Hello everybody!
Today I'm writing my second question and would be very happy about your answers. It's about spam. How do you fight spam on your pages, especially regarding forms?
It is important for me that the method is also GDPR compliant. So no IP addresses may be saved or sent to external sites. Background of the whole thing: I have a WordPress plugin which shows a feedback form after a vote, and so far I got feedback (currently only from one person, but I want to address the problems of each individual person) that it is probably very susceptible to spam.
My current solution is a simple "honeypot" solution. It creates an input field with the name "website", which is hidden from the user. When submitting the form, it is checked whether the field is filled. The field must not be filled and cannot be filled, because the user can't see the field. The solution works quite well.
Since I do not assume that this is the most elegant solution, I would be interested in your approaches. How do you solve your spam problems?
If possible, only PHP and JavaScript solutions (jQuery works too), because I work with WordPress. It is not about complete solutions, but approaches and ideas. Simply because I like to try and learn.
Thanks in advance!
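An added example of the honeypot approach described above (not the asker's plugin code), extended with a signed "form issued at" timestamp so the server can also reject posts submitted faster than a human could fill the form, still without storing any visitor data. The secret FORM_SECRET, the field names ft/fs and the timing thresholds are assumptions; in a WordPress plugin the nonce functions could stand in for the HMAC.

```php
<?php
// Honeypot + signed timestamp check. Nothing about the visitor (no IP address,
// no user agent) is stored or sent anywhere, which keeps it GDPR-friendly.
// Assumption: FORM_SECRET is a random per-site secret kept in the plugin config.
const FORM_SECRET      = 'replace-with-a-long-random-secret'; // placeholder
const MIN_FILL_SECONDS = 3;     // humans rarely submit within a few seconds
const MAX_FILL_SECONDS = 3600;  // reject stale tokens (e.g. replayed submissions)

// Called when the form is rendered: returns the hidden fields to embed.
function feedback_form_hidden_fields(): string {
    $issued = (string) time();
    $sig    = hash_hmac('sha256', $issued, FORM_SECRET);
    // "website" is the honeypot: moved off-screen via CSS, so real users never
    // fill it. autocomplete="off" keeps browser autofill from filling it either.
    return '<input type="text" name="website" autocomplete="off" tabindex="-1"'
         . ' style="position:absolute;left:-9999px" aria-hidden="true">'
         . '<input type="hidden" name="ft" value="' . htmlspecialchars($issued) . '">'
         . '<input type="hidden" name="fs" value="' . htmlspecialchars($sig) . '">';
}

// Called on submit: returns null when the post looks human, otherwise a reason
// string that can be logged as a counter (not tied to any person).
function feedback_form_spam_reason(array $post, ?int $now = null): ?string {
    $now = $now ?? time();
    if (!isset($post['website']) || $post['website'] !== '') {
        return 'honeypot filled';             // bots tend to fill every field
    }
    $issued = $post['ft'] ?? '';
    $sig    = $post['fs'] ?? '';
    if (!ctype_digit($issued)
        || !hash_equals(hash_hmac('sha256', $issued, FORM_SECRET), $sig)) {
        return 'missing or forged timestamp'; // posted without loading the form
    }
    $age = $now - (int) $issued;
    if ($age < MIN_FILL_SECONDS) {
        return 'submitted too fast';
    }
    if ($age > MAX_FILL_SECONDS) {
        return 'form token expired';
    }
    return null;
}

// Constructed sample submission: honeypot empty, but the signature is bogus,
// so the check reports a forged timestamp and the message should be dropped.
$verdict = feedback_form_spam_reason(['website' => '', 'ft' => '1700000000', 'fs' => 'bogus']);
```

On the real form, call feedback_form_hidden_fields() inside the form markup and pass $_POST to feedback_form_spam_reason() before saving anything.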
I think it's quite a good solution, which will keep a lot of bots out. However, bots are getting better, and such honeypot fields are a rather old concept...
Another idea would be to add a Captcha (for example "I am not a robot" verification by Google). On top of that there are algorithms for analyzing a text for emotions and intents, which might help you categorize spam even then.
However, let me tell you something: AI is catching up, and even if that weren't bad enough, there are services on the dark web on which humans earn money by solving Captchas (even the fancy Google ones) for bots - so that the bots can still do their thing - or by filling whole forms manually. It's a fraction of a cent per Captcha or form-fill, but that adds up over the hours, and these people are very trained in doing their thing by doing it for hours.
Battling spam is like fighting windmills. You start out with a form, and bots will swarm it. You use a honeypot field, however bots might not even use it. You add a Captcha, but somehow the spam still keeps coming your way. You add an intent-detection algorithm, which at least puts spam into a moderation queue, but spam-bot authors aren't dumb, and if your site is an interesting enough target, they will find a way to fool the system. I have seen some such posts even here on Hashnode, which refer to the specific article... arghh.
The solution I propose is to not solve the problem. Currently, JAMStack is one of the most hyped new things in webdev; for a good reason. You do your thing (create/admin a website), and leave the complicated stuff to the experts, who do that as their thing all day. They are also GDPR-compliant, and if you put a link, it's usually not even your problem anymore, because the user leaves your page (briefly) :)
This means, instead of putting a form onto your WordPress page, you might want to put a link to a survey site, or use an embed for one. The survey site will then conduct the voting and feedback-taking for you, and use their battle-tested algorithms to fight bots and spam for you. You will receive the results (which then are, GDPR-wise, your problem again) from the other service and can do whatever you need to do with them.
Of course, GDPR-wise, you can also check out the other service's options to see if you can trigger the deletion of certain records, which would fill that gap in your control-chain. GDPR, however, is still a very difficult topic, and even many big companies struggle a lot with how to handle (sub-)contractors and data-transfer for processing purposes.