Hi,
We’ve had a WordPress site running ACF for a while – 4.2.2 for ACF and 3.5.1 for WP. We’ve got a front end form on the site that allows users to edit various fields.
We noticed that a particular field was being spammed in that the spam usually received via comments was now input on the site via the front end form.
The field was a textarea and the spamming seemed a bit random across some but not all custom posts. It hasn’t affected any of the other fields we have.
Is there any known issues with this? Or on those versions of ACF and WP?
We’ve now updated all plugins and WP so we’ll see over the next couple of days if it happens again.
It does seem like the way in was through the ACF textarea field on a front end form though as that was the only field affected.
It’s a serious issue as we run a site where users have their own “profiles”… we’ve managed to restore everything but a lot of people have had spurious comments plastered all over their profile.
Hi @robteamworks
Thanks for the bug report. It looks like the front end form needs to contain some kind of ‘honey pot’ or captcha for spam entries.
Becuase the front end form is quite new to ACF, the plugin does not yet contain these features, but I’mm sure we can add them in.
Version 5 is well underway and contains PHP validation which can prevent the data from being saved. It would be quite easy to add in a hidden cutom field (honey pot) and then use the PHP validation hook to return false and stop the post from saving.
For now, I think you could do something similar using the pre_save_post action.
Give this a go:
In the acf_form args, add a hidden custom field in the ‘html_before_fields’. Perhaps also read up on the honey pot tactics online
Then in the pre_save_post action, check the $_POST data and simply die if the form contains data in that field.
Hope that helps.
Thanks
E
Hi,
I purchased ACF Pro. How exactly can I create a Honeypot field? A hidden field to prevent spam on my front-end form?
Best regards,
Rosa
Hi @tsmulugeta in acf_form add this arguments line:
'html_after_fields' => '<input type="text" id="honeypot" name="honeypot" autocomplete="off">',
in file functions.php, this code:
// CHECK PRE SAVE POST ACF
function honeypot( $post_id ) {
if($_POST['honeypot'] != ''){
die("You spammer!");
}
}
add_filter('acf/pre_save_post' , 'honeypot', 10, 1 );
in your css style:
#honeypot {display:none;}
@sododesign your code (when the honeypot is empty) causes the form to pass and be submitted but with empty values.
It’s as if this code empties the POST from all it’s values.
Why is beyond my comprehension. Do you know why?
It’s even more incomprehensible: the script dies, but the form still get submitted, empty, when the honey pot is not empty.
Ok I had to return post_id for it to be saved.
Still, I don’t get why with this code, when the honeypot ‘surname3’ is not empty, the form still get saved, altough completely empty.
Isn’t die supposed to terminate the whole process?
function my_honey_pot( $post_id ) {
if(! empty($_POST['surname3'])){
die("");
} else {
return $post_id;
}
}
add_action('acf/pre_save_post' , 'my_honey_pot' );
