Hi there! I’m dealing with a major headache on my WordPress website. Someone is bombarding my contact forms with bogus submissions and I think it might be a business rival trying to mess with me. My site uses contact forms built with plugins like Gravity Forms to gather basic info from visitors. The problem started a few weeks ago when I began receiving tons of fake entries every day.
What I’ve noticed about these attacks:
- The IP addresses keep changing and look real (probably using proxy networks)
- Browser signatures are different each time
- The behavior seems too sophisticated for basic bots
I’m pretty sure they’re using some kind of browser automation tool to make it look like real people are filling out the forms. This is really frustrating because it’s hard to tell which submissions are legitimate customers. Has anyone else run into this kind of problem? I’m looking for practical solutions that actually work against these sneaky automated attacks. Any advice would be amazing!
ugh same thing happened to me last month! honeypot fields saved my butt - they’re invisible to real users but bots fill them out anyway. also try adding a simple math captcha, works better than recaptcha against these sneaky automation tools imo
Browser automation detection might be your best bet here. I had a client dealing with sophisticated form spam that bypassed traditional captchas and honeypots. We implemented JavaScript challenges that check for automation fingerprints like webdriver properties, timing anomalies, and mouse movement patterns. Real browsers behave differently than automated ones even when they’re trying to mimic human behavior. You can also try requiring users to interact with multiple form elements before the submit button becomes active - automation scripts often struggle with these multi-step interactions. Another approach that worked well was implementing a scoring system that evaluates submission patterns over time rather than blocking individual requests. This catches coordinated attacks while letting legitimate users through without friction.
I faced something similar with my e-commerce site and found that implementing time-based validation helped significantly. These automation scripts often fill forms too quickly compared to human users. Setting a minimum time threshold before form submission is allowed caught most of the fake entries in my case. Also consider enabling session tracking to detect rapid-fire submissions from the same source. What really worked for me was combining multiple defense layers rather than relying on just one method. The IP rotation you mentioned is tricky but watch for patterns in the actual form data - automated tools often use similar text patterns or formatting even when rotating other details.
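An added example, not part of any post in this thread and not Gravity Forms code: a plain-PHP sketch of the layered scoring the replies describe, combining a honeypot field, a signed render timestamp for the minimum-fill-time check, and a normalised content key that catches templated text across rotating IPs. The field names (`website_url`, `form_token`, `message`), weights and thresholds are assumptions.

```php
<?php
// Field names, weights and thresholds below are assumptions for illustration.
const FORM_SECRET   = 'replace-with-long-random-secret'; // placeholder key
const MIN_FILL_SECS = 4;    // assumed minimum time a human needs to fill the form
const MAX_TOKEN_AGE = 3600; // tokens older than this are treated as stale
const SPAM_SCORE    = 5;    // score at or above this is flagged

// Call when rendering the form; put the result in a hidden field.
function issue_form_token(int $now): string {
    $payload = $now . '.' . bin2hex(random_bytes(8));
    return $payload . '.' . hash_hmac('sha256', $payload, FORM_SECRET);
}

// Seconds between render and submit, or null if the token is malformed or forged.
function token_age(string $token, int $now): ?int {
    $parts = explode('.', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[0])) return null;
    $expected = hash_hmac('sha256', $parts[0] . '.' . $parts[1], FORM_SECRET);
    if (!hash_equals($expected, $parts[2])) return null;
    return $now - (int) $parts[0];
}

// Collapse case, digits and punctuation so templated messages share one key.
function content_key(string $message): string {
    $t = preg_replace('/\d+/', '#', strtolower($message));
    $t = preg_replace('/[^a-z#]+/', ' ', $t);
    return hash('sha256', trim($t));
}

// $post: submitted fields; $seen: content_key => count of recent submissions.
function score_submission(array $post, array $seen, int $now): array {
    $score = 0; $reasons = [];
    if (($post['website_url'] ?? '') !== '') { $score += 5; $reasons[] = 'honeypot filled'; }
    $age = token_age($post['form_token'] ?? '', $now);
    if ($age === null)             { $score += 5; $reasons[] = 'bad or missing token'; }
    elseif ($age < MIN_FILL_SECS)  { $score += 3; $reasons[] = 'submitted too fast'; }
    elseif ($age > MAX_TOKEN_AGE)  { $score += 2; $reasons[] = 'stale token'; }
    $repeats = $seen[content_key($post['message'] ?? '')] ?? 0;
    if ($repeats >= 3)             { $score += 3; $reasons[] = 'templated content'; }
    return ['score' => $score, 'spam' => $score >= SPAM_SCORE, 'reasons' => $reasons];
}

// Constructed sample: form rendered at t=1000, submitted one second later,
// with a message whose template has already been seen four times.
$token = issue_form_token(1000);
$post  = ['website_url' => '', 'form_token' => $token, 'message' => 'Hello, order 4821 please call'];
$seen  = [content_key('hello, order 77 please call') => 4];
print_r(score_submission($post, $seen, 1001));
```

A token stays valid until it expires, so a single rendered form can be replayed within that window unless the server also records used nonces. Flagged entries are better routed to a review queue than dropped, since no single signal here is conclusive on its own.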