Home » Blog » Preventing form spam on sites

Preventing form spam on sites

Spam! You probably hate this word. You’ve created an application, ultimately you will get hit with a spam mail bot. There is no perfect solution that will allow you to prevent form spam on sites. I want to share a few good workable solutions to fight back.


Honeypots are very easy to set up. It is a field added to the form that the users can’t see, with CSS or JavaScript. The best thing about honeypot is that it doesn’t inconvenience users. Make sure to name the input fields something that seems legitimate, that way the bots think it’s a field that should be filled out. If the hidden form input that should never have value, has a value then it’s probably from a bot, you can confidently reject the form as spam.


CAPTCHA blocks spam bots from gaining access to your web forms, at the same time humans can get through it. You should avoid using it as it inconveniences users. Google has invisible reCaptcha which might be the satisfactory captcha option.

Validate Emails

If your form requires an email then you could verify that the email actually exists and that they click a button or link in the email to confirm registration.

Another option is – identibyte that will verify an email through their API. This saves the hassle of making your users go through extra steps.

Moderate Comments

Moderate comments for links and inappropriate words.


If you are a consumer of services like Cloudflare you could make use of their “page rules”. If you are already using their service, you can try this feature to quickly set up the rule.

Spam Services

Use spam services like Akismet by WordPress and Stop Forum Spam. For Laravel, you can use nickurt/laravel-akismet and nickurt/laravel-stopforumspam.

Limit the Login Attempts

You can reduce the spam and increase security by setting the number of failed login attempts then blocking the user’s IP address, this way you can stop automated bot scripts and protect your website.

Ask Test Questions

Challenge the user by putting a simple question that would be easy to answer for a human, and will cause problems for the bot. It is usually a simple math problem or a well-known question like “What is the color of the sky?”.

Embed Session Tokens

Another way to prevent spam attacks is by setting the session tokens. If the session cookie wasn’t set on the form, probably it is not a human being because most of the spambots attack the forms directly and this measure will help to get rid of them.

Out of all these options, I’d recommend starting with the honeypot, then if that fails, continue to the other options until you’ve successfully stopped the bots from attacking your web forms.