We’ve all dealt with web form spam. Website owners that use forms to collect information have inevitably received some spam submissions. Comment sections get stuffed with shabby-looking reactions. Mailboxes get flooded with bad emails. Though preventing all spam is impossible, here are some helpful DIY tips to protect your web forms better.

What is web form spam?

Webform spammers usually intend to promote their websites – by adding backlinks to a comment – or use the form for malicious events like phishing. For instance, When offering a free whitepaper, the spammer can send a phishing link to your mailbox(es). As these links can harm your company, you’d like your webforms protected from these activities.

Generally speaking, there are two types of web forms of spam:

  • Manual spam
    Manual spamming mostly happens when companies hire people to fill out (all) web forms they can find on the web. They get paid to leave comments or submit contact forms containing backlinks. The goal is to increase traffic to their website, gain ad revenue, or create fake leads for a competitor’s sales team.
  • Automated spam
    Automatically filled-in forms (spambots) do the same thing, without the effort of manually looking for forms. Setting up a spambot enables a spammer to spam more in less time, supposedly making them more efficient. The thing with spambots, though, is that they are detected quickly. 

The risks of web form spam

Spam activities on your website can lead to:

  • Spoiled comment sections;
  • Forced login forms (brute force attacks);
  • Exposed vulnerabilities in your forms, allowing bots to send malware or spam to other people.

6 Do-It-Yourself Tips to prevent automated web form spam

There are some ‘tricks’ you could implement, without using tools. If your website runs on JavaScriptHTML, and CSS, there are some techniques to reduce the number of spam submissions:

  1. Set maximum lengths;
  2. Add a quiz element;
  3. Disallow links;
  4. Let web forms require cookies;
  5. Creating invisible fields;
  6. Pro tip: PHP methods to stop web form spam.

Again, human spammers are much harder to detect than spambots. You’ll always have to check the submissions or incoming emails, and judge whether they are spam or not.

(#1) Set maximum lengths

Because spambots usually carry large messages, limiting characters reduces spam risk. On the other hand, it requires your other, real-life customers to shorten their comments, which can be annoying. Be aware that some forms need to have longer input sections, and some can live with a shorter one – it’s about balance. In the example below, we’re limiting the characters in the phone number field.

Let’s say we’re creating this simple form with a first and last name field, followed by an email address and phone number.

A simplified version of the form HTML would look like this:

Now, this code only sets names and input types per form field. That means spam submissions can contain a somewhat endless amount of characters. You can limit characters like this:

The maxlength=”9″  limits the amount of characters in the phone number field to 9, but it of course depends on your situation what that number should be.

(#2) Add a quiz element

Though we’re not promoting pictures or fun details (for serious businesses), a web form can contain quiz-like fields. As spambots recognize the “email” field as the field where they can leave an email address, it’s much harder to recognize and answer a question. The thing to consider here is how hard your question should be. Sure, you don’t want spambots to solve it easily, but your visitors should understand it still.  

(#3) Disallow links 

A common practice for spammers (manually and automatically) is the spreading of links. By disabling links in your form, you’re preventing your website from malicious backlinks or phishing links. It does, however, also prevent clean links from being placed.

(#4) Let web forms require cookies

Another method used to detect and deter spambots is the infamous cookie. With cookies, website owners track their visitors across their website. Spambots, however, do not set cookies. Requiring cookies to fill in a web form thus protects it from these spambots. 

(#5) Creating invisible fields

Like the Project, you can create ‘honeypots’ yourselves. With a bit of programming, you’re able to eliminate any spambot activity. Since most spambots only read HTML, hiding an element in CSS & JavaScript ensures real people can’t see it, but bots can. Once bots fill in this element, you’re able to filter submissions and leave out the ones that have the hidden field filled in.

A simplified version of the CSS & HTML of a hidden “email address” field would look like this:


.dispnon{display: none}


<input class=”dispnon” name=”emailaddress2″ type=”text”>

(#6) Pro tip: PHP methods to stop web form spam

In addition to all the techniques already named, there are some .php-methods you can use to stop your web forms from getting spammed:

  • Record data from submissions, allowing you to block notorious IP addresses. Some spambots fire multiple submissions in a short period of time, from the same IP address. Blocking that address makes sure that won’t happen again;
  • Change the name of your comments.php. Spambots detect these as being the comment section, even if they’re not live on your website anymore. Changing the name reduces this risk.
  • Some management platforms, like Shopware, allow you to build your own Captcha in PHP, so you can use it in i.e. your webshop.

Helpful tools to detect spambots in web forms

Google’s reCaptcha

Another trusted tool to prevent web form spam is reCaptcha. After the original Captcha-project, Google rebuilt the tool to a more sophisticated technique. It automatically detects abusive traffic on your website but does not invade your user experience (like Captcha did).

For European businesses, however, reCaptcha is under review for GDPR compliance, as the tool sends your visitors’s data to the USA,

WordPress tools

On the WordPress marketplace, there are numerous tools available to capture spambots and prevent their attempt to spam your web forms. If your website runs on WordPress, you can quickly implement tools like Akismet and Project Honeypot.

  1. Akismet decides whether someone’s input to your web form is considered spam.
  2. Project Honeypot uses invisible fields (honeypots) to lure spambots. When a form submission contains filled hidden elements, you’ll know it’s a spam submission.

Stopping web form spam with DIY Tips

There are multiple ways to defend your web forms from spam, use them as you wish. However, as effective as they can be, you should always be cautious. Making your forms too difficult for your visitors will result in user churn, losing your customers. It’s always a matter of balancing between the effort spammers are willing to make versus the effort your visitors want to put in filling in your web forms.