Forms restrictions and anti spam measures - ucsf-ckm/ucsf-library-ux-and-web-documentation GitHub Wiki

• all newsletter subscribe forms are Elementor
• they have Honeypot protection added to each form
• CAPTCHA is possible, but would require rethinking our minimal design, since it adds a big section.

• all have CAPTCHA?

• WPForms own Enable anti-spam protection option should be toggled on by default
• Note that anti-spam honeypot was included for any forms created prior to the 1.6.2 release. However, newer forms will only have the anti-spam protection option.
• As of May 2022, enabled WPForms spam protection on all forms and turned off the obsolete honeypot setting on older forms.

1. First, generate a reCAPTCHA key in Google. See plugin documentation for all details.
2. Then go back to the WordPress dashboard > WPForms > Settings > reCAPTCHA and enter the key.
3. Once reCAPTCHA is activated (previous step) it must be toggled on for each form. Go to Settings > General and check Enable anti-spam and Invisible reCAPTCHA v2.

We've added CSS to the Simple CSS stylesheet to hide the reCAPTCHA badge:

/* Hide reCAPTCHA badge. Ref: https://developers.google.com/recaptcha/docs/faq#id-like-to-hide-the-recaptcha-badge.-what-is-allowed */
div.wpforms-container-full .wpforms-form .grecaptcha-badge,
div.wpforms-container-full .wpforms-form .grecaptcha-badge * {
    visibility: hidden;
}
.grecaptcha-fineprint {
    font-size: small;
}

According to Google's documentation, this is permissible if you add text to the form, which we have done below each form:

<span class="grecaptcha-fineprint">This site is protected by reCAPTCHA and the Google
    <a href="https://policies.google.com/privacy">Privacy Policy</a> and
    <a href="https://policies.google.com/terms">Terms of Service</a> apply.</span>

Need to limit submissions for DPH ILL requests to users with an email address @sfdph

WPForms provides options to limit or block email address form fields.

1. Get a snippet from WPForms support and customize to include the desired domain and the specific form ID

/*
 * Whitelist email domains from your WPForms.
 *
 * @link https://wpforms.com/developers/how-to-restrict-email-domains/
 *
*/
function wpf_whitelist_domains( $field_id, $field_submit, $form_data ) {
    $domain          = substr( strrchr( $field_submit, "@" ), 1 );
    $whitelist       = array( 'sfdph.org' );
    if( ! in_array( $domain, $whitelist ) && $form_data[ 'id' ] == 15647 ) {
        wpforms()->process->errors[ $form_data['id'] ][ $field_id ] = esc_html__( 'Email domain must be @sfdph.org', 'wpforms' );
        return;
    }
}
add_action('wpforms_process_validate_email', 'wpf_whitelist_domains', 10, 3 );

2. Add the edited code via the plugin Code Snippets