Plugin recommendation: anti-spam (Contact Form 7)

The CF7 captcha looks something like this:

[Image: cf7captcha]

In my opinion, this is about as simple as you’re going to get. And probably as lightweight as you’re going to get given that it’s mostly already integrated into CF7. Admittedly, it may not offer the strongest protection, as already mentioned.

If human interaction is to be avoided, I think the only alternatives are to use a Google invisible reCaptcha (which carries a big overhead) or a cloud service as suggested by @jfmayer (overhead unknown).

Cerber looks like a neat plugin (one I hadn’t come across before) but it seems to be aimed more at security than anti-spam.

My tuppence worth.

3 Likes

I’m also using Really Simple Captcha and have had decent results so far. A few spams still get through (about 1 every 3 weeks); I can’t complain. :slight_smile:

1 Like

I’ve been finding Contact Form 7 attracting more and more spam… I assume that as the most popular plugin it is being targeted. I recently made up my own little contact form as part of my personal theme template and I am using that now on all my sites (it also writes to the database and stores all messages). I hate captcha so I experimented with honeypot fields but didn’t find them effective (possibly because I didn’t set it up properly). I’ve just gone with a very simple maths question. Had zero spam so far.

2 Likes

I’ve tried honeypots and also found them to be ineffective. But then I tried a maths question doofer and while it was better, quite a lot of spam still got through. So I went back to the really simple captcha.

1 Like

Interesting. Do you think the spam is getting through because a robot is solving the problem, or has it been entered manually?

The trouble with honeypots is that bots figure them out in time. It’s probably trivial to program a bot to just not fill in fields that are set to display:none; or visibility:hidden;, for example. This would sidestep probably 90%+ of honeypots. The honeypot technique worked great in the beginning, but, while bots have become smarter, honeypots have largely remained the same.

2 Likes

I recommend WPBruiser, but you’ll need a paid add-on to get it to work with CF7.

2 Likes

OK, I will repeat:

WP Cerber. No human interaction. Not one spam.

And the last time:

No torture to your visitors. No torture to you.

And the bonus:

Why do you demand that humans prove to the machine they are not a machine? Demand a proof from bots, not from humans!

Sorry, but when I see a captcha, I know that it was an incompetent developer. Laziness to use modern antispam methods is not an option.

1 Like

Is Cerber using reCAPTCHA v3 (invisible reCAPTCHA)?

1 Like

That’s a good question @ozfiddler and one I did look into. Seeing as the spam stopped as soon as I replaced the maths question with RSC, it appeared to be bot related. The system logs also seemed to confirm that.

Both systems obviously work on the same principle of needing basic human input, whether numbers or letters, so on that basis it shouldn’t have made any difference. However, RSC is an image but, in this particular case, the maths questions were pure text, making it easier for a bot to read.

In any case, I stopped using maths questions because, although the questions were simple, according to feedback from clients, people felt “challenged” by them and embarrassed if they got it wrong. And although it’s not exactly “torture”, it does relate to the comments made by @LinasSimonis.

2 Likes

I’d agree with that. There was a time when honeypots in hidden fields were all I used and they were very simple and effective but slowly the bots caught on. It was sweet while it lasted. :smile:

1 Like

As I understand - no, they use their own solution. They have an option to enable captchas, but you know my opinion about it :slight_smile:

1 Like

From the Cerber documentation:

The Cerber spam detection engine uses the combination of JavaScript, jQuery, and cookies to understand is it a real browser and is it a real form has been submitted by clicking a submit button.

and

You can enable reCAPTCHA and Cerber anti-spam protection at the same time

1 Like

I am surprised this still works. I have never written a spam bot, but I have written other kinds of web scrapers and automation tools. I almost always do this by automating a real browser.

Also, lightweight is a requirement for a reason: I am going to review the code for this plugin before installing it. Around 200 lines of code for Really Simple Captcha, and around 20,000 for WP Cerber…

Another preference that I should have mentioned up-front is free.

So that leaves Really Simple Captcha, a Recaptcha integration (could be the v3 invisible one), and of course Akismet.

1 Like

Why not change the forms plugin instead? Pick the right one and then you can use WPBruiser for free. Or write your own forms, and use the free HTML Forms plugin to connect to WPBruiser.

Gravity Forms does alright with its honeypot feature. This combined with required fields doesn’t usually result in much spam.

1 Like

Before Cerber I used Antispam Bee, it worked on CF7 well, but omitted some comment spam (not many). In general, I was happy, but then found Cerber and switched.

Almost 3000 lines of code. Almost abandoned, supported only by volunteers.

Update: Sorry, checked, I used it only for comments. Mark to myself: check facts before writing!

1 Like

I would probably use reCAPTCHA v3:

1 Like

Update: I went with the Really Simple CAPTCHA recommendation from above. It is self-hosted, very simple, and free. Even though it is a captcha it is really not very annoying for humans. Overall, a good starting point.

2 Likes