www.wysiwygwebbuilder.com

I get a lot of spam from bots filling in the contact us page. Is there a way to prevent this, such as only allowing access to the form if it is linked to from another page in the website? Or maybe another way?

WWB supports several captchas, including recpatcha, math captcha and hcaptcha.

I already use ReCaptura. Interesting that one of the buttons "Reset Form", that doesn't get emailed because there is no field, does get emailed when a spammer is involved. I think this means that they are not filling in the form, but somehow invoking it and getting past ReCapture.

Maybe the form is sent from another part of your website?

There is no way way to get by the recaptcha if the built-in form script is used.

I'm using the built in form script (Use build in php form script is checked).
what is interesting is that the contents emailed to me includes "Reset Form:Reset Form". This is not sent when someone actually fills in the form and then clicks on submits (see below). There is a Reset button on the form that blanks out all the fields, but perhaps the fact that is included in the email to me might be a clue as to how they are accessing it? I searched my website and don't have any other mechanism to submit the form.

Contact Us
IP Address : 113.177.208.126
Referer : www.headscratchers.com/contactus.php
FirstName : BfMdQwNrzJohu
LastName : JPjtbSCpuyRUBzA
Email : rizzofxs13@gmail.com
ValidateEmail : rizzofxs13@gmail.com
SpeakerEngagementsInfo : Yes
ThinkSmarterInfo : Yes
FutureWebinars : Yes
FutureWorkshops : Yes
WorkshopInfo : Yes
Subscribe-HeadScratcherPost : Yes
PhoneNumber : JfzTgvyLeDsN
Company Name : utTgwBnY
Location : MPKSZBrvA
SubmitButton : Send Info
Reset Form : Reset Form
Info On On-Line Workshops : Yes
Source :
Comments : gcSLaAiIMpbvmKrt

The built-in script removes the reset button from the message.
So, if the reset button is included in the message then it looks like the message is sent via another script.

Please make sure there are no other script on your website. Maybe you have previously added a script for test purposes?

I went through the entire website and could not find any other contact us forms that have what this form has. In any case, I deleted everything but this form. I even changed the form so that the email would have a contactus sent from address instead of my address. So I know that the spammers are using this form. Is there another way they can break into this, stuff the fields, and send it, and bypassing the php script to actually send it?

I assume you are using the built-in recaptcha (not the extension)?

As an extra security step you can also enable PHP validation in the advanced settings of the form.

The form is old. I'm using recaptcha v2. I assume the extension. I think i originally created the form before the buildin recaptcha was created.
Is this not secure?

For the extension it is important that it is the first element on the page (in the Object Manager) otherwise the form script may be processes before checking the captcha. Also, it was implemented using third party scripts.
The built-in version is 'smarter' and does not reply on third party libraries.

It is defintely NOT the first element. I'll switch to the built-in version and see what happens. It looks like I can select captcha v2 in the element. If so, do I need to make sure it's the first element in the page? I'll do this later today, and let it be for a few days and see what happens. I get a dozen spammers a day, so if it works, it should be obvious. Will let you know, thx.

The built-in version will automatically generate the correct code, independently of the element's position the page.

Note that reCapatcha will not stop spammers from manually entering spam.

I used the built in captcha along with the PHP validation. It worked. I've received ZERO auto spammer entries in the last 36 hours when I would normally receive at least 10 or 20. Thanks so much for your help.
Regards