Contact form spam can be very frustrating and it can impact websites of all sizes. Spammers flood your inbox with irrelevant and meaningless messages.
Dealing with spam messages is a significant hassle because you can’t simply delete them in bulk. There’s always a risk that a genuine message might be mistakenly marked as spam, resulting in a lost potential lead.
Fighting contact form spam is like a game of cat and mouse, with an ever-growing range of anti-spam plugins and techniques available to combat it. However, before we delve into these solutions, it’s important to understand why spam exists and how it functions.
What is the most common form of spam?
The primary goal of spam is to send malicious messages to the widest possible audience. In some cases, spam messages may try to trick recipients into divulging their private information through links, a technique known as “phishing.” When it comes to comment forms, spam messages can contain malicious code that runs on visitors’ browsers as they browse your site. Although only a small percentage of users may fall for these tactics, spammers send out millions of automated spam messages in the hopes of tricking even a tiny fraction of users into becoming a profitable target.
Spambots: those that do the grunt work
Sending so many messages manually would be a titanic task — that’s why spammers automate the process through tools called “spambots”. These are programs whose sole purpose is to sneak malicious links into your form fields and submit the form again and again. Spammers also regularly scan the internet to find new forms to spam. That’s why no site is safe from spam.
Spammers constantly update their spambots with more advanced techniques, rendering older protection methods useless. However, there are ways to keep spam in check and get rid of it almost completely with the right combination of tools.
How to stop contact form spam, the Happyforms way
Happyforms comes with multiple features that can help you prevent form spam. Let’s walk through them.
1. Honeypot
A honeypot is a hidden field that traps spambots and helps detect and reject them. It’s meant to be left empty and is invisible to visitors, but spambots mistake it for a required field and fill it with garbage data, allowing Happyforms to identify spam submissions.
Honeypot is always active on any form you create with Happyforms.
2. Advanced spambot protection
Modern spambots can bypass honeypot fields by seeing your form exactly like a legitimate visitor would. To combat this, Happyforms has an additional protection layer that “signs” all submissions with a secret key calculated from the submitted data. Spammers would need to tailor their spambots specifically to your form and run additional code to calculate a secret key for every submission, which is not worth the effort since spammers aim to send millions of messages with the smallest possible effort.
With Happyforms, advanced spambot protection is always on.
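The honeypot and signed-submission checks described above, sketched as server-side logic. This is an added example, not Happyforms code: the page does not describe the plugin's actual calculation, so the field names (`website`, `_nonce`, `_token`), the one-hour lifetime and the nonce-plus-digest scheme are all assumptions.

```javascript
// Added example: honeypot plus submission-token check. Not Happyforms code.
const crypto = require('node:crypto');

const SERVER_SECRET = 'constructed-demo-secret'; // assumption: never sent to the browser
const MAX_AGE_MS = 60 * 60 * 1000;               // assumption: a rendered form is valid for one hour
const HONEYPOT_FIELD = 'website';                // hypothetical name of the hidden field

const hmac = (msg) => crypto.createHmac('sha256', SERVER_SECRET).update(msg).digest('hex');

// Server, at render time: nonce bound to the form id (no dots) and the issue time.
function issueNonce(formId, now = Date.now()) {
  return `${formId}.${now}.${hmac(`${formId}.${now}`)}`;
}

// What the page's script computes at submit time (Node crypto stands in for the browser):
// a digest over the nonce and the visible field values, sorted by name.
function clientToken(nonce, fields) {
  const canonical = Object.keys(fields).sort().map((k) => `${k}=${fields[k]}`).join('\n');
  return crypto.createHash('sha256').update(`${nonce}\n${canonical}`).digest('hex');
}

// Constant-time comparison that tolerates missing or wrong-length input.
function safeEqual(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Server, on submit: returns 'ok' or the reason the submission is rejected.
function checkSubmission(formId, body, now = Date.now()) {
  const { [HONEYPOT_FIELD]: trap = '', _nonce = '', _token = '', ...fields } = body;
  if (trap !== '') return 'honeypot-filled';               // a human never sees this field
  const [id, issued, mac] = String(_nonce).split('.');
  if (id !== formId || !safeEqual(mac, hmac(`${id}.${issued}`))) return 'bad-nonce';
  if (now - Number(issued) > MAX_AGE_MS) return 'expired'; // stale or replayed form
  if (!safeEqual(_token, clientToken(_nonce, fields))) return 'bad-token';
  return 'ok';
}
```

A token the browser computes is derivable by anyone who reads the page script, so this raises the cost per submission for generic bots and does not authenticate the sender.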
3. reCAPTCHA
reCAPTCHA is a familiar tool that presents a puzzle that’s easy for humans to solve, but challenging for spambots. reCAPTCHAs can distinguish between spambots and humans with a simple click or even by observing their behavior on your page. Happyforms has integrated with Google reCAPTCHA, which can provide an additional layer of protection against spam. Let’s learn how to set it up.
Head over to Forms → Integrations, and pick Anti-spam and validation in the All integrations dropdown.
Google offers 2 flavors of reCAPTCHA. reCAPTCHA V2 displays a checkbox for your users to click before submitting your form. reCAPTCHA V3 is completely invisible and doesn’t require any interaction from your users, but can sometimes block perfectly legit submissions. Select either V2 or V3.
Head over to the Google reCAPTCHA website and click the plus button to add a new site.
Fill in a Label. You can type whatever you like — this is mostly to help you identify your keys if you have multiple sites set up with reCAPTCHA.
Pick the type of reCAPTCHA you want to add to your form.
Under Domains, type your domain (without the leading https://) and hit the Enter key.
Make sure to check both Accept the reCAPTCHA Terms of Service and Send alerts to owners, then click Submit to obtain your reCAPTCHA credentials.
Before we proceed, an important reminder: site and secret keys are specific to the version of reCAPTCHA (V2 or V3) you picked earlier. If you decide to switch from V2 to V3 or vice versa, you’ll need to repeat the above steps and obtain a new set of keys.
Copy your Site key and Secret key, paste them into the reCAPTCHA widget on your Forms → Integrations screen, and click Save Changes.
You’re now ready to use reCAPTCHA on your forms. To do so, create a new form or edit an existing one and turn on Use reCAPTCHA in your form builder’s Setup tab.
4. WordPress disallowed comment keys
WordPress includes a simple but effective feature that can help you catch form spam: the Disallowed comment keys field in your dashboard’s Settings → Discussion screen. Any time a new comment is posted to your site, WordPress checks if it matches one or more keywords in this list. If it does, the comment is automatically trashed.
Out of the box, this feature is limited to comment forms only, but Happyforms offers a way to extend it to your form submissions, too. Just turn on Trash submission if it contains words in Disallowed Comment Keys in your form builder Setup step.
Bonus: keeping your disallowed keys list up to date
Coming up with a comprehensive list of disallowed keys can be a daunting task. New words pop up all the time, and you’d need to manually maintain your list so that it’s up to date. Luckily though, there’s a free plugin that takes care of this automatically: Block List Updater. Once you activate it, it regularly checks a global repository of spam words and automatically updates the Disallowed comment keys field with the most recent list. We found that this goes a long way in blocking spam messages.
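Because matching submissions are trashed automatically, it is worth auditing the list against messages you know were genuine, especially when the list updates itself. The following is an added example, not WordPress, Happyforms or Block List Updater code: it models the matching as WordPress core does for comments (one key per line, case-insensitive, matched anywhere inside a field) and assumes form submissions are matched the same way. All sample data is constructed.

```javascript
// Added example: audit a disallowed-keys list against known-good submissions.

// One key per line; surrounding whitespace and blank lines are ignored.
function parseKeys(listText) {
  return listText.split('\n').map((k) => k.trim()).filter((k) => k !== '');
}

// Keys are literal text, not patterns, so escape regex syntax characters.
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Returns the keys that occur anywhere inside any field of the submission.
function matchingKeys(keys, submission) {
  const values = Object.values(submission).map(String);
  return keys.filter((key) => {
    const re = new RegExp(escapeRe(key), 'iu');
    return values.some((v) => re.test(v));
  });
}

// For each key, list the ids of known-good submissions it would have trashed.
function auditKeys(listText, knownGood) {
  const report = {};
  for (const key of parseKeys(listText)) {
    const hits = knownGood.filter((s) => matchingKeys([key], s).length > 0);
    if (hits.length > 0) report[key] = hits.map((s) => s.id);
  }
  return report;
}

// Constructed sample list and submissions.
const SAMPLE_LIST = 'casino\n\n  loan \nfree-seo.example\n';
const KNOWN_GOOD = [
  { id: 'g1', name: 'Ava Sloane', message: 'Do you have availability in May?' },
  { id: 'g2', name: 'Lee Park', message: 'Quote for a 3-page site, please.' },
];

console.log(auditKeys(SAMPLE_LIST, KNOWN_GOOD));
```

The short key `loan` matches inside the sender name "Sloane", so that genuine message would be trashed; longer, more specific keys avoid this kind of false positive.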