Antispam – WordPress security plugin, firewall & anti-spam
https://wpcerber.com
Tue, 12 Jul 2022 12:14:21 +0000

How to view spam form submissions
https://wpcerber.com/how-to-view-spam-form-submissions/
Fri, 11 Jun 2021 09:50:35 +0000

If you’ve enabled WP Cerber’s anti-spam protection, the engine protects all or selected forms on your WordPress-powered website and denies attempts to submit spam. But how can we see submitted form data if a form submission was identified as spam? It’s possible by using Traffic Inspector logging capabilities.

Enable the logging

First of all, make sure that traffic logging is properly enabled in the Traffic Inspector settings.

  1. “Logging mode” is not set to “Logging disabled”
  2. “Save request fields” is enabled

Now, when a form is being submitted, all the form fields are saved to the Traffic Inspector log and can be viewed on the Live Traffic log page by clicking “Details” in an appropriate row.

View submitted forms

To view all submitted forms, go to the Live Traffic log page and click the small “Form submissions” button. To view submitted form fields, hover the mouse over the row and click the “Details” link. Note that it shows you all form submissions, including the WordPress comments form. To view forms denied as spam, use the advanced search.

Viewing submitted form fields in the Traffic Inspector log

Viewing spam form submissions only

To view all denied spam form submissions, click the “Advanced Search” button, select “Spam form submission denied” in the “Activity” field, and click the “Search” button under the search form. You will see all logged and denied spam form submissions.

Filtering out spam form submissions using the advanced search

Prevent saving sensitive data to the log

If a form field is intended to submit sensitive or personal data, you can disable saving data from such a field by adding the name of the form field to the “Mask these form fields” list. Now, before saving form fields to the log, real field values are replaced with asterisks. Hint: field names are shown in the “Form Fields” sections in the Traffic Inspector log.

Learn more about handling personal data in the logs in these articles: Deleting personal data from the logs and Exporting personal data from the logs.

Configuring exceptions for the anti-spam engine
https://wpcerber.com/antispam-exception-for-specific-http-request/
Mon, 18 Jun 2018 12:35:44 +0000

Usually, you need to configure anti-spam exceptions if you use a technology that communicates with your website by submitting forms or sending POST requests programmatically. In such cases, WP Cerber can block legitimate requests because it can recognize them as generated by bots. This leads to false positives, which you can see on the Activity tab. Such log entries are marked as Spam form submission denied.

How to exclude specific requests from inspection

All anti-spam exceptions are configured on the Anti-spam admin page.

To exclude a specific request (form submission) from inspection by the anti-spam engine, you need to specify a request path and, optionally, a query string (request parameters) in the Query whitelist setting field.

If a request URI starts with or equals any of the specified strings, it will not be inspected or blocked.

To create complex rules, you can use REGEX expressions. Please see further details below.

Some examples

Exception #1: permits any request whose Request URI starts with the specified string, e.g. /ps/wc-ajax=whatever_till_the_end

Exception #2: permits any request whose Request URI matches the specified REGEX pattern, e.g. /file-upload.php?user_id=23432

Anti-spam for WordPress – configuring exceptions

How to identify the Request URI

Go to the Live Traffic admin page. Find a legitimate request you need to whitelist and take its Request URI from the Request column. If your Request URI contains dynamic GET parameters like on the screenshot below, you may need to use a REGEX expression.

Request URI on the Live Traffic page in the WordPress dashboard

Regular expressions

Query whitelist supports regular expressions, one pattern per line. To be excluded from inspection, the Request URI must match the whole REGEX pattern.

To specify a REGEX pattern, enclose a whole line in two { } braces. For instance, to exclude requests to a file-upload.php script with a numerical GET parameter user_id containing any number, specify this string:

{\/file-upload\.php\?user_id=\d+$}

Note: to specify the slash / character in a REGEX expression, you need to escape it with backslash \ this way: \/
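
The matching rules described above can be checked offline against URIs copied from the Live Traffic page before an exception is saved. This is an added example, not WP Cerber's code: it models the documented rules (plain lines are prefixes, lines in { } are regular expressions), assumes patterns are applied as a search in the way PHP's preg_match() works, and uses hypothetical function names, a constructed prefix rule and constructed URIs.

```python
import re


def parse_rules(text):
    """Split the Query whitelist text into (kind, value) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # A whole line wrapped in { } is a regular expression.
        if len(line) > 2 and line[0] == "{" and line[-1] == "}":
            rules.append(("regex", line[1:-1]))
        else:
            rules.append(("prefix", line))
    return rules


def matching_rule(request_uri, rules):
    """Return the first rule that would exempt request_uri, or None."""
    for kind, value in rules:
        if kind == "prefix" and request_uri.startswith(value):
            return (kind, value)
        # Assumption: search semantics, as with PHP's preg_match().
        if kind == "regex" and re.search(value, request_uri):
            return (kind, value)
    return None


def lint(rules):
    """Flag rules that can exempt more than the one endpoint intended."""
    warnings = []
    for kind, value in rules:
        if kind == "prefix" and len(value.rstrip("/")) < 4:
            warnings.append((value, "prefix is short enough to cover most of the site"))
        if kind == "regex" and not value.startswith("^"):
            warnings.append((value, "no leading ^: may match in the middle of a URI"))
        if kind == "regex" and not value.endswith("$"):
            warnings.append((value, "no trailing $: any suffix is accepted"))
    return warnings


def report(whitelist_text, uris):
    """Map each URI to True (exempt from inspection) or False (inspected)."""
    rules = parse_rules(whitelist_text)
    return {uri: matching_rule(uri, rules) is not None for uri in uris}


# First rule is constructed; the second is the pattern given in the text.
WHITELIST = r"""
/ps/wc-ajax=
{\/file-upload\.php\?user_id=\d+$}
"""

# Constructed Request URIs, as they would appear in the Request column.
SAMPLE_URIS = [
    "/ps/wc-ajax=get_refreshed_fragments",
    "/file-upload.php?user_id=23432",
    "/file-upload.php?user_id=abc",
    "/file-upload.php?user_id=23432&debug=1",
    "/wp-comments-post.php",
]

if __name__ == "__main__":
    for uri, exempt in report(WHITELIST, SAMPLE_URIS).items():
        print("EXEMPT   " if exempt else "INSPECTED", uri)
    for value, why in lint(parse_rules(WHITELIST)):
        print("WARN", value, "-", why)
```

Requests that still show as inspected keep their anti-spam check, so a rule set that exempts only the URIs you expect is the narrowest exception that removes the false positives.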

WordPress anti-spam settings

How to disable anti-spam on a selected page

To avoid conflicts with third-party forms loaded from an external source and processed on a third-party website, you can configure exceptions for WP Cerber’s anti-spam by disabling its code on selected pages of your website. The list of pages is specified with a PHP constant CERBER_DISABLE_SPAM_FILTER. This constant should be defined in the wp-config.php file. Use a comma-separated string with page (post) IDs. If the list is configured, you see the list of pages on the WP Cerber anti-spam settings admin page. Here is an example of the list definition.

define( 'CERBER_DISABLE_SPAM_FILTER', '3, 45');

You need to use this feature if you have HubSpot forms on your website.

See also: How to stop spam user registrations on your WordPress

How to stop spam user registrations on your WordPress
https://wpcerber.com/how-to-stop-spam-user-registrations-wordpress/
Mon, 12 Mar 2018 11:41:15 +0000

Enable an antispam engine for the registration form

The fastest way to stop spammers is to enable the antispam engine for the WordPress registration form. To enable protection:

  1. Go to the Antispam plugin admin page
  2. Enable Protect registration form with bot detection engine in the Cerber antispam engine section
  3. If you have a separate, non-standard registration form or a membership plugin, enable Protect all forms on the website with bot detection engine
  4. Click the Save Changes button

Change the default registration and login URL

The next thing you need to do is to change the default WordPress registration URL to a custom one. That allows you to block automated spam attacks. Follow this guide: Custom login and registration URL for WordPress.

Set the limit on user registrations from one IP address

The third step is to set a limit on the number of user registrations from one IP address. By default, three user accounts are allowed to be registered from one IP address within one hour. This feature is available in Cerber Security Pro.

  1. Go to the plugin admin Dashboard
  2. Click on the Users tab
  3. Enter appropriate values in the Registration limit fields

Block new user registrations from specific countries with GEO rules

The country-based GEO rules enable you to set a list of countries from which users are permitted to register on your WordPress. If you want to get new users from your country only, this is the right way. GEO rules are available in Cerber Security Pro. To create the list of the countries:

  1. Go to the Security Rules admin page and click the Countries tab
  2. Click Register on the website.
  3. Create a list of countries by clicking on the country name in the left window. Selected countries are listed in the right window.
  4. Once you’ve created the list, set its type. If you want to permit new user registrations from the selected list of countries, click Selected countries are permitted to register on the website, other countries are not permitted to. Otherwise, if you want to block registrations, click the second option Selected countries are not permitted to Register on the website, other countries are permitted to.
  5. Click the Save all rules button.

Block user registrations on WordPress from specific countries with GEO rules

Enable reCAPTCHA for the WordPress registration form

Last but not least, you can enable reCAPTCHA for the WordPress registration form. Before you can start using reCAPTCHA on the website, you have to obtain a Site key and a Secret key on the Google website. To get the keys, you need a Google account. Register your website and get both keys here: https://www.google.com/recaptcha/admin

Read more: How to set up reCAPTCHA for WordPress and WooCommerce registration, reset password and login forms.

How to protect a contact form on your WordPress

The Cerber antispam and bot detection engine can protect virtually all contact forms on a website. It’s tested with Caldera Forms, Gravity Forms, Contact Form 7, Ninja Forms, Formidable Forms, Fast Secure Contact Form, Contact Form by WPForms and WooCommerce forms.

Follow this guide: How to stop spam form submissions on your WordPress.

How to stop spam form submissions on your WordPress
https://wpcerber.com/antispam-for-wordpress-contact-forms/
Sun, 22 Oct 2017 09:23:28 +0000

WP Cerber Security enables you to protect all contact forms on a website. The anti-spam engine is compatible with virtually any form. Tested with Caldera Forms, Gravity Forms, Contact Form 7, Ninja Forms, Formidable Forms, Fast Secure Contact Form, Contact Form by WPForms, and WooCommerce forms.

WP Cerber’s anti-spam engine is a great alternative to Google’s reCAPTCHA.

Enabling the anti-spam engine

To enable spam protection, go to the Anti-spam plugin admin page and enable Protect all forms on the website with bot detection engine.

In most cases, the anti-spam protection works fine with default settings. But as a professional solution, Cerber offers several options to fine-tune its anti-spam algorithms.

Block form submissions from specific countries

The professional version of WP Cerber enables you to configure a set of GEO rules that allow you to permit or block form submissions from a configurable list of countries. If you want to be in touch with people in several countries only, this is the right way. Get the professional version of WP Cerber here. Note that these settings affect all forms on your website except the standard WordPress registration form. To create the list of countries:

  1. Go to the Security Rules admin page and click the Countries tab.
  2. Click Submit forms.
  3. Create a list of countries by clicking on the country name in the left window. Selected countries are listed in the right window. To remove a country from the list, click on the country name in the right window.
  4. Once you’ve created the list, set its type. If you want to block form submissions from the selected list of countries, click Selected countries are not permitted to Submit forms, other countries are permitted to. If you want to allow form submissions, click the second option Selected countries are permitted to Submit forms, other countries are not permitted to.
  5. Click the Save all rules button.

Restrict form submissions on WordPress with country GEO rules

Block form submissions from specific IP addresses

To completely block form submissions from a given IP address or an IP network or any combination of them, add them to the Black IP Access List. Keep in mind that entries in both IP access lists have the highest priority, which means they are processed before any other security rules and plugin settings. Learn more: Using IP Access Lists for protecting WordPress.

Exceptions for a set of IP addresses and IP networks

You can set up exceptions for a given IP address or an IP network or any combination of them by adding them to the White IP Access List. Learn more: Using IP Access Lists for protecting WordPress.

Exceptions for specific HTTP requests

Usually, you need to configure anti-spam exceptions if you use a technology that communicates with your website by submitting forms or sending POST requests programmatically. In such cases, Cerber’s anti-spam engine can block legitimate requests because it recognizes them as generated by bots. This leads to false positives, which you can see on the Activity tab. Such log entries are marked as Spam form submission denied.

Read more on how to configure URL-based exceptions.

Disable anti-spam inspection for logged in users

If you trust your logged-in users, you can disable the anti-spam inspection for all of them. The users will be able to submit any form, including comments, without an anti-spam check.

Safe anti-spam mode

If you come across some incompatibility with another plugin or theme, you can enable a special mode that tells the plugin to use less restrictive policies when it detects spam. The safe mode makes it compatible with the rest of the plugins and themes. Use it with caution.

Is Cerber anti-spam engine compatible with reCAPTCHA?

Absolutely. The spam detection engine is compatible with any captchas, including reCAPTCHA that you can activate in the plugin settings. Please note: activating reCAPTCHA for the login form doesn’t protect a website from hackers.

How does the anti-spam engine work?

The Cerber spam protection engine uses a combination of JavaScript, jQuery, and cookies to determine whether the request comes from a real browser and whether the form was really submitted by a human clicking a submit button. Also, to make a decision, the plugin tracks all suspicious and malicious requests from an IP address by using its Activity log.

How to stop spam user registrations on your WordPress?

Cerber Security has five anti-spam and antibot options, which can be enabled simultaneously to stop the registration spam nightmare.

Follow this guide: How to stop spam user registrations on your WordPress.

Let’s sum up the capabilities of Cerber anti-spam engine

  • You can set up anti-spam protection for WordPress registration form and comments, for contact and WooCommerce forms
  • You can permit or deny form submissions from specific countries by configuring GEO rules *
  • You can set up exceptions for IP address, network, or a specific request URI
  • If something goes wrong, you can enable safe anti-spam mode
  • You can enable reCAPTCHA and Cerber anti-spam protection at the same time
  • You can get notifications on email or mobile phone about spam activity
  • Performance of the anti-spam engine can be monitored on the Activity tab

Why reCAPTCHA does not protect WordPress against bots and brute-force attacks
https://wpcerber.com/why-recaptcha-does-not-protect-wordpress/
Tue, 29 Nov 2016 19:00:48 +0000

What is reCAPTCHA, anyway?

Google’s reCAPTCHA is a human verification mechanism that is created and maintained by Google as a free web service. WP Cerber supports reCAPTCHA for WooCommerce and WordPress forms as an anti-spam feature.

Why does reCAPTCHA not protect WordPress from bots and brute-force attacks?

It’s possible because WordPress has three authorization methods that are enabled by default. That means hackers can exploit three entrances on any WordPress-powered website. The first one is the default WordPress login form. The two other methods are invisible to you but known to hackers and the specialized software that hackers use. Cybercriminals use them to obtain users’ passwords and consequently to get access to the WordPress Dashboard with admin privileges.

Any captcha-based mechanism, including reCAPTCHA, can protect WordPress against a brute-force attack on the ordinary login form only. The other two WordPress authentication methods are still unprotected. Why? Because reCAPTCHA is developed to protect websites from robots via a human verification mechanism. Hackers are not robots even if they use botnets. That’s why reCAPTCHA does not protect websites from being hacked.

You must not use any plugin that adds reCAPTCHA to the WordPress login form to protect your website from brute-force attacks.

I see plenty of plugins that offer using reCAPTCHA to protect the login form. I have a question for you: do those plugins protect your website completely, including the following two methods, as WP Cerber does?

  1. Cookie-based authorization
  2. XML-RPC authorization

Does it mean reCAPTCHA is useless?

Nope. reCAPTCHA can be successfully used as a spam-prevention mechanism for registration, contact, and password reset forms. Vital parts of WordPress must be protected with a specialized security solution only.

How do I protect my website from spam?

To protect WooCommerce and WordPress forms, WP Cerber Security offers two options

  1. Cerber antispam and bot detection engine, follow the instruction: Antispam protection for WordPress forms
  2. Using reCAPTCHA, follow the instruction: How to set up reCAPTCHA.

How to bypass reCAPTCHA

Is it possible for bots to solve reCAPTCHA without a human? It sounds unbelievable, but they can do that by using an interesting method. The method is based on using the voice captcha called Audio Challenge and one of those online speech recognition services like Google Speech Recognition API. A hacker takes an audio file with the voice captcha generated by reCAPTCHA and then recognizes it with a speech recognition service. Isn’t it brilliant?

This method was discovered back in 2012. Fortunately, this method is not exploitable in real circumstances: when the Google service identifies multiple attempts to solve the captcha from the same IP address, the voice captcha is changed into a more complex voice that cannot be identified using this approach. So, to successfully use this method, hackers have to use a lot of IP addresses. To achieve that, hackers can infect a significant number of mobile devices with malicious software. But there is a question: is the ability to post spam comments or register with a fake name on a website worth it? It’s easier to hire a bunch of guys from a poor country to do that manually in a bulk mode.

Want to know more? Subscribe to the Cerber’s newsletter.

How to set up reCAPTCHA
https://wpcerber.com/how-to-setup-recaptcha/
Tue, 29 Nov 2016 18:57:14 +0000

What is reCAPTCHA and how does it work?

reCaptcha widget by Google

reCAPTCHA is a human verification mechanism that provides a free anti-spam service. It can be used along with the WP Cerber anti-spam engine.

When reCAPTCHA is configured for a form on your website, a couple of JavaScript scripts are loaded from Google’s servers every time the web page with the form is being displayed. If you have enabled a visible version, those scripts will display a reCAPTCHA widget inside the form. With invisible reCAPTCHA, those scripts will display a reCAPTCHA badge at the corner of a browser screen.

Every time a user submits the form with reCAPTCHA, the WP Cerber plugin makes an HTTP request to Google’s server to make sure that the form has been submitted by a human, not a bot. If Google’s server replies with a negative “No, it’s a bot”, further processing of the form will be interrupted and the user sees the message: ERROR: Human verification failed. Please click the square box in the reCAPTCHA block below.

By the way: Why reCAPTCHA does not protect WordPress from brute-force attacks.

Configuring reCAPTCHA for WordPress forms

You can easily set up reCAPTCHA on a website having the WP Cerber Security plugin installed. Before you can start using reCAPTCHA on any website, you have to obtain a Site key and a Secret key on the Google website for your website.

Note: currently WP Cerber supports reCAPTCHA v2 only.

Register your website and get both reCAPTCHA keys here: https://www.google.com/recaptcha/admin

Note: If you are going to use an invisible version, you must get and use a Site key and a Secret key for the invisible version only.

  1. After keys have been created for you, go to the reCAPTCHA settings page of the WP Cerber plugin. It’s located under the Anti-spam menu.
  2. Copy keys to the appropriate fields in the reCAPTCHA settings.
  3. Check checkboxes for all forms you want to be protected with reCAPTCHA.
  4. Make sure that the reCAPTCHA widget is displayed correctly.
  5. Done!

reCAPTCHA for WooCommerce

Important note for WooCommerce users: you cannot enable and use two visible reCAPTCHA widgets (for two forms) on the same page. Only one widget per page is allowed. So, if you have two forms on the same page, choose only one, more important form or use the invisible version. Alternatively, you can configure Cerber’s anti-spam engine which doesn’t have such limitations.

reCAPTCHA for WordPress comment forms

If you need to align the visible reCAPTCHA widget, use a custom CSS style with site Customizer.

  1. To get to the WordPress Customizer, navigate to the Appearance / Customize menu from your WordPress dashboard. You will be taken directly to the Customizer interface, with your theme preview on the right, and the Customizer menu on the left.
  2. Scroll down and click Additional CSS.
  3. Enter the following CSS code to align the reCAPTCHA widget to the right.
#cerber-recaptcha > div {
 text-align: right;
 width: auto !important;
 height: auto !important;
}

Note: When editing CSS style in the site Customizer, your changes will automatically be applied to the preview window, but they won’t actually be saved until you click the Save & Publish button.

Is there an alternative to reCAPTCHA?

Cerber’s anti-spam and bot detection engine is a great alternative to Google’s reCAPTCHA. This engine protects WordPress comment forms and can protect virtually all contact and registration forms on a website. Unlike reCAPTCHA, which sends visitors’ data to Google’s servers, the engine processes all data locally on the website, which makes it easier to comply with GDPR and prevents leakage of sensitive and personal data.

The anti-spam engine has been tested with Caldera Forms, Gravity Forms, Contact Form 7, Ninja Forms, Formidable Forms, Fast Secure Contact Form, Contact Form by WPForms.

Troubleshooting reCAPTCHA

First of all, inspect the Activity tab. If you see the message “reCAPTCHA settings are incorrect”, that means your key and secret are not correct and have not been recognized by Google’s server.

If you see the message “Request to the Google reCAPTCHA service failed”, that means that your web server is unable to connect to Google’s server. Ask your hosting provider for help. Most likely your hosting provider blocks outgoing HTTP requests from your website by using a firewall.

Disadvantages of reCAPTCHA

Some website owners have a negative experience with reCAPTCHA. From time to time we get complaints about broken layout on forms. Sometimes the layout of a page conflicts with the styles of the reCAPTCHA widget. If you have such an unpleasant experience, let us know or enable Cerber’s anti-spam engine instead.

Be aware

Although Google offers this service for free, in fact, it’s not completely free. Google is a huge business and normally doesn’t offer something for free. So, you have to pay something in return and in this case, you share some, known to Google only, details about your visitors’ browsers and your website.

The following explanation has been taken from Google’s website; you can check it when you register your website on the reCAPTCHA service page.

You acknowledge and understand that the reCAPTCHA API works by collecting hardware and software information, such as device and application data and the results of integrity checks, and sending that data to Google for analysis. Pursuant to Section 3(d) of the Google APIs Terms of Service, you agree that if you use the APIs that it is your responsibility to provide any necessary notices or consents for the collection and sharing of this data with Google. For users in the European Union, you and your API Client(s) must comply with the EU User Consent Policy currently located at

What does reCAPTCHA look like?

From time to time, your users come across a somewhat complicated graphical reCAPTCHA with a set of pictures. That means Google wants help with training Google AI (a neural network) to recognize objects in photos taken on streets. In this case, the user has to select the proper images according to the explanation above them.

reCAPTCHA for WordPress

reCAPTCHA as anti-spam for WooCommerce

reCAPTCHA for WordPress comment form

reCAPTCHA plugin for WooCommerce

reCAPTCHA anti-spam plugin for WordPress

reCAPTCHA WordPress security settings