Almost every WordPress site operator is familiar with this problem: strange spam messages regularly end up in their email inbox via the contact form. Aside from the fact that this is naturally annoying, it also raises the question of whether the WordPress site is secure.
In the following article, we will show you how to protect your contact form from spam messages. And we can say one thing right up front: spam messages via the contact form are not usually an indication of the security of the site.
Do you need help?
Spam messages via contact forms are annoying and time-consuming. At this:matters, we are happy to help you protect your WordPress website from them. As a Cloudflare partner, we know the tricks that keep spam messages and spam traffic away from your WordPress hosting.
Update from February 7, 2024:
Since the beginning of November 2023, we have noticed a massive increase in spam messages sent via contact forms and newsletter forms. The senders of these messages are becoming increasingly sophisticated, which is why more stringent measures should be taken.
Automatic contact form messages – the basics
To understand how you can block automatic contact form messages, it is important to learn the basics of how the whole thing works in the background.
As you can imagine, the contact forms are not filled out by hand. As with spam comments, there are programs that do the work for you.
These programs or bots search the internet for certain keywords or link lists in order to find pages such as "Contact." It is often helpful to search within the pages for HTML references such as "gform_fields_1" for the Gravity Forms plugin, which is frequently used.

Once this page with the contact form has been found, the bot starts entering data of any kind. Often, this is data from people who want to sell something (SEO services or illegal goods) or fake data intended simply to cause disruption.
The good news is that these bots always proceed in roughly the same way and, fortunately, are not yet equipped with artificial intelligence.
With this in mind, the following tips for stopping contact form spam work perfectly.
Stop spam messages with a web application firewall (WAF)
The option we recommend first, but which is more complex, is to use Cloudflare and its Web Application Firewall (WAF). Cloudflare is a service that acts as a proxy between the visitor and your server, preventing bots and spam from reaching your server in the first place, depending on your settings.
Cloudflare is known for its ability to reliably filter out bots as well as DDoS attacks.
The Free Plan certainly helps with many great features, but we recommend the Pro subscription for $20 per month, which comes with an improved web application firewall. If you're struggling with a lot of bot traffic and spam, you should check out our Managed Cloudflare Enterprise Plan.
We are happy to help you set up your Cloudflare accounts and the Web Application Firewall for effective spam protection.
Captcha – but only Cloudflare Turnstile
Another reliable method for preventing spam messages via contact forms is to use a captcha.
A captcha shows the user an image with numbers and letters, which they must then enter correctly. If the visitor fails, a new captcha appears. A slightly newer technology involves selecting the correct images, such as traffic lights or mountains.

The problem with captchas is that humans have to solve them too, and they require additional resources to load. This can reduce the speed and user-friendliness of your WordPress website.
Cloudflare solved this problem in 2022 with "Turnstile." Turnstile is a captcha that solves itself in 90% of cases when a human visits the website. The project has been available to everyone since 2023, offering simple protection for forms.

If you don't want to set up Cloudflare in full, you can add this protection using the Simple Cloudflare Turnstile WordPress plugin.
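Rendering the Turnstile widget alone blocks nothing: the token it produces has to be checked server-side against Cloudflare's siteverify endpoint before the mail is sent. The following is an added example in PHP for a WordPress site, not code from the article or from the Simple Cloudflare Turnstile plugin; the option name my_turnstile_secret and the function names are assumptions.

```php
<?php
// Added example, not code from the article or from the Simple Cloudflare
// Turnstile plugin. Assumptions: the secret key is stored in the WordPress
// option 'my_turnstile_secret'; the function names are ours.
// The Turnstile widget posts its token in the field 'cf-turnstile-response'.

function my_verify_turnstile(string $token, string $remote_ip = ''): bool {
    // No token means the widget never ran, or a bot stripped the field.
    if ($token === '') {
        return false;
    }
    $response = wp_remote_post('https://challenges.cloudflare.com/turnstile/v0/siteverify', [
        'timeout' => 5,
        'body'    => [
            'secret'   => (string) get_option('my_turnstile_secret'),
            'response' => $token,
            'remoteip' => $remote_ip,
        ],
    ]);
    // Fail closed: a network error or non-200 reply must not let the message through.
    if (is_wp_error($response) || wp_remote_retrieve_response_code($response) !== 200) {
        return false;
    }
    $data = json_decode(wp_remote_retrieve_body($response), true);
    if (!is_array($data) || empty($data['success'])) {
        return false;
    }
    // Accept only tokens issued for this site's hostname, not for some other domain.
    $expected_host = wp_parse_url(home_url(), PHP_URL_HOST);
    return isset($data['hostname']) && $data['hostname'] === $expected_host;
}

// Usage in a form handler: reject before any mail is sent or data is stored.
function my_handle_contact_post(): void {
    $token = isset($_POST['cf-turnstile-response']) ? (string) $_POST['cf-turnstile-response'] : '';
    if (!my_verify_turnstile($token, $_SERVER['REMOTE_ADDR'] ?? '')) {
        // wp_die() stops execution here with a 403
        wp_die('Verification failed. Please reload the page and try again.', '', ['response' => 403]);
    }
    // ... normal processing of the submission follows ...
}
```

A Turnstile token is valid for a single siteverify call, so verify it once, at the point where the submission is accepted.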
Activate honeypot if possible
The honeypot is a popular option in many good contact form plugins to prevent spam messages. The function is relatively easy to explain.
The plugin creates an additional form field that we humans cannot see with the naked eye. However, bots read the source code of a page and can therefore see the additional field. Once the field has been filled in, the plugin immediately knows that this must be a bot and sends the request straight to the spam folder.
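A minimal honeypot for a hand-written PHP contact form, added here as an example and not code from the article or from any of the plugins it mentions; the field name website_url, the inline CSS and the function names are assumptions.

```php
<?php
// Added example, not the article's code or any plugin's: a honeypot for a
// hand-written PHP contact form. The field name 'website_url' and the inline
// CSS are assumptions; any name a bot would consider worth filling works.

function render_contact_form(): string {
    // The trap is a normal text input hidden by CSS, not type="hidden": bots tend to
    // skip hidden inputs but fill every text field they find in the source.
    return <<<'HTML'
<form method="post" action="">
  <label>Name <input type="text" name="name"></label>
  <label>Message <textarea name="message"></textarea></label>
  <div style="position:absolute;left:-10000px;top:auto;overflow:hidden;" aria-hidden="true">
    <label>Website <input type="text" name="website_url" tabindex="-1" autocomplete="off"></label>
  </div>
  <button type="submit">Send</button>
</form>
HTML;
}

// A human never sees the field, so anything in it (or its absence) marks a bot.
function honeypot_triggered(array $post, string $field = 'website_url'): bool {
    if (!array_key_exists($field, $post)) {
        return true;   // posted without rendering the form at all
    }
    return trim((string) $post[$field]) !== '';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (honeypot_triggered($_POST)) {
        // Answer exactly like a success so the bot cannot tell it was caught;
        // keep a log line so you can check the hit rate.
        error_log('contact form honeypot hit from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        echo 'Thank you for your message.';
        exit;
    }
    // ... real handling: sanitise, send the mail, show confirmation ...
}
echo render_contact_form();
```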
Plugins we can recommend for this purpose are:
Reducing spam with a math problem
Another method of blocking spam messages is to insert a simple math problem. The advantage here is that the problem is easy to read and answer, unlike a captcha.
Create an additional selection field using a good contact form plugin. Enter your math problem there and offer 2–3 possible answers, only one of which is correct, of course. Thanks to "conditional logic," which your plugin should be able to handle, the "Send" button will only appear once the correct solution has been selected.
Summary
Contact forms are a must-have on every website today. Although you can also provide an email address, this will ultimately result in even more spam.
Thanks to our tips above, you can easily prevent spam messages via your contact form without much effort.
If you continue to have problems despite our tips, you can contact us at any time and we will take a closer look at your WordPress website.