Spam Donations and What to do About Them

Occasionally, your donation forms might get targeted by spam bots or by fraudsters looking to test stolen credit card numbers. GiveWP has several tools for handling spam donations. Here’s what they are and how to use them.

What is Donor Spam?

Donor spam refers to any donation that is fraudulent or malicious. Typically, the spammer or spambot creates many donations on the site that are either declined or for very small amounts, for the purpose of testing stolen credit cards.

Note: Donor spam can become a serious issue. If your payment gateway sees a lot of spam activity from your website, it could put your account with them at risk. See Stripe’s documentation on Adverse effects for an example.
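The pattern described above (many donations from one source that are declined or for very small amounts) can be checked for in your donation records. The following Python is an added example, not GiveWP code; the record layout, status values, and thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not a real GiveWP export):
# (timestamp, source IP, amount in USD, status)
SAMPLE = [
    ("2024-05-01T10:00:05", "203.0.113.7", 1.00, "declined"),
    ("2024-05-01T10:00:31", "203.0.113.7", 1.00, "declined"),
    ("2024-05-01T10:01:02", "203.0.113.7", 2.00, "declined"),
    ("2024-05-01T10:01:40", "203.0.113.7", 1.00, "complete"),
    ("2024-05-01T10:02:15", "203.0.113.7", 5.00, "declined"),
    ("2024-05-01T10:02:58", "203.0.113.7", 1.00, "declined"),
    ("2024-05-01T09:15:00", "198.51.100.20", 50.00, "complete"),
    ("2024-05-01T11:30:00", "198.51.100.99", 5.00, "complete"),
    ("2024-05-01T12:00:00", "192.0.2.44", 25.00, "complete"),
    ("2024-05-02T12:05:00", "192.0.2.44", 10.00, "declined"),
]

# Assumed thresholds; tune them to your own donation traffic.
SMALL_AMOUNT = 5.00              # at or below this counts as a "very small" amount
WINDOW = timedelta(minutes=10)   # burst window per source
MIN_ATTEMPTS = 5                 # attempts within the window before flagging
MIN_SUSPECT_RATIO = 0.8          # share of attempts that are declined or small

def is_suspect(amount, status):
    """A single attempt looks like card testing if it was declined or tiny."""
    return status == "declined" or amount <= SMALL_AMOUNT

def find_card_testing(records):
    """Return {source_ip: largest suspicious burst size} for flagged sources."""
    by_source = defaultdict(list)
    for ts, ip, amount, status in records:
        by_source[ip].append((datetime.fromisoformat(ts), amount, status))

    flagged = {}
    for ip, rows in by_source.items():
        rows.sort(key=lambda r: r[0])
        start = 0
        for end in range(len(rows)):
            # Slide the window so it never spans more than WINDOW.
            while rows[end][0] - rows[start][0] > WINDOW:
                start += 1
            window = rows[start:end + 1]
            suspect = sum(is_suspect(a, s) for _, a, s in window)
            if (len(window) >= MIN_ATTEMPTS
                    and suspect / len(window) >= MIN_SUSPECT_RATIO):
                flagged[ip] = max(flagged.get(ip, 0), len(window))
    return flagged
```

A single small or declined donation is not flagged on its own; only a burst from one source within the window is.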

Why do Some People Spam Donation Forms?

The reason many fraudsters target donations (as opposed to other e-commerce solutions) is that there’s no cart to deal with as an additional hurdle.

With donations, there’s essentially just a credit card/payment form on the site, so the bot or script that the fraudster has to create is much simpler.

What You Can Do to Prevent Donor Spam in GiveWP

GiveWP’s Akismet Integration

GiveWP integrates out of the box with Akismet, the popular spam filter for WordPress.

Install or activate the free Akismet plugin. Then navigate to GiveWP > Settings > Advanced and ensure that the Akismet SPAM protection is enabled. Don’t forget to save the settings at the bottom of the page.

Set a higher minimum donation amount

Sometimes, simply increasing the minimum donation amount is an effective way to prevent these types of attacks. Bots tend to test forms with amounts of $1 or up to $5. If your form only accepts donations of $10 or higher, you can prevent these bots from using your site to test cards. Note that this won’t protect against humans or smarter bots that are willing to test higher amounts, but those are much less common.

Implementing a captcha

One of the most common ways to prevent all kinds of form spam is to add a captcha. There are many captcha solutions, but GiveWP recommends Cloudflare’s free captcha solution called Turnstile. To use this with your donation forms, download and install the Free Cloudflare Turnstile add-on. You can use Cloudflare’s settings to ensure the captcha is invisible and as unobtrusive as possible. This way, legitimate donors don’t have to perform annoying tasks to complete their contributions, while bots are automatically blocked.

Option-Based Editor

Some GiveWP users may still be using the older Option-Based Editor for donation forms. These forms are not compatible with the Cloudflare Turnstile add-on, so you will need to add Google reCAPTCHA v2 via a snippet we provide. We do not recommend this solution because it can cause friction in the donation experience. If possible, move your forms to the Visual Donation Form Builder and use the Cloudflare Turnstile add-on instead. However, you can follow the instructions below if you need to use this solution.

Use this snippet to add Google reCAPTCHA to your Option-Based forms:

GiveWP Snippet Library: reCAPTCHA

  • Read the instructions at the top of the Snippet to make it work on your specific site. This snippet is not simply a copy-paste snippet.
  • Refer to this guide for adding custom PHP for help adding this snippet to your site. Note that you don’t need the opening <?php tag if you are using the Custom PHP inserter.

Use Cloudflare or Sucuri

Sometimes, the best defense against donor spam is to take the fight one level higher than your web server. Cloudflare and Sucuri both do that, in different ways.

These are third-party services that help both speed up your website and provide protection against bot attacks and donor spam.

Some sites get added to bot lists, and there’s nothing you can do to prevent those bots from continually attacking your site except using a strong, dedicated firewall/security service like these two.

Last updated 8 months ago