We've been getting a lot of spam submissions through a Gravity Form on our WordPress site. After digging into it, the cause was the external tracking code provided by GHL: it tracks the form submission event even when the form's reCAPTCHA check fails (it seems to fire on the submit button click rather than on a successful submission).

The result is that any bot can land on the site, fill the form with spam, and hit submit. Even though they fail reCAPTCHA verification, the tracking code still registers it as a form submission and creates a new contact with the spam data attached.

We've worked around this by disabling form submission tracking in the GHL settings and instead passing the completed form data via a webhook to create or update the contact. Ideally, though, the tracking code wouldn't fire at all if reCAPTCHA hasn't been passed.

Suggested fix: have the external tracking code only register a form submission after the form validates successfully (including reCAPTCHA), rather than on the submit click.