Merchant Guide

NoMoreSpam: Magento 2 Spam Protection for Forms

Stop bots from flooding your Magento 2 contact forms, product reviews, and newsletter signups - no captcha, no code changes, zero configuration.

Overview

NoMoreSpam protects your Magento 2 store's frontend forms from automated bot submissions. It works silently in the background - injecting hidden honeypot fields, recording timestamps to catch submissions that arrive too fast for a human, and checking content for spam link patterns. No captcha, no extra friction for real customers.

This module helps you:

  • Block bot traffic on contact forms, product review forms, newsletter signups, user registration, login, and forgotten-password forms
  • Catch submissions that arrive too quickly to have been typed by a human
  • Detect spam links in contact name and message fields, and in review title and body
  • Flag product reviews submitted without a star rating
  • Keep a detailed spam detection log when you need to diagnose an issue

When to use spam protection for your Magento 2 forms

Use NoMoreSpam when you want to:

  • Stop automated bots from submitting your contact form and generating support inbox noise
  • Reduce fake product reviews or reviews stuffed with links to external sites
  • Prevent bot accounts from signing up via the customer registration form
  • Block bot newsletter signups that inflate your subscriber count without real intent
  • Add a lightweight spam layer without asking customers to solve a captcha

Key capabilities

  • Honeypot field injection - Adds invisible hidden fields to forms; bots that fill all fields are rejected, humans never see them
  • Speed detection - Blocks submissions that arrive before a human could have typed them (under 3 seconds for most forms, under 0.2 seconds for login)
  • Cryptographic hash validation - Each form load generates a SHA-256 hash pair; submissions missing or mismatching it are dropped
  • Human interaction gate - The submit button stays disabled until mouse movement, touch, or keyboard input is detected
  • Content link checks - Flags form submissions containing URLs or link patterns in the name, message, or review fields
  • Review rating check - Marks reviews as spam when star ratings are absent and the check is enabled
  • Per-form section toggles - Protect only the forms you care about; leave others unguarded
  • Optional spam log - Records blocked submissions with IP, user agent, and form type to var/log/moogento_nomorespam.log

Installation

NoMoreSpam installs via Composer, then activates with a license key from your Moogento.com account. The whole flow takes about 5 minutes.

Step 1: Get your Composer keys from Moogento.com

  1. Sign in at https://www.moogento.com and open My Plugins in your account menu.
  2. Find NoMoreSpam in the list of plugins you own.
  3. Generate (or reveal) the Composer access keys for that plugin - a public key and a private key.
  4. Add your install domain to the key. Each Composer key is tied to a specific domain - if you're installing on yourstore.com, add yourstore.com to the key's allowed domains. The Composer download will be rejected on any other domain.

If you run staging and production on different domains, add both - separate keys per environment are fine too.

Step 2: Install the module with Composer

From your Magento 2 root directory:

composer require moogento/module-nomorespam

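When Composer asks for credentials, paste the public key as the username and the private key as the password. They'll be cached in ~/.composer/auth.json for future runs. That file holds the keys in plain text, so keep it readable only by the deploy user and out of version control.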

Step 3: Enable the module in Magento

php bin/magento setup:upgrade
php bin/magento setup:di:compile
php bin/magento cache:clean

If you run php bin/magento module:status Moogento_Nomorespam you should see it listed as enabled.

Step 4: Add your license key in the Moogento admin

  1. Still on https://www.moogento.com > My Plugins, copy the license key for NoMoreSpam (separate from the Composer keys you used above).
  2. In your Magento admin, go to Stores > Configuration > Moogento > Licenses.
  3. Find the row for NoMoreSpam and paste the license key.
  4. Click Save Config, then run php bin/magento cache:clean once.

The license validates within a few seconds. You should see the module's status flip to active. If it stays inactive, double-check the domain on the license matches where you've installed - domain mismatch is the most common cause.


Setup overview

Most setup happens in:

Stores > Configuration > Moogento > NoMoreSpam

You'll mainly work with:

  • General - enable/disable the module and turn logging on or off
  • Protect: Specific Sections - choose which forms to guard
  • Risk: Scoring - choose which signals count toward spam detection

Common setups

Protect your contact form and product reviews

The most common starting point - cover the two forms bots target most often.

How to set it up

  1. Go to: Stores > Configuration > Moogento > NoMoreSpam > Protect: Specific Sections

  2. Set:

    • Contact form = On
    • Product reviews = On
  3. Go to: Stores > Configuration > Moogento > NoMoreSpam > Risk: Scoring

  4. Set:

    • Contact form: Links in name? = On
    • Contact form: Links in message? = On
    • Product review: Links in title? = On
    • Product review: Links in review? = On
    • Forms submitted too fast? = On
  5. Save Config, then run php bin/magento cache:clean.

Notes

  • If real customers legitimately include URLs in their messages (e.g. a support request referencing a product page), turn off Contact form: Links in message? to avoid false rejections.
  • The speed check uses a 3-second threshold for most forms. The login form has its own, lower threshold of 0.2 seconds, so password managers that auto-fill and submit the login form in under 3 seconds still pass.

Enable spam logging to diagnose blocked submissions

Turn on the log when you need to see exactly what NoMoreSpam is blocking before adjusting your settings.

How to set it up

  1. Go to: Stores > Configuration > Moogento > NoMoreSpam > General

  2. Set:

    • Enable logging = Yes
  3. Save Config.

  4. Inspect the log:

    tail -f var/log/moogento_nomorespam.log
    

Each log entry records the form type, IP address, user agent, request URI, and referer so you can tell whether a real customer was blocked or a bot was caught correctly.

Notes

  • Leave logging off in production once your settings are tuned - it adds a small write to disk for every blocked request.
  • The Enable logging field is only shown when the module is enabled.

Protect newsletter and account forms

Add protection to newsletter subscriptions, user registration, login, and forgotten-password forms.

How to set it up

  1. Go to: Stores > Configuration > Moogento > NoMoreSpam > Protect: Specific Sections

  2. Set:

    • Newsletter = On
    • Frontend: User registration = On
    • Frontend: Login = On
    • Frontend: Forgotten password = On
  3. Save Config.

Notes

  • The Admin: Login and Admin: Forgotten password toggles require NoMoreSpam Pro - they are shown in the config panel but marked as Pro-only.
  • All four frontend forms use the same honeypot + speed detection approach as the contact form.

Features reference

General

Switches the entire module on or off. When disabled, no hidden fields are injected into any form and no spam checks run - all form submissions pass through normally.

  • When to use it: Disable temporarily if you suspect false positives are blocking real customers, while you investigate.
  • Config path: moogento_nomorespam/general/enable

Protect: Specific Sections

Individual on/off toggles for each protected form. Each toggle controls whether hidden fields are injected into that form and whether its submissions are checked.

  • Contact form (moogento_nomorespam/protect_sections/contact_form) - The standard Magento contact page.
  • Product reviews (moogento_nomorespam/protect_sections/product_reviews) - The review submission form on product pages.
  • Newsletter (moogento_nomorespam/protect_sections/newsletter) - The newsletter subscription form.
  • Frontend: User registration (moogento_nomorespam/protect_sections/sign_up) - The customer account creation form.
  • Frontend: Login (moogento_nomorespam/protect_sections/login) - The customer login form.
  • Frontend: Forgotten password (moogento_nomorespam/protect_sections/forgotten_password) - The password reset request form.
  • Admin: Login and Admin: Forgotten password - Displayed but require NoMoreSpam Pro.

Turn on only the forms you need. Unnecessary protection adds a tiny overhead to every page load.


Protect: Custom Forms

The Custom Forms section is a Pro feature. On the free version this panel shows an upgrade prompt and is not configurable. Upgrade to NoMoreSpam Pro to protect third-party or custom-built forms beyond the standard Magento set.


Risk: Scoring

Six toggles that control which signals are used in spam detection. Each counts independently - any one failing signal is enough to block a submission.

| Signal | Config path | What it catches |
| --- | --- | --- |
| Contact form: Links in name? | moogento_nomorespam/behaviours/contact_enable_link_title | URLs/link syntax in the sender name field |
| Contact form: Links in message? | moogento_nomorespam/behaviours/contact_enable_link_content | URLs/link syntax in the message body |
| Product review: Links in title? | moogento_nomorespam/behaviours/review_enable_link_title | URLs/link syntax in the review headline |
| Product review: Links in review? | moogento_nomorespam/behaviours/review_enable_link_content | URLs/link syntax in the review body |
| Product review: Ratings not set? | moogento_nomorespam/behaviours/review_enable_rating | Reviews submitted without a star rating |
| Forms submitted too fast? | moogento_nomorespam/behaviours/check_too_fast | Submissions arriving under the timing threshold |

Spam link patterns checked: a href, [url, http, ://, [link, www.
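
A minimal model of the Risk: Scoring signals above and the thresholds listed under Key capabilities, added here as an illustration; it is not Moogento's code. The field keys, the Signals attribute names and the case-insensitive substring matching are assumptions, and the SHA-256 hash check is left out because this page does not describe how it is computed.

```python
# Added illustration of the checks this guide describes; not Moogento's code.
from dataclasses import dataclass

# Patterns and thresholds as listed on this page.
LINK_PATTERNS = ("a href", "[url", "http", "://", "[link", "www.")
LOGIN_MIN_SECONDS = 0.2
DEFAULT_MIN_SECONDS = 3.0

@dataclass
class Signals:
    """Mirrors the six Risk: Scoring toggles (attribute names are hypothetical)."""
    contact_link_name: bool = True
    contact_link_message: bool = True
    review_link_title: bool = True
    review_link_body: bool = True
    review_rating: bool = True
    too_fast: bool = True

def has_link(text):
    # Assumption: case-insensitive substring match against each pattern.
    lowered = (text or "").lower()
    return any(pattern in lowered for pattern in LINK_PATTERNS)

def failed_checks(form, post, loaded_at, submitted_at, signals=None):
    """Return the names of failed checks; any entry is enough to block."""
    signals = signals or Signals()
    failed = []
    # "honeypot" stands in for the generated field name; it must stay empty.
    if post.get("honeypot"):
        failed.append("honeypot")
    limit = LOGIN_MIN_SECONDS if form == "login" else DEFAULT_MIN_SECONDS
    if signals.too_fast and submitted_at - loaded_at < limit:
        failed.append("too_fast")
    link_fields = {
        "contact": [("name", signals.contact_link_name),
                    ("message", signals.contact_link_message)],
        "review": [("title", signals.review_link_title),
                   ("body", signals.review_link_body)],
    }.get(form, [])
    for field, enabled in link_fields:
        if enabled and has_link(post.get(field)):
            failed.append("link_in_" + field)
    if form == "review" and signals.review_rating and not post.get("rating"):
        failed.append("rating_missing")
    return failed

# Constructed sample submissions, not real traffic.
BOT = {"name": "Best SEO", "message": "visit www.example.test", "honeypot": "x"}
CUSTOMER = {"name": "Ana", "honeypot": "",
            "message": "Order page: https://yourstore.com/o/1"}

if __name__ == "__main__":
    # Bot: fills the honeypot, submits after 0.4 s, includes a link.
    print(failed_checks("contact", BOT, 100.0, 100.4))
    # Customer pasting a URL after 42 s: only the message link signal fires.
    print(failed_checks("contact", CUSTOMER, 100.0, 142.0))
    # Same submission with "Links in message?" switched off.
    print(failed_checks("contact", CUSTOMER, 100.0, 142.0,
                        Signals(contact_link_message=False)))
    # Password-manager login 0.5 s after load clears the 0.2 s threshold.
    print(failed_checks("login", {"honeypot": ""}, 100.0, 100.5))
```

Under this model's substring matching, a message that only mentions "http" in passing is flagged as well, which is the kind of false positive the Links in message? toggle exists to relieve.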


Advanced configuration

Hidden field rotation (automatic)

NoMoreSpam auto-generates the names for its hidden fields on first use and stores them in core_config_data under moogento_nomorespam/secret/. You never need to set these manually. The paths are:

  • moogento_nomorespam/secret/field_1 - SHA-256 hash field name
  • moogento_nomorespam/secret/field_2 - Honeypot field name (must stay empty on submit)
  • moogento_nomorespam/secret/nms_id - Protection container div ID
  • moogento_nomorespam/secret/nms_toofast - Timestamp field name
  • moogento_nomorespam/secret/nms_form_action - Original form action storage

Notes

  • If you ever need to force regeneration (e.g. after a suspected key leak), delete the moogento_nomorespam/secret/* rows from core_config_data and run php bin/magento cache:clean config. New keys are generated on next page load.
  • Do not manually set values in these paths - the generator always produces cryptographically secure tokens.

NoMoreSpam Pro co-existence

When NoMoreSpam Pro is installed alongside the free version, the free module defers entirely to Pro. The Enable field in General config displays a notice ("NoMoreSpam Pro is installed - this non-Pro version has been disabled") and the free module's spam checks return false for every submission. There is no double-processing.

To revert to the free version, uninstall Pro (composer remove moogento/module-nomorespampro) and clear cache.


Tips & best practices

  • Start with the contact form and product reviews enabled, plus all scoring signals on. Monitor the spam log for a week before expanding to login and registration.
  • Turn off Contact form: Links in message? if your customers regularly include support URLs or order tracking links in messages - it's the most common source of false positives.
  • Enable Product review: Ratings not set? only if your review form marks the star rating as required - otherwise genuine no-rating reviews will be blocked.
  • Keep logging off in production; enable it only for diagnostics and then switch it back off. Each blocked request writes to disk.
  • If you need to protect admin login or custom forms, upgrade to NoMoreSpam Pro - it adds admin panel protection, custom form selectors, IP allowlisting, and more.
  • After any config change, run php bin/magento cache:clean to ensure the updated settings are read.

Troubleshooting

Hidden fields not appearing in forms

Customers submit spam despite having NoMoreSpam enabled.

  • Cause: The module is enabled in config but the hidden fields never reached the page HTML, so the spam check always fails open.
  • Check: View the source of your contact or review page and search for the hidden field container div. If it's absent, check whether NoMoreSpam Pro is also installed - Pro suppresses free-version field injection.
  • Resolution: Confirm moogento_nomorespam/general/enable = 1 in Stores > Configuration > Moogento > NoMoreSpam > General. If Pro is installed and you want the free version to run instead, disable or uninstall Pro and clear cache.

Real customers are being blocked on the contact form

Legitimate contact form submissions are rejected with a generic error.

  • Cause: A scoring signal is too aggressive for your customers - most often Links in message? when customers paste URLs, or Forms submitted too fast? when the page pre-populates fields.
  • Check: Enable logging (moogento_nomorespam/general/enable_log = Yes) and inspect var/log/moogento_nomorespam.log to see which check is triggering.
  • Resolution: In Stores > Configuration > Moogento > NoMoreSpam > Risk: Scoring, switch off the offending signal. If the speed check is the cause, note that the threshold is 3 seconds and cannot be adjusted in the free version - NoMoreSpam Pro exposes a configurable threshold.

Spam is getting through despite protection being on

Bot submissions are still reaching your inbox or review queue.

  • Cause: The bot is slow enough to pass the speed check, is not including link patterns, and fills all fields including the honeypot - or it targets a form that isn't in the protected set.
  • Check: Enable logging and inspect var/log/moogento_nomorespam.log to confirm which form type is leaking through. Also inspect the page source to verify hidden fields are present on that form.
  • Resolution: Enable every available scoring signal in Risk: Scoring. For persistent evasion or to protect admin forms and custom forms, upgrade to NoMoreSpam Pro, which adds IP blocking, custom selector support, and more detection layers.

Config cache holds stale secret keys

Hidden fields appear in the HTML but validation always fails.

  • Cause: The secret key values in core_config_data and the fields rendered on the page are out of sync after a cache flush or manual edit.
  • Check: Look for JS console errors on the form page - a JavaScript load failure would prevent field injection entirely. Also check that the moogento_nomorespam/secret/ rows exist in core_config_data.
  • Resolution: Run php bin/magento cache:clean config. On the next page load, the helper reads the stored keys and regenerates them if missing. If the problem persists, delete the moogento_nomorespam/secret/* rows from core_config_data to force a full key regeneration.

FAQs

How do I stop bots from spamming my Magento contact form?

Install NoMoreSpam, go to Stores > Configuration > Moogento > NoMoreSpam > Protect: Specific Sections, and turn on Contact form. Then enable the scoring signals in Risk: Scoring - especially Links in message? and Forms submitted too fast? - and save. The module injects hidden honeypot and timestamp fields automatically; no code changes are needed.

Why are real customers getting blocked when they submit the contact form?

The most common cause is the Links in message? signal blocking customers who paste URLs into their message, or the speed check triggering when a browser auto-fills the form faster than 3 seconds. Enable logging under Stores > Configuration > Moogento > NoMoreSpam > General to see exactly which check is firing, then switch off that signal in Risk: Scoring.

Does NoMoreSpam work with Hyvä, Luma, and Porto themes?

NoMoreSpam's hidden field injection targets standard Magento form CSS selectors (form.form.contact, form.review-form, etc.) that are present in Luma and Porto. Hyvä themes use different markup and may require NoMoreSpam Pro, which supports custom form selectors, to match the correct form elements.

What happens if I install NoMoreSpam Pro alongside the free version?

When NoMoreSpam Pro is active, the free version disables itself completely - it shows a notice in the General config panel and skips all spam checks. There is no double-processing. If you want to revert to the free module, uninstall Pro and clear cache.

How do I protect my admin login page from bots?

Admin login protection is a Pro feature. In the free version, the Admin: Login and Admin: Forgotten password toggles are visible in Protect: Specific Sections but marked as requiring an upgrade. See NoMoreSpam Pro for details.

Can I protect custom or third-party forms with NoMoreSpam?

The free version only protects the standard Magento forms (contact, reviews, newsletter, registration, login, forgotten password). The Protect: Custom Forms section is shown in config but is a Pro-only feature. Upgrade to NoMoreSpam Pro to add protection to any form on your store by specifying its CSS selector.

What does "Forms submitted too fast?" actually check?

It compares the timestamp embedded in the form when it loaded against the submission time. If the gap is under 3 seconds for most forms (or under 0.2 seconds for the login form), the submission is treated as a bot. Real users typing a message always take longer; fast password-manager logins are allowed because the login threshold is set much lower.

How do I see what NoMoreSpam is blocking?

Go to Stores > Configuration > Moogento > NoMoreSpam > General and set Enable logging to Yes, then save. Open var/log/moogento_nomorespam.log on your server - each blocked request is logged with the form type, IP address, user agent, and request details. Turn logging off again once you've finished diagnosing.

What is a honeypot field?

A honeypot is a hidden form field that is invisible to real users but visible to bots that parse HTML. Bots fill in every field they find; if the honeypot field contains any value on submission, NoMoreSpam rejects the request. Real users never see or fill the field, so there is no impact on the customer experience.

How much does NoMoreSpam cost?

The free version of NoMoreSpam is included with Moogento. For Pro features - admin login protection, custom form selectors, IP allowlisting - visit https://www.moogento.com and check the NoMoreSpam Pro listing under My Plugins.


  • NoMoreSpam Pro - Advanced spam protection with custom form support, admin login protection, IP allowlisting, and configurable thresholds

Need help?

  • moo@moogento.com
  • Include:
    • Magento version
    • Module name
    • What you're trying to do
