At times, malicious users will take advantage of contact forms on websites to see if they can exploit them to send out spam email. Sometimes this can be just a minor annoyance where you receive hundreds of emails they’ve attempted to send, other times they may be able to successfully exploit your contact form.

This can also affect any other form on your website, especially where you’re asking for an email address. Spammers may use the the wrong return email address so that the data they fill out is sent to an email address off their email list.

The main reason that these forms are exploited is that they have no validation that a human has completed a form. There are two ways to prevent this:


The first is via CAPTCHA, which stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”. This generally involves a part of the form submission which requires obscured text with a possible audio representation of the text  to be successfully validated. This makes it difficult (albeit not impossible) for automated scripts to exploit the form. While it does provide a minor annoyance for users, this is common that most are used to completing it.

One of the most popular implementations is via reCAPTCHA. The system (now owned and run by Google) uses real text from photos and scanned books which automated scripts have found difficult to automatically read. Plugins for reCAPTCHA are available for all major CMS systems such has WordPress, Joomla and Drupal.

This is an example of what the reCAPTCHA validation looks like: 
contact form spam - recaptcha

The second generation (v2) of ReCAPTCHA provides the ability for this form to be a single click option which is just as effective as the manual matches and generally displayed to the user like this:

preventing contact form spam

The button itself can also be completely hidden, without requiring the user to click on the form. It does this by measuring the interaction between the user and the browser to determine real user activity.

The latest version (v3) features further detection options and has the most comprehensive methods of detecting real users from spam bots.


Conetix recommends this as the most effective measure to prevent contact form spam.

CSRF Prevention

Cross Site Request Forgery (CSRF) involves the exploiting of sites using unauthorised calls or scripted form completion. It can affect more than just forms, anything which calls data from a remote site can also be potentially exploited.

To prevent this, many systems set a CSRF Token to validate that the form sent from the browser matches a unique token on the webserver. Because the token is unique and only valid once, it means that automated scripts can’t be used to continually call and inject data into a form. Many of the plugins for CMS’s like WordPress, Joomla and Drupal all have an option to prevent CSRF attacks.


With either or both of these options enabled, the only way spam email can be sent via your contact form is manually by a human. As this is a time consuming process, it means that it’s not effective for spammers to do so.

Conetix highly recommends that you have some form of script prevention on your site. We can also install this on your behalf for all Managed WordPress customers.

Was this article helpful?

Related Articles