How to prevent website form spam and block submissions

There’s no doubt spam is annoying. No one likes spam form submissions clogging up their inbox while they’re trying to run a business.
But, if you’ve had an influx of unwanted spam, you might be wondering if it’s a sign of something more serious. Could it mean your site has been hacked? The good news is it’s unlikely. Spam form submissions are not only common, they’re a regular part of running a website.
What are spam form submissions?
Spam form submissions are unwanted messages sent by automated bots, or sometimes even humans, through public forms on websites. Spammers target public-facing forms to send their content out as widely as possible.
This could be to try and get backlinks, promote shady services, or trick someone into clicking on malicious links. Your contact form is just another one of their targets.
Are spam form submissions dangerous?
Yes, spam form submissions can be dangerous, since they’re often used by criminals to deliver malware and steal personal information through phishing.
The important thing to remember is that these attacks don’t mean your website is vulnerable. As long as your team doesn’t engage with spam content (e.g. by clicking links), these submissions are harmless.
At webdna, we have measures in place to ensure they don’t suddenly turn into actual security concerns. This includes:
- Blocking file uploads and embedded scripts in forms
- Monitoring for unusual submission patterns
- Keeping all plugins and CMS versions up to date
Thanks to these processes, our clients can be confident that spam won’t turn into a security risk.
It's also worth noting that when it comes to Craft CMS 5, there are no known exploits that allow spammers to breach your data through form submissions. The same applies to Formie, the Craft CMS plugin we use for creating and managing forms.
How do you stop spam form submissions?
If spam is becoming more than a minor annoyance, there are a few things we can do to help reduce it:
Implement reCAPTCHA
Developed by Google, reCAPTCHA is a free form of spambot protection that uses advanced techniques to analyse behaviour and distinguish between humans and bots.
You’ve probably encountered “I’m not a robot” checkboxes when logging on to sites or been challenged to identify images or text. These act as a proxy when the system detects suspicious activity.
The upside is that bots typically can’t bypass these puzzles, meaning fewer spam form submissions. However, it does add an extra step to the user journey, and it can impact your page’s Core Web Vitals if the script delivery hasn’t been optimised.
Implement Invisible CAPTCHA
Similar to reCAPTCHA, Invisible CAPTCHA is a form of spambot protection. However, it differs because it doesn’t require any interaction from the user. It analyses behaviours, such as mouse movements and typing speed, to check if a submission is human.
The benefit of this method is that it doesn’t impact the user journey for real users on the site. On the other hand, privacy-conscious users may not like that it collects personal data and tracks user behaviour to determine who is a bot.
Use Honeypot fields
Honeypot fields aim to reduce the number of spam submissions by adding hidden fields to forms that spambots will populate, yet can’t be seen by real users.
This method is often seen as the easiest way to navigate around the challenges of GDPR compliance. Unfortunately, the more sophisticated spambots don’t struggle to bypass these invisible fields. Therefore, it’s a method that isn’t recommended for larger scale websites.
Enable rate limiting and block duplicates
Rate limiting essentially restricts how often forms can be submitted. Alternatively, duplicate checks look for repeated submissions as a way to identify bots that are submitting multiple times.
When considering any of the above options, it’s worth keeping user experience in mind. Some of these approaches involve a little friction for genuine users, meaning it may not be a suitable option if you run a larger site.
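The honeypot, rate-limiting and duplicate checks described above can be combined in one server-side filter. The sketch below is an added example, not Formie or Craft CMS code; the hidden field name `website`, the thresholds, the in-memory storage and the use of the client IP as identifier are all assumptions.

```python
import hashlib
import time
from collections import defaultdict, deque

HONEYPOT_FIELD = "website"  # hypothetical hidden field, invisible to real users
MAX_PER_WINDOW = 3          # assumed limit: attempts per client per window
WINDOW_SECONDS = 60
DUPLICATE_TTL = 3600        # assumed: remember message fingerprints for an hour


class SubmissionFilter:
    def __init__(self):
        self._attempts = defaultdict(deque)  # client id -> attempt timestamps
        self._seen = {}                      # content fingerprint -> first seen

    @staticmethod
    def _fingerprint(form):
        # Lower-case and collapse whitespace so trivially varied copies match.
        parts = [f"{k}={' '.join(str(form[k]).lower().split())}"
                 for k in sorted(form) if k != HONEYPOT_FIELD]
        return hashlib.sha256("\x1f".join(parts).encode()).hexdigest()

    def check(self, client_id, form, now=None):
        """Return (accepted, reason) for one submission attempt."""
        now = time.time() if now is None else now

        # Rate limit: sliding window over every attempt, rejected ones included.
        attempts = self._attempts[client_id]
        while attempts and now - attempts[0] >= WINDOW_SECONDS:
            attempts.popleft()
        if len(attempts) >= MAX_PER_WINDOW:
            return False, "rate_limited"
        attempts.append(now)

        # Honeypot: a human never fills the hidden field, a naive bot does.
        if str(form.get(HONEYPOT_FIELD, "")).strip():
            return False, "honeypot"

        # Duplicate check: expire old fingerprints, then compare across clients.
        for fp, seen_at in list(self._seen.items()):
            if now - seen_at >= DUPLICATE_TTL:
                del self._seen[fp]
        fp = self._fingerprint(form)
        if fp in self._seen:
            return False, "duplicate"
        self._seen[fp] = now
        return True, "ok"
```

Rejected submissions are better logged than silently dropped, since the reason codes feed the monitoring for unusual submission patterns mentioned earlier.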
Need help securing your website?
Ultimately, spam submissions are annoying, but they are normal. The key is understanding that they don’t mean your site has been breached, and there are tools available to manage and reduce their impact. As Craft CMS web development experts, we can help with that.
We specialise in creating Craft CMS sites that are both stunning and secure. If you’d like extra peace of mind, have a look at our Hosting and Maintenance service.