Reduce Gravity Forms spam using common spammy terms via the comment blacklist

Stop Gravity Forms Spam Entries Using the Comment Blacklist

To be honest, I hate captchas. Always have, always will.

I invariably get them wrong, even the simple maths questions sometimes (don’t ask).

And if you want to reduce spam submissions from your Gravity Forms forms, sometimes this is the best suggestion you’ll get, which frankly, just isn’t good enough in my opinion.

Of course, there are also lots of other ways to reduce spam from Gravity Forms, which are partially successful, but I haven’t seen this specific solution anywhere else yet, and it complements the other approaches really well.

I actually borrowed this idea from my solution for reducing WPForms spam form submissions, and just adapted it to suit the way that Gravity Forms work instead.

To reduce manual Gravity Forms spam submissions, you maintain a list of spammy words in your Disallowed Comment Keys field and check all form entries against this list, using the custom code provided in your theme’s functions.php file.

Note: I don’t mean to imply in any way at all that these spam submissions are the fault of Gravity Forms. Far from it. Gravity Forms is an excellent forms plugin, and the issue lies entirely with the people (the spammers) submitting junk via the forms on our websites.

Let’s take a look at how I addressed the Gravity Forms spam issue in more detail.

1. How to reduce manual spam submissions

There’s lots of automated solutions to reduce bot spam form submissions, like honeypots and hidden fields, and they work pretty well.

That’s because automated spam bots are dumb – like all computers really – and can’t think their way around the simplest of problems sometimes.

And many of the published solutions for stopping spam are based around these techniques, using things like captchas or simple maths questions.

Great, so now we’re not getting much automated spam.

But what about the manual spam? You know, people actually coming to your website and filling out your form with junk?

How do you stop them?

Sadly, being flesh and blood humans, they generally know how to tick the “I’m not a robot” box or add up three plus 11, so it’s much harder to stop them with the existing tricks.

And that’s why I love this solution so much.

2. Using the comment blacklist to identify spam entries

I give you fair warning up front – this solution is not a fully hands-off one. But then neither are your spam submissions.

It actually requires you to create your own unique list of spammy terms, and add new terms to it regularly.

So if you’re looking for a fully automated solution, then this is not that – you might need to go find yourself a paid solution, or resign yourself to the never-ending stream of sales pitches for services you don’t want or need.

(And frankly, even if you did, why would you EVER use someone who treated your business like that? It’s really just a complete waste of everyone’s time and energy.)

But this is a low-cost solution, that takes less than 10 minutes a week to maintain.

So let’s change the rules and let them waste their time all they like, but reduce the time we have to spend on this problem to an absolute minimum.

All that you have to do is:

  1. Maintain a list of spammy phrases collected from your past spam (ongoing)
  2. Implement the code below in your theme’s functions.php file (once)

What this means is that you will still get some unwanted promotional messages through your contact form, but as your list of terms grows, based on your unique experience of the spam you get on your website, you will get less and less of it.

3. How to create your list of spam terms for filtering form submissions

Start by using all of the previous spammy emails you’ve received over the last six months or so.

Pick out unique phrases from each email that will identify the content as spam (ie one ore more “trigger phrases”).

You need to strike a careful balance here between:

  • Terms that are too general (e.g. “customers”) that MIGHT trap genuine enquiries
  • Terms that are too specific (e.g. “chat about sending you more customers”) that will probably only ever match once i.e. the original message

If in doubt you’re better to be too specific than too general, because otherwise you may block legitimate enquiries, and that’s definitely not acceptable here.

Keep in mind that some terms are highly likely to indicate unsolicited sales or junk messages as a single word (e.g. bitcoin) while other terms need more context to be sure (e.g. “article” vs “write an article”).

If you don’t have any old messages to work from, just start from today with a completely blank list.

Either way, from this point forward, every time you get a new spam form submission, pick out a term that identifies the message as spam, and that might also appear in future spam submissions, and add it to your list.

I don’t recommend going and finding someone else’s list of spam terms because:

  1. Your list of terms will be completely unique to your site
  2. Spam evolves over time so you need a list that reflects current activity, not what spam looked like 2 years ago
  3. You don’t want your list to be any longer than necessary, in order to make it fast to process form submissions
  4. You don’t want your spammers to know what’s on your list of spam terms, otherwise, they’ll just work around them

4. Using the WordPress comment blacklist field

And where do you put these spammy words and phrases you collect?

Happily, WordPress provides a convenient location in the form of the comment blacklist, which you’ll find in the WordPress admin area under Settings > Discussion Settings > Disallowed Comment Keys.

Terms in this field are usually used to stop spammy comments on your site, so you may already have some dodgy terms collected there.

As a bonus, if you are using comments on your website, adding your form submission spam terms to this list will also help to keep your spam comments to a minimum (and vice versa).

5. What happens behind the scenes when a submission is identified as spam

So, once you have your list of terms, the code I share below will run through any submission from a Gravity Forms form, looking for a match with your list of terms.

If a term is matched, the Gravity Forms entry status will be updated to “Spam”, and a couple of things happen:

  • The entry is not recorded in your list of entries for that form (i.e. it’s completely and invisibly dropped)
  • A generic message is provided to the person submitting the form

By default, Gravity Forms returns a standard generic message for submissions identified as spam (“Thanks for contacting us! We will get in touch with you shortly.”) but you can change this using a filter on the ‘gform_confirmation’ action if you want.

We want to do it this way because:

  1. We don’t want our spammer to know that their submission was not successful, otherwise they’ll just try again
  2. If we have our Gravity Forms submissions triggering other actions when they’re recorded (e.g. sending emails, going into a CRM, etc), we don’t want to fill up our systems with junk

If you want to know when you receive a spam submission, then this is not the right approach for you.

After all, the whole point of this solution is to minimise the time we waste dealing with junk leads, right?

So let’s just send them to “dev null” (ie the rubbish bin) and move on, OK?

6. The custom PHP code to identify spam form submissions

This code needs to be placed in your theme’s functions.php file.

If you ever change your theme, you’ll need to remember to transfer this code across to the new theme to make sure your spam filtering continues working.

Alternatively, you can write a custom plugin to do it, but that’s probably more overhead than you need and you need to know what you’re doing.

Really, REALLY Important: The fields used in this example reflect the specific structure of the forms on my example website.

You will need to update the criteria inside the foreach statement to reflect the structure of the forms on your website.

Your website forms are unique to you, so I can’t provide specific recommendations on what your code should say.

Just know that if your code isn’t working, then this is probably where your issue is.

If need be, uncomment the print_r statement temporarily so you can see the structure of the form you’re working on. Just remember to comment it back out again once you’re done.

/**  Filter out spam messages on Gravity Forms using the Comment Blacklist
* @author Nikki Stokes
* @link
* Usage: Add spammy terms to Settings > Discussion > Disallowed Comment Keys to block form submissions
* @param string $is_spam, true if entry contains spam
* @param array $form
* @param array $entry
function nhs_gforms_content_blacklist( $is_spam, $form, $entry ) {

	//DEBUG: Spit out entire structure of form object
	//print_r( $form );
	// Get comment blacklist values (and only perform checks if there are terms in list)
	$mod_keys = trim( get_option( 'blacklist_keys' ) );
	if ( '' !== $mod_keys ) {
		$words = explode( "\n", $mod_keys );
		// Assign field content to variables
		foreach( $form['fields'] as $field ) {
			$id = $field['id'];
			if( $field['type'] == 'email' ){
				$email = rgar( $entry, $id );
			if( $field['type'] == 'name' && $field['nameFormat'] != 'simple' ){
				$first_name = rgar( $entry, $id . '.3' );
				$last_name = rgar( $entry, $id . '.6' );
				$name = $first_name . " " . $last_name ;
			if( $field['type'] == 'text' ){
				if( $field['label'] == 'First Name' ){
					$first_name = rgar( $entry, $id );
				if( $field['label'] == 'Last Name' ){
					$last_name = rgar( $entry, $id );
				if ( $first_name || $last_name ){
					$name = $first_name . " " . $last_name ;
				if( $field['label'] == 'Phone' ){
					$phone = rgar( $entry, $id );
				if( $field['label'] == 'Company' ){
					$company = rgar( $entry, $id );
				if( $field['label'] != 'First Name' && $field['label'] != 'Last Name' && $field['label'] != 'Phone' && $field['label'] != 'Company' ){
					$text = rgar( $entry, $id);
			if( $field['type'] == 'textarea' ){
				$message = rgar( $entry, $id);
				$message_without_html = wp_strip_all_tags( $message );
		//DEBUG: Display values of fields for testing
		//echo "Email: $email<br>Name: $name<br>Phone: $phone<br>Company: $company<br>Text: $text<br>Message: $message<br>Clean Message: $message_without_html";

		// Step through spam terms in turn
		foreach ( (array) $words as $word ) {
			$word = trim( $word );

			// Skip empty lines
			if ( empty( $word ) ) {
			continue; }

			// Escape terms so that '#' chars in the spam words don't break things
			$word = preg_quote( $word, '#' );

			// Match form fields to spam terms
			$pattern = "#$word#i";
			if ( preg_match( $pattern, $name )
				|| preg_match( $pattern, $email )
				|| preg_match( $pattern, $phone )
				|| preg_match( $pattern, $company )
				|| preg_match( $pattern, $text )
				|| preg_match( $pattern, $message )
				|| preg_match( $pattern, $message_without_html )
				) {
				$is_spam = true;

	return $is_spam;
add_filter( 'gform_entry_is_spam', 'nhs_gforms_content_blacklist', 10, 3 );

If you’re not confident editing your theme’s functions.php file, then I recommend you hand this over to your website developer to implement for you.

After that, all you have to do is add spam keywords to your Disallowed Comment Keys list, which is easy to do using the WordPress back end.

And if at some point you suddenly start getting lots more spam submissions, then Gravity Forms might have changed something in the way that their forms work, or your theme might have changed, so you’ll need to review recent changes to your site to figure out the cause.

Note: Thanks to Mark for his suggestions on my WPForms version of this solution to improve the efficiency of the code execution.

Time to reduce Gravity Forms spam submissions?

So there you have it. Another way to combat spam messages from your website forms and get less rubbish piling up in your inbox.

I don’t know about you, but I’m thoroughly sick of the messages that say things like:

“I guarantee that my SEO service will get you increased visitors”


“I would love to share some ideas on how I could bring in regular new business for you”


Granted, this solution is not entirely effortless and automated, but speaking from experience it is quite effective.

My workflow is now:

  1. Every time I receive a spammy form submission, I quickly add any trigger phrases to a running list I keep in a text editor file, and promptly delete the email notification of the spam entry.
  2. And then once a week or so, I go into my sites and add all of my recently collected new junky terms to my master list of spammy words.

It’s not a perfect solution, but since implementing this approach on my sites, the spam I receive has diminished greatly, which frees me up to deal with genuine enquiries and other more important work.

It also means that my conversion data in Google Analytics is more accurate, so the decisions I make around what’s working are based on more meaningful data now too.

If you give this a go, I’d love to hear how it goes for you.

And as always, please leave any questions or suggestions in the comments below.

Note: I am not available to provide individual support with implementing this code. Making it work for your site is up to you.

Please share this content

About the author 

I’ve had a love affair with systems, technology and data for as long as I can remember. I’ve been building websites for over 20 years, running online businesses for more than 15, and teaching myself how to use gazillions of software programs since the very first moment I got my hands on a computer. I’m a geek and proud of it!

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}