Fighting Form Spam in WordPress


TL;DR / TL;DW: You can fight form spam, but you can’t beat it. A few pieces of spam coming through your web forms is normal… just hit delete.

Form Spam is a Fact of Life

You can fight it, but you can’t beat it. 

For our clients, one to a few pieces of form spam a day are a fact of life. However, there are a few things we can do to help fight spam.

When Form Spam is a Problem

We consider form spam to be a problem when it becomes overwhelming, i.e., you are getting more than a few per day. A nightmare scenario is thousands; in fact, form spam can be used as a type of DDoS attack, eventually overwhelming and crashing the server.

Different Kinds of Captcha

CAPTCHA is often referred to as “reCAPTCHA” after the version Google “re”built years ago to be more effective.

There are several different kinds of CAPTCHA: from codes to images, to images with codes, and the famous “I am not a robot” checkbox that sometimes results in having to identify parts of an image. There are pros and cons to all of these. Our clients typically go with the visible “I am not a robot” version provided by Google:

[Image: reCAPTCHA form with a “CAPTCHA” label above it]

A note about the “CAPTCHA” label above the widget: many clients ask for it to be removed. We can do that, but technically removing a form label is a WCAG violation. WCAG refers to the set of guidelines that make a site accessible.

Video Transcript:

(00:08): Intro
Let’s talk about spam, and by spam I don’t mean that absolutely delicious pink congealed piece of meat that at least I grew up on when I was a Boy Scout camping. I still take it out to this day as an adult, whenever I get a chance to go hiking – nothing beats it after a long three-day hike, pulling that can of Spam out of your backpack, heating it up over a propane…

(00:37): Spam not SPAM
Okay. Anyway, we’re not talking about SPAM. In fact, the company SPAM says it’s absolutely fine to call that email that we don’t want spam as long as we allow them to keep the capitalized SPAM. So, anyway, what we’re talking about today is form spam. You have a website, a contact form, various forms on the website, and you’re getting mail that you don’t want. So, the problem is that it’s probably not a human filling this out.

(01:09): Damn Robots!
No one is going to your website and picking you out of all the millions of websites and sending you, you know, Viagra ads or SEO solicitations and stuff like that. It’s just not happening. Mostly it’s bots, and these robots or bots kind of climb the web and they look for forms and they fill out the little fields and then they hit submit and it goes. The bad news here is spam is a fact of life.

(01:41): Good News, We Do Have a Few Things We Can Do
The good news is that there are a few things you can do about it. Now with that said, it kind of depends on what you have available to you, what software you’re using. You know, for example, if you’re using WordPress, you might have various options based on the plugins that you’re using for your forms. If you have custom-built forms or other, other inputs that are receiving spam, you might have different options.

(02:04): Use of a Web Application Firewall
If you’re hosted with us, we do have a real-time web application firewall. What this does is it blocks the known bots. It blocks rapid-fire hits against a form. So that’s one of the things that we do, and anyone else can do really, to fight form spam. Now here’s the problem though. It’s not gonna be perfect. The bad guys are always one step ahead of us. It’s just the way it is.

We can do a couple things, you know, Gravity Forms and Contact Form 7 are popular WordPress plugins, and they allow different things.

(02:45): Honey Pots
So we can do honey pots. And what a honey pot is – basically there’s a hidden field on the form, a human can’t see it, therefore they would never fill it out. The idea is that when a bot comes to the website, it fills out the hidden field. And if that field is filled out, then the form does not go through.

(03:04): reCAPTCHA
The other thing that you might be very familiar with is reCAPTCHA. Those are those things where you have to type in the code or, the most annoying thing, pick all the bicycles from the video or from the pictures grid, but does the little corner of the wheel count? I’m never sure about that, but it doesn’t matter. We can do reCAPTCHA. And the newest version of reCAPTCHA is actually invisible, and basically Google has provided that technology and it does the filtering of the spam and all that kind of stuff so that you don’t, your users don’t have to type in those again. Which version you use and what options are available to you will be based on the particular technologies that your website is using.

The pros of these kinds of systems are that they will definitely slow down the amount of spam you’re getting. The cons: spam is gonna get through – spam is a fact of life.

(04:03): Just Make it Stop
In fact, it’s very common for our clients to contact us and say, hey, I got some spam, make it stop. You know, they’re a little more polite than that, but basically, they’re asking us to make it stop. And the answer is we can’t. If a client is getting bombarded with spam, you know, tens per hour, hundreds per hour, God forbid thousands per day, and so on, then absolutely there’s probably stuff we can do about it. But one or two per day, maybe even three spam form submissions per day? That’s not a problem in our world. There’s really not much we can do about it.

(04:44): We Get Spammed Too
On our website we get about one piece of spam per day on average, and honestly, just hit delete. It’s a pain, I know it’s a pain, but beyond that, until it becomes a big problem, there’s not much more we can do about it.

So again, we can put a firewall in front that has that option to look for spam controls. You can use honey pots if the form system allows, or if your developer can build one in, and you can use reCAPTCHA systems, and all these things are gonna slow the spam down.
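Two of the controls described above, the hidden honeypot field and blocking rapid-fire hits against a form, can be checked server-side in a few lines. The following is an added example, not code from this post, from WordPress, or from any form plugin; it is a framework-agnostic Python screener that a form handler would call on each POST. The honeypot field name `website_url`, the limits, the fake clock and the sample submissions are all constructed for the example.

```python
"""Honeypot, timing and rate-limit screening for a contact-form handler.

Added example (hypothetical): `SubmissionScreener.screen` takes the parsed
POST fields and the client IP and returns an accept/reject decision. The
field name, thresholds and sample data below are constructed, not taken
from any real plugin or site.
"""
from collections import defaultdict, deque
import time

HONEYPOT_FIELD = "website_url"  # hidden via CSS; a person never sees or fills it
MAX_PER_WINDOW = 5              # submissions allowed per client IP per window
WINDOW_SECONDS = 60.0
MIN_FILL_SECONDS = 3.0          # faster than this is not a human typing a message


class SubmissionScreener:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        # client_ip -> timestamps of recent submissions (sliding window)
        self._hits = defaultdict(deque)

    def _over_rate_limit(self, client_ip, now):
        """Record this attempt and report whether the window limit is exceeded."""
        recent = self._hits[client_ip]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()
        recent.append(now)
        return len(recent) > MAX_PER_WINDOW

    def screen(self, fields, client_ip, rendered_at=None):
        """Return ("accept", "ok") or ("reject", reason).

        `rendered_at` is the clock value when the form was served, e.g. from
        a signed hidden field or the session (assumed to exist here).
        """
        now = self._clock()
        # Count every attempt, including ones rejected below, so a bot that
        # trips the honeypot repeatedly also ends up rate limited.
        limited = self._over_rate_limit(client_ip, now)
        # 1. Honeypot: any content in the hidden field means every input was filled by a script.
        if fields.get(HONEYPOT_FIELD, "").strip():
            return "reject", "honeypot filled"
        # 2. Timing: the form came back faster than a person could type into it.
        if rendered_at is not None and now - rendered_at < MIN_FILL_SECONDS:
            return "reject", "submitted too fast"
        # 3. Rate limit: the "rapid-fire hits" case the firewall blocks.
        if limited:
            return "reject", "rate limit exceeded"
        return "accept", "ok"


def demo():
    """Run constructed submissions through the screener with a fake clock."""
    now = [1000.0]
    screener = SubmissionScreener(clock=lambda: now[0])
    human = {"name": "Pat", "email": "pat@example.com",
             "message": "Hello, I have a question.", HONEYPOT_FIELD: ""}
    bot = dict(human, **{HONEYPOT_FIELD: "http://spam.example"})  # bot filled the hidden field
    results = []
    results.append(screener.screen(human, "203.0.113.5", rendered_at=990.0))  # accept
    results.append(screener.screen(bot, "203.0.113.9", rendered_at=990.0))    # honeypot
    results.append(screener.screen(human, "203.0.113.9", rendered_at=999.0))  # too fast
    last = None
    for _ in range(MAX_PER_WINDOW + 1):  # one more than the window allows
        now[0] += 1.0
        last = screener.screen(human, "198.51.100.7", rendered_at=900.0)
    results.append(last)                                                      # rate limited
    return results


if __name__ == "__main__":
    for decision, reason in demo():
        print(decision, reason)
```

The three checks are deliberately independent: the honeypot catches scripts that fill every field, the timing check catches scripts that post the instant the page loads, and the per-IP window is the same idea as the firewall's rapid-fire blocking, just applied inside the application. None of them stops a human-operated submission, which is why a trickle of spam still gets through.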