If you are receiving a huge amount of spam submissions in your wp-admin / Classifieds section and do not know where these submissions are coming from or what you can do about it, this article should help you out.
How are spammers sending spam on my site?
By default, on activation WPAdverts automatically creates a page with the [adverts_add] shortcode in the wp-admin / Pages panel. This page allows anyone to fill in the form and post a classified ad.
The submission form is a 3-step form (fill the form -> preview -> publish), and spambots used to be unable to complete it. Unfortunately, this changed in 2021, and it looks like some of the bots can now complete all 3 steps (or maybe WPAdverts got popular enough that the bots are now targeting WPAdverts forms).
Since version 1.5.5 (released on 22nd July 2021) we have some additional tools to help you prevent spam submissions, so if you are using WPAdverts older than 1.5.5 try upgrading WPAdverts to the latest version first.
Where is the classifieds spam coming from?
Start by finding the page with the [adverts_add] shortcode. To do that, go to the wp-admin / Pages panel and search for “adverts_add” (without the quotes) in the top-right search field. This should find all the pages where spammers can submit Ads.
Quick Note. If you have more than one page with the [adverts_add] shortcode, you can probably delete the extra ones, unless you are using these shortcodes with the Custom Fields extension and the form_scheme param to set a different form for each [adverts_add].
What about user spam registrations?
Another entry point can be the default wp-login.php page. If you are getting a lot of random users registered on the website, go to the wp-admin / Settings / General panel and see if the “Anyone can register” checkbox is checked. If it is, then anyone (including spambots) can register on your site.
The easiest solution to this problem is to either disable registrations or install one of the reCAPTCHA integration plugins available in the WordPress plugins directory.
To protect yourself from classifieds spam there are a few options:
Do not allow users to post Ads in the frontend at all
If you do not want the users in the frontend to submit classifieds ads then you can simply trash the pages and the spam should stop.
Allow only logged-in users to post Ads
If you want only logged-in users to be able to submit the ads then you can edit the page with [adverts_add] shortcode and add the “requires” param to it like this
This will allow only users with the “read” capability (by default in WP that is any logged-in user) to post; anonymous users will see a message asking them to register or log in. You can change that message with the requires_error param; for more details, please refer to the [adverts_add] docs.
Allow anonymous users to submit Ads (but not bots)
One option here is to use the [adverts_add] shortcode with the moderate="1" param. Spambots will still be able to submit ads, but the ads will not be published until the administrator approves them.
Moderation only stops spammers from instantly showing their Ads on the [adverts_list] page. The administrator will still need to review and delete the spam, so this is not an ideal solution.
The better solution is to use one (or even better all) of the 3 methods introduced in version 1.5.5.
The honeypot method is enabled on every WPAdverts installation by default.
This technique adds a new field to the form but hides it from the user (via CSS), so a person cannot see or fill it, while a bot reading the page HTML source will find the honeypot field and fill it. When the field arrives filled, WPAdverts knows that only a bot could have filled it and stops the submission.
By default, the field is named website_address as the bots love entering URLs (hoping they will be shown on the website), but to make it harder for them you can customize the Honeypot field name and title from wp-admin / Classifieds / Options / Core / Spam panel.
The Timetrap is also enabled by default.
This method inserts a hidden input into the form and fills its value with the encrypted current date and time. On submission, WPAdverts decodes it and compares the value to the current date and time.
If the difference is smaller than 5 seconds, the submission is denied, as it is extremely unlikely that a person can load the page, fill the form and submit it within 5 seconds.
That being said if you have some special case where the time could be shorter you can adjust this value in wp-admin / Classifieds / Options / Core / Spam panel.
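The honeypot and timetrap checks described above, as an added Python sketch of the server-side logic (not WPAdverts code). It signs the timestamp with an HMAC instead of encrypting it; the key, the `timetrap` field name and the one-hour maximum age are assumptions, while `website_address` and the 5-second threshold are the page's defaults.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-site secret, never sent to the client
MIN_SECONDS = 5                   # the page's default timetrap threshold
MAX_SECONDS = 3600                # assumption: reject stale tokens to limit replay
HONEYPOT = "website_address"      # the page's default honeypot field name


def _mac(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None):
    """Value for the hidden timetrap input: '<unix time>.<HMAC of it>'."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(ts)}"


def check_submission(form, now=None):
    """Return (accepted, reason) for a submitted form dict."""
    now = time.time() if now is None else now
    # Honeypot: hidden by CSS, so a non-empty value means a script filled it.
    if (form.get(HONEYPOT) or "").strip():
        return False, "honeypot filled"
    ts, _, mac = (form.get("timetrap") or "").partition(".")
    # Constant-time compare; a missing or edited token fails here, so a bot
    # cannot simply backdate the timestamp to pass the timing check.
    if not hmac.compare_digest(mac.encode(), _mac(ts).encode()):
        return False, "timetrap missing or tampered"
    elapsed = now - int(ts)  # safe: a valid MAC means we issued this ts
    if elapsed < MIN_SECONDS:
        return False, "submitted too fast"
    if elapsed > MAX_SECONDS:
        return False, "token expired"
    return True, "ok"
```
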
A user who fills the form too fast will see an error message like the one in the image below
The above two features are enabled by default; this one requires some configuration and fine-tuning to your needs.
Go to the wp-admin / Classifieds / Options / Core / Spam panel, where you will see the form shown in the screenshot below
The first field “Max. Links In The Content” allows you to enter the maximum number of links the user can enter in the description field (and in the contact message). Bots like to post multiple links at once so probably a value of 3 or 4 will catch quite a lot of spam.
The “Blacklisted Phrases” field is basically a list of phrases that will prevent a user from posting an Ad if he uses a blacklisted phrase in the content. There is a great list of common spam phrases created by Jeff Starr from Perishable Press, but I am not prefilling the “Blacklisted Phrases” field, as we do have customers in adult and gambling niches and the list could prevent their customers from posting ads.
One tip I can give you is to add a [/url] to blacklisted phrases as many spambots are trying to post BBCode formatted URLs and this will instantly stop them.
Now, if a real user enters too many links or uses spam words, he will see an error message and will be able to correct his text. Technically a spambot will be able to do that as well, but I think we are still far away from the day when spambots will be able to read and understand the error messages.
If you want anyone (except spambots) to submit classifieds, then right now the best option is to install and configure the WPAdverts reCAPTCHA integration; this should prevent all spambots from submitting ads.
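The link limit and phrase blacklist described above, as an added Python sketch (not WPAdverts code). How WPAdverts itself counts links is not stated on the page; treating an http(s) URL or a bare `www.` host as one link, and matching phrases case-insensitively, are assumptions of this example.

```python
import re

MAX_LINKS = 3            # the page suggests a value of 3 or 4
BLACKLIST = ["[/url]"]   # the page's BBCode tip; extend per site
# Assumption: one link = an http(s):// URL, or a bare "www." host that is
# not already part of such a URL (the lookbehind avoids double counting).
LINK_RE = re.compile(r"https?://|(?<![/\w.])www\.", re.IGNORECASE)


def _norm(text):
    """Case-fold and collapse whitespace so '[/URL]' matches '[/url]'."""
    return " ".join(text.casefold().split())


def check_content(text, max_links=MAX_LINKS, blacklist=BLACKLIST):
    """Return a list of error messages; an empty list means the text passes.

    Every problem is reported at once so a real user can fix the text
    in a single edit, as the form's error message allows.
    """
    errors = []
    links = len(LINK_RE.findall(text))
    if links > max_links:
        errors.append(f"too many links: {links} > {max_links}")
    normalized = _norm(text)
    for phrase in blacklist:
        if _norm(phrase) in normalized:
            errors.append(f"blacklisted phrase: {phrase}")
    return errors


# Constructed sample descriptions, not real submissions.
SAMPLES = [
    "Selling a bike, photos at http://example.com/bike",
    "cheap deals [URL=http://a.example]click[/URL]",
    "http://a.example https://b.example www.c.example http://www.d.example",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_content(sample) or "ok", "<-", sample)
```
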
This plugin is available in the StartUp (and higher) package so if you do not have one you would need to purchase it.
Which method should I use?
In short, use all of them. The free ones (all except reCAPTCHA) combined should stop most or maybe even all automatic spam; the reCAPTCHA integration is only an additional layer of security for the unlikely event that someone targets your website specifically.
What else can I do?
There are services that will discard the spam requests before they even reach your site. One that works well, and that I use on one of my sites, is Sucuri.net; unfortunately, it is quite expensive. An alternative is the free WordFence plugin, but I do not use it personally, so I cannot tell if it stops the WPAdverts spam. Maybe someone using both WordFence and WPAdverts on a site can comment on that?
One more option is to use a hosting company that comes with some kind of protection built in. For example, I am using SiteGround to host my sites, including the WPAdverts demo, and the demo site has not received a single spam submission so far.
Sure, SiteGround is a bit more expensive than other hosts, but if you consider the additional features it adds and the WP support, I think this is the best WordPress hosting, at least in terms of features & performance/price ratio.