How to Stop Contact Form Spam on WordPress

Are you getting useless contact form emails in your inbox? Contact form spam is a problem every website owner deals with at some point. Spambots target websites of all sizes, regardless of the amount of traffic you get. 

Sifting through hundreds of messages to separate spam from genuine inquiries is time-consuming and frustrating. Luckily, there are some easy and effective ways to protect your WordPress site from spam and take advantage of the benefits of contact forms. Let’s discuss! 

What is contact form spam? 

Before solving this common issue, you’ll need to understand what contact form spam is and how it affects your website and business. 

Contact form spam is exactly what it sounds like: unwanted messages that are submitted through the contact forms on your site. Since these forms have blank fields, an individual spammer (or bot) can fill these out however they’d like. 

You might just get one or two occasional messages with irrelevant promotional material or even offensive language and links. Or, you’ll sometimes receive hundreds or even thousands of form submissions to your inbox. You’re left sifting through the spam so that you don’t miss real messages from interested followers or potential customers. Worse yet, all of these submissions can hog server resources, resulting in a slower site or errors when you try to make changes. 

Spammers target contact forms in one of two ways:

1. Manual spammers

Manual spammers are humans who navigate to your website, fill out your forms, and submit them personally. They typically use false information, often copying and pasting to spam your site quickly. In most cases, these spammers are trying to promote specific websites. But they can also spread malware and funnel traffic to malicious sites. Manual contact form spam is more difficult to overcome because spammers can get past many anti-spam solutions like CAPTCHAs. 

2. Spambots

Spambots are the most common sender of form spam and often the most dangerous. These programs automatically search the internet for forms and, depending on how spammers program the bots, they leave junk text and phishing links that appear in your inbox. 

Spambots threaten the integrity of your website when programmed to perform more malicious activities like taking personal information, spreading malware, or taking control of your website. These automated programs can leave a larger number of form submissions at once. But they’re easier to stop because they can’t combat specific anti-spam solutions. 

Why do bots and human spammers target contact forms? 

With all the advances in technology and increased security options, it’s hard to think that this type of spam still exists. But bots and human spammers still target contact forms because they can, and it works. 

Here are several reasons spammers look for loopholes and vulnerabilities in your website forms: 

  1. They want to send you spam. Most spam includes links to phishing sites or revenue-generating ad sites.
  2. They want to exploit your contact form to spam others. Spammers use your contact forms to relay email spam messages to others. When these emails land in people’s inboxes, they typically look like an email you sent. Unaware that it is spam, users open these emails and click links that lead them to another website. This increases website traffic and engagement to that site, rewarding the spammer. 
  3. They’re searching for vulnerabilities to access the backend of your website or server. This is typically where malicious intent comes into play. When spammers target your contact forms to look for vulnerabilities in your website, they often want to attack it. Spammers can install malware that leaves your website and visitors at risk. They can also steal personal information, a significant risk for eCommerce sites with sensitive customer data. 

How to identify contact form submission spam

Keeping a close eye on your contact form submissions makes it easy to identify spam. Watch out for the following signs that indicate spammers are targeting your website:

  • Phishing links. Spammers use phishing URLs to obtain sensitive information for malicious use. This includes usernames, passwords, or banking details. Phishing links appear to direct to a legitimate site, but it’s really a fake one meant to steal this valuable data. 
  • Irrelevant messages. Another typical indication of spam is unsolicited or irrelevant messages. Spammers send these messages out in large numbers for advertising, phishing, or spreading malware. 
  • Submissions with no real name. If you get submissions with no real name or a fake name, you’ll want to look into blocking form spam. 
  • Grammatical errors or typos. Most spammers don’t take the time to proofread their submissions or check for grammatical errors. Instead, they work hard to send as much spam as possible in the shortest amount of time. Therefore, if you notice messages or comments with a significant amount of typos or grammatical errors, your website is likely under attack. 
  • An offer that’s too good to be true. Like everything in life, an offer too good to be true also indicates a problem. Don’t fall for this easy trap. 

Once you notice a spam issue, it’s vital to find a fast and effective solution. While it’s both annoying and potentially dangerous, spam can also damage your brand reputation. Let’s explore some ways to prevent contact form spam on your website. 

How to stop spam on WordPress contact forms

1. Install the right WordPress anti-spam plugin

The easiest and fastest way to combat contact form spam is to install the best anti-spam plugin for WordPress. Anti-spam plugins work independently from your forms by comparing submissions to blocklists of words, names, IP addresses, and email addresses. They use both global and local learning to identify spam. Some also give you the ability to manually mark items as spam (or not spam), so it learns what you like and don’t like on your site. 

With several options available, it’s critical to pick the right anti-spam plugin. Akismet is an excellent option used by millions of websites to filter out hundreds of millions of spam comments and form submissions. It will check all comments and form submissions for spam and filter out any that look suspicious. You can review all filtered submissions directly in the WordPress dashboard. 

An option like this frees up your time to focus on the more critical parts of your website. It also gives you the peace of mind that your site, visitors, and reputation are safe. While there aren’t many disadvantages to this method, you’ll need to make sure you update the plugin as recommended to avoid any security issues in the future. 

How to set up an anti-spam plugin:

Installing a WordPress plugin is easy. In your WordPress dashboard, go to Plugins → Add New. Search for the one you’d like to add, then click Install → Activate. Then, follow any specific instructions for the tool that you chose. For example, Akismet provides a great how to activate tutorial with easy-to-follow instructions and visual cues. 

Akismet Anti-Spam installation image

2. Add a custom CAPTCHA

Custom CAPTCHAs are another way to target and resolve spam problems. You can add a custom, word-based code or random math question to your website that visitors must answer to submit forms successfully. When users attempt to add a comment or submit a form, they’ll need to answer the question or type what they see above the submit button to proceed. You can add several custom word-based questions that users cycle through randomly. 

While CAPTCHAs are a great way to combat spambots, they aren’t effective with human spammers. They can also be frustrating and time-consuming for legitimate site visitors who struggle to answer the questions or answer them incorrectly. If you choose to add a CAPTCHA to combat spam, you’ll also need to think about users with limited sight or other challenges. 

How to implement a CAPTCHA:

To add CAPTCHA to your WordPress site, you’ll need to choose a service provider. Google is the most popular CAPTCHA service, with essential functions offered at no cost to website owners. You can find your options in the Products part of the Google Developers page. Make sure to sign in to your Google account. Next, you’ll read through a short overview before clicking on Sign up for an API key pair. You’ll need to fill in your website information and follow the prompts to complete the process. 

3. Use Google reCAPTCHA

Google’s reCAPTCHA is a more advanced option than custom CAPTCHAs. Initially introduced to overcome the user frustrations of custom CAPTCHAs, reCAPTCHAs require users to answer more straightforward questions to submit forms. reCAPTCHAs also work by detecting user behavior while visitors navigate your site and assigning each user a “spam score” based on what the tool considers suspicious activity. 

The most common form of reCAPTCHAs is the picture puzzle you’ve seen on many websites. Instead of typing a word or answering a math question, users answer an image-based question. Visitors must select all the squares in the picture with a specific object like a car or a traffic light. Once all images have been selected, the button switches to allow the user to submit their form response. 

Here are some other types of reCAPTCHAs:

  • Checkbox reCAPTCHA v2 is a simple box that users must check to submit a form. It’s the popular option you see on many websites accompanied by the “I am not a robot” text.  
  • Invisible reCAPTCHA v2 does not display any visible fields to human users. Instead, it monitors user behavior for suspicious activity to identify potential spammers. Invisible reCAPTCHA also adds an extra field into the code of your form. Since most spambots use code to submit responses, these spammers automatically fill in the fake fields before being flagged. Human users never even notice the spam control as they submit answers directly on the form. 
  • reCAPTCHA v3 is an advanced option that uses JavaScript to detect human visitors. It is the most advanced form of reCAPTCHA, so you should only use it if you’re a WordPress expert. 

reCAPTCHAs can still prevent genuine visitors from submitting forms, but they’ve improved from the earlier custom CAPTCHA options. Most come with the ability to add an audio option for those with visual impairments. The visible option they offer is also a solution for the hearing impaired. 

types of reCAPTCHA from Google
Photo © Google

How to implement Google reCAPTCHAs:

You’ll add reCAPTCHAs to your website following the same steps listed above for CAPTCHAs. Google reCAPTCHA is also a free service for basic functionality, but you can purchase the Enterprise solution for more advanced options. You’ll need to sign up for an API key pair for your site and follow the prompts to proceed.

4. Use an IP access list

If you notice a lot of spambot action on your website coming from specific sources, you can use an IP access list to block spam. With this method, you add IP addresses to a list that restricts access to your website from that location. You’ll do this by adding IPs to the Comment Blacklist section of the Discussion settings page in the WordPress admin. 

Using an IP access list is an excellent option for blocking specific people. But it takes a lot of work to block a more significant number of spammers and requires constant maintenance. You can also accidentally block legitimate form submissions from the IP addresses you list, so make sure you’re confident before using this method. 

comment moderation section in WordPress

How to implement an IP access list: 

If you want to block an IP address, navigate to Settings → Discussion → Comment Moderation in your WordPress dashboard. Then, simply add any IP addresses you want to block and save your settings.

5. Take advantage of the honeypot method

If you’re not a fan of CAPTCHAs, try the honeypot method. Honeypots are little bits of code used to catch spambots. The code creates a hidden field in your form that’s invisible to human visitors but visible to spambots who are usually looking at the code of your form. Spambots automatically fill out the hidden field and submit the forms. The additional information flags these submissions and rejects them, saving you time and effort. 

One advantage of honeypots is that they stay hidden from human visitors. Your visitors don’t need to deal with the inconvenience of CAPTCHAs. Some WordPress form plugins even allow you to add the honeypot method in their settings. 

How to implement honeypot:

Some plugins allow you to quickly check the option to add honeypot to your forms. But if they don’t, you’ll need to add a hidden field to your form manually. Once you add the form to your site, use the CSS style “display: none !important;” to make the field hidden and tabindex=”-1″ autocomplete=”false;” to ensure the field is empty by default. 

Protect your WordPress contact forms

Contact forms are a great tool to connect with your audience and enhance your website’s user experience. But they can also be a problem when spammers attack. Don’t be the target of human spammers and spambots that reduce the effectiveness of your website forms. Use the six steps listed above to successfully stop spam from your WordPress site so you can focus your time and effort on more essential tasks.