Have you had problems in your WordPress website with a lot of spam submissions through your Contact Form 7 plugin?
Spam emails aren’t uncommon, but if you use Contact Form 7 out of the box and simply set it to forward the submitted message to you by email, your email program – Gmail, Outlook, etc – will probably do a reasonable job of filtering the spam out for you.
Many WordPress websites rely on Contact Form 7 to add a contact form feature to their website, and the plugin provides a nice interface for building simple (and even more complex) contact forms. We also add the Flamingo plugin for sites using the Contact Form 7 plugin, as this provides a safety net if the website doesn’t send you a message. Flamingo creates an archive of all messages submitted through contact forms on your website, as well as maintaining an “address book” of contacts who have contacted you.
However, Flamingo’s spam filtering isn’t particularly strong, and it’s possible to end up with a few thousand spam messages archived in your website in Flamingo. You can safely ignore these, but you may find that the sheer quantity of the messages means it’s easier to miss genuine enquiries. This is something we’ve looked in to for our own your WordPress website clients, and have provided these notes to help other WordPress users in a similar situation.
How to bulk delete spam from Flamingo / Contact Form 7 forms on your WordPress website
On sites we were asked to look at for clients, many submissions were sent from the (fake) email address “firstname.lastname@example.org”, which made it easier to filter the messages, and then delete them.
Flamingo stores the submitted contact form messages in WordPress’ post_content table in the posts table. To select all submitted contact form submissions containing this, you can use the following SQL query:
SELECT * FROM posts WHERE post_content LIKE '%email@example.com%';
- Note: this will also select other content types (blog posts) that contain the email address. If you’re not familiar with databases, it’s wise not to play around with this, and get your web developer involved – you could potentially delete your entire site’s data!
- ‘posts’ is the database table name; if you have used a database table prefix for your WordPress installation, this is likely to be something more list wp_posts
If that selects the content you want to delete, you can now DELETE the posts:
DELETE FROM posts WHERE post_content LIKE '%firstname.lastname@example.org%';
Note: this permanently deletes the content from your WordPress website’s database, so it’s wise to back your database up before running this!