Plugin recommendation: anti-spam (Contact Form 7)

Anyone got a recommendation for a lightweight plugin that works well to combat spam with forms that use Contact Form 7?

Brief explanation of how it works behind the scenes is also appreciated if you have that information.


Not lightweight, a complete security plugin, but eliminates SPAM completely from CF7 forms. I use it instead of WordFence, works great:

I am not a programmer, so my explanation about technical solution can be ridiculous, sorry. I just know that it works really great.

1 Like

Since I didn’t want to keep Jetpack / Akismet installed on my ClassicPress sites, I looked for other options, including for anti-spam.
Finally, I chose CleanTalk:

Not only will it protect Contact Form 7, but also comments, etc. I have now been using it on several sites for six to eight months, and it has been working well. Moreover, no captcha.
And pricing is very reasonable: $8 a year for one website, $16 a year for three websites, etc.
Regarding the way it works, you will find relevant information on their website—sorry, my technical qualifications are not sufficient for explaining it.


I find that the original CF7 Really Simple captcha works well enough and it’s very lightweight.

I’m running this on a CP 1.0.2 site with CF7 v5.1.4 (PHP7.2) and it seems fine. It may not be the most robust solution but worth a try?


Captcha is banned by the United Nations as a torture to humanity.


Second only to spam itself. :wink: - I jest! ROFL.

Bizarrely, the UN uses captchas in various places on its own website.


The CF7 captcha looks something like this:


In my opinion, this is about as simple as you’re going to get. And probably as lightweight as you’re going to get given that it’s mostly already integrated into CF7. Admittedly, it may not offer the strongest protection, as already mentioned.

If human interaction is to be avoided, I think the only alternatives are to use a Google invisible reCaptcha (which carries a big overhead) or a cloud service as suggested by @jfmayer (overhead unknown).

Cerber looks like a neat plugin (one I hadn’t come across before) but it seems to be aimed more at security than anti-spam.

My tuppence worth.


I’m also using Really Simple Captcha and have had decent results so far. A few spams still get through (about 1 every 3 weeks), I can’t complain. :slight_smile:

1 Like

I’ve been finding Contact Form 7 attracting more and more spam… I assume that as the most popular plugin it is being targeted. I recently made up my own little contact form as part of my personal theme template and I am using that now on all my sites (it also writes to the database and stores all messages). I hate captcha so I experimented with honeypot fields but didn’t find them effective (possibly because I didn’t set it up properly). I’ve just gone with a very simple maths question. Had zero spam so far.


I’ve tried honeypots and also found them to be ineffective. But then I tried a maths question doofer and while it was better, quite a lot of spam still got through. So I went back to the really simple captcha.

1 Like

Interesting. Do you think the spam is getting through because a robot is solving the problem, or has it been entered manually?

The trouble with honeypots is that bots figure them out in time. It’s probably trivial to program a bot to just not fill in fields that are set to display:none; or visibility:hidden;, for example. This would sidestep probably 90%+ of honeypots. The honeypot technique worked great in the beginning, but, while bots have become smarter, honeypots have largely remained the same.
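
The post above describes bots skipping hidden decoy fields, which defeats a honeypot used on its own. As an added example (not code from this thread or from any plugin named in it), this PHP pairs the empty-decoy check with a signed render-time token and a minimum fill time, run over constructed submissions; the secret, the field names `website` and `form_token`, and the thresholds are assumptions.

```php
<?php
// Added example, not code from any plugin named in this thread.
// SECRET, the field names and the thresholds are assumptions for illustration.
const SECRET      = 'replace-with-a-random-per-site-secret'; // placeholder value
const MIN_SECONDS = 3;    // a person rarely completes a form faster than this
const MAX_SECONDS = 3600; // tokens older than one hour are rejected

// Form render time: value for a hidden "form_token" field ("timestamp.signature").
function issue_form_token(int $now): string {
    return $now . '.' . hash_hmac('sha256', (string) $now, SECRET);
}

// Submission time: returns 'ok' or the reason the post is treated as spam.
function check_submission(array $post, int $now): string {
    // 1. Honeypot: the decoy "website" field must arrive as an empty string.
    $decoy = $post['website'] ?? '';
    if (!is_string($decoy) || trim($decoy) !== '') {
        return 'honeypot filled';
    }
    // 2. Token: must be present, well formed and signed with our secret.
    $token = $post['form_token'] ?? '';
    $parts = is_string($token) ? explode('.', $token, 2) : [];
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'token missing or malformed';
    }
    [$issued, $signature] = $parts;
    if (!hash_equals(hash_hmac('sha256', $issued, SECRET), $signature)) {
        return 'token signature invalid';
    }
    // 3. Timing: reject instant submissions and stale tokens.
    $age = $now - (int) $issued;
    if ($age < MIN_SECONDS) {
        return 'submitted too fast';
    }
    return $age > MAX_SECONDS ? 'token expired' : 'ok';
}

// Constructed sample submissions (not real traffic).
$t0    = 1700000000;
$token = issue_form_token($t0);
$cases = [
    'person, 40 s after render'  => [['website' => '', 'form_token' => $token], $t0 + 40],
    'fills every field'          => [['website' => 'http://x.example', 'form_token' => $token], $t0 + 40],
    'skips decoy, posts at once' => [['website' => '', 'form_token' => $token], $t0 + 1],
    'skips decoy, no token'      => [['website' => ''], $t0 + 40],
];
foreach ($cases as $label => [$post, $now]) {
    printf("%-28s => %s\n", $label, check_submission($post, $now));
}
```

These checks filter simple scripted posts only; automation that drives a real browser, as raised later in the thread, is not stopped by them.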


I recommend WPBruiser, but you’ll need a paid add-on to get it to work with CF7.


OK, I will repeat:

WP Cerber. No human interaction. Not one spam.

And the last time:

No torture to your visitors. No torture to you.

And the bonus:

Why do you demand that humans prove to the machine they are not a machine? Demand a proof from bots, not from humans!

Sorry, but when I see captcha, I know that it was an incompetent developer. Laziness to use modern antispam methods is not an option.

1 Like

Is Cerber using reCAPTCHA v3 (invisible reCAPTCHA)?

1 Like

That’s a good question @ozfiddler and one I did look into. Seeing as the spam stopped as soon as I replaced the maths question with RSC, it appeared to be bot related. The system logs also seemed to confirm that.

Both systems obviously work on the same principle of needing basic human input, whether numbers or letters, so on that basis it shouldn’t have made any difference. However, RSC is an image but, in this particular case, the maths questions were pure text, making it easier for a bot to read.

In any case, I stopped using maths questions because, although the questions were simple, according to feedback from clients, people felt “challenged” by them and embarrassed if they got it wrong. And although it’s not exactly “torture”, it does relate to the comments made by @LinasSimonis.


I’d agree with that. There was a time when honeypots in hidden fields were all I used and they were very simple and effective but slowly the bots caught on. It was sweet while it lasted. :smile:

1 Like

As I understand - no, they use their own solution. They have an option to enable captchas, but you know my opinion about it :slight_smile:

1 Like

From the Cerber documentation:

The Cerber spam detection engine uses the combination of JavaScript, jQuery, and cookies to understand is it a real browser and is it a real form has been submitted by clicking a submit button.


You can enable reCAPTCHA and Cerber anti-spam protection at the same time

1 Like

I am surprised this still works. I have never written a spam bot, but I have written other kinds of web scrapers and automation tools. I almost always do this by automating a real browser.

Also, lightweight is a requirement for a reason: I am going to review the code for this plugin before installing it. Around 200 lines of code for Really Simple Captcha, and around 20,000 for WP Cerber…

Another preference that I should have mentioned up-front is free.

So that leaves Really Simple Captcha, a Recaptcha integration (could be the v3 invisible one), and of course Akismet.

1 Like