Typically, this event is unexpected and sometimes unavoidable, and one that often causes at least a little mayhem as you scramble to clear your emails from junk submissions and solve the issue. To combat this, we’ve pulled together a list of our eight top tips to help you reduce the chances of your WordPress website falling victim to spam.
#1 Use a form builder plugin
If you’re using WordPress, we recommend opting for a form builder plugin such as Ninja Forms or Gravity Forms instead of building PHP forms. Form builder plugins are generally more secure, stay up to date with the latest industry standards, and allow for additional security measures such as basic Honeypot spam protection as well as some of the different methods we’ve explored below. They also make the setup process a lot easier, and they’ll keep form submissions logged in the WordPress admin area – much better than relying on email notifications.
#2 Use honeypots, CAPTCHA, reCAPTCHA or a human question
In most cases, spam is automated, meaning that instead of actual humans trying to target your site, software and bots are used to bulk-attack websites. Therefore, one of the simplest ways to stop this is by using some kind of check that only a human can do. Below are several examples that you can add to your site to help prevent spam:
- Honeypot – This is one of the most basic protections and usually involves an invisible form element that a human wouldn’t see but a bot crawling the code would. If the component is interacted with, only a bot would have done it, proving it’s spam.
- CAPTCHA – This is where a graphic showing distorted letters, numbers or other characters is displayed, and the user has to type what they can see.
- reCAPTCHA – Similar to the above, this is Google’s version and has advanced over the years. reCAPTCHA will display a checkbox or grid of images, asking users to select those that show a particular item, i.e. traffic lights. More recent versions are completely invisible, but all are designed to use automated systems to detect humans versus bots.
- A question only a human could answer – Malicious software is designed to push information into a form, without thinking. Adding a question such as ‘What’s 3 + 2?’ is another method that can differentiate between a human and a bot.
It’s worth highlighting that malicious software and bots are becoming more sophisticated and aim to bypass these methods. While they may provide decent protection, they may not stop all spam.
#3 Choose a hosting partner that values security
Cheap hosting will not necessarily make you more prone to spam, but it will not improve the situation. We recommend using a reputable hosting provider suitable for your requirements. You can learn more about the different types of hosting here. We use WP Engine to host many of our client’s websites. They have built-in security measures to help protect against spam and hacking.
#4 Deactivate auto-fill
You may have noticed that most websites will allow you to use Autofill, which pulls saved data such as email, mobile, name, address, etc. from your stored information when you go to complete a form. You can deactivate this for your website to help prevent spam.
#5 Block copy and paste
By blocking copy and paste functionality on your website, you’ll prevent spammers from copying and pasting their details straight into your form. Although this does create a negative user experience for actual users so should only be done as a last resort.
#6 Block traffic by IP address or country
If you notice suspicious behaviour from a particular IP address or a country that you don’t directly deal with, you can block traffic from them to prevent spam. You might also consider this if you notice a high traffic volume from a particular place/ address over a short period or increased form submissions.
#7 Use a security plugin or service
If you have a WordPress website, there are a wide range of security plugins that can help prevent spam and other malicious activity, and we’d recommend using them even if you’re not getting spammed.
Two that we’d recommend are Sucuri, who also offer a paid monitoring, clean up and firewall service, and WordFence, which have several advanced features to help prevent traffic from suspicious sources coming to your website. They carry a blacklist of known spammers and can block them from visiting your website. They’ll also be able to identify abnormal activity from a specific IP address (as mentioned above) and block this without your involvement. These plugins have free and paid versions, including AI (Artificial Intelligence) and ML (Machine Learning) technology to help predict and prevent spam.
#8 Keep your site updated
The final step you can take to improve your site’s security and reduce the risk of spam is to keep any themes, plugins and the WordPress core up to date. This means carrying out regular updates either internally or via your web agency or hosting provider.
We hope you found this blog useful. If you’d like to stay up to date with our marketing hints and tricks, please register for our newsletter below.