Digital Access Pass WordPress Membership Sites: Preventing SPAM Sign-Ups using G.A.S.P.

by Paul on November 7, 2011

Digital Access Pass, as with any membership site that has a sign-up form, will be subject to SPAM.

If you’re not doing anything to prevent SPAMmers and bots, you’re likely going to get overwhelmed quickly.

My solution was to adopt, and extend upon, the elegance of the Growmap Anti Spambot Plugin for WordPress comment spam.

This article shows you what I did for DAP, and how you can do it too with a free code download.

What is the Growmap Anti Spambot Plugin (G.A.S.P.)?

For more information, check out the WordPress plugin here.

G.A.S.P. is quite simple. It works on a couple of levels but basically uses Javascript to render a couple of input fields that it then checks after the comment (form) has been submitted.

Simple, clever, and it works.

I decided against captcha forms (because they’re annoying) and opted to learn what I could from G.A.S.P. and make my own system for Digital Access Pass membership signup forms – I’m calling it… D.A.P.A.S.S.

How the Digital Access Pass Anti Spambot System (D.A.P.A.S.S.) works

Currently D.A.P.A.S.S. works by utilizing the G.A.S.P. checkbox functionality and the hidden “honeypot” field.

My approach extends G.A.S.P. to provide for the following simple additions:

  1. You can have multiple forms on the one page. With the current G.A.S.P. implementation you’re limited to only one G.A.S.P.-enabled form per page.
  2. I’ve wrapped an HTML ‘<LABEL>’ element around the text beside the checkbox for usability.
  3. It may not make any difference, but I’ve slightly randomized the <DIV> IDs to reduce the likelihood of a workaround based on ID names.

It is written in PHP as a self-contained function so you can easily add it to your WordPress theme (where the form is printed). Alternatively, you can add the Javascript directly in the <FORM>.

If you’re using a WordPress theme like Thesis then you’re in luck because adding PHP such as this is a breeze!

Once you make the additions to the sign-up form, you then add a line to the DAP signup_submit.php file.  All is revealed below…
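The mechanism described above (a JavaScript-rendered checkbox, a hidden honeypot field, and a random suffix per rendered form so that several forms can share a page), shown as an added PHP example. This is not the D.A.P.A.S.S. download: every function name, field name and the secret are assumptions made for illustration, and the HMAC-signed token goes beyond what the article describes, letting the server confirm that the suffix was issued by the site and is recent.

```php
<?php
// Added example with hypothetical names throughout; not the D.A.P.A.S.S. source.
const EXAMPLE_SECRET = 'change-me'; // assumption: a per-site secret that never reaches the page

// Build one form's anti-bot fields. Call once per form, inside the <form>.
function example_antibot_fields(): string
{
    $suffix = bin2hex(random_bytes(4));            // fresh random suffix per rendered form
    $issued = time();
    $mac    = hash_hmac('sha256', "$suffix|$issued", EXAMPLE_SECRET);
    $token  = htmlspecialchars("$suffix|$issued|$mac", ENT_QUOTES);
    $id     = "ab_$suffix";

    // The checkbox exists only after JavaScript runs. The honeypot is plain HTML
    // that people never see but bots that fill every field tend to complete.
    return <<<HTML
<input type="hidden" name="ab_token" value="$token">
<div style="display:none"><input type="text" name="hp_$suffix" value="" tabindex="-1" autocomplete="off"></div>
<div id="$id"></div>
<script>
(function () {
  var box = document.createElement('input');
  box.type = 'checkbox'; box.name = 'cb_$suffix'; box.value = '1'; box.id = 'cb_$suffix';
  var label = document.createElement('label');
  label.htmlFor = box.id;
  label.appendChild(document.createTextNode(' I am a human and not a spam bot'));
  var holder = document.getElementById('$id');
  holder.appendChild(box); holder.appendChild(label);
})();
</script>
HTML;
}

// Server-side check of a submitted form; returns true when it passes all tests.
function example_antibot_check(array $post, int $maxAge = 3600): bool
{
    $parts = explode('|', (string)($post['ab_token'] ?? ''));
    if (count($parts) !== 3) return false;                  // token missing or malformed
    [$suffix, $issued, $mac] = $parts;
    $expected = hash_hmac('sha256', "$suffix|$issued", EXAMPLE_SECRET);
    if (!hash_equals($expected, $mac)) return false;        // token forged or altered
    if (!ctype_digit($issued) || time() - (int)$issued > $maxAge) return false; // stale form
    if (($post["cb_$suffix"] ?? '') !== '1') return false;  // JS checkbox absent or unticked
    return ($post["hp_$suffix"] ?? '') === '';              // honeypot must stay empty
}
```

A client that executes JavaScript and ticks the box still passes; the check filters bots that post the form directly or fill in every field.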

Considerations for Digital Access Pass future upgrades

It would be ideal if DAP had a built-in mechanism for handling SPAM, or even supplied hooks to help developers add their own customizations, but alas, we’re stuck with what we’ve got.

To add server-side checking of the form, you must edit a file that will in all likelihood be updated in future DAP releases. This means that for each upgrade, you have to re-edit the file. This isn’t a huge problem since the changes you need to make go right at the beginning of the file, and the change is only 1 line.

It’s easy!  Anyone with a text editor and FTP can do it.

You can download the D.A.P.A.S.S. package for free from the Host Like Toast Developer Channel and it comes in 3 parts.

How to add Digital Access Pass Anti Spambot System to your site

The 3 parts of the download are as follows:

  1. dapass_form.php: a PHP file that you must include somewhere in your theme and then simply call: echo print_tac_checkbox();  This will print the necessary Javascript.
  2. dapass_check.php: a PHP file that you must include at the beginning of the file signup_submit.php so as to check for SPAM submissions

Review the image below of the form HTML code provided by DAP.

Digital Access Pass Signup Form HTML Code

As outlined on the image itself, you need to create a new table row and cell and place the code within it.  Styling of the form is left up to you at this point.

Simply call the PHP code: echo print_tac_checkbox();  to create and insert the necessary Javascript code from within the table cells or wherever you’d like to place it (but be sure to keep it within the <FORM>).

If you don’t know how to easily call the PHP code within WordPress, you have a couple of options. With the Thesis Theme you can simply create your own function in custom_functions.php and hook it in the appropriate place for the correct page.

You could alternatively create a WordPress “Shortcode”, which is quite straightforward once you’ve done it once. I intend to give a quick how-to for this in the future, but feel free to comment below if you’d like help sooner.

The next stage is to edit the signup_submit.php file as this is critical to the whole functioning of the system.  Here is the basic outline of the steps involved:

  1. Using FTP (or otherwise) browse to your DAP installation folder and download the file: signup_submit.php
  2. Make a backup copy of this file.
  3. Open up the file you downloaded (not the backup) in a text editor.
  4. At the beginning of the file (after the <?php ) add the following line of code (as shown in the image below):
    include_once ( dirname(__FILE__).'/dapass_check.php');

    DAP signup_submit.php Additions

  5. Save the file.
  6. Upload the following files to your DAP installation folder: signup_submit.php, the backup file of signup_submit.php, and dapass_check.php. If you’re prompted to overwrite the files, say yes.

All being well, you should have a functional anti spambot facility on your sign-up form.

Of course, I’m open to suggestions on how you think this could be improved, or even simplified, but for now I hope any users of Digital Access Pass will find this a useful addition.

And to the authors of Digital Access Pass… please add the ability to hook into the DAP code in future releases. Developers would really appreciate the ability to extend the system easily without having to edit the source each time (as I did when I added the ability to use Google Apps email to send non-bulk/autoresponder emails in DAP).

Important Notice

If you sign-up to the Developer Channel remember that you are subject to the Terms and Conditions.  In summary, Host Like Toast isn’t liable for any damages incurred by implementing our suggestions and guides. Use at your own risk.

Also remember, as I mentioned already, you’ll have to redo the last stage where you edited the signup_submit.php file after you upgrade your DAP installation in the future.

Download Now…

You can download the code necessary directly from the Host Like Toast Developer Channel today. If you haven’t signed up already, you can do so using the form below.


11 comments

Mike February 18, 2012 at 5:34 am

I think there is something that could improve it. It is still not impossible for a bot to just pass gasp_checkbox=1 to get through once they realize you have added this checkbox. I think there needs to be some way that javascript can randomize the name of the checkbox. You could make the sha1 or similar digest of the browser agent which would only work using js. You can do the sha1 using js or use ajax to get the sha1 and put it in a hidden field to prove that they did it using js.

There is a site I found that was interesting as well.
http://www.webdesignfromscratch.com/javascript/human-form-validation-check-trick/
This gave me an idea. What if each time the user clicked on a field you also sent an ajax request to your server to say I’m human and the server saves that affirmation into a session cookie or into a database or file and it has a time before it’s invalid. Then when they submit you check if you got pings from the user that they had clicked on a field. If not then don’t accept the email.

Also you can use an input field with class=”special” name=”notes” and then use css with display:none and the spammers fill it in every time with garbage but no real user sees it!


Paul February 18, 2012 at 9:19 am

Hey Mike,

Thanks for the comment.

Actually my implementation of the gasp checkbox includes a server-side random number added to the fields for every page load. That will help prevent what you describe.

The last point you make is similar, if I understand you right, to the “honey pot” technique. My implementation also uses honey pot to snare bots that fill in all the form fields.

As for the Ajax+cookies etc, this for me is more technically complex than I’d want. I consider captcha also, but I’m trying to strike a balance between spam reduction and simplicity. At the moment I have NO spambot signups whatsoever. It’s been a real success for me…

Thanks again for the feedback!
Cheers,
Paul.


Josh November 27, 2012 at 5:45 pm

I am trying to prevent spam on my new weight lifting forums that I just opened. Also to prevent me from paying Amazon SES email fees to these spammer email addresses. The spammers are costing me lots of money and it’s very annoying. I really do not understand spammers. Can’t stand them.

Anyway, I am using DAP without double confirmation. Wouldn’t it be easy to just add double confirmation for my free signup and leave single confirmation for the paid products? Wouldn’t the double confirmation prevent the spammers from at least getting to the forums and spamming it up as well. I know I will still have to pay to send them the welcome email.

I am hesitant to try your method above because I’m not great on website design and not sure how to get the checkbox to fit into my website design for my top header sign up form. I may try to figure it out. Not sure which method to use. Would rather keep single opt in because it’s so much easier and allows people to download instantly. But then the spammers keep that from happening. Spammers are ridiculous. Who are the people behind spam? They should be sent to prison for life or even given the death penalty. All they do is waste billions and billions of hours and billions and billions of dollars.


Paul November 27, 2012 at 10:14 pm

Josh,

I share your frustration at this… it got me at the start as well and it took me several days to develop a solution that will thwart them.

Not only that, I’ve worked in a nice solution for stopping people with throw-away email addresses. I don’t get them all, but I catch lots of them 😉

I don’t know how much you spend on Amazon SES dealing with spammers, but I hope you get this sorted.

If you’d like me to consult on this, take a look at your site and quote on how much it would be to install this for you, I can. Just drop me a line on our contact form. I have most of the code written, I’d just need to learn your setup, and customize it slightly. Probably a couple of hours.

Let me know. Otherwise, I hope you have luck with it and you either find an alternative solution, or you’re able to implement this.

Thanks for commenting… I’m glad my code can help other people.

Cheers,
Paul.


Josh December 1, 2012 at 12:55 pm

Paul,

Thanks very much for the help.

I just got everything setup according to the above about 30 minutes ago. I was getting about 60 spam sign ups per day. I just deleted them all from the database because I am OCD like that and can’t stand having them in the DAP database.

I thought the spammers had slowed down since I hadn’t gotten one in 30 minutes. Just got another one so not sure this is working to prevent spammers. I think it may have slowed them down but not 100% sure as it’s only been 30 minutes or so.

My sign up page is here:

http://www.weight-lifting-complete.com/free-membership-to-weight-lifting-complete/

Does it matter that I took away the link to Terms and Conditions and just replaced it with “I am a human and not a spam bot?” I wouldn’t think so but not 100% sure as there could have been something you built in.

I have been reading a lot about this because I am sick of the spammers wasting my time and money and want to stop them. I do not give up easily.

Shouldn’t we have 2 radio buttons with the default checked to say I am a spammer and the other option I am a human? Or something similar. Can’t seem to stop them with just the above post.

The spammers keep signing up with random letters for the user name and the email addresses are coming from the domain:

thewebbusinessresearch.com

Sometimes there are other random email addresses as well but most are coming from the above domain. Very annoying indeed.

Any suggestions to bulletproof the above or prevent a few more?


Josh December 1, 2012 at 1:04 pm

I also installed the “Stop Spammers” plugin for WordPress and it seems to be helping too as I can see it has stopped several of the same domain email addresses that I mentioned above. Seems like a great plugin as you can see history on all the prevented attacks by spammers.


Josh December 2, 2012 at 12:59 pm

Paul,

Been working on stopping the spammers all day. So I couldn’t figure out why I wasn’t stopping them. I had a form still up on the forums that was not using your checkbox solution as described above. So I screwed up. I think they were mainly coming through the sign up form in the forums.

Just wanted to let you know.

I also ended up fixing the spammers from signing up by adding a coupon code to the free DAP product and simply listing it below the sign up form. It has been working for 12 hours or so with no spam bot sign ups!


Paul December 5, 2012 at 9:16 pm

Hey Josh,

It looks like you’ve been making some great progress with this. The coupon idea is a good one – I guess it works kinda like a captcha. Nice job!

I’d be interested to know how this all works out in the long-term for you and if you come up with any other ideas/improvements for this system.

Good luck with it all!
Cheers,
Paul.


Josh December 7, 2012 at 11:58 pm

Well Paul, not sure how but the spam bots are getting through even with the coupon code as a requirement. Have no idea how they are doing it as I thought the coupon code was a requirement. Not as many getting through but just a few are very annoying. Was trying to just make my site single optin so I could send free members straight to the download area to get what I promised them. But I’m still not able to do so since these spam bots are getting through.

I can tell which sign ups are spam bots because there is no coupon code entered. So I guess there is some work around to the form through the coupon code.

I think I am going to put your DAPASS system back on the sign up forms and see if it finally gets rid of the rest of the spammers. Man, this is annoying. They are wasting hours and hours of my time that I don’t really have to spend on these spammers. I will keep you updated. I read about all of these spam prevention techniques like honeypots but I have no idea how to implement on an actual form.

Thanks for listening. I will beat these spam bots somehow and will let you know how I do it. I’ve beat some of them so far but new ones keep coming and getting around anything I try. Hoping the combination of the FREE coupon code and your ideas will stop all of them. Thanks again.


Serks August 16, 2013 at 2:08 am

Hey Josh,
I am developing a site with DAP at the moment and was looking at implementing this DAPASS system.
I noticed you mentioned above that you will try putting the DAPASS system back on your site but I checked your website and you currently don’t have it there.
Did it not work for you?
Did you still get spammed with the DAPASS system?

Thanks
PS. Thanks Paul for this solution.


Serks August 16, 2013 at 3:19 am

Hi Paul,

Also, where is the file dapass_check.php supposed to go?
I have tried everything but I am still able to create an account if the check box is not checked. I don’t think I have done it correctly.
Any help would be much appreciated.
Thanks
