To defeat your enemy, you must know your enemy. What is spam? For our purposes, spam is any unsolicited bulk electronic message. Spam these days is intended to lure unsuspecting users into visiting a (usually shady) web site where they will be asked to buy products, or have malware delivered to their computers, or both. … Read more
Since it hasn’t been explicitly stated yet, I’ll state it. No one’s using your domain to send spam. They’re using spoofed sender data to generate an email that looks like it’s from your domain. It’s about as easy as putting a fake return address on a piece of postal mail, so no, there’s really no … Read more
Assuming that your site has not been compromised, and that there are not unknown admin-level user accounts, then this could just be a case of mail spoofing. (Where a person places your email address as the ‘from’, but the email is really being sent by an external process.) I’d change all credentials (hosting, FTP, admin-level … Read more
I’ve been studying (and blocking) automated form spam for years. Most advice relates to hidden fields, CSS tricks, ‘stupid’ questions (“what is 1+3”), and others. And the reason that those tricks (and others) don’t work with automated spam bots is that they don’t ‘see’ your form, they just post to it. They scrape the form, … Read more
I don’t know of a way the default comment status can be changed, but there’s an action ‘comment_post’ that runs after comments are inserted that you could easily hook to set every new comment to have the ‘spam’ status: function set_new_comment_to_spam($commentId) { wp_set_comment_status($commentId, ‘spam’); } add_action(‘comment_post’, ‘set_new_comment_to_spam’, 10, 1); Add that to your functions.php
As I see you are using reCaptcha v3 as the examples you try and it will not appear until the user score is under the minimum you added into the configuration but it is still working and checking the user score before he submits your form. anyway if you configured the plugin correctly you may … Read more
It is prolly injected in your files. Look at the plugin files, search for eval or base64.
Update: From my hard-earned painful expereince, KeyCAPTCHA is scam by professional spammers You can create your own captchas from your own images with “Personal Captcha” of KeyCAPTCHA https://www.keycaptcha.com/whatisit/?s=pc For subscribers of such service there is online designer The basic service is free but possibility of creating your own captchas is fee-based (5 USD a months, … Read more
Do you have access to your webserver? I use a program called “fail2ban”. This program scans log files to see if certain things have been logged – such as people trying to access your email – and bans the IP address for a set amount of time. You can vary it from 1 second to … Read more
There is a known problem as described in this ticket and this blog post The problem was identified in 2.9.2 but looks to also have been identified in 3.0. From the sounds of it, the wordpress team won’t fix this bug, because they feel spam is inevitable, and that it is the responsibility of spam … Read more