How to prevent spam on web forms

Before we discuss how to prevent spam on web forms, we need to understand how spammers abuse web forms. Then I will discuss how to prevent it.

Spammers, it’s a numbers game!

Why does spam still exist?

Simply because their tactics work. Think big. No, think REALLY big. Think planetary-scale big. There are millions and millions of websites, and most of them have “contact forms”. Most of those forms are still unprotected, and spammers are just trying to make money. They do this by generating traffic on a website or getting you to buy stuff. The easy way to do this is to look for a form and fill in the fields automatically. If only one out of one thousand forms accepts their spam, and out of those, another 1 out of one thousand people clicks on the stuff they send, that equates to hundreds of thousands of people clicking on the spam every day.

How is spam sent?

 The spammers have programs that run and seek out the forms, find the fields to fill out, and insert “stuff” into those fields in the blink of an eye. It is all about speed. There are a ton of forms that need to be filled out on the internet. If a human (NOT a spammer) fills out a form, there are at least several seconds between the time a form loads on the screen and the time that human finishes filling out the form and clicks send.

Now that we understand how spammers work (and why), we can dive into the way to protect the contact form.

How to prevent spam on web forms with reCAPTCHA

I will admit, Google has a bit of “secret sauce” running behind the scenes, and they won’t discuss their magic methods, but using their product is free and it is well known how to set it up.

Let’s assume you have a form and it’s getting spammed every day. We will perform the following actions to protect it:

  1. We will add a script at the beginning of the page so the moment the page/form is loaded, a message is sent to Google asking for a “one-time code”.
  2. We will then modify the form so it has a hidden field (the spammers can’t see this field) and the field is automatically filled in before you can even see the entire form.
  3. When a person or spammer clicks on “submit”, the entire form (hidden field included, with that special code from Google) is sent to the normal back-end processing.
  4. Now we jump into that “back-end code” and we wrap the entire existing code inside another program:
  5. The special program that is created will go back to Google and give Google that special code. Google will do some magic and return a result from 0 to 1. If the number returned is less than 0.5, it is assumed that a spammer filled out the form. Anything over 0.5 and it is assumed that a human filled out the form, and the processing can continue like it always has.

The decision-making threshold is totally up to you, but the scores that Google returns are usually 0.1 or 0.9, and they are somehow good at determining if the form has been hit by a spammer. It is rumored that one thing they do is compare the time: if less than one second has gone by, it is assumed that a computer/spammer filled out the form, and the processing halts.
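The back-end check from steps 4 and 5, as an added example (not code from the original page): the token from the hidden field is posted to Google's `siteverify` endpoint and the reply is judged before the existing form handler runs. It goes slightly beyond the score threshold by also checking the hostname, the action and the token age, and it fails closed on any error. The function names, the `RECAPTCHA_SECRET` environment variable, the `contact` action, `example.com` and the two-minute age limit are assumptions of this example.

```javascript
// Added example. Runs on Node 18+ (global fetch); all names here are illustrative.
const VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";

// Constructed sample responses, shaped like siteverify JSON (not real Google output).
const SAMPLE_NOW = Date.parse("2024-01-01T12:00:30Z");
const SAMPLE_HUMAN = { success: true, score: 0.9, action: "contact",
  hostname: "example.com", challenge_ts: "2024-01-01T12:00:00Z" };
const SAMPLE_BOT = { ...SAMPLE_HUMAN, score: 0.1 };

// Decide whether a siteverify response lets the form through. Fails closed:
// anything missing or unexpected is treated as spam.
function evaluateVerdict(body, expected, now = Date.now()) {
  const { hostname, action, minScore = 0.5, maxAgeMs = 120000 } = expected;
  if (!body || body.success !== true) {
    const codes = Array.isArray(body?.["error-codes"]) ? body["error-codes"] : [];
    return { ok: false, reason: "rejected: " + codes.join(",") };
  }
  // A token minted for another site or another form must not pass here.
  if (body.hostname !== hostname) return { ok: false, reason: "hostname mismatch" };
  if (body.action !== action) return { ok: false, reason: "action mismatch" };
  const issued = Date.parse(body.challenge_ts);
  if (Number.isNaN(issued) || now - issued > maxAgeMs) {
    return { ok: false, reason: "token too old" };
  }
  // Page's rule: below 0.5 is spam. Letting exactly 0.5 pass is this example's choice.
  if (typeof body.score !== "number" || body.score < minScore) {
    return { ok: false, reason: "low score" };
  }
  return { ok: true, reason: "ok" };
}

// Send the hidden-field token to Google with the secret key, then judge the reply.
async function verifyToken(token, expected, fetchImpl = fetch) {
  const secret = process.env.RECAPTCHA_SECRET; // assumed variable name
  if (!secret || typeof token !== "string" || token === "") {
    return { ok: false, reason: "missing secret or token" };
  }
  try {
    const res = await fetchImpl(VERIFY_URL, {
      method: "POST",
      body: new URLSearchParams({ secret, response: token }),
    });
    if (!res.ok) return { ok: false, reason: "verify endpoint HTTP " + res.status };
    return evaluateVerdict(await res.json(), expected);
  } catch (err) {
    return { ok: false, reason: "verify request failed" };
  }
}
```

The existing form handler runs only when `verifyToken(...)` resolves with `ok: true`; logging the `reason` for rejected submissions shows which check is stopping the spam.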

Before I can prevent spam on web forms on your site, you will need to set up a Google reCAPTCHA account. I cannot do this for you since this is your domain, your form, and your “everything else”. When you register, you will be asked what your domain is, so they know where you will be requesting their help from. They will ask if you want version 2 or version 3 keys. I strongly suggest using version 3. Version 2 is the older “click the pictures of a truck” pop-up, and nobody likes seeing those. Version 3 does not require anything from the end user; they just see a “protected by reCAPTCHA” icon in the bottom right of the page.

Once you have requested an account, you will be given 2 very long keys: a public key and a private key. Keep them safe and don’t let them become exposed to the internet. That means don’t email them. In case you weren’t aware, almost all emails sent on the internet can be seen. The internet simply wasn’t built with privacy and security in mind.

How to prevent spam on web forms: the easy way

If your website is built with WordPress, you are in luck. There is a plugin called Contact Form 7, and if you install that (you might already be using it for your form), you click on integrations and you will see the option for reCAPTCHA. Simply copy and paste the two keys into the appropriate spots and click on OK. Now go refresh your website. You will notice the reCAPTCHA logo is present on every page on your site. Effortless, right?

(Now, when your friends ask YOU how you prevent spam on web forms on your site, you can be the pro! You’re welcome!)

How to prevent spam on web forms: the hard way

If your website isn’t built with a CMS like WordPress, then it will take a web developer like myself to modify the page that has your form, as well as the page that actually processes the form and sends the email. Not quite as easy but that is what I do for a living. I (actually, any developer) will need access to your server to modify the two files, and I will need the two keys given to you by Google. Remember that you should never email those keys. Keep them and I will let you know how to provide them so they are not exposed.

In the interest of safety, I would ask two things: make sure your website is backed up before allowing me to access your site, and create a new user (or at least change the password before/after my access) so I do not have continued access after I am finished.
