How to stop receiving SPAM in your WordPress forms

If you have a publicly accessible contact form on your website, chances are that you will have to deal with a lot of junk mail (SPAM) in your inbox. In this blog post, we explain why spam emails keep filling your inbox and how to stop them?

Why is spam so common?

Spam is so widespread because it is a very easy way for spammers to set up automated scripts that will scan websites seeking forms in which they can post unwanted content. These automated scripts, known as ” bots ” (short for “robot”), are used to publish undesirable comments on a website.

What’s in it for the spammers?

Their aim can be, for instance, to get “backlinks”, links that would refer visitors to the spammer’s site and then artificially increase the visibility of their own site. You should know that Google increases the ranking of a site that links to several other sites. This is known as “link building” The more your site is considered an authority on a given subject, the more it will be targeted by spammers.

Your website is a target…

We’re all in hackers’ crosshairs. Get your free analysis of your current situation in less than 5 minutes.

Therefore, some unethical people take advantage of this strategy by creating robots (bots) that spam forms with links to their own site. When these links end up on your site, the organic ranking of the spammer’s site increases in the search engine rankings. This marketing method is not as effective as it used to be, but still, it only requires the execution of a script to achieve it The effort level is very minimal for its potential payoff.

Which consequences can it have?

Some spammer may set up an email address that is associated with a group of users they add in the email field of the form. They add a text with some links in the message field. If an automatic reply has been set on your form, submitting the form will automatically send an unwanted email to an email list. These email displaying your address as the sender

In the worst case, some bots may manage to inject malicious code into your website. This code may harm site pages or even the database, collect sensitive information about your site’s users, or completely disable a website.

How can we control spam?

Needless to say, it is extremely important to implement an anti-spam strategy on all your forms, even the WordPress login form (usually accessible via the root of your site at /wp-admin). Keep in mind that your site is, on average, attacked more than 90 times a day! Several strategies can be implemented to prevent unwanted comments from being received and automatically published.

Our recommendations to limit SPAM

Add a CAPTCHA or ReCaptcha

Wait, what is a CAPTCHA?

Essentially it is a test that, in theory, can only be passed by a human being.

It can be an image with several distorted letters and numbers to identify, a selection of images containing a certain type of object to choose from or simply a checkbox.

These technologies prevent a bot from sending you unwanted comments. Because these automated scripts are unable to read the content of an image, for example.

ReCAPTCHA is a short version of one of these tests, designed by Google. The beauty of this feature is that it involves a minimum of effort on the user’s part. Instead of answering a complex question, users just have to click an I’m not a robot button to identify as human.

Use a Double Opt-In

If you are getting a lot of unwanted feedback through your web forms, you can benefit from a double confirmation mechanism, also known as Double Opt-In. This will have the extra benefit of not interfering with your analytics data or spending money unnecessarily on your Google Ads and Facebook Ads campaigns.

How does double Opt-in help you prevent spam?

  1. Users must submit their email address via your form
  2. Then, they must check their mailbox and then click on the verification link in an email you sent them.

The second step is essential for the process to be completed. So robots will not complete the second step. Spammersuse fake email addresses, so there is no way to reach them and therefore no way for them to confirm their registration.

By selecting your marketing tool (e.g. Mailchimp, CyberImpact, Drip, ConvertKit, ActiveCampaign, etc.), make sure it includes a double opt-in feature. If you are collecting form entries via a standard form on your site, WordPress’s Gravity Forms plugin allows you to set up this double validation process.

Include a logical question

A logical question is a question that any user should be able to answer.

There is no need to add a very complex question, the point is simply to prevent a robot from solving it. A robot will only submit the form, it is not programmed to understand anything other than filling out Name, Email, Phone and Message fields.

Here are some examples of logical questions:

  • A simple calculation (e.g.: 2 + two = ___ )
  • Colors present on a certain type of animal or object (e.g., a bee is yellow and ___)
  • A quantity that does not change and is assigned to an animal or object (e.g., a chair has ___ legs)

We assume that a user who is unable to answer any of these questions is most likely to be a robot. Most of WordPress form plugins offer such possibilities. Why not benefit from using it!

Add a honeypot field

A honeypot is a way to display a field that only bots will be able to see, since it will be hidden from the visitor on your website. As the user does not see it, his answer to the field is always empty when he submits the form. On the other hand, the robot will try to fill the field! This is where it will be flagged and the form will be rejected.

The solution is not flawless though, the malicious user could have an autofill feature that fills in the form fields for them. This would invalidate an, in fact, valid form submission.

If you don’t use a solution like Gravity Forms on your WordPress site, just make sure your field is hidden in front-end and don’t set it as a required type field.

Add Akismet extension

The Akismet WordPress plugin verifies comments submitted to a form, in real time, and compares them to a global database of known spammers . If Akismet flags a submission as a potential spam comment, the service will filter the comment to allow you to review it or may simply trash it so you never see it.

Much of the filtering work is done for you. Akismet automatically monitors every submission and comment.

Hide your form page

When your forms are flooded with unwanted comments, it becomes tempting to make it more difficult for people to access them.

If you think your form is targeted, you can choose to change the URL of the page containing the form. This will make the spammer have to manually search for the URL where your form is located.

You can also consider removing your form pages from the index. If you believe that your form is too easy to find through search engines and causes spammers to send you unwanted comments, you can simply hide this page from Google, Microsoft crawlers and other search engines. Google, for example, allows you to hide pages via Google Search Console or through the robots file.txt (sometimes managed by extensions like Yoast SEO, SEOPress, Rank Math, The SEO Framework, etc.).

Add a conditional view of the submit button

Since the goal of spammers is to insert craps links on your site, the best way to prevent them from doing so is by not accepting links in a form response If you only want to receive text content, it is possible, for example in Gravity Forms, to enable conditional logic. By enabling this feature, the form submission button will be hidden if the user enters a link in the message box or any other field in your form.

Besides, it can happen that a spammer uses your domain name as an e-mail address to authenticate themselves. For example, if you use email addresses that end with, the spammer will submit the form with the address [email protected]

If a user uses your domain name to submit your form, you may decide that there is a bad intention in submitting the form. As a result, you can simply disable the send button if the email used by the respondent uses your domain name!

Capture visitors’ IP address

In Gravity Forms‘ form settings, there is an option to track the IP addresses of the visitors who submit a form.

Why should you capture users’ IP addresses? Because, even if you block visitors who submit your form using your domain name, it may not be sufficient to stop them. If you tried everything to block unwanted comments and the same bot continues to submit them to you, blocking its IP address could be the only solution.

Setup a security extension like SecuPress

The SecuPress extension is known for its effectiveness in preventing hacking, security breaches and malware infections on your site. This plugin is therefore very effective to protect a WordPress login form.

As it is recommended to protect all the forms on your website, to protect the login form is equally, perhaps even more important. We wouldn’t want anyone with bad intentions to be able to access your WordPress dashboard.

Several interesting features can be activated to secure your login form with SecuPress,

  1. Block a user who tries to log in with the username “admin”
  2. Block a user after a number of failed login attempts
  3. Automatically or manually block an IP address (blacklist) (if you know the IP address)

In conclusion

Spam has been around for a long time and is not likely to stop. The number of spammers and malicious attempts to attack you with undesirable comments is increasing every day. Protecting your website remains the best way to reduce malicious entries to your forms.

The previously mentioned tips can have a real impact on the SEO, security and performance of your website. Consider asking an expert like SatelliteWP for advice before implementing any of these strategies.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *