Reducing Spam in Website Forms
Summary: Spam comes in many different forms: phone calls, direct mail, email inbox, and website forms. It is inevitable. But there are actions and much better tools these days to reduce spam in website forms.
Here are some ways to reduce spam in website forms:
- Make your forms more complex
- Prevent the use of URLs inside text boxes
- Prevent the use of certain words inside text boxes
- Use minimum and maximum text length for text boxes
- Blacklist email addresses and IP addresses
Reduce Spam by Making Your Form(s) More Complex
Bots or human spammers target forms that are easy to complete. Fewer roadblocks allow them to breeze through questions. In some cases, they’re not real humans. Spammers can create scripts and bots to target easy forms. Some companies choose only to capture:
- First name
- Last name
- Phone number
- Email address
- A brief message (if that)
- And perhaps address
From there, you ask your salespeople to reach out and begin the conversation. The number of cold leads is likely higher with fewer questions, but what if the conversation begins on your website? This way, when your salespeople reach out, there’s substance as the grounds for a conversation.
Why make a form more complicated?
We’re not necessarily making it more complicated. But we want to ask more questions up-front to qualify the lead better. This inherently reduces spam because the form takes more time to complete.
It benefits you because it provides more information up-front from a warmer lead. In-person, you likely ask most potential customers the same – or similar – questions. It would help if you were putting those recurring questions into your contact form, allowing the prospect to answer those questions ahead of time.
The goal is to arm you (or your salesperson, estimator, or whoever is receiving the lead forms) with warmer information so they can better quote a project/sale. More detail may give you a better idea of where the conversation or price is going. This way, the first time you call the customer back, you have a good understanding of the price you’ll give them, and perhaps can drive the conversation based on inferences drawn from their contact form details. It makes you look more prepared and efficient.
The point is to collect warmer data from customers. If they are honestly trying to be your customer and genuinely interested in doing business, they’ll gladly offer you more detail in a contact form.
Reduce spam in website forms by simply including one question that requires an actionable touch, like a multiple choice question. Or tailor the form more to fit your sales or quoting needs.

Controlling the Content in Text Boxes to Reduce Spam
This is an important section, though. A text box field allows users to freely write what’s on their minds. This is an easy target for spammers who copy and paste scripts, URLs, contact information, and more.
By watching my clients’ contact forms for many years, I’ve been able to identify habits or trends in how spammers use text boxes, greatly improving contact form security and spam reduction. Using code, you can alter text boxes to reject messages that include URLs and email addresses.
- Both “www” and “.com” are good examples of text to reject.


Secure Contact Forms Using reCAPTCHA
Google’s reCAPTCHA is probably the best-known CAPTCHA service out there. We’ve all had to click “I’m not a robot” at some point in our lives. We constantly hear people complaining about having to answer a simple question or select grids on a picture.
When you’re on the other side, as a business owner, you become more empathetic to those spam prevention tools and more clearly understand their value.
Clicking one “I’m not a robot” radio button adds minimal friction to completing a form. It’s one of the first strategies I use to protect contact forms.

Allow/Deny Lists for Email Addresses and IP Addresses
You may see repeat offenses, like certain email addresses, domains, or IP addresses. This setting is powerful. I can create partial matches in any format. Here are a few examples:
- spammer@example.com – the exact specified email address will be blocked
- spammer* – this blocks all email addresses starting with ‘spammer’
- *@example.com – blocks all email addresses at the example.com domain
- s*@example.com – this blocks all email addresses starting with the letter ‘s’ at the example.com domain
- spammer@example.com,spammer2@example.com,spammer@*.co.uk – blocks the first 2 email addresses, and creates a partial match with the 3rd.
If the spam is more severe (unlikely), I can go even deeper to look for trends, and block, IP addresses.
Not All Contact Form Tools Are Created Equal
For full-service clients, I use WPForms for our contact form tools. It’s one of the most well-known, top-rated, and evolved contact form building tools. I use it for everything from simple question forms to multi-page job applications.
Behind the scenes, WPForms adds a secret token that’s unique to each submission. Spambots can’t detect the token. And without it, they get stuck and can’t submit the form. Real users don’t even notice it’s there, with zero inconveniences. You can read more from their guide on Stopping Contact Form Spam on WordPress.
Let Your Contact Forms Work For You
The conversation doesn’t need to begin with an actual salesperson. Trust your website to get the necessary information and begin the conversation. This helps your prospects know that you’re aware and that your website is an extension of your company.
You can’t expect a salesperson to be available 24/7, after work hours, in the middle of the night, and on weekends. This means your forms should be working for your business as the ultimate website voicemail answering service. Your forms can arm your salespeople with real, usable information to better prepare themselves for the phone call. This way, when your salespeople call the lead back for the first time, they sound more intelligent and prepared.
All the while reducing spam or bot submissions due to the more complex nature of the forms. Two birds, one stone.