# NoMoreSpam: Magento 2 Spam Protection for Forms

> Stop bots from flooding your Magento 2 contact forms, product reviews, and newsletter signups - no captcha, no code changes, zero configuration.

---

## Overview

NoMoreSpam protects your Magento 2 store's frontend forms from automated bot submissions. It works silently in the background - injecting hidden honeypot fields, recording timestamps to catch submissions that arrive too fast for a human, and checking content for spam link patterns. No captcha, no extra friction for real customers.

![NoMoreSpam configuration overview](images/overview.png)

This module helps you:

- Block bot traffic on contact forms, product review forms, newsletter signups, user registration, login, and forgotten-password forms
- Catch submissions that arrive too quickly to have been typed by a human
- Detect spam links in contact name and message fields, and in review title and body
- Flag product reviews submitted without a star rating
- Keep a detailed spam detection log when you need to diagnose an issue

---

## When to use spam protection for your Magento 2 forms

Use NoMoreSpam when you want to:

- Stop automated bots from submitting your contact form and generating support inbox noise
- Reduce fake product reviews or reviews stuffed with links to external sites
- Prevent bot accounts from signing up via the customer registration form
- Block bot newsletter signups that inflate your subscriber count without real intent
- Add a lightweight spam layer without asking customers to solve a captcha

---

## Key capabilities

- **Honeypot field injection** - Adds invisible hidden fields to forms; bots that fill all fields are rejected, humans never see them
- **Speed detection** - Blocks submissions that arrive before a human could have typed them (under 3 seconds for most forms, under 0.2 seconds for login)
- **Cryptographic hash validation** - Each form load generates a SHA-256 hash pair; submissions missing or mismatching it are dropped
- **Human interaction gate** - The submit button stays disabled until mouse movement, touch, or keyboard input is detected
- **Content link checks** - Flags form submissions containing URLs or link patterns in the name, message, or review fields
- **Review rating check** - Marks reviews as spam when star ratings are absent and the check is enabled
- **Per-form section toggles** - Protect only the forms you care about; leave others unguarded
- **Optional spam log** - Records blocked submissions with IP, user agent, and form type to `var/log/moogento_nomorespam.log`

---

## Installation

NoMoreSpam installs via Composer, then activates with a license key from your Moogento.com account. The whole flow takes about 5 minutes.

### Step 1: Get your Composer keys from Moogento.com

1. Sign in at **https://www.moogento.com** and open **My Plugins** in your account menu.
2. Find **NoMoreSpam** in the list of plugins you own.
3. Generate (or reveal) the Composer access keys for that plugin - a **public key** and a **private key**.
4. **Add your install domain to the key.** Each Composer key is tied to a specific domain - if you're installing on `yourstore.com`, add `yourstore.com` to the key's allowed domains. The Composer download will be rejected on any other domain.

If you run staging and production on different domains, add both - separate keys per environment are fine too.

### Step 2: Install the module with Composer

From your Magento 2 root directory:

```
composer require moogento/module-nomorespam
```

When Composer asks for credentials, paste the **public key** as the username and the **private key** as the password. They'll be cached in `~/.composer/auth.json` for future runs.

### Step 3: Enable the module in Magento

```
php bin/magento setup:upgrade
php bin/magento setup:di:compile
php bin/magento cache:clean
```

If you run `php bin/magento module:status Moogento_Nomorespam` you should see it listed as enabled.

### Step 4: Add your license key in the Moogento admin

1. Still on **https://www.moogento.com > My Plugins**, copy the **license key** for NoMoreSpam (separate from the Composer keys you used above).
2. In your Magento admin, go to **Stores > Configuration > Moogento > Licenses**.
3. Find the row for **NoMoreSpam** and paste the license key.
4. Click **Save Config**, then run `php bin/magento cache:clean` once.

The license validates within a few seconds. You should see the module's status flip to active. If it stays inactive, double-check the domain on the license matches where you've installed - domain mismatch is the most common cause.

---

## Setup overview

Most setup happens in:

Stores > Configuration > Moogento > NoMoreSpam

You'll mainly work with:

- **General** - enable/disable the module and turn logging on or off
- **Protect: Specific Sections** - choose which forms to guard
- **Risk: Scoring** - choose which signals count toward spam detection

---

## Common setups

### Protect your contact form and product reviews

The most common starting point - cover the two forms bots target most often.

#### How to set it up

1. Go to:
   Stores > Configuration > Moogento > NoMoreSpam > Protect: Specific Sections

   ![Protect Specific Sections config](images/config-protect_sections.png)

2. Set:
   - **Contact form** = On
   - **Product reviews** = On

3. Go to:
   Stores > Configuration > Moogento > NoMoreSpam > Risk: Scoring

   ![Risk Scoring config](images/config-behaviours.png)

4. Set:
   - **Contact form: Links in name?** = On
   - **Contact form: Links in message?** = On
   - **Product review: Links in title?** = On
   - **Product review: Links in review?** = On
   - **Forms submitted too fast?** = On

5. Save Config, then run `php bin/magento cache:clean`.

#### Notes

- If real customers legitimately include URLs in their messages (e.g. a support request referencing a product page), turn off **Contact form: Links in message?** to avoid false rejections.
- The speed check uses a 3-second threshold for most forms. Password managers that auto-fill and submit login forms faster than that threshold are handled separately - the login speed threshold is 0.2 seconds, so password manager submissions pass.

---

### Enable spam logging to diagnose blocked submissions

Turn on the log when you need to see exactly what NoMoreSpam is blocking before adjusting your settings.

#### How to set it up

1. Go to:
   Stores > Configuration > Moogento > NoMoreSpam > General

   ![General config](images/config-general.png)

2. Set:
   - **Enable logging** = Yes

3. Save Config.

4. Inspect the log:
   ```
   tail -f var/log/moogento_nomorespam.log
   ```

Each log entry records the form type, IP address, user agent, request URI, and referer so you can tell whether a real customer was blocked or a bot was caught correctly.

#### Notes

- Leave logging off in production once your settings are tuned - it adds a small write to disk for every blocked request.
- The **Enable logging** field is only shown when the module is enabled.

---

### Protect newsletter and account forms

Add protection to newsletter subscriptions, user registration, login, and forgotten-password forms.

#### How to set it up

1. Go to:
   Stores > Configuration > Moogento > NoMoreSpam > Protect: Specific Sections

2. Set:
   - **Newsletter** = On
   - **Frontend: User registration** = On
   - **Frontend: Login** = On
   - **Frontend: Forgotten password** = On

3. Save Config.

#### Notes

- The **Admin: Login** and **Admin: Forgotten password** toggles require NoMoreSpam Pro - they are shown in the config panel but marked as Pro-only.
- All four frontend forms use the same honeypot + speed detection approach as the contact form.

---

## Features reference

### General

Switches the entire module on or off. When disabled, no hidden fields are injected into any form and no spam checks run - all form submissions pass through normally.

- **When to use it**: Disable temporarily if you suspect false positives are blocking real customers, while you investigate.
- Config path: `moogento_nomorespam/general/enable`

---

### Protect: Specific Sections

Individual on/off toggles for each protected form. Each toggle controls whether hidden fields are injected into that form and whether its submissions are checked.

- **Contact form** (`moogento_nomorespam/protect_sections/contact_form`) - The standard Magento contact page.
- **Product reviews** (`moogento_nomorespam/protect_sections/product_reviews`) - The review submission form on product pages.
- **Newsletter** (`moogento_nomorespam/protect_sections/newsletter`) - The newsletter subscription form.
- **Frontend: User registration** (`moogento_nomorespam/protect_sections/sign_up`) - The customer account creation form.
- **Frontend: Login** (`moogento_nomorespam/protect_sections/login`) - The customer login form.
- **Frontend: Forgotten password** (`moogento_nomorespam/protect_sections/forgotten_password`) - The password reset request form.
- **Admin: Login** and **Admin: Forgotten password** - Displayed but require NoMoreSpam Pro.

Turn on only the forms you need. Unnecessary protection adds a tiny overhead to every page load.

---

### Protect: Custom Forms

The Custom Forms section is a Pro feature. On the free version this panel shows an upgrade prompt and is not configurable. Upgrade to [NoMoreSpam Pro](../nomorespampro) to protect third-party or custom-built forms beyond the standard Magento set.

---

### Risk: Scoring

Six toggles that control which signals are used in spam detection. Each counts independently - any one failing signal is enough to block a submission.

| Signal | Config path | What it catches |
|---|---|---|
| Contact form: Links in name? | `moogento_nomorespam/behaviours/contact_enable_link_title` | URLs/link syntax in the sender name field |
| Contact form: Links in message? | `moogento_nomorespam/behaviours/contact_enable_link_content` | URLs/link syntax in the message body |
| Product review: Links in title? | `moogento_nomorespam/behaviours/review_enable_link_title` | URLs/link syntax in the review headline |
| Product review: Links in review? | `moogento_nomorespam/behaviours/review_enable_link_content` | URLs/link syntax in the review body |
| Product review: Ratings not set? | `moogento_nomorespam/behaviours/review_enable_rating` | Reviews submitted without a star rating |
| Forms submitted too fast? | `moogento_nomorespam/behaviours/check_too_fast` | Submissions arriving under the timing threshold |

Spam link patterns checked: `a href`, `[url`, `http`, `://`, `[link`, `www.`
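The decision rule described in this section, modelled as an added example (it is not NoMoreSpam's code and is not taken from the module). The signal keys, link patterns and thresholds come from this page; the posted field names, case-insensitive matching and an always-on honeypot check are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Link patterns and timing thresholds as stated on this page.
LINK_PATTERNS = ("a href", "[url", "http", "://", "[link", "www.")
MIN_SECONDS = {"login": 0.2}      # login form only
DEFAULT_MIN_SECONDS = 3.0         # every other form

# Risk: Scoring key -> (form, posted field). Field names are assumptions.
LINK_SIGNALS = {
    "contact_enable_link_title": ("contact", "name"),
    "contact_enable_link_content": ("contact", "message"),
    "review_enable_link_title": ("review", "title"),
    "review_enable_link_content": ("review", "review"),
}
ALL_SIGNALS = frozenset(LINK_SIGNALS) | {"review_enable_rating", "check_too_fast"}


@dataclass
class Submission:
    form: str
    loaded_at: float                  # timestamp recorded when the form was served
    submitted_at: float
    fields: dict = field(default_factory=dict)
    honeypot: str = ""                # hidden field; must stay empty
    rating: Optional[int] = None      # star rating (reviews only)


def has_link(text: str) -> bool:
    lowered = text.lower()            # assumption: matching ignores case
    return any(pattern in lowered for pattern in LINK_PATTERNS)


def failed_signals(sub: Submission, enabled=ALL_SIGNALS) -> list:
    """Return every failing signal; a single one is enough to block."""
    reasons = []
    if sub.honeypot:                  # assumption: not one of the six toggles
        reasons.append("honeypot_filled")
    limit = MIN_SECONDS.get(sub.form, DEFAULT_MIN_SECONDS)
    # A negative gap (load timestamp in the future) also counts as too fast.
    if "check_too_fast" in enabled and sub.submitted_at - sub.loaded_at < limit:
        reasons.append("check_too_fast")
    for key, (form, name) in LINK_SIGNALS.items():
        if key in enabled and sub.form == form and has_link(sub.fields.get(name, "")):
            reasons.append(key)
    if "review_enable_rating" in enabled and sub.form == "review" and sub.rating is None:
        reasons.append("review_enable_rating")
    return reasons


# Constructed samples (not real traffic).
BOT = Submission("contact", 100.0, 100.4,
                 {"name": "Best SEO", "message": "visit www.example.test"}, honeypot="x")
CUSTOMER = Submission("contact", 100.0, 145.0,
                      {"name": "Ana", "message": "Is https://yourstore.com/sku-1 in stock?"})
PASSWORD_MANAGER = Submission("login", 100.0, 100.5)
UNRATED_REVIEW = Submission("review", 100.0, 130.0, {"title": "Great", "review": "Fits well"})
```

The `CUSTOMER` sample is blocked only by `contact_enable_link_content`, which is the false positive the notes on **Contact form: Links in message?** warn about; passing `enabled=ALL_SIGNALS - {"contact_enable_link_content"}` lets it through.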

---

## Advanced configuration

### Hidden field rotation (automatic)

NoMoreSpam auto-generates the names for its hidden fields on first use and stores them in `core_config_data` under `moogento_nomorespam/secret/`. You never need to set these manually. The paths are:

- `moogento_nomorespam/secret/field_1` - SHA-256 hash field name
- `moogento_nomorespam/secret/field_2` - Honeypot field name (must stay empty on submit)
- `moogento_nomorespam/secret/nms_id` - Protection container div ID
- `moogento_nomorespam/secret/nms_toofast` - Timestamp field name
- `moogento_nomorespam/secret/nms_form_action` - Original form action storage

#### Notes

- If you ever need to force regeneration (e.g. after a suspected key leak), delete the `moogento_nomorespam/secret/*` rows from `core_config_data` and run `php bin/magento cache:clean config`. New keys are generated on next page load.
- Do not manually set values in these paths - the generator always produces cryptographically secure tokens.

---

### NoMoreSpam Pro co-existence

When NoMoreSpam Pro is installed alongside the free version, the free module defers entirely to Pro. The **Enable** field in General config displays a notice ("NoMoreSpam Pro is installed - this non-Pro version has been disabled") and the free module's spam checks return `false` for every submission. There is no double-processing.

To revert to the free version, uninstall Pro (`composer remove moogento/module-nomorespampro`) and clear cache.

---

## Tips & best practices

- Start with the contact form and product reviews enabled, plus all scoring signals on. Monitor the spam log for a week before expanding to login and registration.
- Turn off **Contact form: Links in message?** if your customers regularly include support URLs or order tracking links in messages - it's the most common source of false positives.
- Enable **Product review: Ratings not set?** only if your review form marks the star rating as required - otherwise genuine no-rating reviews will be blocked.
- Keep logging off in production; enable it only for diagnostics and then switch it back off. Each blocked request writes to disk.
- If you need to protect admin login or custom forms, upgrade to [NoMoreSpam Pro](../nomorespampro) - it adds admin panel protection, custom form selectors, IP allowlisting, and more.
- After any config change, run `php bin/magento cache:clean` to ensure the updated settings are read.

---

## Troubleshooting

### Hidden fields not appearing in forms

Spam submissions still arrive even though NoMoreSpam is enabled.

- **Cause:** The module is enabled in config but the hidden fields never reached the page HTML, so the spam check always fails open.
- **Check:** View the source of your contact or review page and search for the hidden field container div. If it's absent, check whether NoMoreSpam Pro is also installed - Pro suppresses free-version field injection.
- **Resolution:** Confirm `moogento_nomorespam/general/enable = 1` in Stores > Configuration > Moogento > NoMoreSpam > General. If Pro is installed and you want the free version to run instead, disable or uninstall Pro and clear cache.

---

### Real customers are being blocked on the contact form

Legitimate contact form submissions are rejected with a generic error.

- **Cause:** A scoring signal is too aggressive for your customers - most often **Links in message?** when customers paste URLs, or **Forms submitted too fast?** when the page pre-populates fields.
- **Check:** Enable logging (`moogento_nomorespam/general/enable_log = Yes`) and inspect `var/log/moogento_nomorespam.log` to see which check is triggering.
- **Resolution:** In Stores > Configuration > Moogento > NoMoreSpam > Risk: Scoring, switch off the offending signal. If the speed check is the cause, note that the threshold is 3 seconds and cannot be adjusted in the free version - NoMoreSpam Pro exposes a configurable threshold.

---

### Spam is getting through despite protection being on

Bot submissions are still reaching your inbox or review queue.

- **Cause:** The bot is slow enough to pass the speed check, does not include link patterns, and leaves the hidden honeypot field empty - or it targets a form that isn't in the protected set.
- **Check:** Enable logging and inspect `var/log/moogento_nomorespam.log` to confirm which form type is leaking through. Also inspect the page source to verify hidden fields are present on that form.
- **Resolution:** Enable every available scoring signal in Risk: Scoring. For persistent evasion or to protect admin forms and custom forms, upgrade to [NoMoreSpam Pro](../nomorespampro), which adds IP blocking, custom selector support, and more detection layers.

---

### Config cache holds stale secret keys

Hidden fields appear in the HTML but validation always fails.

- **Cause:** The secret key values in `core_config_data` and the fields rendered on the page are out of sync after a cache flush or manual edit.
- **Check:** Look for JS console errors on the form page - a JavaScript load failure would prevent field injection entirely. Also check that the `moogento_nomorespam/secret/` rows exist in `core_config_data`.
- **Resolution:** Run `php bin/magento cache:clean config`. On the next page load, the helper reads the stored keys and regenerates them if missing. If the problem persists, delete the `moogento_nomorespam/secret/*` rows from `core_config_data` to force a full key regeneration.

---

## FAQs

<!-- seo: FAQPage schema - the page converter should emit JSON-LD for this section -->

## How do I stop bots from spamming my Magento contact form?

Install NoMoreSpam, go to Stores > Configuration > Moogento > NoMoreSpam > Protect: Specific Sections, and turn on **Contact form**. Then enable the scoring signals in Risk: Scoring - especially **Links in message?** and **Forms submitted too fast?** - and save. The module injects hidden honeypot and timestamp fields automatically; no code changes are needed.

## Why are real customers getting blocked when they submit the contact form?

The most common cause is the **Links in message?** signal blocking customers who paste URLs into their message, or the speed check triggering when a browser auto-fills the form faster than 3 seconds. Enable logging under Stores > Configuration > Moogento > NoMoreSpam > General to see exactly which check is firing, then switch off that signal in Risk: Scoring.

## Does NoMoreSpam work with Hyvä, Luma, and Porto themes?

NoMoreSpam's hidden field injection targets standard Magento form CSS selectors (`form.form.contact`, `form.review-form`, etc.) that are present in Luma and Porto. Hyvä themes use different markup and may require NoMoreSpam Pro, which supports custom form selectors, to match the correct form elements.

## What happens if I install NoMoreSpam Pro alongside the free version?

When NoMoreSpam Pro is active, the free version disables itself completely - it shows a notice in the General config panel and skips all spam checks. There is no double-processing. If you want to revert to the free module, uninstall Pro and clear cache.

## How do I protect my admin login page from bots?

Admin login protection is a Pro feature. In the free version, the **Admin: Login** and **Admin: Forgotten password** toggles are visible in Protect: Specific Sections but marked as requiring an upgrade. See [NoMoreSpam Pro](../nomorespampro) for details.

## Can I protect custom or third-party forms with NoMoreSpam?

The free version only protects the standard Magento forms (contact, reviews, newsletter, registration, login, forgotten password). The **Protect: Custom Forms** section is shown in config but is a Pro-only feature. Upgrade to [NoMoreSpam Pro](../nomorespampro) to add protection to any form on your store by specifying its CSS selector.

## What does "Forms submitted too fast?" actually check?

It compares the timestamp embedded in the form when it loaded against the submission time. If the gap is under 3 seconds for most forms (or under 0.2 seconds for the login form), the submission is treated as a bot. Real users typing a message always take longer; fast password-manager logins are allowed because the login threshold is set much lower.

## How do I see what NoMoreSpam is blocking?

Go to Stores > Configuration > Moogento > NoMoreSpam > General and set **Enable logging** to Yes, then save. Open `var/log/moogento_nomorespam.log` on your server - each blocked request is logged with the form type, IP address, user agent, and request details. Turn logging off again once you've finished diagnosing.

## What is a honeypot field?

A honeypot is a hidden form field that is invisible to real users but visible to bots that parse HTML. Bots fill in every field they find; if the honeypot field contains any value on submission, NoMoreSpam rejects the request. Real users never see or fill the field, so there is no impact on the customer experience.

## How much does NoMoreSpam cost?

The free version of NoMoreSpam is included with Moogento. For Pro features - admin login protection, custom form selectors, IP allowlisting - visit **https://www.moogento.com** and check the NoMoreSpam Pro listing under My Plugins.

---

## Related guides

- [NoMoreSpam Pro](../nomorespampro) - Advanced spam protection with custom form support, admin login protection, IP allowlisting, and configurable thresholds

---

## Need help?

- moo@moogento.com
- Include:
  - Magento version
  - Module name
  - What you're trying to do
