WordPress GravityForms facing ongoing spam despite installed protections

I’m encountering a persistent spam issue on a WordPress site that utilizes GravityForms. Even with several security measures in place, including Akismet, reCaptcha, and GravityForms Zero Spam, spam submissions are still flooding in.

Cloudflare is set to block traffic from outside the country, but it seems this spammer is deliberately targeting our site. This month alone, we’ve recorded 8 spam submissions, each originating from different IP addresses throughout the United States, mostly from regions like New York, Ohio, and Colorado.

What adds to the challenge is that they keep using the same or slightly altered personal information—same name, phone number, email, and address, with just minor tweaks in spelling and formatting. I have activated the “No Duplicates” feature for emails and project descriptions, and I’ve just enabled it for phone numbers as well, but the spam continues unabated.

To make matters worse, my analytics reveal that these spam visits are linked to Google Ads, which means my client is effectively paying for this unwanted influx of traffic. I’m looking for any further advice on measures we can take to combat this issue.

Have you tried honeypot fields? They’re surprisingly effective against manual spammers too. Also worth checking your forms for hidden referrer data - you can often spot patterns that reveal the spam source. Maybe temporarily kill your Google Ads and see if the spam completely stops?

Been there with spam attacks burning through ad budgets. Your current protection is decent, but there’s a smarter way.

I built an automated spam detection system that crushes these persistent spammers way better than individual plugins:

Set up a workflow that analyzes submission patterns in real time. When someone submits a form, automatically check their data against your spam database. Found similar names, phone numbers, or addresses (even slight variations)? Flag or block instantly.

The magic is the learning system. Every time you mark something as spam, feed that data back into your detection rules. Soon you’re catching variations before they hit your form.

For Google Ads, add automatic IP blocking. System detects spam from an IP? Instantly adds it to your Cloudflare block list. No more paying for the same spammer’s return visits.

Throw in honeypot fields invisible to real users but obvious to bots. They fill those? Automatic rejection.

The whole system runs in the background and gets smarter over time. Way more effective than playing whack-a-mole with individual spam submissions.

Check out Latenode for building this kind of automated protection: https://latenode.com

Manual spam eating your ad spend is the worst. Since this spammer’s using the same info with slight tweaks, you need fuzzy matching on your forms. I set up custom validation rules in GravityForms that catch phonetic similarities and character swaps - stuff like “John” vs “Jon” or phone numbers in different formats. Way better than the basic “No Duplicates” feature. For Google Ads, try negative audience lists. Export those spam IP addresses and upload them as exclusions so you stop bidding on that traffic. Also consider time-based restrictions. Real users don’t usually submit forms the second they land on your page. Adding a minimum wait time before submission helps weed out automated spam and rushed submissions.
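
The fuzzy matching suggested in the last reply, sketched as an added example (not code from any poster in this thread). It hooks the Gravity Forms `gform_entry_is_spam` filter; the field IDs, the `SPAM_PROFILES` data and all function names are assumptions made for illustration.

```php
<?php
// Added example: fuzzy duplicate check for Gravity Forms submissions.
// SPAM_PROFILES is constructed sample data; load real values from entries you marked as spam.
const SPAM_PROFILES = [
    ['name' => 'John Example', 'phone' => '5550100123', 'email' => 'jexample@example.com'],
];

function normalize_phone(string $raw): string {
    $digits = preg_replace('/\D+/', '', $raw);
    // Drop a leading US country code so "+1 (555) 010-0123" equals "555.010.0123".
    return (strlen($digits) === 11 && $digits[0] === '1') ? substr($digits, 1) : $digits;
}

function normalize_email(string $raw): string {
    $raw = strtolower(trim($raw));
    if (strpos($raw, '@') === false) {
        return $raw;
    }
    [$local, $domain] = explode('@', $raw, 2);
    return preg_replace('/\+.*$/', '', $local) . '@' . $domain; // strip "+tag" aliases
}

function names_similar(string $a, string $b): bool {
    $a = preg_replace('/[^a-z]/', '', strtolower($a));
    $b = preg_replace('/[^a-z]/', '', strtolower($b));
    if ($a === '' || $b === '') {
        return false;
    }
    // Same phonetic key ("John"/"Jon") or a small edit distance (character swaps, typos).
    return metaphone($a) === metaphone($b) || levenshtein($a, $b) <= max(1, intdiv(strlen($b), 5));
}

function matches_known_spam(string $name, string $phone, string $email): bool {
    foreach (SPAM_PROFILES as $p) {
        $hits = (int) (normalize_phone($phone) === normalize_phone($p['phone']))
              + (int) (normalize_email($email) === normalize_email($p['email']))
              + (int) names_similar($name, $p['name']);
        if ($hits >= 2) { // require two matching fields to limit false positives
            return true;
        }
    }
    return false;
}

// Register with Gravity Forms when loaded inside WordPress.
if (function_exists('add_filter')) {
    add_filter('gform_entry_is_spam', function ($is_spam, $form, $entry) {
        // Field IDs 1, 2 and 3 are assumptions; replace them with your form's IDs.
        return $is_spam || matches_known_spam(
            (string) rgar($entry, '1'), (string) rgar($entry, '2'), (string) rgar($entry, '3')
        );
    }, 10, 3);
}
```

Entries flagged this way land in the form's Spam list rather than being rejected outright, so a false positive can still be reviewed and restored.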