
Add IP-based rate limiting for draft-creating form submissions #47

Open
dd32 wants to merge 4 commits into production from
fix/claude/1269-session-draft-spam

Conversation

@dd32 dd32 commented Mar 12, 2026

Summary

  • Adds rate limiting (3 submissions/hour) for non-logged-in users on all Jetpack contact forms that create draft posts (call-for-speakers, call-for-sponsors, call-for-volunteers)
  • Uses WordPress transients keyed by IP address to track submission counts
  • Logged-in users bypass the rate limit entirely
  • Returns a WP_Error via the jetpack_contact_form_is_spam filter when the limit is exceeded, with a message suggesting the user wait or log in

Context

Pentesters and bots have been spamming these forms with thousands of submissions (see montclair.wordcamp.org/2024 with 13,000+ spam entries), creating excessive draft speaker/session/sponsor/volunteer posts. This is a simple first line of defense as suggested in WordPress#1269.

Test plan

  • Submit a form 3 times as a logged-out user — 4th submission should be rejected with rate limit message
  • Verify logged-in users can submit unlimited times
  • Verify the transient expires after 1 hour, allowing new submissions

Fixes WordPress#1269

🤖 Generated with Claude Code

Non-logged-in users are now limited to 3 form submissions per hour per
IP address. This prevents pentesters and bots from spamming call-for-speakers,
call-for-sponsors, and call-for-volunteers forms with thousands of submissions
that create excessive draft posts.

Logged-in users bypass the rate limit entirely.

Fixes WordPress#1269

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

dd32 commented Mar 12, 2026

There's an existing anti-spam form thing for this:

dd32 and others added 3 commits March 12, 2026 21:41
Replace custom transient-based rate limiting with the existing
Form_Spam_Prevention class from mu-plugins/utilities, which already
provides IP-based throttling via transients with configurable
score thresholds and durations.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Tests cover the rate_limit_submissions() method: logged-in user bypass,
already-spam passthrough, threshold enforcement after 4 submissions,
and transient-based reset behavior.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
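The mechanism the PR description outlines (a per-IP submission counter held in a WordPress transient, logged-in users exempt, a WP_Error handed back through the jetpack_contact_form_is_spam filter once the limit is hit) and the four behaviours the later test commit lists for rate_limit_submissions() (logged-in bypass, already-spam passthrough, threshold enforcement, transient-based reset) can both be shown in one small filter callback. The block below is an added example written for this page; it is not the PR's code and not the Form_Spam_Prevention class from mu-plugins/utilities, whose API is not shown here. Every draft_form_* name, the transient key prefix and the 3-per-hour threshold (taken from the PR description) are assumptions. When the file is run with plain `php` outside WordPress, the handful of WordPress functions it needs are replaced by in-memory stand-ins so it executes offline.

```php
<?php
// Added example, not the PR's or Form_Spam_Prevention's code. Function names
// prefixed draft_form_ are hypothetical. Outside WordPress the block below
// substitutes constructed in-memory stand-ins for the WordPress API it uses.

if ( ! function_exists( 'get_transient' ) ) {
    define( 'HOUR_IN_SECONDS', 3600 );
    $GLOBALS['_transients'] = array();
    $GLOBALS['_logged_in']  = false;

    function get_transient( $key ) {
        $t = $GLOBALS['_transients'][ $key ] ?? null;
        if ( null === $t || $t['expires'] <= time() ) {
            unset( $GLOBALS['_transients'][ $key ] );
            return false;
        }
        return $t['value'];
    }
    function set_transient( $key, $value, $ttl ) {
        $GLOBALS['_transients'][ $key ] = array( 'value' => $value, 'expires' => time() + $ttl );
        return true;
    }
    function is_user_logged_in() {
        return (bool) $GLOBALS['_logged_in'];
    }
    class WP_Error {
        private $message;
        public function __construct( $code = '', $message = '' ) { $this->message = $message; }
        public function get_error_message() { return $this->message; }
    }
    function is_wp_error( $thing ) {
        return $thing instanceof WP_Error;
    }
}

define( 'DRAFT_FORM_MAX_SUBMISSIONS', 3 );           // assumed, from the PR description
define( 'DRAFT_FORM_WINDOW', HOUR_IN_SECONDS );

// Transient key for one client. IPv6 is bucketed by /64 so a single host
// cannot dodge the limit by rotating through its interface identifiers.
function draft_form_rate_limit_key( $ip ) {
    if ( false !== strpos( $ip, ':' ) ) {
        $packed = inet_pton( $ip );
        if ( false !== $packed ) {
            $ip = inet_ntop( substr( $packed, 0, 8 ) . str_repeat( "\0", 8 ) ) . '/64';
        }
    }
    return 'draft_form_rl_' . md5( $ip );
}

// Callback for jetpack_contact_form_is_spam. $is_spam is the verdict of the
// filters that ran before us: true or a WP_Error passes straight through.
function draft_form_rate_limit( $is_spam, $form_data ) {
    if ( true === $is_spam || is_wp_error( $is_spam ) ) {
        return $is_spam;                              // already spam: nothing to add
    }
    if ( is_user_logged_in() ) {
        return $is_spam;                              // logged-in users bypass the limit
    }
    // REMOTE_ADDR only. Behind a reverse proxy it must already hold the restored
    // client address; reading X-Forwarded-For here would let the submitter pick
    // their own bucket.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if ( '' === $ip ) {
        return $is_spam;
    }
    $key    = draft_form_rate_limit_key( $ip );
    $now    = time();
    $window = get_transient( $key );
    if ( ! is_array( $window ) || $window['start'] + DRAFT_FORM_WINDOW <= $now ) {
        $window = array( 'count' => 0, 'start' => $now );   // expired or absent: new window
    }
    if ( $window['count'] >= DRAFT_FORM_MAX_SUBMISSIONS ) {
        return new WP_Error(
            'draft_form_rate_limited',
            'Too many submissions from your address. Please wait an hour or log in and try again.'
        );
    }
    // Fixed window: the TTL is the time left in the window, not a fresh hour,
    // so the transient is not extended on every hit. Read-then-write is not
    // atomic; concurrent requests can overshoot by a few.
    $window['count']++;
    set_transient( $key, $window, $window['start'] + DRAFT_FORM_WINDOW - $now );
    return $is_spam;
}

if ( function_exists( 'add_filter' ) ) {
    add_filter( 'jetpack_contact_form_is_spam', 'draft_form_rate_limit', 10, 2 );
}

// Demo outside WordPress: four anonymous submissions from one constructed
// address (the 4th is rejected), then one from a logged-in user (accepted).
if ( PHP_SAPI === 'cli' && ! function_exists( 'add_filter' ) ) {
    $_SERVER['REMOTE_ADDR'] = '203.0.113.7';
    for ( $i = 1; $i <= 4; $i++ ) {
        $verdict = draft_form_rate_limit( false, array() );
        echo "submission $i: " . ( is_wp_error( $verdict ) ? 'rejected: ' . $verdict->get_error_message() : 'accepted' ) . "\n";
    }
    $GLOBALS['_logged_in'] = true;
    echo 'logged in: ' . ( is_wp_error( draft_form_rate_limit( false, array() ) ) ? 'rejected' : 'accepted' ) . "\n";
}
```

Two points worth keeping in mind when wiring something like this into a real site. First, the key is only as good as REMOTE_ADDR: on a host behind a load balancer or CDN, if the web server has not been configured to restore the client address, every visitor lands in the same bucket and the fourth anonymous submission site-wide gets rejected. Second, a per-IP transient counter caps the volume from one source; it does not stop a submitter who rotates through proxies, which is why the PR describes it as a first line of defense rather than a fix for the spam itself.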
