ActiveLayer Anti-Spam
Anti-Spam Protection Without CAPTCHAs ActiveLayer is an intelligent anti-spam solution that stops contact form spam, comment spam, and registration spam without CAPTCHAs, puzzles, or extra steps for your visitors. Your forms stay fast and frictionless while unwanted messages get caught automatically. Your time and attention are expensive — stop spending them on spam. ActiveLayer protects popular form builders like WPForms, Contact Form 7, Gravity Forms, Elementor Forms, Fluent Forms, WS Form, and FunnelKit Funnel Builder, plus native WordPress comments, WooCommerce (product reviews and customer registration), Easy Digital Downloads (store reviews and customer registration), AffiliateWP, MemberPress, and BuddyPress / BuddyBoss signup forms, all from a single plugin. With 18 integrations, you manage all your spam protection from one settings page. Create a free account and get started Zero Friction Spam Filtering Most anti-spam tools either show visitors a CAPTCHA or make every form wait while the check runs. ActiveLayer takes a different approach. Async integrations complete immediately while background checks run through Action Scheduler; registration and inline-blocking integrations can run a synchronous check when spam must be stopped before an account, entry, or affiliate record is created. This keeps normal form workflows fast while still allowing high-risk signup flows to block spam inline. If a submission is clean, notifications are sent as normal. If it is flagged, notifications are suppressed or the signup is blocked depending on the integration. Intelligent Spam Detection ActiveLayer analyzes submission patterns, content reputation, behavioral signals, and environment data to catch both automated bots and human bad actors with high accuracy. Unlike simple honeypot or keyword-blocklist approaches, ActiveLayer uses multiple signals to make smarter decisions about every submission. Optional behavioral tracking monitors how users interact with your forms — keystrokes, mouse movements, touch events, and scroll patterns. Environment detection identifies headless browsers and automated tools. These client-side signals are sent alongside form data for deeper analysis. Per-Form Control and Sync Mode You decide exactly which forms to protect. ActiveLayer protects all supported forms and WooCommerce surfaces by default after your API key is connected — you can disable protection per form if needed. This gives you granular control over every contact form, registration form, or comment section on your site. Sync Mode lets supported integrations wait for the API verdict before the submission completes, so spam can be blocked inline. By default, ActiveLayer runs checks asynchronously for maximum speed. Turn Sync Mode on when you prefer inline blocking and can tolerate a small added latency on submissions. Fail-Safe by Design If the ActiveLayer API is temporarily unavailable, your forms keep working. ActiveLayer is designed to fail open — it restores provider defaults, preserves every submission, and retries background checks automatically when connectivity returns. No lost submissions, no blocked emails, no broken forms. Automatic retries handle transient failures. A built-in watchdog checks queue health every 15 minutes and shows admin notices when pending items build up or Action Scheduler is unavailable. You always know the status of your protection. Full Visibility Dashboard See exactly what is happening with your form protection at a glance. The ActiveLayer dashboard shows submission totals, spam caught, accuracy rates, queue health, and integration status — all in one place. Filter submissions by status or provider, and use bulk actions to recheck, mark as clean or junk, or trash items you no longer need. Every submission is logged in a custom database table. You can review verdicts, recheck past submissions with a fresh API call, and override any decision. Debug logging (opt-in, PII-redacted) gives you even deeper insight when troubleshooting. Who Is ActiveLayer For? Small Business Websites Protect your contact forms and inquiry forms without adding friction for potential customers. Async form submissions from real visitors go through instantly while junk gets caught behind the scenes. Bloggers and Publishers Stop comment spam on your posts without requiring readers to solve CAPTCHAs or prove they are human. ActiveLayer checks comments in the background and can auto-approve clean ones or auto-mark detected spam. Agencies Managing Multiple Sites One plugin covers WPForms, Contact Form 7, Gravity Forms, Elementor Forms, Fluent Forms, Formidable Forms, WooCommerce, and more — every integration managed from one settings page. No need to configure separate anti-spam tools for each form builder or WooCommerce surface your clients use. E-commerce and Service Businesses Keep inquiry and support forms clean while maintaining a fast, professional user experience. Async checks keep contact forms moving quickly, while registration gates can block spam accounts inline. WooCommerce stores get dedicated protection for product reviews and My Account customer registration — and the checkout itself is never gated, so spam protection can’t get in the way of a sale. Membership Sites and Online Communities Running a community on BuddyPress or BuddyBoss Platform? ActiveLayer hooks the public signup form and blocks spam registrations before they create fake accounts — no extra CAPTCHA in front of your real members, no manual moderation queue to babysit. The integration covers both free BuddyPress and BuddyBoss Platform with a dedicated admin toggle for each. Full ActiveLayer Feature List Async processing – Background queue via Action Scheduler for supported async integrations No CAPTCHA required – Invisible protection with zero friction for visitors WPForms integration – Per-form enable, async checks with email replay, optional sync-save strategy Contact Form 7 integration – Synchronous checks, field mapping via activelayer:* tags, per-form control Gravity Forms integration – Entry-based spam detection with per-form control and notification management Elementor Forms integration – Protect Elementor Pro form widgets with per-form spam filtering Fluent Forms integration – Per-form spam detection with email notification handling Formidable Forms integration – Notification interception and replay, sync fallback option Forminator integration – Form submission interception with per-form toggles and notification management Ninja Forms integration – Email action capture, clean verdict replay, spam suppression SureForms integration – Spam protection for SureForms with per-form control WS Form integration – Synchronous spam blocking before WS Form saves entries or runs actions, with per-form control WordPress Comments protection – Auto-approve clean comments, auto-spam detected ones, fail-open restore WooCommerce Reviews protection – Score every product review on submission, with optional verified-owner bypass, logged-in-user bypass, and high-confidence auto-delete WooCommerce Registration protection – Block bot signups on the My Account registration form before the account is created (the checkout flow is never gated, so it can’t block a purchase) BuddyPress signup protection – Block spam registrations on the public /register/ page; sync check fires after BuddyPress’s own validation and writes the block message next to the username field BuddyBoss Platform signup protection – Same sync gate against the BuddyBoss Platform signup form, with automatic xprofile-name fallback because BuddyBoss auto-generates the username from the email AffiliateWP registration protection – Block bot affiliate signups before the affiliate and WordPress user are created; sync check fires after AffiliateWP’s own validation MemberPress registration protection – Block bot membership signups before the account is created; free, free-trial, and fully-discounted signups are gated by default, while paid checkouts are never blocked (opt in to gate those too) FunnelKit Funnel Builder integration – Synchronous spam blocking for opt-in forms before FunnelKit runs email, CRM contact, and webhook actions, with per-form control Easy Digital Downloads integration – Spam protection for product reviews and the standalone customer registration form; the EDD checkout is never gated, so it can’t block a purchase Silent discard for high-confidence spam – Optional hard-delete of comments and WooCommerce reviews that exceed a configurable spam score threshold (default 95), skipping spam-folder storage entirely Per-form toggles – Protection enabled by default per form; disable on individual forms as needed Sync Mode – Optional synchronous spam checks for inline blocking on supported integrations Dashboard analytics – Submission totals, spam caught, accuracy rates, queue health at a glance Submissions management – Filter by status and provider, bulk recheck, mark clean or spam, trash Fail-open architecture – Forms keep working if the API is temporarily unavailable Automatic retries – Failed submissions are re-queued and retried automatically Queue watchdog – 15-minute health checks with admin notices for stalled queues Behavioral signal collection – Keystroke, mouse, touch, and scroll tracking for deeper analysis Environment detection – Identifies headless browsers and automated submission tools Debug logging – Opt-in ring buffer (last 200 entries), PII-redacted, view and clear in admin Bulk recheck – Re-queue past submissions for fresh API verdicts anytime Default protection – Forms protected by default after API connection; disable per form if needed. Sanitized logging, masked secrets, hashed emails Integrations WPForms (Lite and Pro) Contact Form 7 Gravity Forms Elementor Forms (Pro) Fluent Forms Formidable Forms Forminator Ninja Forms SureForms WS Form WordPress Comments (built-in) WooCommerce (product reviews and customer registration) BuddyPress (public signup form) BuddyBoss Platform (public signup form) AffiliateWP (affiliate registration form) MemberPress (membership registration form) FunnelKit Funnel Builder (opt-in forms) Easy Digital Downloads (product reviews and customer registration) External services This plugin connects to the ActiveLayer API to analyze form submissions and comments for spam. It is the core service that powers all spam detection — without it, the plugin cannot classify submissions. ActiveLayer API What it does: Provides spam detection verdicts (clean or spam) for form submissions and comments. When data is sent: Each time a protected form submission, comment, review, or registration is checked, the submission data is sent to the API for analysis. Depending on the integration, this can happen through the background queue or during a synchronous inline-blocking check. What data is sent: * Submission content (name, email, message, URL if provided) * IP address and user agent of the submitter * Form metadata (form ID, form name, provider name) * Site URL and WordPress locale * Behavioral and environment signals (if enabled in settings) Service provider: ActiveLayer (activelayer.com) * Terms of Service * Privacy Policy
Top keywords
- form37×2.37%
- spam34×2.18%
- forms33×2.11%
- activelayer19×1.22%
- protection19×1.22%
- integration17×1.09%
- registration17×1.09%
- submission14×0.90%
- per-form11×0.70%
- submissions11×0.70%
- api10×0.64%
- checks10×0.64%
AntiSpam for Contact Form 7
Are you unsatisfied with your current antispam solution for Contact Form 7? It might be using an ineffective method to combat the specific type of bot attacks you’re facing. Fortunately, I have a solution for you! Antispam for Contact Form 7 is a simple yet highly effective plugin that protects your mailbox from bot flooding. Say goodbye to tedious configurations and captchas, which often lead to reduced conversions and inconvenience for genuine users. Our plugin utilizes a combination of on-page and off-page bot traps, along with an auto-learning mechanism powered by a statistical “Bayesian” spam filter called B8. CF7-AntiSpam seamlessly integrates with Flamingo and enhances its functionality. When both plugins are installed, Flamingo gains additional controls, and an extra dashboard widget is enabled. SETUP Basic – Install and go! No configuration, keys, or registrations are required to activate the antispam protection. In this case, some protections, such as fingerprinting, language checks, and honeypots, will be enabled. Advanced – For CF7A to properly analyze the email content using its dictionary, it needs to parse the input message field of your form. To notify the antispam to check this field, you’ll need to add a “marker” to each contact form on your website. Simply add ‘flamingo_message: “[your-message]”‘ in the additional settings panel of each contact form you want to secure. This process follows the same method used with Flamingo. While this step may seem tedious, it is required for advanced text statistical analysis. Without it, the B8 filter cannot be enabled. GeoIP – (Optional) If you need to restrict which countries or languages can email you, you can enable this functionality. To enable GeoIP, you’ll need to agree to the GeoLite2 End User License Agreement and sign up for GeoLite2 Downloadable Databases. This will provide you with the required key to download the database. For detailed instructions, please refer to the dedicated section in the cf7-antispam plugin settings. Antispam Available Tests ✅ Browser Fingerprinting ✅ Language checks (Geo-ip, http headers and browser) ✅ Honeypot ️✅ Honeyform* ✅ Domain Name System Blackhole List (DNSBL) ✅ Blocklists (with automatic ban after N failed attempts, user defined ip exclusion list) ✅ Hidden fields with encrypted unique hash ✅ Time elapsed (with min/max values) ✅ Prohibited words in message/email and user agent ✅ B8 statistical “Bayesian” spam filter ✅ High Entropy / Gibberish checks ✅ Identity protection ✅ Webmail protection Extends Flamingo and turns it into a spam manager! With this plugin, you can now review emails and train B8 to identify spam and legitimate messages. This feature proves useful, especially during the initial stages when some spam emails may slip through. Already using Flamingo? Even better! Just remember to add ‘flamingo_message: “[your-message]”‘ to the advanced settings (similar to other Flamingo labels) before activating the plugin. Alternatively, you can explore the advanced options and select “rebuild dictionary.” Upon activating CF7A, all previously collected emails will be parsed, and B8 will learn and develop its vocabulary. This pre-trained algorithm gives you a head start. How cool is that? Additional Notes: – A new column has been added to the right side of the Flamingo inbound page, displaying the level of spaminess for each email. – If you unban an email on the Flamingo “inbound” page, the corresponding IP will be removed from the blocklist. However, marking an email as spam will not blocklist the IP again. – Before activating this plugin, please make sure to mark all spam emails as spam in the Flamingo inbound section. This auto-training process will help the B8 algorithm. – If you receive a spam message, please avoid deleting it from the “ham” section. Instead, place it in the spam section to teach B8 how to differentiate between spam and legitimate messages. B8 statistical “Bayesian” Filter Originally created by Gary Robinson b8 is a statistical “Bayesian” spam filter implemented in PHP. The B8 filter is a foundational example of Machine Learning (ML) for text classification, representing an early, yet powerful, statistical approach in Natural Language Processing (NLP). This approach precedes feature-weighting methods like TF-IDF, which in turn paved the way for modern deep learning architectures, such as Transformers and GPT. The filter tells you whether a text is spam or not, using statistical text analysis. What it does is: you give b8 a text and it returns a value between 0 and 1, saying it’s ham when it’s near 0 and saying it’s spam when it’s near 1. See How does it work? for details about this. To be able to distinguish spam and ham (non-spam), b8 first has to learn some spam and some ham texts. If it makes mistakes when classifying unknown texts or the result is not distinct enough, b8 can be told what the text actually is, getting better with each learned text. This takes place on your own server without relying on third-party services. More info: nasauber.de Identity protection To fully protect the forms, it may be necessary to enable a couple of additional controls, because bots use the public data of the website to spam on it. – The first is user related and denies those who are not logged in the possibility of asking (sensitive) information about the user via wp-api and the protection for the xmlrpc exploit wordpress. – The second one is the WordPress protection that will obfuscate sensitive WordPress and server data, adding some headers in order to enhance security against xss and so on. Will be hidden the WordPress and WooCommerce version (wp_generator, woo_version), pingback (X-Pingback), server (nginx|apache|…) and php version (X-Powered-By), enabled xss protection headers (X-XSS-Protection), removes rest api link from header (but it will only continue to work if the link is not made public). Mailbox Protection (Multiple Send) Enhance email security by enabling the “Multiple Send” feature, which prevents consecutive email submissions to the user’s mailbox. This measure is effective in thwarting automated spam attempts and ensures a secure communication environment. Security & Privacy: A Local-First Approach AntiSpam for Contact Form 7 is built with your security and privacy as the top priority. Unlike many modern anti-spam solutions that rely on external cloud services or third-party subscriptions, our plugin is designed to run entirely on your own WordPress installation. 100% Local Processing: All anti-spam logic, checks, and data processing are performed directly on your server. No data is ever sent to, or stored by, any external third-party service (including ours). Not a Software as a Service (SaaS): This plugin is a standalone, self-contained software solution, not an interface to a paid or subscription-based external service. Once installed, it works autonomously. Enhanced Security: Since there is no central server or external API endpoint to communicate with, your website is immune to potential risks associated with centralized services, such as Single Point of Failure or data breach risks. You retain complete control and ownership over the security of your Contact Form 7 submissions. Privacy Notices AntiSpam for Contact Form 7 only processes the IP but doesn’t store any personal data directly from the user input. However, it creates a dictionary of spam and ham (non-spam) words in the WordPress database. This dictionary is built from words found in the submitted messages, meaning it may contain words that were part of the user’s e-mail message or personal data. This data is “degenerated,” which means the words might be normalized or altered before being stored. The sole purpose of this word collecting is to build a dictionary used for local, decentralized spam detection. Support Community support: via the support forums on wordpress.org Bug reporting (preferred): file an issue on GitHub Contribute We love your input! We want to make contributing to this project as easy and transparent as possible, whether it’s: Reporting a bug Testing the plugin with different user agent and report fingerprinting failures Discussing the current state, features, improvements Submitting a fix or a new feature We use GitHub to host code, to track issues and feature requests, as well as accept pull requests. By contributing, you agree that your contributions will be licensed under its GPLv2 License. My goal is to create an antispam that protects cf7 definitively without relying on external services. And free for everyone. if you want to help me, GitHub is the right place 😉 copyright AntiSpam for Contact Form 7, Copyright 2021 Codekraft Studio AntiSpam for Contact Form 7 is distributed under the terms of the GNU GPL This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the LICENSE file for more details. Resources Contact Form 7 and Flamingo © 2021 Takayuki Miyoshi,LGPLv3 or later B8 https://nasauber.de/opensource/b8/, © 2021 Tobias Leupold, LGPLv3 or later GeoLite2 license GeoIP2 PHP API GeoIP2-php chart.js https://www.chartjs.org/, © 2021 Chart.js contributors, MIT Sudden Shower in the Summer, Public domain, Wikimedia Commons https://commons.wikimedia.org/wiki/File:Sudden_Shower_in_the_Summer_(5759500422).jpg Contibutions Mirek Długosz – #30 fixes a crash that occurred when analysing flamingo metadata MeliEve – #42 Fix “internal_server_error” when message is empty MeliEve – #61 Handle deferrer script loading Zodiac1978 – #67 Remove warning for unsafe email configuration w/o protection JohnHooks – #66 Readme + plugin env sdellenb – #66 Fix $reason parameter for calling cf7a_ban_by_ip Special thanks This project is tested with BrowserStack. Browserstack MaxMind GeoIP2 This plugin on demand can enable GeoLite2 created by MaxMind, available from https://www.maxmind.com While enabled you may have to mention it in the privacy policy of your site, depending on the law regulating privacy in your state! * GeoIP2 databases GeoLite2 Country DNSBL servers privacy policies dnsbl-1.uceprotect.net www.uceprotect.net license dnsbl-2.uceprotect.net www.uceprotect.net license dnsbl-3.uceprotect.net www.uceprotect.net license dnsbl.sorbs.net sorbs.net license zen.spamhaus.org spamhaus.org license bl.spamcop.net spamcop.net license b.barracudacentral.org barracudacentral.org privacy-policy dnsbl.dronebl.org dronebl.org all.spamrats.com spamrats.com tos bl.ipv6.spameatingmonkey.net spameatingmonkey.net Inspirations, links Nikolai Tschacher incolumitas.com Antoine Vastel fp-scanner/fp-collect Niespodd niespodd Thomas Breuss tbreuss Domain Name System-based blackhole list wiki dnsbl list wiki