Forum Moderators: rogerd & travelin cat


Help me find a contact form on my site?


alistairgd

9:26 pm on Nov 9, 2020 (gmt 0)

10+ Year Member Top Contributors Of The Month



A spammer is using a contact form on my website to send relentless spam. I have checked my contact page and the spam is not coming from there.

Looking at the spam email headers show that it is coming from /public_html/index.php which is just wordpress - so I'm thinking there must be an old contact form somewhere on my huge 20 year old site that I can't find, but that spammers are using.

The email subject line is the only clue I can find and all it says is "Subject: New Message From" and then my site name.

I tried downloading the WP database and searching for that subject line, but it was not found.

How can I find this form on my site?

alistairgd

9:31 pm on Nov 9, 2020 (gmt 0)

10+ Year Member Top Contributors Of The Month



Found it, I think....

travelin cat

9:37 pm on Nov 9, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Have you tried using a spider program to go through your site? I use Integrity on my Mac.

Look for pages with URLs that indicate they may have a form on them, like /consultation-form/

This can be time consuming, but you should be able to review all of your website pages.

alistairgd

9:43 pm on Nov 9, 2020 (gmt 0)

10+ Year Member Top Contributors Of The Month



Thanks buddy, I'll try that.

not2easy

10:07 pm on Nov 9, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



You could always visit the Charter [webmasterworld.com] for this forum and from there go to the WP vulnerability site to verify that your contact form plugin is not flagged as compromised. Several of them are listed there.

The spam does not need to come from the contact form page, there are spammer scripts in use that bypass the visit and just use spambots scripted for that purpose. Recently, even common form plugins don't work with the captcha plugin they worked with last month. Dang evolution.

NickMNS

10:12 pm on Nov 9, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> A spammer is using a contact form on my website to send relentless spam.

If there are a lot of spam messages going through, it will appear very evidently in your raw server logs.

> The spam does not need to come from the contact form page,

This is true, but the spam does need to be submitted to an endpoint somewhere on your server. The raw logs should tell you what that endpoint is.

alistairgd

10:13 pm on Nov 9, 2020 (gmt 0)

10+ Year Member Top Contributors Of The Month



I checked that Charter link out but it just took me to a WPScan security plugin page... I already use Wordfence - do I need this as well?

I've added an output from the contact form to identify which page it is on; if this appears in the next piece of spam I will have found the rogue form. If not, I will have to delve deeper as you have said.

[edited by: alistairgd at 10:19 pm (utc) on Nov 9, 2020]

alistairgd

10:15 pm on Nov 9, 2020 (gmt 0)

10+ Year Member Top Contributors Of The Month



> If there are a lot of spam messages going through, it will appear very evidently in your raw server logs.

Thanks for the tip I will take a look - can you give me a hint what I should be looking for?

NickMNS

10:45 pm on Nov 9, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



You should be looking for an unusually large number of hits to one specific page.
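An added example (not from any poster in this thread) of the raw-log check NickMNS describes here and earlier: it parses access-log lines in the Apache/nginx "combined" format, ranks paths by POST volume so the hammered endpoint stands out, and also reports how many of those POSTs arrived with no Referer, i.e. direct submissions that never loaded the page. All log lines, paths and IP addresses are constructed for the example.

```python
import re
from collections import Counter

# Apache/nginx "combined" format. The sample lines are constructed for this example.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
                    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?')

SAMPLE_LOG = """\
203.0.113.5 - - [09/Nov/2020:21:01:02 +0000] "GET /contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Nov/2020:21:01:09 +0000] "POST /contact/ HTTP/1.1" 302 0 "https://example.com/contact/" "Mozilla/5.0"
198.51.100.7 - - [09/Nov/2020:21:02:00 +0000] "POST /old-site/enquiry.php HTTP/1.1" 200 311 "-" "python-requests/2.24"
198.51.100.7 - - [09/Nov/2020:21:02:01 +0000] "POST /old-site/enquiry.php HTTP/1.1" 200 311 "-" "python-requests/2.24"
198.51.100.9 - - [09/Nov/2020:21:02:03 +0000] "POST /old-site/enquiry.php HTTP/1.1" 200 311 "-" "python-requests/2.24"
192.0.2.44 - - [09/Nov/2020:21:03:10 +0000] "GET /about/ HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
"""

def parse_log(text):
    """Yield one dict per line that matches the combined format; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def suspect_endpoints(text, methods=("POST",)):
    """Rank paths by POST volume. Also report distinct source IPs and how many
    hits arrived with no Referer, i.e. submissions that never loaded the page."""
    hits, ips, no_ref = Counter(), {}, Counter()
    for r in parse_log(text):
        if r["method"] not in methods:
            continue
        hits[r["path"]] += 1
        ips.setdefault(r["path"], set()).add(r["ip"])
        if r["referer"] in (None, "", "-"):
            no_ref[r["path"]] += 1
    return [{"path": p, "posts": n, "ips": len(ips[p]), "no_referer": no_ref[p]}
            for p, n in hits.most_common()]

if __name__ == "__main__":
    for row in suspect_endpoints(SAMPLE_LOG):
        print(f"{row['posts']:4d} POSTs {row['ips']:3d} IPs "
              f"{row['no_referer']:3d} no-referer  {row['path']}")
```

Run it against a real access log by passing the file contents to suspect_endpoints; the path at the top of the list is the endpoint to inspect.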

not2easy

11:01 pm on Nov 9, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



> I checked that Charter link out but it just took me to a WPScan security plugin page... I already use Wordfence - do I need this as well?

That is not a plugin page or a plugin. It is a searchable list of every vulnerable plugin, theme or WP version that has been compromised.

alistairgd

2:30 pm on Nov 10, 2020 (gmt 0)

10+ Year Member Top Contributors Of The Month



Thanks for all the tips above - very helpful, thank you.

I have found the form that is being used to send spam and will add a google v3 invisible recaptcha to it in the form settings. Google recaptcha is giving a warning/error for my site though so I'm not sure it will work properly.

"We detected that your site is not verifying reCAPTCHA tokens."

NickMNS

3:33 pm on Nov 10, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



What you are describing is a common mistake in the implementation of ReCaptcha.

The captcha works in two parts, and most often the issue is that the second part is never implemented.

First part:
On the client side you display the form (image picker widget) to the user so that the user can prove that it is not a robot. This, using JavaScript, prevents your contact form from being submitted until the Captcha is correctly submitted. This is the simple part. But this is not sufficient, because the user can skip the form completely and make a submission directly to the server endpoint. In other words, when one clicks submit on a form it sends some data to a URL as a POST request. You don't need the form to make that POST request. In fact most bots skip the form and will simply send a POST request directly to the URL (server endpoint). In doing so the bot skips the captcha entirely, rendering it useless.

The second part:
To prevent this, when a user submits the ReCaptcha it sends a request to the ReCaptcha server with a unique identifying key. Assuming the captcha was correctly submitted, that key is also sent to your server as part of the submission form. Once you receive the key, your server must make a request to the ReCaptcha server with that key (and your secret key), at which point the ReCaptcha server will confirm with a response that the key is valid and that the captcha was in fact correctly submitted by the user. You should be sure to verify, when any and all submissions are made, that the key is present and that the key is sent to the ReCaptcha server for validation. As such, when a bot submits a POST request without going through your form it will not have the key (in most cases), and if it does present a key, the key won't be valid and the request can be stopped then and there.

Implementing the ReCaptcha will eliminate all the mass spam submission. Unfortunately, it doesn't eliminate all spam as there are humans that will still go through the trouble of filling out Captchas to send you emails about mail order Russian brides.

As to the correct implementation on Worst Press, I have no idea, I assume that there must be plugins to do this, but whether those plugins do it correctly and how much coding it requires is something I know nothing about.
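The "second part" above, as an added example that is not from any poster in this thread: a Python server-side handler that sends the submitted token and the secret key to Google's siteverify endpoint and refuses the submission when the token is missing, rejected, tied to a different action or (for v3 invisible, as used later in the thread) scored below a threshold. The endpoint URL and reply fields are Google's public reCAPTCHA API; the handler, the "contact" action name, the 0.5 threshold and the offline stand-in reply are assumptions made for the example.

```python
import json
import urllib.parse
import urllib.request

# Google's public verification endpoint; the offline stand-in below never calls it.
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

def google_siteverify(secret, token):
    """Default transport: POST secret + token to Google, return the parsed JSON."""
    data = urllib.parse.urlencode({"secret": secret, "response": token}).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=data, timeout=10) as resp:
        return json.load(resp)

def verify_recaptcha(token, secret, expected_action="contact", min_score=0.5,
                     siteverify=google_siteverify):
    """Server-side half of the check; returns (ok, reason).
    A bot that POSTs straight to the endpoint, skipping the widget, arrives
    with no token (or a forged/stale one) and is rejected here."""
    if not token:
        return False, "missing-token"
    try:
        result = siteverify(secret, token)
    except Exception:  # network error or bad JSON: fail closed, never open
        return False, "siteverify-unreachable"
    if not result.get("success"):
        return False, "invalid-token:" + ",".join(result.get("error-codes", []))
    if "score" in result:  # v3 (invisible) replies carry an action name and a 0..1 score
        if result.get("action") != expected_action:
            return False, "action-mismatch"
        if result["score"] < min_score:
            return False, "low-score"
    return True, "ok"

def handle_contact_post(form, secret, siteverify=google_siteverify):
    """Hypothetical handler: verify first, send the e-mail only on success.
    'g-recaptcha-response' is the conventional form field carrying the token."""
    ok, reason = verify_recaptcha(form.get("g-recaptcha-response"), secret,
                                  siteverify=siteverify)
    if not ok:
        return {"status": 403, "reason": reason}
    # ... build and send the e-mail here ...
    return {"status": 200, "reason": "sent"}

def fake_siteverify(secret, token):
    """Constructed stand-in for Google's JSON reply so the example runs offline."""
    replies = {"good-token": {"success": True, "score": 0.9, "action": "contact"},
               "bot-token": {"success": True, "score": 0.1, "action": "contact"}}
    return replies.get(token, {"success": False,
                               "error-codes": ["invalid-input-response"]})
```

The "not verifying reCAPTCHA tokens" warning quoted earlier in the thread is what Google reports when a site never makes the siteverify call at all, which is the case this handler is written to avoid.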

not2easy

3:51 pm on Nov 10, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I regret that I have but one "Like" to give to your post NickMNS. It is a common failure of WP plugins to skip over the details that users need to know before their services will/can work as expected. "Works with Google's v3 Invisible recaptcha" is as far as they go.

Users would need to first have a key set - fairly easy and free from the OpenPGP project, but not clearly explained in the WP plugins area.

alistairgd

6:27 pm on Nov 10, 2020 (gmt 0)

10+ Year Member Top Contributors Of The Month



Nick and not2

Thanks. I am using Google recaptcha v3 invisible, so no image picker widget required with this variation. I am also using a contact form module (from Divi) that stores the keys, contacts the google server, connects to the account, and does the authentication you are describing. Except in this case Google server is responding with an issue regarding "verifying reCAPTCHA tokens."

I'll probably need to take this to the divi support team to resolve.

NickMNS

6:33 pm on Nov 10, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



It is best that you take this up with the divi support team.

> Except in this case Google server is responding with an issue regarding "verifying reCAPTCHA tokens."

This is exactly the issue I describe in my "second part"; I used the word "key" instead of "token" but it is the same thing in this case. My guess is that your server is not making the request to verify the key/token. Hopefully the divi people can help you solve the problem.

alistairgd

6:35 pm on Nov 10, 2020 (gmt 0)

10+ Year Member Top Contributors Of The Month



I understand, thanks Nick.

elevatenow

12:22 am on Jan 6, 2021 (gmt 0)

5+ Year Member



You have to use those plugins that help fight spam comments. A lot of people still use the captcha plugin for comments.