Bot Protection


Real Estate 7 includes built-in, automatic bot and spam protection for all theme contact forms and AJAX endpoints and, when CT IDX Pro+ is active, for its listing inquiry, share, and affordability calculator forms as well. Protection is active out of the box with no configuration required. The settings panel lets you tune the defaults if needed.

For advanced firewall rules, country blocking, or brute-force login protection beyond what is covered here, we recommend a dedicated security plugin such as Wordfence.

How It Works

Every public form submission passes through up to five sequential protection layers before any data is processed. A request is rejected the moment it fails any layer; subsequent layers are not evaluated.

  1. Honeypot Fields — A hidden input field and a page-load timestamp are automatically injected into every form via JavaScript. Legitimate users never see or interact with these fields. Bots that fill in the hidden field, or that submit faster than the configured minimum time, are silently rejected.
  2. Submit Timing — Works in tandem with the honeypot. Submissions that arrive before the minimum time threshold (default: 2 seconds) are treated as automated and rejected.
  3. User-Agent Filtering — Requests from known headless browsers, command-line tools, and scraping libraries (such as curl, python-requests, Go-http-client, Scrapy, and others) are blocked automatically. Empty user-agent strings are also rejected.
  4. IP Rate Limiting — Limits how many form submissions a single IP address can make within a rolling time window. Uses WordPress transients — no extra database tables are created. Search and map requests use a separate, more generous limit so normal browsing is never interrupted.
  5. Google reCAPTCHA v3 Score — When reCAPTCHA is enabled under Real Estate 7 Options > Integrations > Google reCAPTCHA, this layer verifies the token server-side (completing the backend half of the reCAPTCHA flow) and rejects submissions that score below the configured threshold.
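
The layer order and short-circuit behaviour described above, modelled in Python as an added example; it is not the theme's code. The defaults come from this page, while the BotGate class, its parameter names, the reason strings and the sample addresses are assumptions made for illustration.

```python
import time

# Defaults are the values this page documents; the User-Agent markers are the
# tools it names, lowercased for case-insensitive substring matching.
DEFAULTS = {"min_submit_seconds": 2, "max_per_window": 5,
            "window_seconds": 60, "min_score": 0.5}
BLOCKED_UA = ("curl", "python-requests", "go-http-client", "scrapy")


class BotGate:
    """Illustrative model of the five layers; not the theme's implementation."""

    def __init__(self, whitelist=(), clock=time.time, **overrides):
        self.cfg = {**DEFAULTS, **overrides}
        self.whitelist = set(whitelist)
        self.clock = clock   # injectable so the time window can be tested
        self.hits = {}       # ip -> timestamps of counted submissions

    def check(self, ip, user_agent, honeypot, page_loaded_at, score=None):
        """Return (accepted, reason); the first failing layer ends evaluation."""
        cfg, now = self.cfg, self.clock()
        if ip in self.whitelist:            # whitelisted IPs skip every layer
            return True, "whitelisted"
        if honeypot:                        # layer 1: hidden field was filled in
            return False, "honeypot"
        if now - page_loaded_at < cfg["min_submit_seconds"]:   # layer 2
            return False, "too_fast"
        ua = (user_agent or "").strip().lower()
        if not ua or any(marker in ua for marker in BLOCKED_UA):   # layer 3
            return False, "user_agent"
        recent = [t for t in self.hits.get(ip, [])
                  if now - t < cfg["window_seconds"]]
        if len(recent) >= cfg["max_per_window"]:   # layer 4: per-IP window
            self.hits[ip] = recent
            return False, "rate_limited"
        self.hits[ip] = recent + [now]
        # Layer 5 applies only when reCAPTCHA is enabled (score is not None).
        if score is not None and score < cfg["min_score"]:
            return False, "low_score"
        return True, "ok"


if __name__ == "__main__":
    gate = BotGate(clock=lambda: 100.0)   # constructed clock and requests
    print(gate.check("198.51.100.7", "Mozilla/5.0", "", 90.0, 0.9))
    print(gate.check("198.51.100.7", "curl/8.5.0", "", 90.0, 0.9))
```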

CT IDX Pro+ coverage: When CT IDX Pro+ is active, its listing inquiry, share listing, affordability calculator email, and login/register forms are automatically protected.

Settings

Navigate to Real Estate 7 Options > Security > Bot Protection to access the following settings.

Enable Bot Protection

Master on/off switch for all protection layers. Enabled by default. All other settings below are hidden when this is turned off.

Honeypot & Timing

  • Enable Honeypot Fields — Toggles layers 1 and 2. Enabled by default. Disable only if you are using a third-party form plugin that injects its own honeypot protection and you are seeing conflicts.
  • Minimum Submit Time (seconds) — The shortest time (in seconds) allowed between a page loading and a form submission being accepted. The default is 2 seconds. Increase this if you are still seeing fast automated submissions; decrease it only if legitimate users on very fast connections are being incorrectly blocked.

Rate Limiting

  • Enable Rate Limiting — Toggles IP-based rate limiting for form submissions. Enabled by default.
  • Max Submissions per Window — The maximum number of form submissions a single IP address may make within the time window. Default: 5. For high-traffic lead capture pages you may want to increase this slightly; for additional security on low-traffic sites you can reduce it.
  • Time Window (seconds) — The rolling window used to measure the submission count. Default: 60 (one minute). Increasing this makes the limit stricter; decreasing it makes it more lenient.

reCAPTCHA v3 Score

  • Minimum Score Threshold — Google reCAPTCHA v3 assigns every request a score between 0.0 (likely a bot) and 1.0 (likely a human). Submissions scoring below this value are rejected. Default: 0.5. Raise the threshold (e.g. 0.7) for stricter filtering; lower it (e.g. 0.3) if legitimate users on mobile or slow connections are occasionally being blocked. This setting only applies when reCAPTCHA is enabled under Integrations > Google reCAPTCHA.

IP Whitelist

  • Whitelisted IP Addresses — Enter one IP address per line. Any IP on this list bypasses all bot protection checks entirely. This is useful for your own office IP address, a staging server, a trusted integration, or your own testing. Leave blank if not needed.

Frequently Asked Questions

Will bot protection affect my legitimate visitors?

No. The default settings are intentionally conservative to ensure real visitors are never blocked. The honeypot field is invisible, the 2-second timing threshold is far below any human interaction speed, and the rate limit of 5 submissions per minute is well above what a single visitor would ever reach on a contact form. The user-agent blocklist only targets known automation tools, not any browser used by real users.

A trusted person or integration is being blocked. What do I do?

Add their IP address to the IP Whitelist field under Real Estate 7 Options > Security > Bot Protection. Whitelisted IPs skip all checks. If the blocked party does not have a fixed IP, consider increasing the rate limit window or temporarily disabling the specific layer causing the block.

I use Contact Form 7 for my listing contact forms. Is it covered?

Contact Form 7 has its own spam prevention. RE7’s bot protection covers the theme’s built-in forms and AJAX endpoints. If you have switched listing contact to CF7 via the theme options, CF7’s own handling takes over for those specific forms and RE7’s layers do not apply to them.

I want more advanced protection — country blocking, firewall rules, login page hardening.

RE7’s built-in protection handles the most common bot and spam vectors with zero configuration. For deeper firewall control we recommend Wordfence; it layers on top of RE7’s protection cleanly and does not interfere with theme functionality.

Does bot protection work with CT IDX Pro+?

Yes, automatically. When CT IDX Pro+ is active, its public-facing form submissions (listing inquiry, share listing, affordability email, and login/register) are covered by rate limiting, user-agent filtering, and reCAPTCHA verification without any configuration.

Does this replace Google reCAPTCHA?

No, it completes it. The existing reCAPTCHA setup in RE7 (Real Estate 7 Options > Integrations > Google reCAPTCHA) loads the reCAPTCHA v3 script and attaches a token to form submissions. Bot Protection adds the missing server-side verification step: it calls the Google siteverify API and checks the score. Both pieces must be in place for reCAPTCHA to reject bots.
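
The server-side verification step described above, sketched in Python as an added example; it is not the theme's code. The siteverify URL and the success, score and action response fields are Google's; the function names, the reason strings, the fail-closed handling of errors and the optional action check (which goes beyond what this page describes) are assumptions of this sketch.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def post_form(url, fields, timeout=5):
    """POST form-encoded fields and return the decoded JSON body."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=timeout) as resp:
        return json.load(resp)


def verify_token(token, secret, min_score=0.5, expected_action=None,
                 post=post_form):
    """Return (accepted, reason); any error or malformed reply is a rejection."""
    if not token:
        return False, "missing_token"
    try:
        reply = post(SITEVERIFY_URL, {"secret": secret, "response": token})
    except (OSError, ValueError):       # network failure or non-JSON body
        return False, "verify_unavailable"
    if not isinstance(reply, dict) or reply.get("success") is not True:
        return False, "invalid_token"
    # Optional: the token must have been issued for the form being submitted.
    if expected_action and reply.get("action") != expected_action:
        return False, "action_mismatch"
    score = reply.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return False, "no_score"
    # Scores below the threshold are rejected; a score equal to it passes.
    return (True, "ok") if score >= min_score else (False, "low_score")
```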