Spam Donations and What to do About Them
Occasionally, your donation forms might get targeted by spam bots or by fraudsters looking to test stolen credit card numbers. GiveWP has several tools for handling spam donations. Here’s what donor spam is and what to do about it.
What is Donor Spam?
Donor spam refers to fraudulent or malicious donations in which a spammer or spambot submits many donations to a site, either declined or for very small amounts, in order to test stolen credit cards.
Note: Donor spam can become a serious issue. If your payment gateway sees a lot of spam activity from your website, it could put your account with them at risk. See Stripe’s documentation on “Adverse effects”, for example.
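As an added illustration (not GiveWP code), the pattern described above can be spotted in a donation export by counting declined or very small attempts per source IP within a short window. The record layout, the IP addresses, the 10-minute window and the threshold of 4 are assumptions constructed for this example; the $5 cutoff follows the amounts bots tend to test with.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real data): time, source IP, amount in USD, gateway status.
SAMPLE = [
    ("2024-05-01T10:00:05", "203.0.113.7", 1.00, "declined"),
    ("2024-05-01T10:00:40", "203.0.113.7", 1.00, "declined"),
    ("2024-05-01T10:01:10", "203.0.113.7", 2.00, "declined"),
    ("2024-05-01T10:01:45", "203.0.113.7", 1.00, "succeeded"),
    ("2024-05-01T10:02:20", "203.0.113.7", 5.00, "declined"),
    ("2024-05-01T10:03:00", "198.51.100.4", 50.00, "succeeded"),
    ("2024-05-01T11:15:00", "198.51.100.4", 25.00, "declined"),
    ("2024-05-01T12:00:00", "192.0.2.9", 3.00, "succeeded"),
    ("2024-05-01T18:30:00", "192.0.2.9", 3.00, "succeeded"),
]

def is_suspect(amount, status, small_amount=5.00):
    """An attempt looks like card testing if it was declined or is very small."""
    return status == "declined" or amount <= small_amount

def find_card_testing(records, window=timedelta(minutes=10), threshold=4,
                      small_amount=5.00):
    """Return {ip: peak number of suspect attempts inside any `window`}
    for every IP whose peak reaches `threshold`."""
    recent = defaultdict(deque)  # ip -> timestamps of suspect attempts still in the window
    peak = defaultdict(int)
    for ts, ip, amount, status in sorted(records):  # ISO timestamps sort chronologically
        if not is_suspect(amount, status, small_amount):
            continue
        now = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append(now)
        while now - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in find_card_testing(SAMPLE).items():
        print(f"{ip}: {n} suspect attempts within 10 minutes")
```

A single declined card or an occasional small gift stays below the threshold; only a burst from one source is reported.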
Why do Some People Spam Donation Forms?
The reason many fraudsters target donations (as opposed to other e-commerce solutions) is that there’s no cart to deal with as an additional hurdle.
With donations, there’s essentially a Credit card/Payment form on the site and so the bot/script that the fraudster creates is much simpler.
What You Can Do to Prevent Donor Spam in GiveWP
GiveWP’s Akismet Integration
GiveWP works out of the box to integrate with Akismet, the popular SPAM filter for WordPress.
Install or activate the free Akismet plugin. Then navigate to “Donations > Settings > Advanced” and ensure that the Akismet SPAM protection is enabled. Don’t forget to save the settings at the bottom of the page.
Set a higher minimum donation amount
Sometimes, simply increasing the minimum donation amount goes a long way toward preventing these types of attacks. Bots tend to test forms with $1 or up to $5 amounts. If your form only accepts donations of $10 or higher, you can block these simple bots.
The Zero Spam plugin
The Zero Spam Plugin claims to work with GiveWP, and it’s always a great idea to handle spam with a solution that’s different from the Donations Plugin itself. This also gives you another support team (who are experts in spam, specifically) to go to for help!
Implementing a reCAPTCHA
If at all possible, avoid the reCAPTCHA option because it slows down the donation experience and looks unsightly. It can sometimes harm your donations more than it benefits them. But sometimes it’s really your last line of defense.
This snippet allows for adding a reCAPTCHA to your forms:
GiveWP Snippet Library: reCAPTCHA
Make sure to note the instructions at the top of the Snippet for making it work on your specific site. This snippet is not simply a copy-paste snippet.
Refer to this guide for adding custom PHP for help adding this snippet to your site. Note that you don’t need the opening <?php tag if you are using the Custom PHP inserter.
Use Cloudflare or Sucuri
Sometimes, the best defense for donor spam is to take the fight one level higher than your web server. Cloudflare and Sucuri both do that, in different ways.
These are third-party services that help both speed up your website and provide protection against bot attacks and donor spam.
Some sites get added to bot lists, and there’s nothing you can do to stop the bots from continually attacking your site except use a strong, dedicated firewall/security service like these two.