You have a shiny, gorgeous website, sparkling away to the universe, and with a juicy contact form temptingly enticing potential clients or customers to get in touch.
While having a great contact form does attract some fantastic potential clients, it also acts as a bright light on your porch at night – it attracts every spammer, scammer and SEO snake-oil merchant in a million-mile radius.
Before you know it, your email inbox is filled with offers to visit sites where people don’t wear very much, and all seem to have breathing difficulties; places to buy cheap sunglasses; and people trying to tell you that you are missing out on customers and if you only let them do their SEO hocus-pocus you will be top of some vaguely defined heap.
You may also find your site becomes unstable, going up and down as spambots hit it with thousands of responses that overwhelm your hosting account.
In this post, we will take a look at different sorts of website contact form spam, before looking at a few ways you can stop, or at least significantly reduce, the flood of spam in your in-box.
Why Do Spammers Spam?
Short answer: Money. Spammers spam because either they are paid to spam, they are driving traffic to a site that generates money for them, or they want to use you as an unpaid spam assistant.
Spammers know that email filters now filter out many spam emails, so they had to find another way to get to you.
Want to know more about spam emails? Here’s an article to help you work out if your emails are classed as spam under Australian laws.
Emails from contact forms usually get through the spam filters and are read by the business owner in case they are a valid lead. So, spammers use this strategy as a way to get their message in front of you.
One key thing to remember: Always assume if you click on any link in a contact form response that it will fill your site with malware. Treat every link as if you are trying to kiss a cobra – with high suspicion and a whole lot of nope.
Contact form spam messages may be one of a few different types:
Sending you to adult sites. If you click on a link, you may be presented with a captcha image before you view. What you may not know is that the image may be pulled from a different site the scammers are trying to access, so you have become an unpaid assistant to the spammer.
Sending you to product sites. These promote a range of products from fake designer handbags through to products that seem vaguely related to your business, such as business cards or office furniture. Remember that no reputable company would stoop to contact form spam, so treat their offer with extreme caution.
SEO/Web design/Marketing services. SEO companies that try to make you think you are missing out on traffic, or have things broken on your site that only they can fix, are a scourge on society and are emails you can instantly delete without a second thought or response.
An easy-to-remember rule: if the SEO company had any skills at all, they would not use contact form spam; they would be ranking in Google when you searched for them. If they spam you – bin them.
The same with all the four billion web design companies offering to fix things at really cheap rates. Treat them with the same amount of caution as getting a backyard doctor who only charges $5 to give you a boob job. If a web designer uses your contact form to tout for your business, then you can happily ignore them and look for more reputable web designers.
We are also seeing an increase in contact form spammers using contact forms to try and tout for business. Can I get a “Hell No!”
Junk. You may get contact form contents that make no sense at all. The words (if you call them that) are all jumbled, and there are no apparent links. What gives?
In this case, they are hoping that your contact form emails them back with confirmation of what they submitted. Why? So they can get your email address, which they can then use in their spamming campaigns.
This isn’t just a matter of domain name hijacking, where they pretend the email is from you. They may also be probing your form for vulnerabilities that they can then exploit to use your website server to send out their spam emails to thousands of people, leaving you with the blame and a blacklisted site.
Here are some ways to help protect your website from hackers.
Different Types of Contact Form Spammers
Just as your favourite tin of spiced ham now comes in different flavours (Spam classic for you purists, Spam Lite, Spam Ham with REAL bacon etc.), contact form spammers also have different types.
Spambots are the most common cause of contact form spam. They are machine-driven bots that crawl the internet looking for unsuspecting contact forms to ravish. When they pounce on a contact form, the bot quickly fills in the requisite fields, usually with a false email address, and drops its message payload into your comment field.
But don’t feel special in your ravishment. Spambots can ravish millions of websites in a day, so you are just a number to them.
These bots are often driven by artificial intelligence, so they learn what works and doesn’t work with different types of forms, and then adjust their approach accordingly.
That’s why spambots can now get around many of the strategies we used in the past to minimise spam – they have learned the tricks of the trade.
Most of my clients have seen a dramatic increase in spam attacks in the past six months, as the bots have found their way around even the most robust strategies we had in place. Keeping spammers at bay is a constant war.
Then there are the human spam spiders, often in third-world countries or third-world Australian businesses, who search the internet and then copy and paste their poison into your contact forms. Because these spammers are human, they can get around most of the tech solutions that stop the bots.
These blights on society will generally always get through to annoy you, and short of hiring a hit-man to take them out, they are one of the crappy parts of doing business.
Ways To Stop Spam From Your Contact Forms
To reduce spam from your contact forms, we recommend starting with some of the free options and then if spam persists, adding in a paid strategy.
1. Disable contact form autoresponders
Turn off all autoresponders that send people a confirmation email about what they submitted. Either take the person to a thank you page on your website, or display a thank you message, but never use an autoresponder.
2. Rename your fields
Bots are programmed to look for fields such as name, email, comment. You can try renaming your fields to something more obscure to try and trick the bots. Just be sure to test that you still get the full information from your form if you try this strategy.
3. Add a unique quiz/comment field
Create a mandatory field to have people answer a random question. This works well for reducing bots but won’t stop human spammers.
e.g. Which is bigger – 2 or 7? Only allow responses with the number 7 to be sent through.
What is your favourite word? We use that one on our website contact form, and it is a fun way to continue your branding throughout all parts of your site.
4. Add reCAPTCHA 3
Google hates spam as much as you do, so it has a free product called reCAPTCHA. You need to add in some code that you generate through this product to your website.
First, a quick CAPTCHA history. Early attempts to stop spammers with CAPTCHA had you trying to decipher random words that appeared in a wavy format. Unless the person was high or drunk, most people took several goes to work out what the words were.
We then moved onto picking images from a series of photos from Google street view: Click on the mountains, or bicycles. Again, it could be tricky (and super annoying) and after a few rounds of spot the stoplight I usually wanted to shove the said stop lights up the web designer’s unmentionables.
You could also have people complete a maths quiz – which worked well if you had a calculator, but now the bots can do that faster than a human, which sort of defeats the purpose.
We then moved into the era of ticking the “I am not a robot” box in reCAPTCHA2. It worked … for a time, but spammers are now merrily getting past that one as well.
In reCAPTCHA3, the “thing” is invisible to humans, but tricks bots.
What we have found is that adding reCAPTCHA3 has slowed the contact form spam on the sites we have added it to, and it works well except for human spammers and really advanced bots. For those sites that continue to be pestered, we needed a stronger solution.
We also found that not all plugins play nicely with reCAPTCHA3.
For example, some of our critical plugins from Easy Digital Downloads that we use to run our sister company, the Employee Manual website, don’t allow reCAPTCHA3 – only version 2. And they don’t have any current plans to change it. Can we say – migration to WooCommerce time? (Affiliate link: if you purchase anything I will receive a small commission. Thanks for your support.)
One thing to know before trying to add reCAPTCHA3 is that Google REALLY sucks at giving information on how to use its products, so use one of the below tutorials that walk you through how to get your API keys with Google, and then where to put them in your contact form plugins.
How to add reCAPTCHA v3 to your contact form
There are loads of different contact form types on the market, but we will talk about three of the main ones: Divi, Contact Form 7 and Gravity Forms.
Don’t use these forms? There are many plugins in the WordPress repository that can help. With all plugins before you install one, look to see the number of installations, that it has been updated in the past six months and that it is compatible with the latest version of WordPress.
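What the server does with a reCAPTCHA v3 token once you have your API keys, as an added example that is not code from this post or from any of the plugins named above. reCAPTCHA v3 never shows a challenge; Google returns a score between 0.0 and 1.0 and your site decides where to draw the line. The action name `contact`, the hostname `example.com` and the 0.5 threshold are assumptions, and the sample responses are constructed.

```python
import json
import urllib.parse
import urllib.request

VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def fetch_verdict(secret_key: str, token: str, timeout: float = 5.0) -> dict:
    """POST the token the browser submitted with the form to Google."""
    body = urllib.parse.urlencode({"secret": secret_key, "response": token}).encode()
    with urllib.request.urlopen(VERIFY_URL, data=body, timeout=timeout) as resp:
        return json.load(resp)


def accept_submission(verdict: dict, expected_action: str,
                      expected_hostname: str, min_score: float = 0.5):
    """Decide whether to deliver the form. Returns (accepted, reason)."""
    if not verdict.get("success"):
        # Expired, reused or forged tokens end up here.
        return False, "token rejected: " + ",".join(verdict.get("error-codes", []))
    if verdict.get("action") != expected_action:
        # Token was issued for a different form or page action.
        return False, "action mismatch"
    if verdict.get("hostname") != expected_hostname:
        # Token was solved on somebody else's site.
        return False, "hostname mismatch"
    if float(verdict.get("score", 0.0)) < min_score:
        return False, "score too low"
    return True, "ok"


# Constructed sample responses in the shape siteverify returns.
SAMPLE_HUMAN = {"success": True, "score": 0.9, "action": "contact",
                "hostname": "example.com", "challenge_ts": "2020-06-01T10:00:00Z"}
SAMPLE_BOT = dict(SAMPLE_HUMAN, score=0.1)
SAMPLE_WRONG_SITE = dict(SAMPLE_HUMAN, hostname="other.example")
SAMPLE_REPLAY = {"success": False, "error-codes": ["timeout-or-duplicate"]}

if __name__ == "__main__":
    for sample in (SAMPLE_HUMAN, SAMPLE_BOT, SAMPLE_WRONG_SITE, SAMPLE_REPLAY):
        print(accept_submission(sample, "contact", "example.com"))
```

The secret key stays on the server; only the site key goes into the page.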
5. Add a Honeypot
Think of a certain bear named Pooh and honeypots and you get the idea of what we are talking about.
A honeypot is a fancy bit of code that is invisible to humans but bots are drawn to and can’t help themselves trying out. Which then triggers the “No Spammers Welcome Here” sign and slams shut all bits to your contact form.
Not all forms offer a honeypot built into their code, but they are worth adding if you can.
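A sketch of the honeypot from this step combined with the quiz field from step 3, as an added example that is not taken from any of the form plugins mentioned in this post. The field names `website` and `quiz`, the accepted answer "seven" and the response messages are assumptions.

```python
import html

HONEYPOT_FIELD = "website"   # hypothetical name; must look worth filling to a bot
QUIZ_FIELD = "quiz"          # hypothetical name
QUIZ_QUESTION = "Which is bigger - 2 or 7?"
QUIZ_ANSWERS = {"7", "seven"}  # accepting the word as well is an assumption

THANK_YOU = "Thanks, your message has been sent."
TRY_AGAIN = "Please answer the question to send your message."


def render_spam_traps() -> str:
    """HTML for the two extra fields to place inside the contact <form>."""
    return (
        # Positioned off-screen instead of type="hidden", which a bot can
        # trivially recognise. aria-hidden, tabindex and autocomplete keep
        # screen readers, keyboard users and browser autofill out of it.
        '<div style="position:absolute;left:-9999px" aria-hidden="true">'
        f'<input type="text" name="{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">'
        "</div>\n"
        f"<label>{html.escape(QUIZ_QUESTION)} "
        f'<input type="text" name="{QUIZ_FIELD}" required></label>'
    )


def screen_submission(form: dict) -> str:
    """Classify a posted form as 'bot', 'retry' or 'ok'."""
    if form.get(HONEYPOT_FIELD, "").strip():
        return "bot"      # a human never sees this field, so any value is a bot
    if form.get(QUIZ_FIELD, "").strip().lower() not in QUIZ_ANSWERS:
        return "retry"    # could be a human typo, so ask again
    return "ok"


def handle_post(form: dict, deliver) -> str:
    """Return the message to show; call deliver(form) only for clean posts."""
    verdict = screen_submission(form)
    if verdict == "ok":
        deliver(form)
        return THANK_YOU
    if verdict == "retry":
        return TRY_AGAIN
    # Bots get the normal thank-you message and nothing is emailed, so the
    # response gives them no signal that the trap fired.
    return THANK_YOU
```

Both checks run on the server, so they still apply when a bot posts straight to the form handler without loading the page.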
6. Add a paid Spam Screening plugin
If the slime bucket human and advanced bot spammers are getting out of hand, and are still getting around the reCAPTCHA3 option, you need to go with a paid scanning option.
CleanTalk (affiliate link) has a plugin that you can add to stop spam on your contact form, comments, registrations, orders, bookings and subscriptions. They offer a free seven-day trial and then it only costs $8US per year to continue to use it.
When someone fills in a form on your site, their details are compared to Cleantalk’s database and then marked as OK or are blocked.
There are no quizzes or boxes to tick. Your visitors see nothing.
We found Cleantalk easy to set up and configure, but it has a few quirks:
- Remove or disable any other reCAPTCHA plugins/settings before activating Cleantalk.
- Remove or disable any other anti-spam plugins you have running. We use Antispam Bee to stop spam comments on many of our sites. It works well for comments but not for contact forms.
- When you use the email they recommend to test that your form is working, expect pages on your site to suddenly disappear from your view. What happens is that one of their defensive strategies is to make page contents disappear from suspected spammers. As I was adding and testing the form on several sites, my IP address was recorded as a suspected spammer and my world suddenly went blank. It caused a very nervous half an hour until I figured out what happened.
How to Install CleanTalk
CleanTalk tries to make it as easy as adding in and activating a plugin.
Start by logging into your website and then go to Plugins – Add New. Type Cleantalk in the box that says Search plugins.
Next, Click on Install Now and then Activate the CleanTalk Plugin.
Then choose whether you want your CleanTalk account to be set up with one click, using the admin email address they show for your website. If so, click the Get Access Key Automatically button.
If you want to set up your account under a different email address, click the plugin HomePage link on the right-hand side, and follow the instructions to get your access key.
Click save – and that’s it!
Remember to check your CleanTalk dashboard regularly to make sure there have been no false positives (where contact form entries have been marked as spam, but they were valid). So far, we have had no false positives from CleanTalk.
Akismet is the granddaddy of all spam plugins and comes pre-installed on all WordPress sites. Many many moons ago it used to be a free service. Now if your website is a business site, then you are up for $7AU per month. The free option is only for personal websites – if you sell/promote anything, then you have to stump up the $ to get Akismet.
While it is a useful plugin, we have found signing up for plans (especially if you have several websites) cumbersome, and a bit tricky at times. We have also found that it can quickly fill up your database with stuff, and often has false positives. Cleantalk is cheaper and works just as well in our experience.
Contact form spammers don’t have morals or consciences: They are merely following the money, and while there is money to be made finding ways to spam you, they will do so. This means they are always investing in new ways to get around any spam blocks on your contact forms that you put in place.
For now, in 2020, your best options are reCAPTCHA3 and one of the paid spam screening services. Next year may be a totally different spammy ballgame.