---
# The Evolution of WordPress Spam: How Headless Botnets Bypass Defenses (and How to Stop Them)

**URL:** https://modul-r.codekraft.it/2026/04/the-evolution-of-wordpress-spam-when-headless-browsers-bypass-basic-defenses/
Date: 2026-04-27
Author: Erik
Post Type: post
Summary: If you manage a WordPress site or an e-commerce store, you know the drill: your inbox gets periodically flooded with messages from fake “SEO experts,” suspicious links, or pure gibberish sent through Contact Form 7 (CF7). For a long time, the solution seemed simple. “Dumb” bots were making direct POST requests without ever rendering the […]
Categories: Blog
Featured Image: https://modul-r.codekraft.it/wp-content/uploads/2026/04/Gemini_Generated_Image_9dhqbv9dhqbv9dhq-scaled.png
---

If you manage a WordPress site or an e-commerce store, you know the drill: your inbox gets periodically flooded with messages from fake "SEO experts," suspicious links, or pure gibberish sent through Contact Form 7 (CF7). For a long time, the solution seemed simple. "Dumb" bots were making direct `POST` requests without ever rendering the visual website, so slightly obfuscating the form was enough to stop them.

**But the spam machinery has evolved.** By carefully analyzing server access logs from recent attacks, I discovered that spammers have shifted their strategy. They are now utilizing distributed networks and "headless" browsers (automated browsers capable of executing JavaScript) to bypass traditional defenses.

Here is exactly how the new generation of WordPress spam operates—and, more importantly, how to permanently neutralize it.

### **1. The Evidence in the Logs: The Distributed Attack**

When examining the footprints left on my server, I noticed a clinical detail that changes everything. Look at this exact sequence of requests:

```
2.58.56.43 - GET .../get-timestamp (Security token generation)
2.58.56.43 - GET .../schema (Reading CF7 form fields)
185.220.101.144 - POST .../feedback (Spam submission)
185.220.101.159 - POST .../feedback (Spam submission)
```

Notice the discrepancy in the IP addresses? The IP that loads the page and reads the security checks (`2.58.56.43`) **is not the same** as the IPs actually sending the spam messages (`185.220.101.x`). This is the classic behavior of a **distributed botnet** (or the heavy use of rotating proxies).

Modern bots divide the labor to evade firewalls and blocklists:

- **The Scout:** It visits the page exactly once using a headless browser (like Puppeteer or Selenium) and executes the JavaScript. Its sole purpose is to download the HTML, find the secret REST API endpoint, grab a valid security timestamp, and map the input fields. *To avoid getting banned, it never submits anything.*

- **The Workers:** They receive the "instruction packet" from the Scout (endpoint, payload, valid timestamp) and begin bombarding the server with `POST` requests. By changing their IP address with almost every request, they render single-IP bans completely useless.
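The Scout/Worker split can be surfaced from an access log by correlating who fetched the token with who submitted the form. The following is an added example, not code from the plugin: the log lines are constructed, the IPs come from documentation ranges, and the `/wp-json/example/v1` prefix is a placeholder because the real paths are elided above.

```python
import re
from collections import defaultdict

# Constructed sample in combined log format. IPs are documentation ranges and
# the /wp-json/example/v1 prefix is a placeholder, not the plugin's real route.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Apr/2026:10:00:01 +0000] "GET /wp-json/example/v1/get-timestamp HTTP/1.1" 200 64
192.0.2.10 - - [27/Apr/2026:10:00:01 +0000] "GET /wp-json/example/v1/schema HTTP/1.1" 200 512
198.51.100.7 - - [27/Apr/2026:10:00:09 +0000] "POST /wp-json/example/v1/feedback HTTP/1.1" 200 120
198.51.100.8 - - [27/Apr/2026:10:00:10 +0000] "POST /wp-json/example/v1/feedback HTTP/1.1" 200 120
203.0.113.5 - - [27/Apr/2026:10:05:00 +0000] "GET /wp-json/example/v1/get-timestamp HTTP/1.1" 200 64
203.0.113.5 - - [27/Apr/2026:10:05:40 +0000] "POST /wp-json/example/v1/feedback HTTP/1.1" 200 120
not a log line
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)')
PREP_SUFFIXES = ("/get-timestamp", "/schema")  # fetched before a real submit
SUBMIT_SUFFIX = "/feedback"


def classify_clients(log_text):
    """Return (orphans, scouts).

    orphans: {ip: n} for IPs that POSTed the form without first fetching the
             token or schema from the same address (the Worker pattern).
    scouts:  sorted IPs that fetched the token or schema but never POSTed.
    """
    prepared, submitted = set(), set()
    orphans = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of guessing
        ip, method, target = m.groups()
        path = target.split("?", 1)[0].rstrip("/")
        if method == "GET" and path.endswith(PREP_SUFFIXES):
            prepared.add(ip)
        elif method == "POST" and path.endswith(SUBMIT_SUFFIX):
            submitted.add(ip)
            if ip not in prepared:
                orphans[ip] += 1
    return dict(orphans), sorted(prepared - submitted)


if __name__ == "__main__":
    print(classify_clients(SAMPLE_LOG))
```

Treat both lists as signals rather than verdicts: a visitor who abandons the form looks like a Scout, and a mobile user whose address changes mid-session looks like a Worker.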

### **2. The Failure of Static Obfuscation**

Many antispam plugins try to protect CF7 by hiding or renaming the URL where the form sends its data (endpoint obfuscation). But for a real human user to submit a form, this secret URL must be printed somewhere in the code (for example: `wpcf7.api.namespace = 'cf7-antispam/v1/secret-code';`).

Because the Scout bot is capable of executing JavaScript and reading the page just like a real browser, **it will find that secret URL and hand it over to the Workers.** They win: your server-side protection is bypassed before the actual attack even begins.

### **3. Why I Built "Antispam for CF7"**

This continuous arms race between defenses and botnets is exactly why I developed and continuously update my own plugin, **Antispam for CF7**.

Standard solutions, which rely on simple hidden fields or frustrating visual CAPTCHAs (which punish real users), are no longer enough against modern botnets. I designed the plugin to implement this exact layered, interaction-based defense logic:

- **Dynamic Fingerprinting:** It detects the presence of a real user (mouse movements, keyboard interactions) to trigger the *Bait and Switch* logic, effectively blocking headless Scouts.

- **Server-Side Honeypots:** It acts as a ruthless trap for Workers shooting blindly at decoy endpoints.

- **Bayesian Filtering (B8):** A machine-learning algorithm that analyzes the text to block the high-entropy (nonsense/gibberish) messages that somehow manage to slip through.

- **Temporal Analysis:** It automatically blocks submissions that happen in inhuman timeframes (e.g., less than 3 seconds).
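One way to enforce the temporal check on the server, and to make a timestamp relayed from a Scout to many Workers usable only once, is a signed single-use token. This is an added sketch, not the plugin's own code: the secret, the one-hour expiry, the in-memory replay set and the function names are assumptions; only the 3-second threshold comes from the list above.

```python
import hashlib
import hmac
import secrets
import time

SECRET = b"constructed-demo-key"  # assumption: per-site secret, server-side only
MIN_AGE = 3      # seconds; the "inhuman timeframe" threshold from the list above
MAX_AGE = 3600   # assumption: a token is valid for at most one hour
_used = set()    # demo only; a real site needs a shared store with expiry


def _sign(ts, nonce):
    return hmac.new(SECRET, f"{ts}.{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_token(now=None):
    """Token handed to the page: issue time, random nonce, HMAC over both."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(8)
    return f"{ts}.{nonce}.{_sign(ts, nonce)}"


def check_token(token, now=None):
    """Return 'ok' or the reason the submission is rejected."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    ts, nonce, sig = parts
    # Constant-time compare; after this, ts is known to be our own integer.
    if not hmac.compare_digest(sig.encode(), _sign(ts, nonce).encode()):
        return "forged"
    age = now - int(ts)
    if age < MIN_AGE:
        return "too_fast"   # submitted faster than a human fills a form
    if age > MAX_AGE:
        return "expired"
    if token in _used:
        return "replayed"   # same token relayed to a second sender
    _used.add(token)
    return "ok"
```

A single-use token caps each fetched token at one accepted submission; it does not identify who is submitting, so it complements the interaction checks rather than replacing them.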

### **The Final Verdict**

Defenses based solely on IP blocking or basic obfuscation are effectively dead against distributed attacks. To protect your forms without frustrating your actual customers, the only path forward is a system that merges behavioral analysis (JavaScript fingerprinting) with ruthless server-side traps. And that is exactly the gap that Antispam for CF7 aims to fill.
