This one is for the developers and geeks out there reading our my blog!

It’s been a really busy couple weeks for anyone who manages multiple wordpress sites or who build’s wordpress websites. Notifications of PHP versions reaching their end of life, WordPress 5.0, and major plugin updates have been keeping everyone busy!

That being said, many of us use Contact Form 7, a plugin that has had it’s ups and downs, has some irony to using it, but overall performs quite well. There was a recent release of a new version of Contact Form 7 that fored you to move from any previous versions of Google’s Recaptcha service to version 3. With that came a headache.

WordPress websites that were updated and running Contact Form 7 suddenly saw an increase in spam. The [recaptcha] shortcode in the form was no longer doing anything (or invisible) and some mailboxes were getting hammered by spam bots and companies trying to sell their services.

The first thing to note is that you will need to go into Google’s Recaptcha and make sure you’ve set the site up with Version 3 (v3). If you are running a previous version of recaptcha, I suggest you delete the site and recreate it, then generating new secret and site ID’s.

The next time is then re-entering those keys into the Contact Form 7 plugin’s “integration” modules section.

Here’s the tricky part, and hopefully one of the Contact Form 7’s developers will update their code and release a new version soon; you will need to manually update the plugin’s PHP file to actually prevent spam from coming in. Shout out to PeterUpfold for posting the solution on the WordPress Support Forum.

He wrote:

It looks like there is a logic issue where failing to provide the g-recaptcha-response allows the submission through.

This is a _very_ unofficial change on my part, but it seems to work for me.
Edit line 114 of modules/recaptcha.php (version 5.1)
It reads:
return $spam;
Change it to:
return true;
This will change it so that any submission that does not attempt the Recaptcha V3 validation will be rejected.

So far my testing has proven that this is a trusted fix and it will correct the issue.

Depending on how your wordpress instance has been implemented, this could be a quick fix or something that requires you FTPing into your server and manually updating the file.

If you don’t have FTP access, but have full Administrator access to your wordpress site – check out the plugin “WP File Manager” which allows you to browse the files on your host and edit them on the fly.

NOTE: BE CAREFUL IF YOU ARE UPDATING THE CODE ON YOUR SITE MANUALLY, and of course we\I are not liable if you break something 🙂

 

UPDATE: The above process only reduced the spam by roughly 50% on a few sites we manage, so we quickly shifted to WPForms.