
How to prevent SPAM in your website Contact Form

SPAM in your Contact Form

If you have a contact form on your website, you’ve most likely had some emails from Eric Jones. Our friend Eric is becoming infamous for flooding contact forms with his compliments and kind offers of help.

For many years, website owners have been looking for ways of blocking unwanted traffic from contact forms and comment boxes on their websites.

The first thing to realise is that Eric Jones isn’t a real, living, breathing human being who has actually personally visited your website. Eric (and all of his mates) are simply bots scouring the internet for places to leave their unwanted messages.

Their purpose is to have you respond by clicking a link to visit a page. After that, they have your attention and no good thing can result from any further action on your part.

Maybe this is Eric Jones?? No, Eric is actually just a bot.

“Hello, my name’s Eric and I just ran across your website at [ … ].com…

I found it after a quick search, so your SEO’s working out…

Content looks pretty good…

One thing’s missing though…

A QUICK, EASY way to connect with you NOW.

Because studies show that a web lead like me will only hang out a few seconds – 7 out of 10 disappear almost instantly, Surf Surf Surf… then gone forever.”

Methods to prevent spam

Honeypot is a technique for enticing bots to fill in a hidden field, thus identifying the source as invalid traffic

There are four main ways to prevent spam in contact forms and comment boxes.

  • Honeypot fields
  • Akismet
  • Google reCaptcha
  • CleanTalk

I’ll give a quick summary of each of the four and explain why I am currently installing the CleanTalk service on most websites.

Some of these techniques still work well, but the use of artificial intelligence in the development of bots has made it very much harder to totally block them from your site.

Honeypot form fields

The whole idea behind the use of honeypot fields is that an extra field is inserted in the form. It is a field that is hidden from users of the form and therefore cannot be filled in by living, breathing, human visitors to the site.

However, bots can’t determine the “hidden” state of the field and will generally record information in the field. The submitted form is easily detected as invalid traffic if any data exists in the honeypot field.

This method of protecting forms has become increasingly ineffective as bots have become smarter.
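
A server-side sketch of the honeypot check described above, as an added example (not code from this post or from any plugin). It goes one step beyond the hidden field by also signing the time the form was rendered, so a submission that arrives implausibly fast is flagged too; the field names, secret and threshold are assumptions.

```python
from __future__ import annotations
import hashlib
import hmac
import time

# Constructed values for this example: field names, secret and threshold.
HONEYPOT_FIELD = "company_website"  # decoy field real visitors never see
TOKEN_FIELD = "form_token"
SECRET = b"replace-with-a-random-server-side-secret"
MIN_FILL_SECONDS = 3


def sign_timestamp(issued_at: int) -> str:
    """Bind the render time to the server secret so it cannot be forged."""
    mac = hmac.new(SECRET, str(issued_at).encode(), hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


def render_hidden_fields(now: int | None = None) -> str:
    """HTML for the form: an off-screen decoy input plus the signed timestamp."""
    issued_at = int(time.time()) if now is None else now
    return (
        '<div style="position:absolute;left:-9999px" aria-hidden="true">'
        f'<input type="text" name="{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">'
        f'</div><input type="hidden" name="{TOKEN_FIELD}" value="{sign_timestamp(issued_at)}">'
    )


def classify(form: dict[str, str], now: int | None = None) -> str:
    """Return 'ok', or the reason the submission counts as invalid traffic."""
    now = int(time.time()) if now is None else now
    # A browser always posts the empty decoy; if the key is absent, the request
    # was not produced by the rendered form.
    if HONEYPOT_FIELD not in form:
        return "honeypot-missing"
    if form[HONEYPOT_FIELD].strip():
        return "honeypot-filled"
    token = form.get(TOKEN_FIELD, "")
    issued = token.partition(".")[0]
    if not (issued.isascii() and issued.isdigit()):
        return "bad-token"
    if not hmac.compare_digest(sign_timestamp(int(issued)).encode(), token.encode()):
        return "bad-token"
    if now - int(issued) < MIN_FILL_SECONDS:
        return "too-fast"
    return "ok"
```

Log the returned reason rather than showing it to the sender. Browser autofill can fill the decoy for a real visitor, which is why the input carries autocomplete="off".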


Akismet

Akismet is a service offered by Automattic (the company that administers the WordPress platform). It is a free service for personal blogs, but needs a subscription for any website run for any commercial purpose, i.e. owned by a business.

Akismet can be quite effective in blocking spam comments in the comment box under posts and pages, but is more limited in its ability to intervene in the spamming of contact forms.

There are effective solutions for some form-building plugins, but my feeling is that the service is quite limited in its ability to protect WordPress websites from SPAM.


Google reCaptcha

The most widely-used method of blocking spam in WordPress websites is the Google reCaptcha service. WordPress plugins have been developed by many developers to enable this service to be used for protection of Contact forms, comments, log-ins, e-commerce checkouts, etc.

There are two versions of reCaptcha. The older version 2 service is visible and requires input from the visitor. Tasks are set to identify the visitor as human. These are the “click the squares containing traffic lights” challenges, etc. The newer version 3 reCaptcha is invisible – except for an icon which appears at the foot of the page to identify that the page is protected.

The service requires a web developer to have a Google account and to register each site. Part of the registration process is the provision of two “keys” – a public key and a secret key.

Any site to be protected by reCaptcha needs to be able to integrate the service. Themes and page builders offer plugins or customisations to enable this – some free, some only available with pro (paid) versions, and some only available as paid plugins.

In the end, most website visitors will view reCaptcha as an extra imposition – a nuisance. On top of that it really isn’t entirely effective either. Modern bots are now able to effectively bypass reCAPTCHA.

While reCAPTCHA v2 and v3 can help block some bot traffic, they come with many problems. They degrade the user experience, can be bypassed with Captcha farms or AI, have no real feedback mechanisms, can lead to false positives and negatives, and don’t detect advanced bots. Neither version of reCAPTCHA should therefore be considered as a proper bot management solution.

CleanTalk anti-spam service

After having tried all of the above methods of controlling spam to the many websites I have built, I now use and recommend the CleanTalk anti-spam service.

This is a cloud service that can be easily installed in almost every website platform – including WordPress. It is a paid service, but the subscription is only USD 8.00 per year. Truly great value!!

The service works on a number of levels – including a spam firewall that blocks traffic from IP addresses contained in a database of proven spammers. This invalid traffic doesn’t even get to access the website.

Further to this, visitors can be blocked by country or language. A user-supplied list of inappropriate words can also be used to reject a submission.

In general use, the visitor enters their information and, upon submission, the information is analysed by the cloud service before being accepted as a legitimate submission.

Detailed logs are maintained and available for inspection by the website administrator.

For most sites that I administer, it is usual to log several hundred visits per week blocked by the spam firewall. In the case of sites with genuine traffic from overseas countries, such as the Swamp Productions site and the Echoes Of Jesus site, the number is in the thousands per week.

If your website is experiencing regular messages from Eric Jones, or any other invalid traffic from your contact form, please don’t hesitate to contact me directly to discuss the installation of CleanTalk.

You’ll be pleasantly surprised at just how effective and invisible this anti-spam service really is.
