Skip to content

Add Honeypot and No-JS Field for Spam Prevention #139

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
vikrampm1 merged 7 commits into from
May 8, 2025
Merged

Add Honeypot and No-JS Field for Spam Prevention #139

vikrampm1 merged 7 commits into from
May 8, 2025

Conversation

@iamdharmesh
Copy link
Collaborator

@iamdharmesh iamdharmesh commented Apr 4, 2025
edited
Loading

Description of the Change

This PR adds a honeypot field and a no-JS field to the form to help detect and prevent potential spam bots. Additionally, it moves the form submission handling code into the form submission class to unify the form handling logic for block forms and shortcode/widget forms. This refactor improves the overall codebase and simplifies future enhancements.
(Note: As we already have an open PR for validation function improvements, those functions were not modified here to avoid potential conflicts.)

PR also adds the needed filter hook to allow adding support for the "WP Armour – Honeypot Anti Spam" plugin as requested in #127

Closes #120
Closes #138
Closes #127

How to test the Change

Follow these steps for testing the form block, shortcode form, and widget form:

  1. Visit the form page on the website.
  2. Open the browser console and run:
    jQuery('input[name="mailchimp_sf_alt_email"]').val("123");
  3. Click the "Subscribe" button and verify that a spam detection error is triggered.
  4. Disable JavaScript in the browser. (For Chrome, refer to the official guide)
  5. Click the "Subscribe" button and verify that a spam detection error is triggered.

Changelog Entry

Added – Honeypot and no-JS field for spam prevention.

Credits

Props @jeffpaul @dkotter @iamdharmesh

Checklist:

  • I agree to follow this project's Code of Conduct.
  • I have updated the documentation accordingly.
  • I have added tests to cover my change.
  • All new and existing tests pass.

@iamdharmesh iamdharmesh self-assigned this Apr 4, 2025
@iamdharmesh iamdharmesh added this to the 1.8.0 milestone Apr 4, 2025
@iamdharmesh iamdharmesh requested a review from dkotter April 4, 2025 12:23
@iamdharmesh iamdharmesh marked this pull request as ready for review April 4, 2025 12:23
This was linked to issues Apr 4, 2025
Increased spam signups via embedded forms #120
Closed
[Block Updates] Handle form submissions using a common class for all forms. #138
Closed
@dkotter
Copy link
Collaborator

dkotter commented Apr 4, 2025

@iamdharmesh I see this PR is opened against enhancement/82. Is there any reason this needs to be based off that branch? We're likely to get a new release out early next week and not sure this will make it in so would be ideal if this could be based off of develop instead

@github-actions github-actions bot added the needs:refresh This requires a refreshed PR to resolve. label Apr 7, 2025
@iamdharmesh iamdharmesh changed the base branch from enhancement/82 to develop April 8, 2025 08:56
@github-actions github-actions bot added needs:code-review This requires code review. and removed needs:refresh This requires a refreshed PR to resolve. labels Apr 8, 2025
@iamdharmesh
Copy link
Collaborator Author

iamdharmesh commented Apr 8, 2025

@iamdharmesh I see this PR is opened against enhancement/82. Is there any reason this needs to be based off that branch? We're likely to get a new release out early next week and not sure this will make it in so would be ideal if this could be based off of develop instead

Yes, @dkotter. I had used enhancement/82 as the base branch to include the block updates in these changes and kept it as the base here as well, so that only the actual diff/changes for this PR are shown. If I had opened it against develop, it would also display the changes made in enhancement/82. So, I temporarily set it to that branch. It's updated now. Thanks!

@github-actions github-actions bot added the needs:refresh This requires a refreshed PR to resolve. label Apr 8, 2025
@github-actions github-actions bot removed the needs:refresh This requires a refreshed PR to resolve. label Apr 9, 2025
@iamdharmesh iamdharmesh mentioned this pull request Apr 9, 2025
Closed
dkotter
dkotter approved these changes Apr 9, 2025
View reviewed changes
Copy link
Collaborator

@dkotter dkotter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couple minor things but marking this as approved so it can move to QA

includes/class-mailchimp-form-submission.php
* Initialize the class.
*/
public function init() {
// TODO: Update this to use ajax handler hook instead of init.
Copy link
Collaborator

@dkotter dkotter Apr 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this TODO still valid?

Copy link
Collaborator Author

@iamdharmesh iamdharmesh Apr 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I have kept this to replace this init action with specific ajax action. This was on init to handle form submission via HTML and JS both. However, with #126 we enabled the form submission with JS only, So, we are good to replace this to listen specific ajax action only. Maybe better to handle this with validation improvements PR, to keep this PR moving.

includes/class-mailchimp-form-submission.php
if ( ! headers_sent() ) { // just in case...
header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT', true, 200 );
}
// TODO: Refactor this to use JSON response instead of setting a global message.
Copy link
Collaborator

@dkotter dkotter Apr 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same question here

Copy link
Collaborator Author

@iamdharmesh iamdharmesh Apr 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I think we should work on this along with validation improvements.

@qasumitbagthariya
Copy link
Collaborator

qasumitbagthariya commented Apr 29, 2025

QA Update ✅

I have verified this PR in the eenhancement/120 branch, which has been fixed and is functioning as intended.

I tested the following on this branch:

  • Spam Prevention with shortcode form, block, widget
image image image

Testing Environment

  • WordPress: 6.8
  • Theme: Twenty Twenty-Four 1.3
  • PHP: 8.0.30
  • Web Server: Nginx 1.20.2
  • Browser: Chrome
  • OS: macOS 15.2
  • Branch: enhancement/120

Steps to Test- As mentioned in the PR description.
Test Results - It is working as expected.
Functional Demo / Screencast -
Special Notes - Ready for code review (Woo)
Testing Document status:
Cases related to this Issue/PR are added to the Critical Flow Wiki pages:

  • Yes
  • Not Required/Applicable for this PR

@qasumitbagthariya
Copy link
Collaborator

qasumitbagthariya commented May 8, 2025

Regression / Smoke Test Report ✅

Tested with the smoke-testing branch, it works as expected, similar to the fix-specific branch.

Testing Environment

  • WordPress: 6.8
  • Theme: Twenty Twenty-Four 1.3
  • WooCommerce - 9.8.2
  • PHP: 8.0.30
  • Web Server: Nginx 1.20.2
  • Browser: Chrome
  • OS: macOS 15.2
  • Branch: smoke-testing

Next Step- Ready to Merge 🚀

@vikrampm1 vikrampm1 merged commit 62c1c19 into develop May 8, 2025
12 checks passed
@vikrampm1 vikrampm1 mentioned this pull request May 8, 2025
Closed
22 tasks
@dkotter dkotter deleted the enhancement/120 branch May 8, 2025 20:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dkotter dkotter dkotter approved these changes

@qasumitbagthariya qasumitbagthariya qasumitbagthariya approved these changes

Assignees

@iamdharmesh iamdharmesh

Labels

needs:code-review This requires code review.

Projects

None yet

Milestone

1.8.0

5 participants

@iamdharmesh @dkotter @qasumitbagthariya @vikrampm1