WordPress Spam Pixel code for WP Forms

spam-pixel.php

<?php
/**
 * Plugin Name:     Spam Pixel
 * Description:     This simple plugin integrates Ross's spam pixel idea with WP Forms
 * Author:          Ross Wintle
 * Author URI:      https://rosswintle.uk
 * Text Domain:     spam-pixel
 * Domain Path:     /languages
 * Version:         0.1.0
 *
 * @package         Spam_Pixel
 */

// Add field and CSS
add_action('wpforms_display_submit_before', 'spx_add_field');

function spx_add_field($form_data) {
	$ajax_url = admin_url('admin-ajax.php') . '?action=spx_pixel';
	echo '<div class="spx-captcha"></div>';
	echo <<<EOT
		<style>
			.spx-captcha {
				width: 1px;
				height: 1px;
			}
			form:focus-within .spx-captcha {
				background-image: url($ajax_url);
			}
		</style>
EOT;
}

// Add admin-ajax endpoint
add_action('wp_ajax_spx_pixel', 'spx_pixel_submit');
add_action('wp_ajax_nopriv_spx_pixel', 'spx_pixel_submit');

function spx_pixel_submit() {
	$ip_address = $_SERVER['REMOTE_ADDR'];
	set_transient('spx_allow_' . $ip_address, '1', DAY_IN_SECONDS);
	wp_die();
}

// Check form submission
add_action('wpforms_process_before', 'spx_wpforms_process_before', 10, 2);

function spx_wpforms_process_before( $entry, $form_data ) {
	$ip_address = $_SERVER['REMOTE_ADDR'];
	if (false === get_transient('spx_allow_' . $ip_address)) {
		wp_die('I don\'t think so!');
	}
}

Even caching!!

What do you mean?

set_transient('spx_allow_' . $ip_address, '1', DAY_IN_SECONDS);

That allowed IP-s are cached.

Wait! They are not really cached.

1. Transients need to be checked in top of spx_add_field (or when hooking that function)
2. And maybe adding
   • HTTP body: https://png-pixel.com/
   • HTTP headers for images
   • HTTP cache headers

Oh, so when you're already on the allow-list you don't need to add the hidden field.

Hmm...I would probably keep that check in and extend the transient's expiry.

And yes, need to work on the response from the pixel! But it worked as a prototype.

Thanks - useful stuff!

You're welcome.