Hey @blacklp
First, thanks for trying Formality on your website.
The description of the plugin says “Prevent spam with built-in token authentication” but I can find nothing in the UI dealing with this.
Is it automatically enabled?
Yes, it’s a custom authentication method, automatically enabled on all Formality forms.
And how does it block spam?
Basically, a common spambot must identify a URL to attack and try to send random data to it, with a single request.
Formality works with the WP REST API and it expects 2 distinct requests for every form submit:
- The first request must be a simple “ping” to the server (with no data).
- The server sends down a token (that expires in 5 seconds) in the response body, and expects that the Formality client script includes that token in the subsequent request it makes to the server.
- If the second request satisfies this condition (and includes all form data to store), Formality will consider it “valid”.
Obviously, this is not a 100% secure anti-spam method:
- An advanced spambot can replicate user actions and send data directly with the Formality frontend script (like a human),
- Or (in the future) a spambot can implement the same authentication method (it’s an open-source project… no secrets).
I think that this method provides enough security, but I know that it is not perfect and I have planned to add Recaptcha as an option in the future.
Let me know if it’s clear… (sorry, my English sucks)
And let me know if you receive some spam, maybe I will change my roadmap and increase the priority of Recaptcha integration.
Cheers,
Michele
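The two-request handshake described in this reply, modeled as an added example for illustration (this is not Formality's own code, which runs as a WordPress/PHP plugin). It assumes an HMAC-signed timestamp token with a 5-second lifetime and single-use redemption; the signing scheme and the single-use check are assumptions made here, not details stated by the author.

```python
import hmac
import hashlib
import secrets
import time

# Constructed secret for this example; a real site would use its own per-site secret.
SECRET = b"example-site-secret"
TOKEN_TTL = 5.0  # seconds, matching the expiry the reply describes


class TokenGate:
    """Server side of the handshake: ping() issues a short-lived token,
    submit() accepts form data only when it carries a fresh, unused token."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable clock so expiry can be tested
        self.used = set()       # redeemed tokens (single-use; an assumed hardening)

    def ping(self):
        """First request: no data; the server answers with a signed token."""
        issued = int(self.clock() * 1000)          # issue time in milliseconds
        nonce = secrets.token_hex(8)
        payload = f"{issued}:{nonce}".encode()
        sig = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
        return f"{issued}:{nonce}:{sig}"

    def submit(self, token, form_data):
        """Second request: must carry a token issued by ping() within TOKEN_TTL."""
        if not token:
            return "rejected: missing token"       # a single direct POST fails here
        try:
            issued_s, nonce, sig = token.split(":")
            issued = int(issued_s)
        except ValueError:
            return "rejected: malformed token"
        payload = f"{issued}:{nonce}".encode()
        expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return "rejected: bad signature"       # timestamp or nonce was tampered
        age = self.clock() - issued / 1000
        if age < 0 or age > TOKEN_TTL:
            return "rejected: token expired"       # more than 5 s since the ping
        if token in self.used:
            return "rejected: token already used"  # replay of a valid token
        self.used.add(token)
        return "accepted"
```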