Title: Plugin allows spamming bots Last modified: August 30, 2016 --- # Plugin allows spamming bots * Resolved [Joe B](https://wordpress.org/support/users/joelogic/) * (@joelogic) * [10 years, 11 months ago](https://wordpress.org/support/topic/plugin-allows-spamming-bots/) * This plugin allows spam bots, tried to contact the plugin creators, (twice), but no answer. I have switched to a different plugin which works well and is mobile friendly. * [https://wordpress.org/plugins/visualcaptcha/](https://wordpress.org/plugins/visualcaptcha/) Viewing 4 replies - 1 through 4 (of 4 total) * [bjoerne](https://wordpress.org/support/users/bjoerne/) * (@bjoerne) * [10 years, 11 months ago](https://wordpress.org/support/topic/plugin-allows-spamming-bots/#post-6240921) * I noticed the same. What I found out is that if a user or bot has not requested the full WordPress page before, a comment can be posted without any barrier. This is caused by the condition * ``` if ( $frontendData ) { ... } ``` * in the validation logic in file visualcaptcha.php, line 52. $frontendData is taken from the user session and is null if the page hasn’t been requested before and therefore no validation is performed. * My question: Why can’t the plugin ‘die’ in the else clause? I guess this would solve the bot problem. * Plugin Author [BrunoBernardino](https://wordpress.org/support/users/brunobernardino/) * (@brunobernardino) * [10 years, 10 months ago](https://wordpress.org/support/topic/plugin-allows-spamming-bots/#post-6240934) * I’m sorry you missed our replies, joelogic. * In any case, if we die without the frontendData, forms that don’t support visualCaptcha won’t be able to submit. * This is a limitation within WordPress, but we’re open to solutions. * Thread Starter [Joe B](https://wordpress.org/support/users/joelogic/) * (@joelogic) * [10 years, 10 months ago](https://wordpress.org/support/topic/plugin-allows-spamming-bots/#post-6240937) * Hello * Thanks very much for both of your replies, it seems to be a bit of a catch 22( or is that captcha 22?), I have used a different captcha for the moment anyway, it is a shame that it had this issue. Also, I have blocked all the IPs of the spambots via htaccess which has permanently stopped it. * Also the bots were accessing the post-new.php file directly (which is in the wp-admin folder), and they were able to post as any of the active admins, must be another loophole somewhere in my old version of WordPress (3.5.1), which I can’t update due to plugin issues. I will be rebuilding the site in a while…. * [bjoerne](https://wordpress.org/support/users/bjoerne/) * (@bjoerne) * [10 years, 10 months ago](https://wordpress.org/support/topic/plugin-allows-spamming-bots/#post-6240938) * I switched to [Google Captcha (reCAPTCHA) by BestWebSoft](https://wordpress.org/plugins/google-captcha/) which don’t allow spam bots to comments without captcha data. I also tried [Cookies for Comments](https://wordpress.org/plugins/cookies-for-comments/) which works fine with **visualCaptcha**. I only stopped using visualCaptcha because of the missing ability to show localized instructions, but that’s out of scope here. Viewing 4 replies - 1 through 4 (of 4 total) The topic ‘Plugin allows spamming bots’ is closed to new replies. * ![](https://s.w.org/plugins/geopattern-icon/visualcaptcha.svg) * [visualCaptcha](https://wordpress.org/plugins/visualcaptcha/) * [Support Threads](https://wordpress.org/support/plugin/visualcaptcha/) * [Active Topics](https://wordpress.org/support/plugin/visualcaptcha/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/visualcaptcha/unresolved/) * [Reviews](https://wordpress.org/support/plugin/visualcaptcha/reviews/) * 4 replies * 3 participants * Last reply from: [bjoerne](https://wordpress.org/support/users/bjoerne/) * Last activity: [10 years, 10 months ago](https://wordpress.org/support/topic/plugin-allows-spamming-bots/#post-6240938) * Status: resolved