I am using Gravity forms on my WP site, and after 1 week of going live I received 85k+ spam form entries from my contact page in 3 days.
I quickly enabled reCaptcha to stem the flow, but I am now worried that with such a big influx of spam I'll get a massive bill from Google.
They say you get 10k assessments a month, but I can't find a simple explanation of what an assessment is. I'm currently getting about 15-18 reCaptcha requests per min (according to the Google Cloud Console). Are requests different to assessments?
Same goes for Google Maps. Google say you get a certain amount free ($200 per month), but I cannot find what this equates to, and how to even judge how I am doing based on the information available for the API in Google Cloud Console.
As my maps are on the same page as my contact form I am concerned if the page is getting that much traffic, I'll get walloped for maps charges too.
Any suggestions on alternative services, or ways to stop the spam traffic hitting the page altogether?
I did think about duplicating the page and the form and moving them to a new URL and getting rid of the old, but I'm not sure if this will help…
It's not a high traffic site at all, so I wasn't banking on having to pay for any Google services.
reCaptcha is pretty useless nowadays. I’d recommend switching to Cloudflare with bot protection and geo blocking. I don’t know how Google Maps payment system works but my guess would be you’d need hundreds of thousands if not millions of real interactions with the map for it to cost you anything.
What kind of site is it? I agree with the other commenter, moving to cloudflare turnstile and using bot protection with geo blocking will mitigate a lot. If most of that traffic is bots you don’t want it anyway.
I’m not sure but have you tried akismet anti spam plugin? It helps me get rid of spam
I even still get spam after reCaptcha
Use Cloudflare to manage spam and monitor usage
They will count bot attempts.
Cloudflare Turnstile and hCAPTCHA are great alternatives.
And also check out cleantalk.org and oopspam.com
For cloudflare, you can add more rules like [https://webagencyhero.com/cloudflare-waf-rules-v3/](https://webagencyhero.com/cloudflare-waf-rules-v3/) to help minimize the bots
edit: always nice being down voted for giving information
They recently lowered their limit to 10K challenges per month as you stated. Alternatives are Turnstile and hCAPTCHA. Both are very similar to reCAPTCHA, making them drop-in replacements. Gravity Forms also supports them.
Another way is to put your site behind Cloudflare (DNS level protection), install the OOPSpam plugin and enable spam protection for Gravity Forms. This way you will be able to stop most bots before they hit your website and OOPSpam will take care of the rest of the abuse and manual spam.
This plugin worked wonders combating spam and surprisingly it works without any settings [https://wordpress.org/plugins/honeypot/](https://wordpress.org/plugins/honeypot/) Just install it and activate, that’s all.
I have installed it on around 12 sites and none gets spam.
Try this and let me know your experience here.
I had a form on a page that suddenly started to get a number of spam submissions every day. Since the spam submissions were all from bots, and they usually don’t have JavaScript enabled, I just went into the code for the form submit and changed it so if the user did not have JavaScript enabled, it would look like the form was submitted but in actuality it was not. This got rid of all my spam submissions instantly. Yes, the drawback is that people who come to my site with JavaScript turned off (which I am guessing is a very, very small number) would not be able to successfully submit the form. But of course, if you have JavaScript turned off, I think you should know that a lot of websites don’t work as well for you.
https://wordpress.org/plugins/gravity-forms-zero-spam/
I have found this plug-in to be very helpful at eliminating spam
Try [Prosopo Procaptcha](https://prosopo.io/) – it’s easy to set up and has a very generous free tier. Turnstile [can be defeated by captcha solvers](https://2captcha.com/api-docs/cloudflare-turnstile).
hcaptcha is a good alternative
Integrate your website with Cloudflare as soon as you can if you haven’t; Cloudflare is a must-use to avoid any vulnerable activities.
>my maps are on the same page as my contact form I am concerned if the page is getting that much traffic
I wouldn’t worry about that, your site is most likely not actually LOADING for those 85k spam messages, at most a bot is requesting the page to get the HTML code (for form inputs), and not executing the Javascript that loads the maps.
And to be honest, after a while the page may not even be called to begin with, it could be bots just raw POSTing data to the endpoint for the form after they learned what data to submit.
I don’t have a good alternative for maps, but here’s what I do in some cases to avoid reCaptcha. I create a new field and give it a name that looks legit (eg. city name). I then implement [custom field validation](https://docs.gravityforms.com/gform_field_validation/) for that field and hide it using CSS.
If the field contains any value, I fail the validation routine and the form never gets submitted. This has worked great so far for GravityForms and ContactForm7…
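The hidden decoy field described in the comment above, sketched as an added example (not the commenter's code and not part of Gravity Forms). It assumes the decoy field was given the Custom CSS Class `gf-city-confirm` in the form editor; that class name and the error message are hypothetical.

```php
<?php
// Added example: honeypot validation for a Gravity Forms decoy field.
// Assumption: the decoy field carries the Custom CSS Class below (hypothetical name).
const DECOY_CSS_CLASS = 'gf-city-confirm';

// Move the decoy off-screen for people while leaving it in the HTML bots parse.
add_action( 'wp_head', function () {
    echo '<style>.' . esc_attr( DECOY_CSS_CLASS )
        . '{position:absolute;left:-9999px;height:0;overflow:hidden}</style>';
} );

// gform_field_validation runs once per field; $result is
// array( 'is_valid' => bool, 'message' => string ).
add_filter( 'gform_field_validation', function ( $result, $value, $form, $field ) {
    // Only act on the decoy; every other field keeps its normal result.
    $classes = preg_split( '/\s+/', (string) $field->cssClass, -1, PREG_SPLIT_NO_EMPTY );
    if ( ! in_array( DECOY_CSS_CLASS, $classes, true ) ) {
        return $result;
    }

    // Multi-input fields arrive as arrays; flatten before checking.
    $submitted = is_array( $value ) ? implode( '', $value ) : (string) $value;

    // A person never sees the field, so any content means an automated submit.
    if ( trim( $submitted ) !== '' ) {
        $result['is_valid'] = false;
        $result['message']  = 'Please check this field.'; // hypothetical wording
    }

    return $result;
}, 10, 4 );
```

Browser autofill can populate a hidden field whose label looks like a real address field, so submit the form with autofill enabled before relying on this. The check runs server-side, so it also applies to submissions POSTed directly to the form endpoint.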
Use turnstile by cloudflare
85k+ after one week, that’s abnormal. Sounds like a DDoS attack, if that’s a new domain. At least put Wordfence and figure out what is doing it. Google will start charging for recaptcha from October.
On some websites I manage for family and friends I implement the following:
1) Gravity Forms
2) Gravity Forms Zero Spam
3) Really Simple Captcha, which allows you to add a field to the Gravity form with either a simple math equation or alphanumeric text string.
That combo seems to have eliminated spam, no google recaptcha needed. Several of the sites had google recaptcha prior to my implementing the above. I removed completely.
Other comments suggested 2 options that will also work: adding the honeypot plugin, and requiring javascript in order for a successful form submission. I have never needed either as what I implement above seems to work great, but at least you have options to implement as you feel appropriate.
I have 909+ plus sites running Google Captcha and no one’s ever received a bill. 18 years it seems now
85K spam entries? That is enough to crash most servers. Man, people are so evil.