What Is Form Spam and How Can You Stop It?

There’s nothing worse than to find that your contact form (or any form for that matter) has been blown up with spam submissions. This is a huge waste of time and unfortunately, something all website owners have to deal with at some point.

Sifting through form spam not only wastes your time. It also wreaks havoc on your resources, especially if you have a limited number of form submissions per your free or paid plan.

Not to mention, it takes your time & effort away from qualified leads and those that genuinely need to get in touch with you.

And if you don’t take the time to clean up spam submissions (and ultimately stop them) you run the risk of hurting your brand’s reputation if these spammy messages end up on the frontend of your website for site visitors to see.

That’s why I’m here to help. Being a website owner myself, I understand how frustrating and stressful dealing with form spam can be.

Luckily, there are ways to combat it and make your life a little easier. After all, we all have things we’d rather be doing than sorting out a form spam situation gone bad.

So, let’s get started! 🚀

What is form spam?

In technical terms, form spam happens when malicious entities or back actors submit unwanted information through online forms to phish or send abusive messages.

In simpler terms, form spam is when unwanted messages make their way through your website’s forms (and sometimes onto the frontend of your site) – oftentimes without you even noticing.

Why Does Form Spam Exist?

You might be thinking to yourself that form spam shouldn’t be an issue these days. After all, traditional email spam is for the most part under control thanks to advanced spam filters designed to block spam messages.

But web forms just aren’t quite there yet and spam continues to plague them in the form of junk messages and irrelevant links.

Adding to that, form spam continues to happen because it works.

For example, spammers look for vulnerabilities in your site’s forms so they can hijack them and use them to relay email spam messages to others.

These emails arrive in people’s inboxes looking like emails you might send. Then, people unknowingly open and even click through to what they believe will be your website, only to find themselves on an entirely different site. The spammer now reaps the rewards thanks to the increase in site traffic and increased site engagement.

In addition, spammers look to take advantage of any web forms on your website that may publish their messages, complete with hyperlinks to other websites and products, so they can gain the link equity and boost in SEO.

A great example of where this commonly occurs is when a website owner allows automatic comment publishing on their site.

How Does Form Spam Work?

Okay, so you know form spam is a problem that you need to get under control. But I think understanding how form spam works will help you better understand how to go about stopping it.

Form spam is performed in two ways:

1. Manual Spamming

manual-spamming

Manual spamming happens when people hired by companies manually fill out web forms found all across the web with information linking back to companies that need link juice.

This type of form spam is the most difficult to beat because human spammers can get through most (if not all) anti-spam measures that you can put in place.

That being said, it’s also a time-consuming process, so there’s a chance your site may never fall victim to manual form spam unless it is extremely popular (in which case, congrats to you! 🎉)

2. Spambots

Spambot spamming happens when programs are built to seek out web forms on the internet and fill them out, mainly with the hope that the message will appear somewhere on the website.

For example, a commenting or testimonial form that allows messages to publish automatically on your site without approval can have this type of spam, complete with junk text and hyperlinks leading back to other websites.

This type of form spam is easier to combat because spam bots are not humans and have a tough time getting past some of the more advanced anti-spam measures. That said, this does not make them any less harmful. In fact, some spambots will even try to inject scripts into your site so they can hijack your site or leave invisible links and gain the SEO advantage.

Plus, spammers running spambots don’t care if you can stop them. Spambots are so powerful they can access millions of websites a day. At one point, they will find a vulnerability, take advantage of it, and get their reward.

So, how do you stop form spam you ask? Well, I just happen to have an entire arsenal of tips and tricks you can start using today.

6 Ways to Stop Form Spam

If you want to combat form spam, you’re going to need to do everything in your power to make it difficult, if not impossible, for automated bots to fill out your forms.

But at the same time, you have to find the balance and make your website’s forms as easy as possible for real website visitors to fill out.

1. Use Contact Forms (Not Email Addresses)

contact-forms-vs-email-addresses

Listen, I get it. Your online business contact information probably has an email address alongside the physical address/office, telephone number, and social icons. And your customers probably love this because it gives them a direct way to get in touch with you or your team.

But if eliminating as much spam as possible is on your list of things to do, your first task should be getting rid of that email address on your site.

The reason is, spambots trolling websites looking for web forms to submit also seek out email addresses they can harvest and use as a way to spam others. Of course, you can always fight spambots using a WordPress plugin like Email Address Encoder to protect your email addresses and mailto links.

email-address-encoder-plugin

That said, this isn’t likely to be a forever solution.

Because of this, we recommend using a reliable WordPress contact form plugin like Kali Forms and getting rid of your email address. This freemium contact form solution is not only easy to use and has all the features you need like payment fields, file uploads, and conditional logic, it has built-in reCAPTCHA technology to help you fight form spam every step of the way.

KaliForms

Not to mention, it accomplishes the same thing an email does; it gives people a direct line of communication to you or your team. The only difference is, you won’t have to waste any time sorting through the spam submissions.

2. Use Google reCAPTCHA

You may not know this, but a few years back, Google officially killed CAPTCHA.

Don’t know what CAPTCHA is? Lucky you.

For those that do remember, seeing an image like this one…

captcha-example

likely makes you cringe.

The concept behind CAPTCHA was genius. These programs were designed to protect websites against spambots by generating tests for users to answer before being able to submit an online form and was a surefire way to prevent form spam.

For a while at least.

But soon enough, the famous Google CAPTCHA began to have problems like:

  • Annoying site visitors who struggled to answer the question or input the right text
  • Spambots learning how to bypass the CAPTCHA and submit form spam
  • Decreasing form conversions by as much as 3%
  • Becoming increasing difficult to see or hear, especially for those with hearing impairments, limited sight, or other challenges

Adding to this, according to a study carried out by Stanford University, the following was found:

  • Visual CAPTCHAs take 9.8 seconds to complete
  • Hearing CAPTCHAs take 28.4 seconds to complete
  • 50% of people using audio CAPTCHAs give up
  • Only 71% of the time 3 users agree on the translation of a CAPTCHA
  • Only 31.2% of the time 3 users will agree on the translation of an audio CAPTCHA

Talk about ruining the user experience.

In response to the increasing difficulties CAPTCHAs were creating, a new solution was developed by Google called reCAPTCHA.

What is Google reCAPTCHA?

Google introduced reCAPTCHA in an effort to replace the dying CAPTCHA programs and continue to serve up a reliable anti-spambot alternative.

Now, instead of having to input text or answer a question, site visitors only have to click a button to identify themselves as a human so they can submit their form.

recaptcha

In terms of the user experience, this was a much better way to prevent form spam. And while some spambots can still crack the reCAPTCHA code and get through, it offers website owners a pretty consistent way of preventing form spam on their site.

Already using KaliForms on your website? Nice work! 😄

Kali Forms comes with a built-in Google reCAPTCHA form field that you can easily add to any web form on your website. Just add the field to your form and start combatting form spam right away.

kali-forms-recaptcha-form-field
Inserting Google reCAPTCHA with Kali Forms

So, what’s the takeaway here? You shouldn’t use Google CAPTCHA, but Google reCAPTCHA is a great alternative.

3. Use the Honeypot Method

spam-honeypot

If you’re not a fan of CATPCHAs or reCAPTCHAs, you can always opt to use the honeypot method instead.

Honeypots are little bits of code that are used to catch spambots by presenting a hidden form field to spambots only. These bits of code do two things:

  1. Trick Spambots: Honeypots display a fake form field for spambots to fill out. Since spambots are not human, they simply fill in all the form fields and click ‘Submit.” When this happens, the submission is automatically flagged as spam and rejected, so you never have to deal with it.
  2. Stay Hidden for Humans: Honeypots stay hidden from human users so they never know there’s a fake form field. This means that users are never disrupted during the process of filling out your forms and form conversions skyrocket.

If this sounds like something you want to use on your website’s forms, stick with Kali Forms. Not only does it come with Google’s powerful reCAPTCHA for form spam prevention, but it also has a built-in honeypot system so you never have to waste your time with unwanted form submissions again.

4. Ask a Question

Another technique you can use to deter form spam is to create a form field that asks site visitors a question that they have to answer correctly. You might present a text question or a math question for people to fill in before they can submit their form.

question-and-answer-anti-spam-example

Here are some examples of questions you could use:

  • What comes first, C or Y?
  • What is 5+3?
  • The first letter in the word ”dog” is…

The only thing that matters when you use this anti-spam strategy is that you make the question easy enough for people to actually answer. And make sure, if you have a global audience, translate your forms into other languages to help encourage form submissions.

Want one of the simplest solutions to help stop a lot of form spam?

Stop allowing links on blog comments and in forms. Though this won’t eliminate all form spam, it will definitely help, especially when it comes to manual spammers trying to enter links into messages and submit them on your website.

A great way to do this in your WordPress comments section is by using the Perfmatters WordPress plugin – which is a plugin we even use here on the website you’re currently on.

6. Install the Akismet WordPress Anti-Spam Plugin

I don’t suggest using just an anti-spam WordPress plugin on your website to fight intelligent spambots trying to submit forms on your site.

That said, a high-quality anti-spam solution like Akismet does a great job complementing any of the above-mentioned form spam prevention strategies. This is especially true if you notice your website is full of comment spam, which is often submitted through the comment forms on your blog posts.

Here’s a quick rundown of some of Akismet’s top features:

  • Automated checks of all comment and contact form submissions for spam
  • Filtering of all submissions that look spammy
  • An easy-to-view dashboard of all filtered submissions
  • ‘Unspam’ feature for mistaken spam flagging

To use Akismet (which is completely free if all you need is basic spam protection), go to Plugins > Add New in your WordPress dashboard. Then, search for ‘Akismet.’

When you find it, click Install Now and then Activate.

Akismet is pretty much an out-of-the-box anti-spam solution that will help clear your site of unwanted form spam and free up time for you to focus on other more important things like growing your following or online business.

7. Don’t allow users to publish information directly to your site

An online form collects information from visitors that is intended to appear on the site. So, if you want to prevent spam on your website, I advise you to create a testimonial request form and ask customers for feedback. This way, you won’t find comments on wrong places on your site (like blog posts) about your customers complaining about your services.

It is recommended to check and moderate the information received from the visitors before being published on the site. Moderating feedback is critical to ensuring that only appropriate material is shared.

Final Thoughts: The Right Way to Handle Form Spam

In the end, there is no perfect solution that will allow you to entirely prevent form spam on your website but that certainly doesn’t mean you just have to give in and deal with it.

Take a look at the ways you can stop form spam, whether manual or automated and be proactive when it comes to protecting your website from spam as well as the user experience. And whatever you do, don’t fully rely on any single strategy to stop all the spam on your website. Keep a close eye on things to make sure nothing is slipping by and threatening the UX or your reputation as a well-established website owner in your industry.

Wonder what people think & how they feel about your website or product? Take a look at our complete guide to creating a Likert scale to ensure the perception of your brand is positive and make improvements where needed.

Which form spam prevention methods do you use on your WordPress website?

We’d love to hear all about in the comments below! 💬

Lindsay Liedke
Lindsay Liedke

Lindsay Liedke is a freelance writer that loves WordPress – when she isn't writing, she can be found spending time with her son.