Wow, great list. Thanks, I'll look at some of these too. Makes me wish this Slack was a Discourse forum instead and it wouldn't be gone in 90 days lol.
hCaptcha is another decent captcha I've found.
Cloudflare's basic protection of sites also includes some anti-bot and malware stuff to help drive it down. I believe their paid version offers more help as well.
In addition to the great list above, assuming all web browser input (typing and clicks) is hostile by default helps me to remember to look around at browser-adjacent uses. Some can be pretty effective, and as outlined above, having a lot of small thin walls can often be a more formidable defence than a single one alone (such as Cloudflare).
• WordPress has a lot of problems in this world - learning what people are generally doing there (it is html/js/css at the end of the day too) can give ideas that might fit your setup.
• Limiting text inputs to only accept certain characters for writing a language can help too compared to code, both on the web-facing form and also on the server side.
• I have seen a tarpit approach - where if something is deemed to be a bot - to just accept it anyways and do nothing. Erroring out could give different results that are beneficial too.
• If bots can be reliably detected, you could also throttle their connection speed experience. Literally trickle the page out to them one at a time and let their resources not be as efficient.
• Having people sign up - there are tools like fingerprint.js or others that can help verify the confidence whether it is a human or not. It might also help. If someone's visited a few times, and they haven't signed up yet, it can be a helpful signal. They have a free version that's still pretty decent that can be self-hosted.
• There are some ESPs (email service providers) that can help with validation of the email addresses, etc. I'm trying to remember the one where you submit the whole form to them via email and only deal with what comes out.
• I have seen some people force people to fill out the same contact form in a chatbot style. Tools like tars.io, or others, can help with this and can be pretty interesting to see at work.
• I implemented messagebird (bird.com) for a project and it has since gone the route of adding some AI supports to get more requests in and communicating. Something like this, again, could be helpful to have it appear in a more human form that regular bots don't get.
• There is a world around web scraping that might interest you: puppeteer or headless-chrome for browser automation and not getting detected as a bot. There's a super long list of tweaks people do to their browsers to not be detected as automated.