The spamming of web forms has grown tremendously over the past several years. Any form on a website will inevitably attract spam. This has little or nothing to do with where your website is hosted.

The problem

The main problem is that even though it is, and has always been, largely illegal, spamming is absolutely effective. When I say it’s effective, I mean that spamming generates revenue for the spammers. For this reason alone it is more than likely to continue.

Form spamming

Form spamming is mostly done by pieces of software commonly referred to as “bots” or “spam bots”. These “bots” search the Internet, domain by domain, looking for code in websites that indicates the existence of a form. They then look for the code that indicates the form’s “input” fields. Then they attempt to fill the form in based on labels and text indicating what kind of input each field needs. These “bots” are insanely efficient and can ultimately figure out what input to place in nearly any form.

Kinds of forms

There are generally two kinds of forms that get spammed: forms we create to gather specific information from a site visitor and comments on pages or posts.

Forms we create on websites

These would be the forms we create to gather information from potential customers, or even from potential employees. The web visitor sees the form or responds to a call to action that might be of interest. The site visitor then enters his or her information. That information is emailed to the email address set in the form handler to receive it.

Page or Post Comments

These are the comments that website visitors are allowed to leave on posts or pages. What’s usually interesting about these is that many people don’t even know that commenting on posts or pages is turned on in their WordPress site. Unfortunately, from a time way before spamming was as rampant as it is today, the default in WordPress is usually set to allow comments. Another fact that website operators don’t usually know is that these comments are stored in the website’s database. That means as the number of comments grows, so does the database size. This can ultimately slow down a website’s operation. Comments can also carry malicious code that bad actors may use to gain further access to the site.

Possible Solutions

Form spam

To help reduce spam from input forms, there is a process called CAPTCHA. While this process reduces much of the spam, it does not reduce all of it. That’s mostly because actual people can still fill out a form by hand with what really is a spam message to the form recipient. To help, CharlesWorks has an article titled Acquiring reCAPTCHA API codes, specifically about how to get reCAPTCHA codes from Google to insert into your form software to reduce spam. We have found this method extremely effective on many sites that were plagued by spammer activity.
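What the reCAPTCHA codes do once they are in place, as an added example (not CharlesWorks' code or any form plugin's own): the form handler sends the token from the submitted form, together with the secret code, to Google's siteverify endpoint and only emails the submission if the reply says it passed. The function names are hypothetical, and `fake_post` is a constructed stand-in for Google's reply so the example runs offline.

```python
import json
import urllib.parse
import urllib.request

VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def post_form(url, fields, timeout=5):
    """POST form-encoded fields and return the decoded JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def verify_recaptcha(token, secret, expected_hostname=None, remote_ip=None,
                     post=post_form):
    """Return (accepted, reason); token is the form's g-recaptcha-response field."""
    if not token:
        # A bot that POSTs straight to the handler never ran the widget.
        return False, "missing-token"
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    try:
        reply = post(VERIFY_URL, fields)
    except (OSError, ValueError):
        # Fail closed: a submission that cannot be verified is not emailed.
        return False, "verification-unavailable"
    if not reply.get("success"):
        return False, ",".join(reply.get("error-codes", [])) or "rejected"
    if expected_hostname and reply.get("hostname") != expected_hostname:
        # The token was solved on a different site and reused here.
        return False, "hostname-mismatch"
    return True, "ok"


def fake_post(url, fields):
    """Constructed stand-in for Google's reply (assumption, for offline runs)."""
    ok = fields["response"] == "good-token"
    return {"success": ok, "hostname": "example.com",
            "error-codes": [] if ok else ["invalid-input-response"]}


if __name__ == "__main__":
    print(verify_recaptcha("good-token", "SECRET", "example.com", post=fake_post))
    print(verify_recaptcha("", "SECRET", post=fake_post))
```

The secret code stays on the server; only the site code belongs in the page that shows the form.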

Another possible solution to help handle form output from your website is to manage it with its own unique disposable email address. This way, the form output can go to a single address that can be managed or viewed by whoever needs to in the organization, and it is not intermingled with other email.

Comment spam

If you want comments, then there is a plugin available called Akismet. It is very good at filtering out most spammers from leaving comments. Keeping your site cleared of spam comments will also allow it to operate more efficiently, as it will help keep the database smaller, which equates to faster. To help, CharlesWorks has an article titled Adding Akismet comment spam protection, specifically about how to get and hook up Akismet on your WordPress website.

If you never intended for comments to be used or turned on in your WordPress site, CharlesWorks has an article titled How to Turn Off Post or Page Comments, specifically about how to get rid of all the current spam comments and disallow future comments from being left.