Getting Spam Through Your Contact Form
Your contact form works, but you are flooded with junk, fake, or bot messages.
Common signs of this issue
- You get many messages with gibberish, random links, or off-topic sales pitches.
- Messages arrive at all hours, often several within seconds.
- The same message repeats with slightly different names or email addresses.
- Form messages include links to unrelated websites or foreign-language ads.
Safe checks you can do yourself
None of these require sharing passwords with anyone.
- Check whether your form has any spam protection turned on at all (a CAPTCHA, honeypot, or challenge). Many bare forms have none.
- Add a simple honeypot field — a hidden box real people never fill in but bots do. Most form builders offer this in settings.
- Turn on a modern, low-friction challenge like Cloudflare Turnstile or reCAPTCHA v3, which usually does not annoy real visitors.
- Make sure your form requires a valid email and a message of reasonable length — many bots fail basic checks.
- If spam still gets through, note the time and pattern (same text, same links). That helps a helper add a targeted block.
What this usually means
Form spam almost always comes from automated bots that crawl the web submitting every form they find. It is rarely a personal attack, and it does not mean your site is hacked.
The goal is to add just enough friction that bots fail while real customers sail through. A hidden honeypot plus an invisible challenge stops the large majority without a visible puzzle.
What not to do
- Don't remove your contact form entirely — you will lose real leads along with the spam.
- Don't reply to or click links in spam messages.
- Don't switch on a hard, visible CAPTCHA on every field if a lighter option works — it can cost you genuine inquiries.
When to get help
If spam is burying real customer messages on a business site, it is worth having someone configure proper, low-friction protection quickly so you stop missing leads. This can be done without sharing your passwords up front.
Not sure what to do next?
Answer a few short questions and we'll point you to the safest next step — DIY, a freelancer, or a direct review. No passwords required.
Is this a business website? If this issue may be costing you leads, sales, or trust, you may want a direct review instead of trial and error.
Frequently asked questions
Does form spam mean my site was hacked?
Usually not. It is almost always automated bots submitting public forms. It is annoying, but not the same as a compromise.
Will a CAPTCHA stop all spam?
It stops most of it. A hidden honeypot plus an invisible challenge is the best balance — strong protection without frustrating real visitors.