
  • Hi @elliot,

    I’ve been looking into this a bit more. I don’t have any forms on the page apart from what is generated by the acf_front_form, so no GETs etc. of my own.

    First and foremost I noticed a hole in my code – I have the edit forms set to display:none; by default, if the user logs in and goes to their profile then little icons appear allowing them to unhide the front end form and thus edit their profile. The bit of code that was wrapped around the icons to check if they’re logged in wasn’t wrapped around the front end form as well. This meant that the form was there but hidden regardless of whether you were logged in or not.

    So I’ve now wrapped the code around the form as well so that was more than likely the way the spammers were hitting the form all the time.

    So the fact they have to create an account before they can spam the fields may deter them but it doesn’t really solve the real problem.

    I’m not really sure what the solution is but if you take out all the checks to see if someone is logged in or not then the front end form can be hit with spam.

    This then points to the usual ways to stop form spam such as CAPTCHAs, honeypots, etc. I know those are not ideal, but at the moment the front end forms are wide open to spam.
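The hole the reply describes (a front-end edit form rendered for every visitor and merely hidden with CSS, so it can still be posted to) and the two mitigations it mentions (gating the form on login and adding a honeypot) as an added WordPress/ACF example. This is not the poster's code or ACF's own; it assumes ACF 5's `acf_form_head()` / `acf_form()` API and the `acf/pre_save_post` filter (the post refers to the form as `acf_front_form`), assumes the form edits an existing post rather than creating one, and the function and field names (`profile_form_before`, `profile_form_after`, `hp_website`) are hypothetical:

```php
<?php
// Added example, not the forum poster's code or ACF's own. Assumes ACF 5's
// acf_form_head()/acf_form() and the acf/pre_save_post filter; the function
// names and the honeypot field name (hp_website) are hypothetical.

// ---- Before: the hole described in the post. The form is rendered for every
// visitor and only hidden with CSS, so a bot can still POST to it. The login
// check wrapped the edit icons, not the form itself.
function profile_form_before() {
    echo '<div class="edit-profile" style="display:none;">';
    acf_form( array( 'post_id' => get_the_ID() ) );
    echo '</div>';
}

// ---- After: emit no markup at all unless server-side checks pass.
// CSS visibility is not access control; the checks have to be on the server.
function profile_form_after() {
    $post_id = get_the_ID();
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_post', $post_id ) ) {
        return; // anonymous or unauthorised users never receive the form
    }
    acf_form( array(
        'post_id' => $post_id,
        // Honeypot (hypothetical field): real users never see or fill it;
        // bots that fill every input do, which flags the submission below.
        'html_before_fields' => '<div style="display:none" aria-hidden="true">'
            . '<label>Website <input type="text" name="hp_website"'
            . ' tabindex="-1" autocomplete="off"></label></div>',
    ) );
}

// Enforce the same checks when the submission is processed. Hiding the form
// alone is not enough: a saved URL or a replayed request still reaches the
// ACF save handler run by acf_form_head().
add_filter( 'acf/pre_save_post', function ( $post_id ) {
    if ( is_admin() ) {
        return $post_id; // leave wp-admin saves to ACF's normal flow
    }
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'Not allowed.', 'Forbidden', array( 'response' => 403 ) );
    }
    if ( ! empty( $_POST['hp_website'] ) ) {
        // Honeypot filled: record it for detection, then drop the request.
        $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log( 'profile form honeypot tripped from ' . $ip );
        wp_die( 'Submission rejected.', 'Forbidden', array( 'response' => 403 ) );
    }
    return $post_id;
}, 10, 1 );
```

In the template, call `acf_form_head()` before `get_header()` (ACF processes the submission there) and then `profile_form_after()` where the edit form should appear. The render-time check removes the form from the page anonymous visitors receive; the `acf/pre_save_post` check is what actually blocks a direct POST, and the honeypot log line gives you something to alert on if submissions keep arriving.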