Overview
WPiko Chatbot Pro implements a comprehensive 5-layer anti-spam protection system for the contact form feature. This multi-layered approach ensures your contact form receives only legitimate submissions while blocking automated spam attacks effectively.
Why Anti-Spam Protection Matters
Without proper spam protection, contact forms become targets for:
Automated Bot Attacks: Bots that submit hundreds of spam messages
Form Farm Spam: Services that mass-submit forms for SEO manipulation
Phishing Attempts: Malicious submissions trying to collect information
Resource Abuse: Attackers overloading your server with requests
Our 5-layer system works together to catch spam at different stages, ensuring legitimate users can always submit forms while bots are blocked.
Layer 1: reCAPTCHA v3 Score Validation
What It Does
Google reCAPTCHA v3 analyzes user behavior and assigns a score from 0.0 to 1.0 indicating how likely a submission is from a bot:
1.0: Definitely human
0.5: Uncertain (threshold boundary)
0.0: Definitely bot
The plugin rejects submissions below the configured threshold, preventing bot submissions from ever reaching your inbox.
What It Catches
Sophisticated bots using automation libraries (Selenium, Puppeteer, etc.)
Form-filling scripts and browser extensions
Bot farms with suspicious behavior patterns
Submissions from known malicious IP addresses
Configuration
Enable reCAPTCHA
Navigate to WPiko Chatbot → Contact Form Settings
Check “Enable Google reCAPTCHA”
Set your reCAPTCHA keys (see below)
Setting Up reCAPTCHA Keys
Visit Google reCAPTCHA Admin Console
Sign in with your Google account
Click “Create” or “+” to create a new site
Configure the following:
– Label: Your website name
– reCAPTCHA type: Select reCAPTCHA v3
– Domains: Add your website domain(s)
Accept the reCAPTCHA Terms of Service
Click Create
Copy your Site Key and Secret Key
Paste them into the plugin settings:
– reCAPTCHA Site Key: Paste in the designated field
– reCAPTCHA Secret Key: Paste in the designated field
Score Threshold Configuration
The score threshold determines what minimum reCAPTCHA score will be accepted. Adjust based on your needs:
| Score Range | Setting | Use Case |
|————-|———|———-|
| 0.9-1.0 | Very Strict | Highest security, may block some legitimate users |
| 0.7-0.8 | Strict | High security with balanced user experience |
| 0.5 | Balanced (Recommended) | Best for most websites |
| 0.3-0.4 | Lenient | Lower security, allows more submissions |
| 0.0-0.2 | Very Lenient | Not recommended – almost no protection |
Default: 0.5 (recommended for most sites)
Adjusting Your Threshold
Go to WPiko Chatbot → Contact Form Settings
Find “reCAPTCHA Score Threshold” field
Adjust the value (0.0-1.0) using the slider or by typing
Click “Save Changes”
Troubleshooting Your Threshold:
Getting too much spam? Increase the threshold to 0.6-0.7
Legitimate users blocked? Decrease the threshold to 0.3-0.4
Not sure? Start with 0.5 and monitor submissions
Monitoring Blocked Submissions
All submissions blocked by reCAPTCHA score are logged with:
Exact score received
Threshold value
User email and name
IP address
Timestamp
Privacy Considerations
reCAPTCHA is invisible to users in v3
Google analyzes user behavior to generate scores
Ensure your privacy policy mentions reCAPTCHA usage
When reCAPTCHA badge is hidden, you must display: “This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply” (automatically added by the plugin)
Layer 2: Configurable Score Threshold
What It Does
Instead of using Google’s default settings, this layer lets you customize exactly what score level you’ll accept. This gives you control over the spam vs. user experience balance.
Why This Matters
Different websites have different needs:
E-commerce sites: May be strict (0.7+) to prevent fraud
Blogs: Can be lenient (0.3-0.4) to maximize contact inquiries
Support portals: Should be balanced (0.5) for both security and accessibility
How to Use
Accessing Settings
WPiko Chatbot → Contact Form Settings
Look for “reCAPTCHA Score Threshold”
View the built-in scoring guide showing recommendations
Score Guide Reference
The plugin displays a helpful guide:
0.9-1.0: Very strict - may block some legitimate users
0.7-0.8: Strict - good balance for high-security needs
0.5: Balanced - recommended for most sites
0.3-0.4: Lenient - more spam may pass through
0.0-0.2: Very lenient - not recommended
Real-World Examples
Example 1: B2B Services
Threshold: 0.7
Why: Business users expect quick form processing; slightly higher threshold maintains security
Expected: ~95% legitimate submissions, ~5% false positives
Example 2: Content Blog
Threshold: 0.4
Why: Blog readers may use VPNs or privacy tools that affect scores; lenient threshold captures more comments
Expected: ~85% legitimate submissions, ~15% false positives
Example 3: News Website
Threshold: 0.5
Why: Balanced approach for general audience
Expected: ~90% legitimate submissions, ~10% false positives
Testing Your Settings
Submit a test form yourself → Check what score you receive
If you get a low score, adjust threshold accordingly
Use a VPN → Submit again to see if it affects your score
Ask team members to test from different locations
Layer 3: Honeypot Field
What It Does
A hidden field (website_url) that’s invisible to humans but visible to bots. When a submission includes a filled honeypot field, it’s automatically rejected.
How It Works
Field is positioned off-screen using CSS (position: absolute; left: -9999px)
Tab order is set to -1 (inaccessible to keyboard users)
Autocomplete is disabled
Legitimate users never see or interact with this field
Simple bots auto-fill all fields, including hidden ones
Submission is silently rejected if field contains data
What It Catches
Basic bot scripts that auto-fill all form fields
Simple form-filling bots that don’t check field visibility
Form-filling browser extensions with aggressive auto-fill behavior
Poorly written scrapers that target form fields blindly
What It Doesn’t Catch
Sophisticated bots that check CSS for display: none or visibility: hidden
Advanced scrapers that parse DOM attributes
Bots using browser automation with visibility detection
(That’s why we have the other 4 layers!)
Technical Details
The honeypot field uses:
Position-based hiding: Off-screen positioning
CSS hiding: Outside viewport
Accessibility bypass: Tab index -1
Attribute checking: Form validation checks field content
User Experience
No impact on legitimate users – they never know it exists
No accessibility issues – properly hidden with tabindex="-1"
No JavaScript required – works on all browsers
Silent failure – bot submissions fail without user confusion
Layer 4: Rate Limiting
What It Does
Limits each email address to a maximum of 3 submissions per hour. This prevents spam flooding attacks where bots send hundreds of identical or similar messages.
How It Works
When a form is submitted, plugin records: email address + timestamp
Before processing new submission, checks if same email has submitted in last hour
If already 3 submissions: form is rejected with rate limit message
Counter resets automatically after 1 hour
Each unique email address has its own separate counter
What It Catches
Spam flooding: Bot sending 50+ messages in rapid succession
Email harvesting: Automated attempts to collect email responses
Server resource abuse: Attackers trying to overload your server
Bulk spam operations: Services trying to mass-submit contact forms
What It Doesn’t Catch
Different email addresses (attacker could use 100 different emails)
Submissions spaced across multiple hours
Legitimate contacts who need to submit multiple times
(That’s why we have the other 4 layers!)
Configuration
Rate limiting is automatically enabled with these settings:
Max submissions: 3 per email address
Time window: 1 hour (3600 seconds)
Storage: WordPress transients (efficient, no database bloat)
Note: These settings are not user-configurable. The 3/hour limit is optimal for preventing abuse while allowing legitimate multiple submissions.
Technical Implementation
Uses WordPress transients for efficient tracking:
Transient Key: wpiko_contact_rate_{MD5_OF_EMAIL}
Value: Submission count
Expiration: 1 hour (automatically)
Benefits:
No database bloat – transients auto-expire
Fast lookups – cached in memory when possible
Scalable – works with multisite installations
Automatic cleanup – expired transients deleted by WordPress
Monitoring Rate Limits
Blocked rate limit attempts are logged:
Contact form rate limit exceeded - Email: user@example.com,
Count: 3, IP: 192.168.1.1
Example Scenarios
Scenario 1: Legitimate User Submits 3 Times in 1 Hour
Time 10:00 AM: Submit 1 ✅ (Counter: 1/3)
Time 10:15 AM: Submit 2 ✅ (Counter: 2/3)
Time 10:30 AM: Submit 3 ✅ (Counter: 3/3)
Time 10:45 AM: Submit 4 ❌ (Blocked – rate limit reached)
Time 11:00 AM: Submit 5 ✅ (Counter reset: 1/3)
Scenario 2: Bot Attack
11:00 AM: 50 submissions in 1 minute from same email
First 3 submissions: ✅ Processed
Next 47 submissions: ❌ All blocked by rate limit
Total spam reaching admin: Only 3 (vs 50 attempted)
Server load: Minimal impact
Layer 5: Timestamp Validation
What It Does
Validates that the form submission took at least 3 seconds from when the form was loaded. This prevents instant bot submissions while allowing legitimate users enough time to fill out the form.
How It Works
When contact form loads, plugin records current timestamp
This timestamp is stored in hidden form field: form_timestamp
When user submits, plugin calculates: submission_time - form_load_time
If time difference is less than 3 seconds: submission is rejected
If time difference is 3+ seconds: submission is processed normally
What It Catches
Instant bot submissions: Bots that submit immediately without delay
Automated form fillers: Scripts that submit as soon as form loads
API-based attacks: Direct API submissions with no form loading
Rapid-fire submissions: Multiple submissions in quick succession
What It Doesn’t Catch
Bots that intentionally wait (sophisticated bots can add delays)
Legitimate users who fill forms very quickly
Users with high typing speed
(That’s why we have the other 4 layers!)
Configuration
Timestamp validation is automatically enabled with:
Minimum time: 3 seconds
Timestamp format: Unix timestamp (seconds)
Storage method: Hidden form field
Verification method: Server-side calculation
Note: The 3-second minimum is optimal – long enough to catch instant bots, short enough for real users.
Technical Details
Server Validation:
current_time = 1635890403
form_timestamp = 1635890400
time_taken = 3 seconds
minimum_time = 3 seconds
Result: ✅ Submission accepted
If Too Fast:
current_time = 1635890401
form_timestamp = 1635890400
time_taken = 1 second
minimum_time = 3 seconds
Result: ❌ Submission blocked
Real-World Examples
Example 1: Legitimate User
10:00:00 AM: Form loads
10:00:05 AM: User submits form (5 seconds elapsed)
Result: ✅ Accepted (5 > 3 seconds)
Example 2: Fast User
10:00:00 AM: Form loads
10:00:03 AM: User submits form (3 seconds elapsed)
Result: ✅ Accepted (3 = 3 seconds, threshold met)
Example 3: Instant Bot
10:00:00 AM: Form loads via API
10:00:00.1 AM: Bot submits form (0.1 seconds elapsed)
Result: ❌ Rejected (0.1 < 3 seconds)
Example 4: User Clicking Back/Forward
10:00:00 AM: Form loads
10:00:01 AM: User accidentally clicks back button
10:00:02 AM: User returns to page (form reloads)
10:00:05 AM: User submits form (3 seconds from last load)
Result: ✅ Accepted (new timestamp prevents false positive)
Monitoring Timestamp Validation
Blocked timestamp validation attempts are logged:
Contact form submitted too fast (1 seconds) - Email: user@example.com,
Name: John Doe, IP: 192.168.1.1
How All 5 Layers Work Together
Typical Bot Attack Scenario
Attack: Bot sends 100 spam messages in 1 minute- reCAPTCHA Score Validation
Result: Bot behavior detected, score 0.15
Threshold: 0.5
Action: ❌ BLOCKED (too low score)
→ If bot bypasses Layer 1 (unlikely):- Timestamp Validation
Result: Form submitted in 0.5 seconds
Minimum: 3 seconds
Action: ❌ BLOCKED (too fast)
→ If bot adds delay (harder to do):- Honeypot Field
Result: Hidden field is filled
Expected: Empty
Action: ❌ BLOCKED (bot filled hidden field)
→ If bot checks CSS visibility:- Rate Limiting
Result: 4th submission from same email
Limit: 3 per hour
Action: ❌ BLOCKED (rate limit exceeded)
→ If attacker uses different emails:- reCAPTCHA Score Validation (again)
Result: Still shows bot behavior
Action: ❌ BLOCKEDRESULT: Out of 100 spam attempts:
- Layer 1: Blocks ~99 submissions
- Layer 2: Catches config misuse
- Layer 3: Blocks simple bots
- Layer 4: Limits damage per email
- Layer 5: Catches instant submissions
Final: 0-1 spam reaches admin (vs 100 attempted)
Legitimate User Scenario
Legitimate user submitting contact form- reCAPTCHA Score Validation
Result: Normal user behavior, score 0.92
Threshold: 0.5
Action: ✅ PASSED (0.92 > 0.5)- Timestamp Validation
Result: Form submitted after 8 seconds
Minimum: 3 seconds
Action: ✅ PASSED (8 > 3 seconds)- Honeypot Field
Result: Hidden field remains empty
Expected: Empty
Action: ✅ PASSED (field untouched)
Best Practices
1. reCAPTCHA Configuration
✅ Always enable reCAPTCHA v3 (not v2)
✅ Register your domain in Google Console
✅ Keep API keys secure and confidential
✅ Never commit keys to version control
✅ Rotate keys if compromised
✅ Start with threshold 0.5 and adjust based on results
2. Privacy Compliance
✅ Disclose reCAPTCHA usage in privacy policy
✅ Add links to Google Privacy Policy and Terms
✅ Inform users about data processing (done automatically)
✅ Ensure GDPR compliance if applicable
✅ Update your terms of service
3. User Experience
✅ Keep form simple and clear
✅ Provide helpful error messages
✅ Test forms regularly from different networks
✅ Test with VPN enabled
✅ Test on mobile devices
✅ Monitor user submissions for patterns
4. Security Maintenance
✅ Monitor logs regularly for attacks
✅ Review submission patterns monthly
✅ Adjust threshold based on real data
✅ Keep WordPress and plugins updated
✅ Use WordPress security plugins
✅ Enable WordPress debugging to catch issues
5. Performance Optimization
✅ Rate limiting uses efficient transients
✅ No database bloat from logs
✅ Validation happens server-side (secure)
✅ Minimal JavaScript overhead
✅ Caching-friendly (no blocking)
Troubleshooting
Common Issues
Issue 1: “Suspicious Activity Detected” Error
Symptom: Users see message even after filling form correctly
Causes:
reCAPTCHA score too high
User on VPN/Proxy
User with high privacy settings
Bot-like behavior detected
Solutions:
Lower reCAPTCHA threshold (try 0.4)
Advise users to disable VPN if possible
Check reCAPTCHA logs for actual score
Test form yourself to verify it works
Issue 2: “Submitted Too Fast” Error
Symptom: Forms rejected even when user filled them carefully
Causes:
User has very fast typing speed
Form pre-filled with user data
User copy/pasting form content
Mobile auto-fill
Solutions:
This is normal – 3 seconds is generous for filling a form
Ensure form isn’t artificially pre-filled
Users can pause between filling fields
Mobile browsers respect the 3-second minimum
Issue 3: “Too Many Submissions” Error
Symptom: User blocked after 3 legitimate submissions
Causes:
User testing form submission
User resubmitting due to errors
Network issues causing retries
User legitimately needs to submit multiple times
Solutions:
This is working as intended – 3/hour limit is high enough for most needs
User can wait 1 hour for counter to reset
Rate limit is per email address, not per IP
Consider creating separate contact form for high-volume submissions
Issue 4: reCAPTCHA Badge Not Hiding
Symptom: Badge still visible when “Hide Badge” option enabled
Causes:
CSS not loaded properly
Browser caching old CSS
Other CSS overriding setting
JavaScript errors
Solutions:
Clear browser cache (Ctrl+Shift+Delete)
Clear WordPress cache if using caching plugin
Check for CSS conflicts in browser console
Verify reCAPTCHA setup in Google Console
Issue 5: Forms Never Reach Inbox
Symptom: No emails received from form submissions
Causes:
Email server configuration
Emails going to spam folder
Server not sending emails
Admin email address incorrect
Solutions:
Test WordPress email: use WP Mail plugin
Check spam/junk folder
Enable WordPress mail logging
Verify admin email in Settings → General
Verification Steps
Test 1: reCAPTCHA Verification
Submit form yourself
Check browser console for errors
Verify Site Key is correct
Check IP address isn’t blocked by Google
Test 2: Timestamp Validation
Note the time form loads
Immediately submit (< 3 seconds)
Should be rejected with “too fast” message
Wait 5+ seconds and submit again
Should be accepted
Test 3: Rate Limiting
Submit form once – should succeed
Submit again immediately – should succeed
Submit third time – should succeed
Submit fourth time – should be rate limited
Wait 1 hour and try again
Test 4: Honeypot
Inspect page source for website_url field
Verify it’s hidden with CSS
Never fill this field manually
Try to fill it using browser console – submission should fail
Summary
5-layer anti-spam protection: The layers work together to catch ~99% of spam while maintaining excellent user experience for legitimate contacts.
Key Benefits:
✅ Invisible to legitimate users
✅ No CAPTCHA typing required (v3)
✅ Configurable and adjustable
✅ Well-logged for monitoring
✅ Performance-optimized
✅ Privacy-compliant
✅ Mobile-friendly
For questions or issues, refer to the troubleshooting section or contact support.
