How to prevent form spam bots from burying your inbox in mountains of fake submissions.

Spam has been the bane of the Internet since its inception. In fact, it would be hard to imagine how to exist online without email spam filters to spare us from all the unsolicited requests for financial assistance from impoverished princes the world over. However, while spam filters on email have proven successful, they have been less effective in preventing form spam.

Part of what makes form spam so hard to prevent is that not all of it comes from bots. While bots comprise the largest and most irritating kind of spam, they are also easier to identify and prevent. On the other hand, a person who is willing to spam your forms manually will be harder to fool. The best you can do is to slow them down.

Unfortunately, almost everything you do to make it harder for people to spam you will also hinder a smooth user experience. The good news is, there are some relatively painless ways you can cut down on spam form submissions without making your site difficult for visitors to access. Here are six solutions you can implement to prevent form spam right away.


Back in the day, one of the most reliable ways of preventing bot spam was through CAPTCHAs—those squiggly blocks of text that were nearly impossible to interpret correctly on the first try. If you’re sick of these, you’re not alone. In fact, almost the entire Internet is on your side. CAPTCHA, as they existed even a few years ago. Not only did they add burdensome gateways to content, they were often impossible roadblocks for many people with disabilities.

Fortunately, Google officially killed CAPTCHA not so long ago, and introduced ReCAPTCHA in its place. Don’t let the name mislead you: ReCAPTCHA is nothing like its predecessor. You know those handy little boxes to check to confirm you’re not a robot? That’s what ReCAPTCHA are. While they’re still not perfect, they’re miles better than previous options, and they do a good job of filtering out a lot of spam.

2. Employ a honeypot.

Honeypots are traps designed to lure in and then eliminate bots, viruses, or other bad actors that you may encounter online. When it comes to form spam, a honeypot is a secret, hidden field that bots will automatically fill out when they try to submit a form. Because that form field is hidden from human visitors, your users won’t even know its there. But when the bot fills it out, that form submission will go straight to the trash. Clever, no?

3. Create session cookies.

Most spam bots go directly to your form page without spending any time on the rest of your site. They’re crawling the Internet trying to find URLs that look like “,” and probably won’t stop on your home page at all. Human visitors, on the other hand, usually spend more time on your site, and are more likely to wander through several pages before they reach your contact form. A session cookie will track this behavior to identify which users are legitimate. If a user’s session seems suspicious, it can flag that form as possible spam.

4. Install a form spam prevention plugin.

Many form plugins include settings to make it harder for spam bots to get through. For instance, Gravity Forms includes options to include a simple honeypot form field, as well as a ReCAPTCHA check box. If you’re more concerned about possible spam comments that could reach the front end of your site, you can also install plugins such as Akismet that are designed to filter out this type of spam.

5. Use a double opt-in form.

This is a longer process, so it’s not worth it for a simple form to download a PDF, for instance. But if your form is for something more important, such as to create a new user account, a double opt-in can weed out fake users. Double opt-ins require users to include some piece of personally-identifiable information, such as an email or telephone number. The system then automatically contacts that account and provides it with a special link or a new sign-in code to ensure there is an authentic person on the other end ready to sign in.

6. Ask a test question.

Finally, you can create your own simple CAPTCHA yourself by asking a simple question at the bottom of your form (“What is 2 + 3?”). Make the question simple enough so anyone could answer, and then only let through forms with the correct answer. This is something like a reverse honeypot: instead of tricking bots into betraying themselves, you’re giving away a free passcode to your forms that only humans can understand.

Just be sure the question really is dead easy, and translate it into other languages for international visitors.

CAPTCHA is dead, long live CAPTCHA?

In many ways, the more you try to eliminate spam entirely, the more likely you are to filter out legitimate users. That said, you do have an advantage over manual spammers: because they need to operate at high volume to be effective, even a minor slowdown may be enough of a deterrent to convince them to move on.

A truly determined spammer will still be able to get through your safeguards. However, these will necessarily be fewer in number than a legion of spam bots, and that will make them easier for you to moderate on your end. So, while your website may feel like its under assault by bots, there is a light at the end of the tunnel. You can cut down on fake form submissions without turning away your users.

Published 12/03/19 by Laura Lynch