Cutting Down on Form Spam: What to Do

by Jason Unger, Founder

We’ve all been there.

You open up your inbox, see a notification that someone filled out your website’s contact form, click through, and … it’s spam.

Again.

Spam form submissions are annoying. And given how good technology has gotten, shouldn’t it have been fixed by now?

The battle against form spam suffers from the same problem as website security – it’s an arms race. As I’ve written about before:

When I talk to clients about website security, I’m brutally honest about the reality that if someone really wants to hack your site, they can find a way.

It’s not that safeguards can’t be set – they can. But hackers are always working to find new ways to break through encryption and security, and you need to be steadfast in implementing best practices to make it as difficult as possible for them to break in.

It’s the same thing for your website forms. The approach to stopping form spam is to implement best practices and make it difficult enough for spammers that they’ll move on to another site.

Here’s what you should be doing.

Step 1: Use a Honeypot

Whenever you create a form – whether it’s in WordPress or not – you should include a Honeypot field.

Simply put, a honeypot is a field that’s invisible to regular users, but something that bots will see as a regular field.

When a bot sees this field, it fills it out (thinking it’s a regular field), and when the field is filled out, the form can’t be submitted. Since regular users don’t see the invisible field, they’ll never fill it out and always be able to submit the form.

This is a low-tech but straightforward way to differentiate between bots and real people.
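
The honeypot check described above, sketched as an added example (not code from this article or from any plugin it mentions). It runs on the server, since bots often post to the form handler directly; the field name website_url and the sample submissions are assumptions constructed for illustration.

```javascript
// Hypothetical field name: pick something plausible that the real form
// does not need, so bots are tempted to fill it in.
const HONEYPOT_FIELD = "website_url";

// Markup the check assumes: moved off-screen with CSS, skipped by the
// keyboard and by screen readers, so real visitors never populate it.
const HONEYPOT_HTML = `
<div style="position:absolute;left:-9999px" aria-hidden="true">
  <label>Website <input type="text" name="${HONEYPOT_FIELD}"
         tabindex="-1" autocomplete="off"></label>
</div>`;

// Returns { accept: boolean, reason: string } for a raw URL-encoded body.
function checkHoneypot(rawBody) {
  const params = new URLSearchParams(rawBody);
  const values = params.getAll(HONEYPOT_FIELD);

  // A browser that rendered the form always sends the hidden text input,
  // as an empty string. If the field is absent, the POST did not come
  // from the rendered form.
  if (values.length === 0) {
    return { accept: false, reason: "honeypot-missing" };
  }
  // Any non-empty value, in any repeated copy of the field, means
  // something filled in an input no visitor could see.
  if (values.some((v) => v.length > 0)) {
    return { accept: false, reason: "honeypot-filled" };
  }
  return { accept: true, reason: "ok" };
}

// Constructed sample submissions (not real traffic).
const samples = {
  human: "name=Ana&email=ana%40example.org&message=Hello&website_url=",
  bot: "name=x&email=x%40example.com&message=buy+now&website_url=http%3A%2F%2Fspam.example",
  direct: "name=x&email=x%40example.com&message=buy+now",
};

for (const [label, body] of Object.entries(samples)) {
  console.log(label, checkHoneypot(body));
}
```

Browser autofill can occasionally populate a hidden field, so log rejected submissions for a while and review them before discarding them outright.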

Step 2: Add reCaptcha

reCaptcha is annoying. Sometimes that’s a good thing – when you’re trying to keep the bad guys and bots out – and sometimes it’s a bad thing – when your real community members are trying to send you a message.

Google has a few versions of reCaptcha, from the newest version (v3) that learns about user behavior on your site to determine who’s a real person and who’s not, to an older version (v2) that allows you to select from the classic “checkbox” view to an invisible option that works behind-the-scenes to identify bots.

This should be your first step in combatting form spam. Sign up for a reCaptcha account with Google, and then integrate it with your forms. If you’re using Gravity Forms, there’s an extension that makes it easy to do.

Step 3: Use Spam and Security Plugins

Depending on your platform, there’s likely a third-party plugin meant for fighting spam that can be integrated.

On WordPress, the Akismet plugin works to cut down on spam comments, users, and form submissions, and can be integrated with Gravity Forms, Jetpack Forms, Contact Form 7, and other form plugins. While Akismet is the most popular spam prevention plugin for WordPress, other options – like Zero Spam for WordPress and Antispam Bee – also do the job.

If you’re using a security plugin, and you can clearly identify the IP address of a consistent spammer, ban them. This could backfire, however, if their IP address is shared with real people – so be sure that you’re being very targeted (i.e., use the whole IP address).

Step 4: Add Conditional Logic to Submit

If you find that these steps aren’t helping to cut down on your form spam – or if you’re dealing with a real person who’s manually spamming your forms – it’s time to add some more logic to your process.

There are two scenarios here:

  • If you know that you’re getting spam submissions from one specific person, email, or IP address, then add conditional logic to hide the “submit” button on your form if any of the fields match your spammer’s information
  • If there are multiple spammers abusing your form, then add a logic question that needs to be answered in order to show the “submit” button. Ask a math question, or ask a very specific question only a real person could answer (i.e., what’s the second letter of our organization’s name?)

This is slightly annoying but relatively easy for real people to deal with.

Cutting down on form spam is a constant battle, and it’s something we will likely always have to deal with. Be sure you have alternate ways for your community to contact you (email, phone, social media) and test your forms regularly. Need help? Reach out and we’re here for you.

About Jason Unger

Jason Unger is the Founder of Digital Ink. He built his first website on Geocities, and hasn't looked back since. Digital Ink tells stories for forward-thinking businesses, mission-driven organizations, and marketing and technology agencies in need of a creative and digital partner.
