Whenever you add forms to your websites like contact forms or registration forms, spammers won’t be far behind. As spam submissions grow, so does the time it takes you to sift through the junk that’s being sent to you through your website.
As web hosts, this topic is not unusual to us – we help site owners cut down on spam submissions all the time. Bad submissions don’t generally go down to zero, but by blocking known spammers and certain types of bots, these nuisance submissions can be greatly reduced.
It’s important to understand that while some spam submissions are manual, most are automated. Since most people simply delete spam, these efforts have a very low conversion rate for the spammers so it’s not cost-effective for spammers to engage in manual submissions.
It’s equally important to understand the goals of these submissions. Some form submissions are from scammers and hackers that want you to click a link or reach out so that they can engage in nefarious activities. Others think that this is a good way to connect with you to engage in legitimate business. In all cases, there’s money on the line, so spammers are motivated to get past your defenses.
The healthiest plan is therefore to keep your security practices up-to-date to protect against known spammers, frequently submitted spam content, and the automated submission tools that spammers utilize. This typically includes working with your web host and web developers to react to new spam sources as they appear.
With all of that in mind, here are some tried and tested techniques that can help decrease spam submissions through your web forms:
1) Web Application Firewalling (WAF)
A good WAF is more affordable (and much more necessary) than the average website owner realizes. When properly configured and managed, it can block many types of threats, including IP addresses that are known to be used for malicious activities.
2) Bot Mitigation
While this is sometimes provided by advanced WAF solutions, there are standalone bot mitigation tools too. These solutions are typically built for enterprise use cases, but the number of providers continues to grow. They can help stop everything from ad fraud and content scraping to carding and scalping attacks. Examples include PerimeterX and DataDome, but there are many more companies like Cloudflare that offer competing solutions as part of a more robust WAF solution. When in doubt, ask your web host for advice on what will work best as part of your web hosting security stack.
3) Blocking IPs and Regions
Chances are that a good percentage of attacks on your site are not being launched from domestic web servers. That means that in some cases, you can greatly reduce the volume of attacks on your site by simply blocking traffic from regions of the world that you don’t service. For instance, if you don’t do business with clients in China or Russia, simply having your host configure your firewalls to block traffic from those locations can greatly diminish attacks on your site.
4) Captcha / Ask a Question
This is a common solution, but not one of the best. When someone is trying to fill out a form on your website, the last thing they want to do is prove to a server that they are indeed not a robot. Whether it’s asking users to select images, answer a question, or even solve a simple math problem, asking your site visitors to spend their own time solving your spam problem is inconvenient, and may lead to lower conversion rates.
5) Honeypots / Invisible Captcha
Rather than asking real users to prove that they are human, a better solution is to add form fields to your site’s markup that are hidden from visitors on the frontend. A real user never sees such a field and leaves it empty; if it is filled out during a form submission, that submission was made by a bot and can be discarded automatically.
6) Require Users to Log In
There are some use cases where you can require a user to be logged in to get access to a form. This makes sense, for instance, if you have an eCommerce website and you want to force users to log in in order to leave a product review. You may still need to worry about your registration page being spammed though, so while this approach can be helpful, it’s not a one-size-fits-all solution.
7) Platform-specific Solutions
There are also many settings and add-ons you can consider that are specific to eCommerce platforms like Magento and to WordPress form plugins like Contact Form 7, WPForms, Ninja Forms, Formidable, and Gravity Forms, such as:
- Blocking users from adding links in form submissions
- Setting a minimum amount of time for form submissions (e.g. 3 seconds)
- Using shared global blacklists to block spam submissions
- Blocking specific keywords from being submitted or setting forms to disallow frequently submitted spam content
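The honeypot from section 5 and the minimum-time, link and keyword checks from the list above can all be enforced in one server-side handler. The following Python example is added here for illustration and is not code from any of the plugins or platforms named on this page; the field names, the server secret, the blocked words and the 3-second threshold are constructed assumptions. The timestamp is signed with an HMAC so a bot cannot simply send an old value to satisfy the timing check.

```python
import hashlib
import hmac
import re
import time

SECRET = b"replace-with-a-per-site-secret"   # assumption: stored server-side only
HONEYPOT_FIELD = "website_url"                # plausible name so bots auto-fill it
MIN_SECONDS = 3                               # the page's example threshold
BLOCKED_WORDS = ("casino", "crypto signals")  # constructed sample keyword list

def issue_token(now=None):
    """Signed render timestamp; the browser echoes it back unchanged."""
    ts = str(int(time.time() if now is None else now))
    sig = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{sig}"

def render_form(now=None):
    """Contact form with a CSS-hidden honeypot and the signed timestamp.
    The honeypot is hidden with CSS and aria-hidden (not type="hidden"),
    so browsers still render an input that naive bots will fill in."""
    return f"""<form method="post" action="/contact">
  <input name="name"><input name="email"><textarea name="message"></textarea>
  <div style="position:absolute;left:-9999px" aria-hidden="true">
    <input name="{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">
  </div>
  <input type="hidden" name="form_token" value="{issue_token(now)}">
  <button>Send</button></form>"""

def check_submission(fields, now=None):
    """Return the list of reasons to discard a submission; empty means accept."""
    now = time.time() if now is None else now
    reasons = []
    if fields.get(HONEYPOT_FIELD, "").strip():
        reasons.append("honeypot field filled")
    ts, _, sig = fields.get("form_token", "").partition(".")
    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not (ts.isdigit() and hmac.compare_digest(sig.encode(), expected.encode())):
        reasons.append("missing or forged form token")
    elif now - int(ts) < MIN_SECONDS:
        reasons.append(f"submitted in under {MIN_SECONDS} seconds")
    message = fields.get("message", "")
    if re.search(r"https?://|www\.", message, re.IGNORECASE):
        reasons.append("message contains a link")
    lowered = message.lower()
    for word in BLOCKED_WORDS:
        if word in lowered:
            reasons.append(f"blocked keyword: {word}")
    return reasons
```

Log the returned reasons rather than only discarding, so you can see which check is doing the work and tune the keyword list and threshold over time.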
With so many possible approaches to take, it’s recommended to have your web developers and web host work closely together in order to make sure that complementary solutions are being deployed. For example, if your WAF includes certain bot protections, you may not need to install a separate add-on in your website to address the same thing. In practical terms, if your WAF can block bots that submit a form in less than 3 seconds, you don’t need a plugin to do the same thing.