Protect your web forms from spam

Techniques to prevent the misuse of your web forms

We all know spam, and most of us have to deal with it. Website owners who use web forms to collect information inevitably receive spam submissions. Comment sections get stuffed with shabby-looking reactions. Mailboxes get flooded with malicious emails. It's impossible to rule out every single spammer, but there are some helpful tools and tricks to prevent your web forms from getting spammed.

What is web form spam?

Web form spammers usually intend to promote their own websites - by adding backlinks to a comment - or use the form for malicious purposes such as phishing. When you're offering a free whitepaper, for instance, the spammer gets the opportunity to send a phishing link to your mailbox(es). As these links can be harmful to your company, you'd like your web forms protected from these activities.

These types of spamming activities are done either manually or automatically. Manual spamming mostly happens when companies hire people to fill out all the web forms they can find on the web. They get paid to leave comments or submit contact forms containing backlinks. The goal is to increase traffic to their website, gain ad revenue, or create fake leads for a competitor's sales team. These activities lead to a spoiled comment section, resulting in user churn and poor ROI.

Automated form submissions (spambots) do the same thing, without the effort of manually looking for forms. Setting up a spambot enables a spammer to spam more in less time, supposedly making them more efficient. The thing with spambots, though, is that they are detected quickly.

Helpful tools to detect spambots in web forms

There are numerous tools available to catch spambots and stop their attempts to spam your web forms. Most of them are WordPress plugins. If your website runs on WordPress, you can quickly implement tools like Akismet and Project Honeypot, which actively battle web form spam. Akismet decides whether someone's input to your web form is considered spam. Project Honeypot uses invisible fields (honeypots) to lure spambots. When a submission contains these hidden elements, you'll know it's a spam submission.

Google's reCAPTCHA

Another trusted tool to prevent web form spam is reCAPTCHA. After the flopped CAPTCHA project, Google rebuilt the tool into a more sophisticated technique. It automatically detects abusive traffic on your website but does not intrude on your user experience (like CAPTCHA did).

Anti-Spam DIY

There are some 'tricks' you could implement without using tools. If your website runs on JavaScript, HTML, and CSS, there are some techniques to reduce the number of spam submissions. Again, human spammers are much harder to detect within the form. You'll always have to check the submissions or incoming emails - judging whether they are spam or not.

Set maximum lengths

As spambots usually carry large messages, setting a maximum number of characters reduces spam risk. HTML text inputs and textareas accept the attribute maxlength="(num)" to define this maximum length. It requires your other, real-life customers to shorten their comments, which can be annoying. Be aware that some forms need to have longer input sections, and some can live with a shorter one - it's about balance.

Add a quiz element

Though we're not promoting pictures or fun details (for serious businesses), a web form can contain quiz-like fields. Spambots recognize the "email" field as the place to leave an email address, but it's much harder for them to recognize and answer a question. The thing to consider here is how hard your question should be. Sure, you don't want spambots to solve it easily, but your visitors should still be able to understand it.

Disallow links

A common practice for spammers (manual and automated) is the spreading of links. By disabling links in your form, you're protecting your website from malicious backlinks or phishing links. It does, however, also prevent clean links from being placed.

Let web forms require cookies

Another method used to detect and deter spambots is the infamous cookie. With cookies, website owners track their visitors across their website. Spambots, however, do not set cookies. Requiring cookies to fill in a web form thus protects it from these spambots. 

Creating invisible fields

Like Project Honeypot, you can create 'honeypots' yourself. With a bit of programming, you're able to eliminate any spambot activity. Since spambots only read HTML, hiding an element with CSS and JavaScript ensures real people can't see it, but bots can. Once bots fill in this element, you're able to filter submissions and leave out the ones that have the hidden field filled in.
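
The maximum length, the link ban and the hidden field only hold if the server repeats them, because a bot can post to the form's URL without ever loading your HTML or honouring its attributes. The check below is an added example, not code from the original article; the field names `message` and `website_url` and the 1000-character limit are assumptions.

```javascript
// Server-side checks for an already-parsed form submission (added example).
// Field names and the limit are assumptions; adapt them to your own form.
const MAX_MESSAGE_LENGTH = 1000;      // same value as maxlength in the HTML
const HONEYPOT_FIELD = 'website_url'; // hidden with CSS; humans leave it empty

// URLs with a scheme, bare "www." hosts, and HTML or BBCode link markup.
const LINK_PATTERN = /(https?:\/\/|www\.|<a\s|\[url[=\]])/i;

function classifySubmission(fields) {
  const reasons = [];
  const raw = typeof fields.message === 'string' ? fields.message : '';
  // Browsers submit textarea newlines as CRLF but count them as one
  // character for maxlength, so normalise before measuring.
  const message = raw.replace(/\r\n/g, '\n');
  const honeypot = fields[HONEYPOT_FIELD];

  // A browser always sends the hidden input, even when it is empty. If the
  // key is absent, the request was not produced by rendering our form.
  if (honeypot === undefined) {
    reasons.push('honeypot field missing');
  } else if (String(honeypot).trim() !== '') {
    reasons.push('honeypot field filled in');
  }

  if (message.length > MAX_MESSAGE_LENGTH) {
    reasons.push('message too long');
  }
  if (LINK_PATTERN.test(message)) {
    reasons.push('message contains a link');
  }
  return { spam: reasons.length > 0, reasons };
}

// Constructed sample submissions, not real traffic.
const SAMPLES = [
  { message: 'Great article, thanks!', website_url: '' },
  { message: 'Cheap pills at http://spam.example/buy', website_url: '' },
  { message: 'Nice post', website_url: 'http://bot.example' },
];
const sampleResults = SAMPLES.map(classifySubmission);
```

Returning the list of reasons rather than a bare boolean lets you log why a submission was dropped and tune the rules when real visitors get caught.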

PHP methods to stop web form spam

In addition to all the techniques already named, there are some PHP methods you can use to stop your web forms from getting spammed:

  • Record data from submissions, allowing you to block notorious IP addresses. Some spambots fire multiple submissions in a short period of time, from the same IP address. Blocking that address makes sure that won't happen again;
  • Change the name of your comments.php. Spambots detect these as being the comment section, even if they're not live on your website anymore. Changing the name reduces this risk.
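
Recording submissions per IP address, as the first item describes, can drive an automatic block by counting submissions in a sliding time window. This is an added example, not code from the original article, written in JavaScript; the same logic carries over to PHP. The class name, the limit of 3 submissions per 60 seconds and the 10-minute block are assumptions.

```javascript
// Per-IP submission tracking with a sliding window (added example).
// State is kept in memory; a multi-server site would need a shared store.
class SubmissionTracker {
  constructor({ limit = 3, windowMs = 60000, blockMs = 600000 } = {}) {
    this.limit = limit;       // submissions allowed per window
    this.windowMs = windowMs; // length of the sliding window
    this.blockMs = blockMs;   // blocks are temporary: an IP may be shared (NAT)
    this.recent = new Map();       // ip -> timestamps of recent submissions
    this.blockedUntil = new Map(); // ip -> time at which the block expires
  }

  // Returns true if the submission may be processed, false if it is refused.
  // `ip` must come from the connection or a trusted proxy, never from a
  // header the client can set freely.
  allow(ip, now = Date.now()) {
    const until = this.blockedUntil.get(ip);
    if (until !== undefined) {
      if (now < until) return false;
      this.blockedUntil.delete(ip); // block has expired
    }
    // Drop timestamps that fell out of the window, then record this one.
    const times = (this.recent.get(ip) || [])
      .filter((t) => now - t < this.windowMs);
    times.push(now);
    if (times.length > this.limit) {
      this.blockedUntil.set(ip, now + this.blockMs);
      this.recent.delete(ip);
      return false;
    }
    this.recent.set(ip, times);
    return true;
  }
}

// Constructed timeline: four submissions from one address within 3 seconds.
function demo() {
  const tracker = new SubmissionTracker();
  return [0, 1000, 2000, 3000].map((t) => tracker.allow('203.0.113.7', t));
}
```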


There are multiple ways to defend your web forms from spam. As effective as they can be, you should always be cautious. Making your forms too difficult for your visitors will result in user churn, losing you customers. It's always a matter of balancing the effort spammers are willing to make against the effort your visitors want to put into filling in your web forms.