How to stop spam in your WordPress contact form in 2022 - step by step guide

Imagine waking up to 50 new requests from your contact form. All excited you open them up one by one - only to realize that they’re all from spam bots… Not the best way to start a new day.

Unfortunately contact form spam is very real and the responsible bots don’t discriminate - it can happen to any website! And it can have serious repercussions.

In this article, we’ll explore how contact form spam works, why it happens and the steps you can take to prevent it on your WordPress website.

---

Why are contact forms important?

Contact forms are a core functionality of almost every WordPress site. Although they are primarily meant to let your visitors contact you with questions and requests, they also are an effective way of collecting customer information and feedback from your visitors. They can be used:

• To give potential customers a way to contact you with questions or support requests or show interest in your product;
• To understand what customers think about your products or services and improve accordingly;
• To gather information about products or services that may be useful for future marketing campaigns;
• To get testimonials from happy customers which can be used in your marketing efforts, like social media posts and email campaigns;
• To allow yourself to be contacted for promotions and collaborations.

The benefits of contact forms are crystal clear and with WordPress there are lots of options to add such a form (or any other form) to your website. A possible consequence of such a form though can be that you receive large amounts of fake responses, the unfortunately well-known ‘spam submissions’. Let’s dive some deeper into what this is exactly and what can be the consequences if you let this happen.

---

What is contact form spam?

Spam can be sent manually by people who want to annoy you or send you unwanted messages. It’s hard to tackle that kind of spam, because it could mean taking measures that can also affect your real users. For now, we’re going to leave that kind of spam out of this; also because it’s probably not the biggest spam enemy you have to face.

What we do want to talk about is spam that is automated by software that sends out thousands of messages at once. Contact form spam is any kind of automated spam that uses contact forms as a way of spreading itself around.

Why does spam occur?

Spam is usually sent for two reasons:

1. Commercial purposes, to sell products or services;
2. Malicious intent, to spread viruses or steal data.

Spammers will do their best to get your attention and they can do this in several ways:

• Spam bots submitting your forms over and over again;
• Spam emails being sent from your form;
• Spam comments on your posts;
• Spam reviews on your products or services.

In most case spammers use automated software to scan websites for forms and submit them with random data. One of the reasons they do this is because they want to send as many messages as possible hoping that some will get through and reach real people who might click on their links or buy their products. If enough people click on their links or buy their products, they will keep sending more spammy messages.

What are the consequences of contact form spam?

The obvious consequence of spam is that it distracts you from your day-to-day focus on your business, school, training, etc. From bad to worse, these are some possible consequences:

• You receive lots of unwanted messages that fill up your inbox and distract you from the emails you really want to receive;
• You lose time having to delete all these unwanted messages manually;
• Your website’s reputation may suffer if spammers use it to spread malicious content;
• Your website may get blacklisted by email providers if too many spammy messages are sent from it.

Clearly, contact form spam can be very annoying and time-consuming for site owners, so it’s important to understand how to prevent it.

---

How to prevent contact form spam?

Luckily there are a few different ways to prevent contact form spam:

1. You can try to not be distracted by it;
2. You can try to prevent it with visual anti-spam mechanisms;
3. You can try to prevent it with invisible anti-spam mechanisms (using Tripetto).

Let's dive deeper into each of those options, beginning with not being distracted.

1. Not be distracted by contact form spam

This first option is not really a solid solution, but we do want to mention it, as it can be a temporary workaround in some cases. In some cases it’s just not possible to take measurements to prevent spam entries at all. In that case you could choose to just let the spam entries happen, but minimize the distraction that you get from it.

You can for example block emails based on certain criteria, such as whether they contain certain keywords or whether they come from certain IP addresses. It depends on your email provider if this is possible and how to do it. Gmail for example offers a spam filter that you can use to filter your incoming messages and make sure that spam messages don't reach your inbox.

This option can primarily work in case you only receive the contact form entries in your mailbox. If you also store the entries in a database, or even have configured automations that automatically follow-up after a form submission, this is not really a proper solution, because you still haven’t tackled it at the core. You just don’t see the spam entries in your inbox anymore. In that case you probably want to dive a little deeper.

2. Prevent contact form spam with visual anti-spam mechanisms

Ever since contact form spam really got overwhelming, multiple different ways to prevent such spam entries have been developed. The idea is to let your real users prove that they are indeed real humans and let them do tasks that a robot probably can’t. Well-known techniques for that are:

• Solving a simple calculation and entering the outcome;
• Reading a (barely readable) captcha code and entering the combination of letters/numbers;
• Using a reCAPTCHA technique from Google to identify a real person. That can for example work by ticking a “I’m not a robot” checkbox or solving a puzzle in where you have to identify certain visible objects, like “Select all images with a traffic light”.

Although they do a good job in preventing spam entries, it also has the risk of impacting your user’s experience. Such visual anti-spam mechanisms are often placed at the end of your form, at the point that your respondents simply want to submit the form as quickly as possible. But then there’s another threshold that your respondent has to take: solving the calculation/captcha/puzzle. Next to a negative experience, this can even result in actual drop-offs from respondents that don’t take the time and effort to solve it and then abandon the form.

Wouldn’t it be nice if there was another solution to prevent large amounts of contact form spam, but without interfering with the user experience? That’s exactly why Tripetto does this a little differently!

3. Prevent contact form spam with invisible anti-spam mechanisms (using Tripetto)

Tripetto is an all-in-one form plugin for WordPress websites. It enables you to build fully customizable, conversational forms and surveys. Its drag-and-drop builder helps you to not only add the questions to your form, but also makes conditional logic an integral part of your form design. Because of that your forms become really smart and only ask the right questions, based on the already given answers of each respondent.

On top of that you can display each form in 3 totally different form layouts:

• Autoscroll layout, which displays one question at a time and automatically scrolls through the form;
• Chat layout, which presents questions and answers in a chat format, including chat bubbles and avatars;
• Classic layout, for a more traditional format to present multiple questions at a time.

This all helps you to get higher completion rates, because your form is tailored perfectly to your audience and even tailored for every individual respondent. Of course, you don’t want to tear down that experience at the end of your form with an anti-spam mechanism in which the respondent must solve a puzzle. That’s why Tripetto implements an anti-spam solution that’s not visible to the respondent, but does its work in the background.

How does Tripetto prevent contact form spam?

Tripetto is built at its core to make it very hard for spammers to use the form. It uses the following principles to take care of that:

• Data structure difficulty - The technical structure of your forms is managed in such a way spam bots will have a very hard time learning the structure of the form. And without understanding the structure, it gets hard for the spam bot to even use that structure to fill out the input fields, preventing it from being able to fill out the form automatically;
• Increasing posting difficulty - Next to the difficulty of filling out the form, Tripetto also makes it very hard for spam bots to submit Tripetto forms. There is a sophisticated technique behind the submitting process that increases in difficulty each time a spam bot tries to submit a form. This will discourage spammers to repeatedly/automatically keep submitting forms.

And the best part is that your real respondents won't notice these built-in hurdles for spam bots at all. It only comes into play when a larger amount of submissions is done from the same IP address, generally typical for a spam attack by spam bots.

Configuring Tripetto’s spam protection

By default, all Tripetto forms use the built-in spam protection, so you are protected against spam attacks. On some occasions you might want to alter that spam protection level though, for example if you share your form with a class of students at the same time who are all on the school’s network (and thus using the same IP address). If all those students would submit the form in a short period of time, Tripetto would normally think it is an attack and not all form submissions would be accepted.

That’s why there are two anti-spam settings you can change:

• Set the spam protection mode - You can choose from maximal, normal, minimal or fully disable the spam protection.
• Enter an IP allow list - You can also enter a list of IP addresses that are excluded from the spam protection, regardless of the active spam protection mode. Handy for the mentioned use case where lots of submissions are done from the same IP address, like on a school or an office.

---

Conclusion

As we have seen spam is a very serious issue if it influences your day-to-day routine. Next to the hassle you get from working around all spam messages, it can also have some serious consequences to your website’s reputation and status.

That’s why it is important to take some measures against such contact form spam. In this article we discussed a few possible solutions. None of those solutions will be 100% bullet proof to prevent spam from ever coming through again. And some of the solutions can also have a negative effect on the user’s experience.

That’s why Tripetto comes with a built-in spam protection mechanism which is a balance between preventing large amounts of spam and not bothering your respondents with anti-spam measures. This is fully included in all packages of the Tripetto WordPress plugin, which also comes with a 14-day money-back guarantee – no questions asked!