I have been seeing more contact form spam in the past month or so from my own WordPress sites, and clients are reporting the same.
I assumed this was human spam and that little could be done to prevent it using the usual automated measures against spambots.
However, while making changes on one of the sites, I noticed:
- that the form was no longer working, displaying a “There was a problem. Your email could not be sent.” message, or words to that effect.
- that the reCaptcha 2 form was not being displayed below the form.
I was vaguely aware that current versions of Contact Form 7 supported reCaptcha 3. What I failed to appreciate was that these versions were not backward compatible in that they no longer supported reCaptcha 2.
That means, depending on the site, either
- visitors attempting to use your contact page were not getting their messages delivered; or
- messages sent via the form were no longer being intercepted by reCaptcha.
If you use Contact Form 7 on any of your sites, make sure that you update them to reCaptcha 3:
- go to reCAPTCHA: Easy on Humans, Hard on Bots
- scroll down to the bottom of the page listing your sites and create a new listing for your domain to use reCaptcha 3 (there does not appear to be any way to just update a version 2 listing to version 3)
- delete your old site keys under the Integration option for Contact Form 7 and replace them with the new reCaptcha 3 site keys
(Note: since these site keys apply to a domain plus any subdomains or subfolders under that domain, don’t delete your reCaptcha 2 keys until you are certain that you don’t have an application still using the old version. In particular, note that any custom HTML sites will need to be updated and most if not all forum software does not yet support reCaptcha 3.)
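To check which pages still depend on the old keys before deleting them, the following added example (not part of the original post and not Contact Form 7 code) classifies a page's HTML by the reCAPTCHA version it loads. It assumes the usual loading patterns: `api.js?render=<site key>` for version 3, a `g-recaptcha` widget element or a plain `api.js` for version 2, and the `wpcf7-form` class on Contact Form 7 forms. The function names, status labels and sample pages are constructed for illustration.

```python
import re

# Assumed markers: reCAPTCHA script URL, v2 widget class, Contact Form 7 form class.
API_SRC = re.compile(r'<script[^>]+src=["\']([^"\']*recaptcha/api\.js[^"\']*)', re.I)
RENDER = re.compile(r'[?&;]render=([^&"\']+)', re.I)
V2_WIDGET = re.compile(r'class=["\'][^"\']*(?<![\w-])g-recaptcha(?![\w-])', re.I)
CF7_FORM = re.compile(r'class=["\'][^"\']*(?<![\w-])wpcf7-form(?![\w-])', re.I)

def recaptcha_versions(html):
    """Return the set of reCAPTCHA versions ('v2', 'v3') a page loads."""
    found = set()
    for src in API_SRC.findall(html):
        m = RENDER.search(src)
        # render=<site key> is the v3 pattern; render=explicit/onload is v2.
        if m and m.group(1).lower() not in ("explicit", "onload"):
            found.add("v3")
        else:
            found.add("v2")
    if V2_WIDGET.search(html):
        found.add("v2")
    return found

def audit_page(html):
    """Classify one page for the key migration described in the post."""
    versions = recaptcha_versions(html)
    if CF7_FORM.search(html) and "v3" not in versions:
        return "cf7-without-v3"        # current CF7 form with no working reCAPTCHA
    if "v2" in versions:
        return "v2-keys-still-needed"  # e.g. custom HTML page or forum software
    return "ok-v3" if "v3" in versions else "no-recaptcha"

# Constructed sample pages; the site keys are placeholders.
CF7_V3 = ('<script type="text/javascript" src="https://www.google.com/recaptcha/'
          'api.js?render=V3_SITE_KEY_PLACEHOLDER&#038;ver=3.0"></script>'
          '<form class="wpcf7-form init" method="post"></form>')
CUSTOM_V2 = ('<script src="https://www.google.com/recaptcha/api.js" async defer>'
             '</script><form><div class="g-recaptcha" '
             'data-sitekey="V2_SITE_KEY_PLACEHOLDER"></div></form>')
CF7_BROKEN = '<form class="wpcf7-form" method="post"><input name="your-email"></form>'

if __name__ == "__main__":
    for name, page in [("contact (CF7)", CF7_V3), ("custom HTML", CUSTOM_V2),
                       ("contact (not migrated)", CF7_BROKEN)]:
        print(f"{name}: {audit_page(page)}")
```

Run it against the saved HTML of each page under the domain; keep the version 2 keys while any page reports `v2-keys-still-needed`.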