My website’s contact form is getting spam submissions
I’m going to preface this by saying that having forms on your website is a great idea. Just know that by doing so you will get some spam emails come in, just as you do legitimate ones.
Types of spam
The most common types of spam you’ll get from your form are ones promoting their services – which are almost always a terrible idea to follow up on. Get to the top of Google, or Fix your Love Life, or Cheap Web Design Today – all emails you’ll probably want to trash.
I’m getting ALOT of spam from my contact form
Now, if you are receiving a lot of spam from your form it’s likely because your form is wide open to abuse. Bots can be programmed to auto-fill and auto-submit forms on your website, and a particularly persistent one can do so faster and more regularly that a human can, resulting in a huge flood of spam emails.
To stop the deluge you have several options
Add a hidden form field
Create a form field that appears only for the bot – and not for humans. Since bots read the HTML of a website, you can use some styling tricks to hide the field from human view. Then, if that field is filled out in the submission, your form processing script will know if was filled out by a bot.
Add a captcha
Add a captcha – a form of skill testing question – designed to be easy for humans and hard for bots. This does have the knock-on effect of annoying your legitimate users, but a small price to pay for those who suffer from a lot of contact form spam. Google’s reCaptcha is a good option, but you can always do something a little simpler – how about a skill testing question?
Use sessions or cookies
I like to set what’s called a ‘nonce’, or a number used only once which is tied to the current website guest. Because only guests will have this nonce, you can test for it on your form processing script.
The popular WordPress contact forms all offer some spam mitigation options. I recommend most users go with Gravity Forms, and their captcha option is pretty solid. Plus, Gravity Forms allows you to build some pretty complex forms, and it will log all of your submissions – something that’s critical for Request a Quote, Request for Information, and other form submissions that you definitely DO want a record of.