WordPress Form Spam: Is There a Solution?

Oozle Media has recently seen a pretty dramatic surge of form submission spam; that is, bots (often from foreign countries) submitting your site forms over and over and over again. We’re seeing dozens a day, even on Oozle Media’s site, in the last week. We don’t know what’s behind this sudden spam attack, but we’re seeing dozens more affected than ever before. Some of these form submissions are a little scary, promoting illegal content on sketchy sites. It can feel frustrating, intimidating, and even a little personal, like your private inbox has been invaded.

Spam can also take more benign forms. Even Oozle Media, a digital marketing company, receives regular spammy emails claiming our site contains “errors” or needs to be “optimized” in some nebulous way. It’s clear that these bots aren’t actually identifying anything personal about your website, or they wouldn’t be trying to sell us on their services. Yet, we see these types of emails regularly.

What to Do About Spam

We’re all looking for a way to end inbox spam. The hard truth is that there is no definite solution. There’s no silver bullet to stop spam from getting into your email inbox. Forms are necessary to stay in touch with our clients, and yet they carry with them the risks of being bombed with spam. So what can we do? We’re going to start with the least invasive solutions, working our way up to the strong interventions.

Add a Honeypot

Honeypots are the most basic way to prevent spam. A honeypot is an empty form field that is hidden from regular users. You can only see it if you’re either a developer peeking at the source code, or a bot script. These scripts are programmed to enter in content for every field before submitting the form. Since they see the field exists, they try to fill it out. The form then sees that the field was filled out, assumes that the entry is from a spam bot, and rejects the submission.

Honeypots were once the most basic form of protection against spam bots. If you do a search online for “form honeypots”, you’ll find thousands of articles about honeypots as a simple, hidden solution to prevent spam. Buried in all these articles are user forums filled with people asking why honeypots don’t seem to work anymore. We’re seeing this problem as well – spam bots are simply getting too smart and have started avoiding honeypots. The general consensus is that honeypot fields still work for less busy sites, but they may be less effective for high-traffic sites.

Register and Install Akismet

Akismet Anti-Spam is one of the most well-known, effective, and long-running WordPress plugins on the market. It was developed by the WordPress team many years ago, is included with every new installation of WordPress, and is updated regularly. To use it, however, you need to sign up for an Akismet API key. On business sites, this costs $5/month. However, once you sign up for it, you can install the plugin and set it loose on your site without further work needed. It’s a pretty simple solution that is, as far as we can tell, pretty effective.

Install Google’s Invisible reCAPTCHA

This is a relatively new type of reCAPTCHA created by Google that helps protect your forms from unwanted submissions. It’s still a reCAPTCHA, but it’s invisible to most users. It works by hiding the reCAPTCHA from regular users, but showing standard CAPTCHA challenges to anything suspected of being a bot. There’s also a WordPress version of the plugin available to make this process work more seamlessly with Gravity Forms.

The downside to this plugin becomes obvious if you check out the reviews for it on wordpress.org. Users have seen conflicts with the admin login and occasionally user submissions. The plugin is invisible and can’t be turned off, so if you’re determined to be spam but don’t have the opportunity to prove you’re not, then you’re simply not able to submit forms.

However, not all users report this conflict, so it may work for your site. It’s worth a shot at least, and can always be disabled if your users have issues.

Install Google’s (Visible) reCAPTCHA

The original Google reCAPTCHA service is a simple but effective method for preventing spam. In order to submit a form, you have to pass a challenge. The simplest of these challenges is checking a box that humans can check easily, but that bots can’t. This method replaces the old Google CAPTCHA, which were not user-friendly and not particularly effective anyway.

ReCAPTCHA may be simpler for users, but comes with a few drawbacks. First and foremost, it takes up a lot of real estate on your form. This might be fine for forms on pages, but it can pose a pretty serious problem for forms in subheaders or other contained areas where space is limited. Second, it can be really frustrating if someone is flagged, for whatever reason, as a “suspicious user” and ends up needing to perform one of the more involved challenges (such as identifying all pictures in a grid with traffic lights).

However, it’s pretty effective and almost bulletproof, and it’s been updated for web accessibility.

What NOT to Do About Spam

There are a few things that won’t be helpful, and will probably be harmful, when it comes to form spam. We want to make you aware of these things so that you don’t make the same mistakes.

Don’t Send Form Submissions to Junk!

If you receive spammy emails from your website, don’t send them to your junk folder! When you do that, you’re really just flagging ALL email from your website server as spam. Depending on how often you do it, the consequences can range from never seeing your real leads in email again, to your entire website and email server being flagged as suspicious. In fact, do it often enough, and people won’t even receive your emails, let alone anything coming from the website. Be careful! Don’t send your form submissions to a junk folder.

Don’t Respond to Spammers

This should go without saying, but don’t give spam email what they want. Don’t click links, don’t respond to emails, and don’t accept any offers. The reason spam email exists is because it works. Someone, somewhere, is opening these emails and reading them and clicking the links inside. If nobody did that, these spammers would simply die out.

If you do receive emails with tantalizing offers, or you’re genuinely concerned with the issues being raised in a spam email, do some research online and find a vendor that can help you. Don’t reward spam!

Don’t Expect Absolute Solutions

It’s frustrating, but spam is just a fact of life for anyone with a form on their website. You will never be able to escape spam. Even if we could prevent and block all spambots and scripts, it would be temporary. They’re getting smarter every year and finding ways around every method. It’s almost impressive how spam technology keeps rising to meet anti-spam technology.

But that aside, even without spambots, there will always be humans filling out your form in ways you didn’t intend. Barring all technological advancement, there will always be people willing to manually fill out forms one by one, if the price is right. Sometimes they’re even small business owners genuinely trying to promote their businesses. If Google ever succeeds in creating the perfect spam-prevention tool, there will still be humans willing to manually submit forms with scam websites and phishing links.

Get Help

Do the best you can to reduce spam, both by preventing it and starving it, and focus on the emails that matter. Follow Oozle Media on Facebook for more helpful info, and let us know below if we can help you with any of these issues!