If you own a website with a contact form, chances are you have been getting a lot of spam as well, and you are reading this blog post because you want a solution. Luckily, in this post, we’ll give you a solution that blocks 99% of that spam.
This is the plugin we recommend: Maspik – Spam blacklist
The plugin, by default, filters spam based on IP address, sender name, countries, empty source URL, blacklist words, etc. And it is compatible with Elementor forms, Contact Form 7, comments, and more.
The empty source URL filter has been working well for us and helped us filter out at least 50% of the spam from our Elementor form. I have no idea if these spam bots purposely hide the source URL or if they think this would help their spam get through.
Comparing It to Paid Plugins
There are also some popular paid plugins for comment and form spam solutions, such as Cleantalk and OOPSpam, so here we will make a quick comparison:
- Cleantalk – It’s a cheap and effective solution, but in our opinion, it is more bloated, and we don’t like some of the default options that set cookies, which interfere with our caching solution. Some of our clients’ websites use it, but we prefer something simpler.
- OOPSpam – Kinda pricey for what it does, checking submitter IP with their database. From our testing, they also don’t have a very good detection rate and missed some spammy IPs from compromised servers.
However, we think Maspik falls short in the ability to check public records of bad IPs. As of writing, you can only filter IPs based on countries or add specific IPs to create your own blacklist. This is why we also added some custom checks to the plugin.
Filtering Bad IPs with AbuseIPDB.com, Proxycheck.io & CIDR
As we have noticed, most spam bots use proxies scraped from the internet or compromised servers. So if we want to block that spam, we need a way to identify those malicious IPs.
But at the same time, as more consumers with privacy in mind are using VPNs, we also do not want to block all IPs owned by datacenters.
Then we found AbuseIPDB.com and Proxycheck.io. AbuseIPDB maintains a big database where webmasters report malicious and spammy IPs, giving those IPs a risk score based on those reports.
Proxycheck.io helps identify whether an IP belongs to a proxy or a compromised server, and it can also distinguish IPs that belong to consumer VPN providers, which helps us avoid blocking ordinary VPN users.
Lastly, we also added a CIDR filter in case we need to block some IP ranges manually.
We tried adding 30,000 datacenter CIDR records from this list into the CIDR filter just to see if it slowed down form submission time, but looping through such a huge list doesn’t seem to have much impact.
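An added example, not code from the Maspik plugin or the fork mentioned in this post, of how the three checks above can be combined: a manual CIDR list first, then the AbuseIPDB risk score, then the Proxycheck.io result with consumer VPNs let through. The function names, the threshold of 50 and the sample lookup results are assumptions; `abuseConfidenceScore` and `proxy`/`type` are the fields those two APIs return.

```php
<?php
// Added example (not Maspik's code). True when $ip lies inside $cidr, IPv4 or IPv6.
function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $len] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // malformed input or mixed address families never match
    }
    $max  = strlen($ipBin) * 8;
    $bits = $len === null ? $max : (ctype_digit($len) ? (int) $len : -1);
    if ($bits < 0 || $bits > $max) {
        return false; // reject "/abc" or "/33" instead of treating it as /0
    }
    $full = intdiv($bits, 8);            // whole bytes covered by the prefix
    $rem  = $bits % 8;                   // leftover high bits in the next byte
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return substr($ipBin, 0, $full) === substr($netBin, 0, $full)
        && ($rem === 0 || (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask));
}

// $score: AbuseIPDB abuseConfidenceScore; $proxy: proxycheck.io entry. null = lookup failed.
function classify_submitter(string $ip, array $cidrs, ?int $score, ?array $proxy, int $threshold = 50): string {
    foreach ($cidrs as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return "block (listed range $cidr)";
        }
    }
    if ($score !== null && $score >= $threshold) {
        return "block (AbuseIPDB score $score)";
    }
    // Consumer VPN users are let through; any other proxy type is blocked.
    if (($proxy['proxy'] ?? 'no') === 'yes' && strcasecmp($proxy['type'] ?? '', 'VPN') !== 0) {
        return 'block (non-VPN proxy: ' . ($proxy['type'] ?? 'unknown') . ')';
    }
    return 'allow';
}

// Constructed sample data: documentation address ranges and made-up lookup results.
$cidrs = ['203.0.113.0/24', '2001:db8:bad::/48'];
$samples = [
    ['203.0.113.77', 0, null],
    ['198.51.100.9', 87, ['proxy' => 'no']],
    ['198.51.100.20', 3, ['proxy' => 'yes', 'type' => 'VPN']],
    ['198.51.100.21', 3, ['proxy' => 'yes', 'type' => 'SOCKS5']],
    ['2001:db8:bad:1::5', null, null],
];
foreach ($samples as [$ip, $score, $proxy]) {
    echo str_pad($ip, 20), classify_submitter($ip, $cidrs, $score, $proxy), PHP_EOL;
}
```

Both lookups fail open in this sketch: when a score or proxy result is null that check is skipped, so an API outage lets submissions through instead of blocking every visitor.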
And this is some testing to show you what it looks like when these filters work:
Since the author of Maspik published their code to Github recently, we also forked and added our custom filter to it, so anyone reading this can also use those filters by copying our code here:
We also made a pull request to the author, and it seems like the author would probably add those features into their release, which is great, so we don’t have to manually add the custom filter when upgrading the plugin.
After having all those filters in one, we feel this is currently the best plugin for our spam solution. However, we also recommend not relying only on plugins for spam issues. For example, you can also check out how we use Cloudflare WAF to filter bad IPs.
If this is something you would like someone to set up for you, along with optimizing your WordPress website for best performance and hosting it on high-speed servers, we also offer Optimized WordPress Hosting services, where we handle all the heavy lifting, and you can focus on what matters most to your business.