCAPTCHA is used, if spam forms are still being received, more advanced measures are necessary.

In this article, we explain more than 10 advanced security techniques that can be applied to combat fake forms, both on PHP-based sites and WordPress-based systems, step by step with example code.

---

1. Google reCAPTCHA v2 / v3 Usage

• Using reCAPTCHA v2 (“I’m not a robot”) or v3 (background risk analysis) reduces spam.

• However, advanced bots can pass reCAPTCHA v2. Therefore, it is not sufficient on its own.

PHP Example:

$response = $_POST['g-recaptcha-response'];
$remoteip = $_SERVER['REMOTE_ADDR'];
$secret = 'YOUR_SECRET_KEY';
$verify = file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret={$secret}&response={$response}&remoteip={$remoteip}");
$captcha_success = json_decode($verify);
if (!$captcha_success->success) die("Bot detection");

---

2. Honeypot Method

Hidden fields that the user does not see but bots fill in.

PHP:

if (!empty($_POST['honeypot'])) {
  die("Bot detection!");
}

HTML:

Plugin for WordPress:

• WP Armour – Honeypot Anti Spam

---

⌛ 3. Form Submission Time Control

Bots usually fill out the form very quickly. Applications received in less than 3 seconds can be rejected.

session_start();
if (time() - $_SESSION['form_start'] < 3) die("Sent too quickly, may be a bot");

---

‍♂️ 4. IP and User-Agent Control

Block the same IPs or invalid user-agents that come with a large number of forms.

if ($_SERVER['HTTP_USER_AGENT'] == '' || preg_match('/curl|bot|python/i', $_SERVER['HTTP_USER_AGENT'])) die("Bot detection");

---

5. Smart Form Field Analysis

Bots usually fill in every field. However, if logical data is not entered in optional fields, this may be spam.

• If no field is left blank > suspicious

• If random characters are entered in the name > suspicious

---

6. IP and Country Based Blocking

Block bots from certain countries with Cloudflare or GeoIP.

• PHP GeoIP

• For WordPress: iQ Block Country

---

7. Two-Factor Authentication (Form confirmation email)

An email is sent to the user after the form is submitted. No action is taken unless confirmed.

• Especially recommended for quote/reservation forms.

---

8. JavaScript Controlled Submit

Trigger the form submission process only with JS. Non-JS systems (bots) cannot submit.

document.querySelector("form").addEventListener("submit", function(e) {
  // this check should be done on the server
});

---

9. In Addition to reCAPTCHA: Friendly CAPTCHA or hCAPTCHA

• Friendly CAPTCHA → more comfortable in terms of user experience

• hCAPTCHA → more visual testing, Google reCAPTCHA alternative

For WordPress: hCaptcha for WordPress plugin

---

10. Smart Logging + Manual Review

• Which IPs have submitted how many times and when?

• In which fields is the same data always entered?

• Keep track of these by keeping logs

$log = date("Y-m-d H:i:s") . " | " . $_SERVER['REMOTE_ADDR'] . " | " . $_POST['email'] . "\n";
file_put_contents("form_log.txt", $log, FILE_APPEND);

---

11. Spam Detection with Content Control (with Regex)

Block if there are certain character patterns in the email, name, message fields:

if (preg_match('/(viagra|casino|win money|bit.ly|http\:|https\:)/i', $_POST['message'])) {
  die("Spam content detected");
}

---

️ 12. Akismet Usage (WordPress Recommendation)

• Akismet is WordPress's spam filtering system.

• It is especially effective against comment + form spam.

• Works integrated with Gravity Forms, Contact Form 7.

---

13. Jetpack Anti-Spam (Premium)

• Provides IP-based data in addition to form field analysis

• Recommended for WordPress-based corporate sites

---

Additional Security Steps

• Publish all your forms over HTTPS

• Create a "Blacklist" for frequently received spam data (example emails, names)

• Show your forms only to logged-in users (like WordPress comment form)

---

Conclusion: A Layered Approach is Essential for Form Security

reCAPTCHA alone is not enough to protect a web form. Especially in widespread systems like WordPress, bots can target forms by exploiting plugin vulnerabilities. Therefore, it is necessary to use methods such as honeypot, time control, content analysis, and IP restriction together.

It is recommended to use at least 4-5 of the methods in this list together for a structure that will stop spam by 95% without disrupting the user experience.