Add Basic spam protection.

Author: iamdharmesh

assets/js/mailchimp.js

@@ -31,6 +31,9 @@
 		// Change our submit type from HTML (default) to JS
 		$('#mc_submit_type').val('js');
 
+		// Remove the no JS field.
+		$('.mailchimp_sf_no_js').remove();
+
 		// Attach our form submitter action
 		$('#mc_signup_form').ajaxForm({
 			url: window.mailchimpSF.ajax_url,

includes/blocks/mailchimp/markup.php

@@ -256,6 +256,9 @@ function ( $single_list ) {
 						</div><!-- /mc-indicates-required -->
 						<?php
 					}
+
+					// Add a honeypot field.
+					mailchimp_sf_honeypot_field();
 					?>
 					<div class="mc_signup_submit">
 						<input type="submit" name="mc_signup_submit" id="mc_signup_submit" value="<?php echo esc_attr( $submit_text ); ?>" class="button" />

includes/class-mailchimp-form-submission.php

@@ -82,6 +82,16 @@ public function request_handler() {
 	 * @return string|WP_Error Success message or error.
 	 */
 	public function handle_form_submission() {
+		$is_valid = $this->validate_form_submission();
+		if ( is_wp_error( $is_valid ) || ! $is_valid ) {
+			if ( is_wp_error( $is_valid ) ) {
+				return $is_valid;
+			}
+
+			// If the form submission is invalid, return an error.
+			return new WP_Error( 'mailchimp-invalid-form', esc_html__( 'Invalid form submission.', 'mailchimp' ) );
+		}
+
 		$list_id         = get_option( 'mc_list_id' );
 		$update_existing = get_option( 'mc_update_existing' );
 		$double_opt_in   = get_option( 'mc_double_optin' );
@@ -466,4 +476,37 @@ public function remove_empty_merge_fields( $merge ) {
 
 		return $merge;
 	}
+
+	/**
+	 * Validate the form submission.
+	 * Basic checks for the prevention of spam.
+	 *
+	 * @return bool|WP_Error True if valid, WP_Error if invalid.
+	 */
+	protected function validate_form_submission() {
+		$spam_message = esc_html__( "We couldn't process your submission as it was flagged as potential spam. Please try again.", 'mailchimp' );
+		// Make sure the honeypot field is set, but not filled (if it is, then it's a spam).
+		if ( ! isset( $_POST['mailchimp_sf_alt_email'] ) || ! empty( $_POST['mailchimp_sf_alt_email'] ) ) {
+			return new WP_Error( 'spam', $spam_message );
+		}
+
+		// Make sure that no-js field is not present (if it is, then it's a spam).
+		if ( isset( $_POST['mailchimp_sf_no_js'] ) ) {
+			return new WP_Error( 'spam', $spam_message );
+		}
+
+		// Make sure that user-agent is set and it has reasonable length.
+		$user_agent = isset( $_SERVER['HTTP_USER_AGENT'] ) ? sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) ) : '';
+		if ( strlen( $user_agent ) < 2 ) {
+			return new WP_Error( 'spam', $spam_message );
+		}
+
+		/**
+		 * Filter to allow for custom validation of the form submission.
+		 *
+		 * @since x.x.x
+		 * @param bool $is_valid True if valid, false if invalid, return WP_Error to provide error message.
+		 */
+		return apply_filters( 'mailchimp_sf_form_submission_validation', true );
+	}
 }

mailchimp_widget.php

@@ -266,8 +266,10 @@ function mailchimp_sf_signup_form( $args = array() ) {
 			<?php
 		}
 
-		$submit_text = get_option( 'mc_submit_text' );
+		// Add a honeypot field.
+		mailchimp_sf_honeypot_field();
 
+		$submit_text = get_option( 'mc_submit_text' );
 		?>
 
 		<div class="mc_signup_submit">
@@ -300,6 +302,21 @@ function mailchimp_sf_signup_form( $args = array() ) {
 	}
 }
 
+/**
+ * Add a hidden honeypot field
+ *
+ * @return void
+ */
+function mailchimp_sf_honeypot_field() {
+	?>
+	<div style="display: none; !important">
+		<label for="mailchimp_sf_alt_email"><?php esc_html_e( 'Alternative Email:', 'mailchimp' ); ?></label>
+		<input type="text" name="mailchimp_sf_alt_email" autocomplete="off"/>
+	</div>
+	<input type="hidden" class="mailchimp_sf_no_js" name="mailchimp_sf_no_js" value="1" />
+	<?php
+}
+
 /**
  * Generate and display markup for Interest Groups
  *