Is your website unprotected against form spam?



It’s almost unheard of to have a lead generation website without a form. It’s industry best practice to use a form to collect the relevant information you need, eliminate those who are not viable leads and enable a safer form of communication.

Although a form eliminates the need to have an email address publicly available on your site, it does not eliminate spam entirely. The majority of those with a form on their site have experienced spam submissions.Form spam is when unwanted messages are submitted on your website form. This can be done manually, but is most frequently an automated process. This uses a program that autofills and submits your forms, often to spread malicious or low-quality links or sell services. This is why you’re most likely to see links in these forms, or even scripts to attempt to hijack the site.

Avoiding spam completely is an almost impossible task, but there are ways to protect your site from the majority of automated attacks. This type of spam is easier to combat than manual spam, as they’re easily fooled by traps. It’s important to have at least some of these measures in place to prevent wasted time and a potentially unsafe site.

A ‘honeypot’ form field

When trying to identify whether a form is being filled out by a robot, the quickest way is to supply something that only a robot can see. A ‘honeypot’ is a form field that is hidden from view using code; invisible to human eyes, it can only be filled out by a spambot that is simply searching for buttons to press. This way, we can know that anything that has also filled this part of the form out isn’t a legitimate enquiry.


CAPTCHA and reCAPTCHA has been around for a while. Historically they have been a horrible user experience with users endlessly clicking pictures of traffic lights, zebra crossings and vehicles until they are allowed to submit the form. This was because as the tests became more established, the robots designed to get around them got to know how to answer them. Luckily, in late 2018, reCAPTCHA v3 was released. It was the first recaptcha that was largely invisible to the user, without a box to tick or any questions to answer. If you’re using any form of reCAPTCHA, we recommend it is this. Not only is the user experience far better, but the updated functionality will make sure that your website is protected against the majority of known spambots.

Disallow Links

As many spambots are aiming to build links, a quick way to eliminate a large amount of these is to disallow links in your comments and forms. In general, we’d suggest removing comments on any business site. Extend this rule to the forms, and you’re likely to filter out both spam-spreading robots and manual link builders.

If you’re looking for support on your site to help prevent spam with up-to-date security measures, speak to Zinc.

Our experienced support team can help bring security and functionality to your website.

Enquire now

Should Your Brand Launch a Google Ads Remarketing Campaign?

Learn More

Why You Should Make Landing Pages Part Of Your Digital Marketing Strategy

Learn More

The Shift To Instant Response - Is Live Chat Replacing Website Forms?

Learn More

Get great content, tips and news straight to your inbox