If you have forms on public web pages, you’re bound to get some spam. Spam form entries are a frustrating part of collecting leads, growing an email list, and giving people opportunities to contact you.
Why is spam so common? Because spammers set up spam bots. These are automated scripts that troll the web for forms and submit some content.
Why do people spam forms? For backlinks, mostly. Google will boost a website’s rankings if it has a lot of links, so less-than-honest marketers create bots that spam forms with links. If any of those links show up on a website, their site’s ranking improves. This method of “marketing” isn’t as effective as it used to be, but it doesn’t require the “marketer” to do anything but let a script run.
In other cases, spammers set up a group email address that they put into the email field on your form. They add a message with links to the message or comment field. If you have a default auto-response email set up (like most forms do by default), you will unwittingly send a spammy message to a list of email addresses.
In the worst cases, some bots will use your form to inject malicious code into your website. These bots could damage your pages or databases, harvest sensitive information, or even disable your site entirely.
Needless to say, it’s important to stop spam form entries however you can! Let’s dive into some strategies to reduce them.
1. Add CAPTCHA or reCAPTCHA
You’ve probably come across CAPTCHA and reCAPTCHA fields yourself. They’re all over the web for good reason: They’re powerful tools to stop spam form entries.
A CAPTCHA field is a picture with several distorted letters and numbers. Your job is to interpret the sequence and input it into the form. This field stops spam because bots usually can’t understand images.
reCAPTCHA is a Google service that requires less work from the user. Instead of answering a tedious question, users only have to click a button to identify themselves as human.
How does reCAPTCHA work? Google doesn’t give away all their secrets, but we know that when the user clicks the “I am not a robot” button, the reCAPTCHA sends a request to Google with a bunch of information, like the user’s IP address, timestamp, and even how they moved their mouse just before clicking. Google puts all this data together to decide whether the user seems like a real person.
If Google runs their analysis and is still unsure about the user, it gives an additional challenge: the image security check. The user is prompted to make selections based on the image (which relies on bots’ inability to read images).
In Gravity Forms, CAPTCHA and reCAPTCHA are available as Advanced Fields in the Form Editor. Check out our CAPTCHA documentation to learn how to set it up.
2. Use a Double Opt-In Form
If you get a lot of spam entries to your email list (which cost you money and disrupt your email marketing metrics), you’ll want to take advantage of a double opt-in.
A double opt-in is just what it sounds like: Users have to take two actions to join your email list. 1) They have to submit their email address through your form, and 2) They have to go to their inbox and click the confirmation link in an email you send them.
The second step is key for stopping spam entries. Bots are unlikely to complete the second step. In fact, they most likely use non-existent email addresses anyway, so there’s no way for them to confirm a subscription.
Since a double opt-in is a way to prevent fake emails from getting on your email list, you’ll need to configure the double opt-in procedure in your email marketing tool. Check with your provider for specific instructions.
3. Add a Test Question
A test question is a field on your form that asks a basic question. Real people should be able to answer it without any challenge, but bots will struggle to answer it. Here are some examples:
- A panda is black and _____
- 4 + 7 = _____
- What goes up, must come _____
- A cow has how many legs? _____
If the submitter can’t answer the question properly, they must be a bot. Set your form to disregard any submission that doesn’t answer the question correctly.
In Gravity Forms, you can prevent the bot from submitting the form in the first place by adding conditional logic to the form button. If the submitter doesn’t input the correct text, the submit button never becomes active. Add conditional logic to the button under Form Settings.
Make sure your question is something anyone can answer without turning to Google. It should take them no longer to answer this question than it does to enter their own name. If the question is complex, hard to understand, or relies on special knowledge, you’ll lose valid submissions.
4. Add a Honeypot Field
Honeypots are traps that help you identify spam bots. They use a hidden field that only bots can see. Since users never see the field, they never supply an answer. If a submission comes through with an answer to the honeypot field, you know the submission came from a bot.
Honeypots are great because they don’t impact the user experience. The user is never even aware the honeypot is present.
It’s not a perfect solution, however. If your users have an auto-fill feature that populates form fields for them, the auto-fill might put some kind of answer into the hidden field. This would invalidate an otherwise valid form submission.
You can add a hidden field to a Gravity Form by enabling a honeypot in Form Settings. If a bot completes the honeypot field, you won’t see the submission in your list of form entries.
If you don’t use Gravity Forms, you (or your website developer) can use HTML and CSS to style the hidden field out of the page so users can’t interact with it. Just make sure not to set the field as required, otherwise no one will be able to submit your form.
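One way to build the hidden field described above, together with a server-side check of the test question from section 3. This is an added example, not Gravity Forms code; the field names company_website and quiz_answer and the function screenSubmission are made up for illustration.

```javascript
// Added example. All names here are hypothetical, not from Gravity Forms.

// Honeypot markup: moved off-screen with CSS, not marked as mandatory, taken
// out of the tab order and hidden from screen readers. autocomplete="off"
// asks browsers not to auto-fill it (browsers may ignore the hint).
const HONEYPOT_HTML = `
<div class="hp-wrap" aria-hidden="true"
     style="position:absolute; left:-9999px; height:0; overflow:hidden">
  <label for="company_website">Leave this field empty</label>
  <input type="text" id="company_website" name="company_website"
         tabindex="-1" autocomplete="off">
</div>`;

// Accepted answers for "A panda is black and _____" (from the list above).
const QUIZ_ANSWERS = new Set(["white"]);

// Normalise free text so "White ", "WHITE." and "white" compare equal.
function normalise(value) {
  return String(value ?? "").trim().toLowerCase().replace(/[.!?]+$/, "");
}

// Decide what to do with one parsed submission (plain object of fields).
// Returns { action: "accept" | "discard" | "reject", reason }.
function screenSubmission(fields) {
  // 1. Honeypot: any non-whitespace content means the hidden field was filled.
  if (normalise(fields.company_website) !== "") {
    // Discard silently: respond as if it succeeded, but store nothing.
    return { action: "discard", reason: "honeypot-filled" };
  }
  // 2. Test question: checked on the server as well, because a script that
  //    posts straight to the form endpoint never runs the page's button logic.
  if (!QUIZ_ANSWERS.has(normalise(fields.quiz_answer))) {
    // Reject with a visible error so a real person can correct a typo.
    return { action: "reject", reason: "quiz-wrong" };
  }
  return { action: "accept", reason: "ok" };
}

// Constructed sample submissions.
const samples = [
  { name: "Ann", quiz_answer: " White. ", company_website: "" },
  { name: "bot", quiz_answer: "white", company_website: "http://spam.example" },
  { name: "Bob", quiz_answer: "blue" },
];
for (const s of samples) console.log(s.name, screenSubmission(s));
```

Logging the discard reason for a while before trusting it shows whether auto-fill is tripping the honeypot for real visitors.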
5. Install the Akismet Plugin
Akismet is a powerful WordPress plugin that checks your comments and form submissions against a global database of spam. If it identifies a submission as potential spam, it filters the submission out so you never see it.
With Akismet, a lot of the work is done for you. You don’t have to add anything to your forms. It monitors every submission and comment automatically. And of course, it’s totally compatible with Gravity Forms.
Another great thing about Akismet is that it’s open source software. Lots of people contribute to it, so it gets better over time.
However, only its basic features are free. You may have to spend $5 to $50 per month to get the features you need to protect your website. The investment is worth it if your site gets a lot of spam and the other methods on this list can’t keep up.
6. Hide Your Forms’ Page
If your forms are being bombarded with spam messages, you may want to take the drastic step of making your pages a little harder to find. Your site will still link to them, of course, so they’ll be available for your users, but you don’t want just anyone to find them.
You have two options:
- Change the page’s URL. This is a great way to confuse spammers if you think your form is being targeted. They will have to manually find the page again in order to keep spamming, which may be more work than they’re willing to bother with.
- Hide the page from search engines. If you think people spam your forms because they’re easy to find via search, consider hiding those pages from Google’s crawlers. Google lets you hide pages in Google Search Console. You can also hide pages in your site’s robots.txt file.
Naturally, both of those solutions are serious steps that could impact your overall SEO ranking and site performance. Make sure you understand their implications before you make it harder for people to find those pages.
The Bottom Line
Sadly, spam isn’t going anywhere anytime soon. There will always be people who try to bombard us with unnecessary comments and links. Protect your website and reduce spam form entries with one or several of the methods we listed above.