Spam Protection
Freeform offers 3 robust spam control options to make managing forms easier.
Javascript Honeypot
Freeform does NOT use EE's native CAPTCHA feature as it has always proven ineffective. Instead, it includes its own Javascript-based honeypot spam protection, which will be immeasurably more effective. This is enabled by default, but can be disabled in the Freeform Settings.
- Each time a form is loaded, it stores a unique honeypot per session, which has a timestamp, unique name and unique hash value.
- Both name and hash must match to successfully submit the form or advance to the next page.
- A user is allowed 100 honeypot values per user session (highly unnecessary, but in case your site has a form in a common place like a footer, etc., it'll help prevent unwanted blocking of legitimate users).
- Honeypots are stored in the session for 3 hours, and then are removed.
  - Because this uses the session, this limit is also dependent on the server configuration for session.gc_maxlifetime in php.ini. Typically the default might be 1440 seconds (24 minutes), but it's possible the default has been altered to something else.
- When the form opens, the value is wrong by default, and then javascript swaps in the correct value.
- If the submission fails the honeypot test, the form will appear to submit successfully, but will not store the data. An error is not displayed so as not to give away the spam controls.
  - To troubleshoot, you can view the list of Forms in the Freeform control panel area and see if the spam column count is incrementing.
- The honeypot is not a hidden field, but is positioned absolutely with height 0 and width 0, so the field is not visible.
- This spam protection method requires javascript be enabled for the user's browser, otherwise it will fail.
If you wish to disable the Javascript part of the Honeypot for any reason (caching issues, etc), you can disable the Javascript Enhancement toggle inside the Spam Protection settings in the CP.
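The session bookkeeping described in the list above, modelled in Node.js as an added example (this is not Freeform's code). The function names, the field-name and hash formats, the empty placeholder value and the oldest-first eviction are assumptions made for illustration.

```javascript
const { randomBytes, timingSafeEqual } = require("node:crypto");

const MAX_PER_SESSION = 100;        // page: 100 honeypot values per session
const TTL_MS = 3 * 60 * 60 * 1000;  // page: removed after 3 hours

// Every form load: prune expired entries, add a fresh one, cap the list.
function issueHoneypot(session, now = Date.now()) {
  const live = (session.honeypots || []).filter((h) => now - h.ts < TTL_MS);
  const hp = {
    name: "hp_" + randomBytes(4).toString("hex"), // assumed name format
    hash: randomBytes(8).toString("hex"),         // assumed hash format
    ts: now,
  };
  // Oldest-first eviction is an assumption; the page only states the limit.
  session.honeypots = [...live, hp].slice(-MAX_PER_SESSION);
  return hp;
}

// What the markup carries before the script runs: right name, wrong value.
function renderedDefault(hp) {
  return { [hp.name]: "" }; // the placeholder value is an assumption
}

// What a browser with javascript enabled posts after the value is swapped in.
function afterScript(hp) {
  return { [hp.name]: hp.hash };
}

// Constant-time comparison of the posted value against the stored hash.
function sameString(a, b) {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  return x.length === y.length && timingSafeEqual(x, y);
}

// Both name AND hash must match a live honeypot in this session.
function passesHoneypot(session, post, now = Date.now()) {
  return (session.honeypots || []).some(
    (h) => now - h.ts < TTL_MS && h.name in post && sameString(post[h.name], h.hash)
  );
}

// Spam gets the same response as a real submission; only storage and the counter differ.
function handleSubmit(form, session, post, now = Date.now()) {
  if (passesHoneypot(session, post, now)) form.stored.push(post);
  else form.spamCount += 1;
  return { status: "success" };
}
```

A client that posts the markup as served, without running the script, sends `renderedDefault(hp)` and is counted as spam, which is also what happens to a legitimate visitor with javascript disabled.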
reCAPTCHA v2 Checkbox
If you wish to use reCAPTCHA v2 Checkbox for your forms, enable the reCAPTCHA setting, select reCAPTCHA v3 from the Type, and fill in the reCAPTCHA Site Key and Secret Key. To add reCAPTCHA to your forms, open up and edit each form and drag over the reCAPTCHA special field anywhere you like into your form layout.
reCAPTCHA v2 Checkbox fields will render automatically like the rest of your fields in your form, but if you're building a form manually, you'd call it like this (using the Hash value for reCAPTCHA field in Property Editor of Composer, e.g. MD1KzPw68):
{field:grecaptcha_MD1KzPw68:render}
reCAPTCHA v3 (New in 3.1+)
If you wish to use reCAPTCHA v3 for your forms, enable the reCAPTCHA setting, select reCAPTCHA v3 from the Type, and fill in the reCAPTCHA Site Key and Secret Key. reCAPTCHA v3 will automatically be added to your forms.