Range Marketing

How to Keep Bots from Spamming Your Contact Forms

Hardening Your Site Against Automated Traffic

May 31, 2023 | Posted in: Web Design

With the rise of artificial intelligence, spam bots are getting even more difficult to fend off. You may have already noticed that your contact forms are receiving more submissions than they used to. Letting bots through can bog down both your staff and your server. High quantities of fraudulent usage can be prevented by ensuring your site is equipped with a cutting-edge front line of defense.

Step 1: Install Google reCAPTCHA

Google reCAPTCHA Basics

The free reCAPTCHA service is a security measure implemented by Google to protect websites from spam and abuse. It helps differentiate between humans and automated bots attempting to submit forms on websites. reCAPTCHA works by presenting users with various challenges or tests to prove that they are human. The most common form of reCAPTCHA is the “I’m not a robot” checkbox, where users simply need to check the box to confirm their humanness. However, more advanced versions of reCAPTCHA may include additional tasks, such as image recognition or audio challenges, to provide a higher level of security.

When a user interacts with a reCAPTCHA-enabled form, the reCAPTCHA system analyzes various factors, including mouse movements, click patterns, and browsing behavior, to assess the likelihood of the user being a bot or a human. It also takes into account the user’s IP address and browsing history. If the system detects a high probability of the user being a bot, it may present additional challenges to further confirm their authenticity. For instance, the user may be asked to select specific images that match a given description or solve a puzzle.

By implementing reCAPTCHA, website owners can significantly reduce the number of spam form submissions. The system effectively blocks automated bots from submitting forms, as they typically fail to complete the reCAPTCHA challenges accurately. This helps ensure that genuine users can interact with the website while keeping unwanted spam submissions at bay.

Google reCAPTCHA Pros & Cons

Key advantages:

  • Google typically stays one step ahead of the average spammer
  • reCAPTCHA is utilized by millions of websites and adapts to spam trends across that entire network
  • Compatible with almost all website and contact form providers


  • reCAPTCHA pulls in a lot of code which can slow down your site and lower your PageSpeed score
  • Having to complete a captcha may deter a small percentage of users from submitting a form

Step 2: Route Traffic Through Cloudflare

What is Cloudflare?

Cloudflare is a publicly traded company that provides a suite of services aimed at enhancing the performance, security, and reliability of websites and online applications. It operates as a content delivery network (CDN), reverse proxy, and DNS provider, offering a range of features to optimize and protect websites. The basic premise is that you point your domain name to Cloudflare as an intermediary between users and your website host.

Cloudflare acts as a reverse proxy by sitting between the website server and the user’s browser. This positioning allows Cloudflare to filter and inspect incoming traffic, blocking malicious requests, spam, and DDoS attacks. It employs various security measures, including web application firewall (WAF) rules and rate limiting, to safeguard websites from common threats.

Cloudflare also offers DNS services, allowing website owners to manage their domain’s DNS records efficiently. This includes features like DNSSEC, which adds an extra layer of security to the DNS infrastructure. SSL/TLS encryption is also applied to enable secure HTTPS connections, protecting the confidentiality and integrity of data transmitted between visitors and the website server.

Overall, Cloudflare acts as a protective shield and performance booster for websites, helping to ensure their availability, security, and fast loading times. It is widely used by businesses of all sizes, including small websites, large enterprises, and even internet giants, to improve their online presence and user experience. It can be particularly beneficial for small to medium-sized websites that may not have the resources or infrastructure to handle large-scale DDoS attacks or optimize performance on their own. The free plan is typically sufficient.

Google reCAPTCHA Pros & Cons

Key features:

  • Cloudflare provides robust distributed denial-of-service (DDoS) protection using their vast network infrastructure to mitigate attacks
  • Firewall rules can be setup to block malicious traffic
  • Acting as a shield, Cloudflare absorbs the cost of bot traffic and keeps your server from getting bogged down

Potential issues:

  • Part of Cloudflare’s methodology involves caching (saving a copy) of webpages, which can cause issues with websites that include their own caching mechanism
  • Verifying an SSL certificate (like Let’s Encrypt) on your server is slightly more complex when traffic routes through Cloudflare

Step 3: Block Traffic from Other Countries

Should I block traffic from foreign countries?

If your website caters only to a local or regional audience, blocking traffic from foreign countries is a worthy option to consider. You can potentially improve website performance by reducing server load and optimizing resources for the intended users. If you have identified specific regions or countries that are a significant source of malicious traffic, hacking attempts, or spam, blocking traffic from those areas may help mitigate security risks. This approach can reduce the potential attack surface and provide an additional layer of protection for your website.

A block on traffic outside your market can also have legal and compliance benefits. Some industries or organizations have different requirements in foreign countries that mandate restricting access to services or data. This can be related to data privacy, export controls, or other regulatory obligations. In such cases, blocking traffic from specific countries could prevent your website from falling outside the local laws in that region.

Do note that users from your target audience will also be blocked when they travel abroad or use an international VPN. For this reason, it is typically best to setup a “challenge” rather than an outright “block.”

How to Implement Geolocation Controls

Best Option: Cloudflare’s JavaScript Challenge

The built-in firewall in all Cloudflare plans allows webmasters to add custom rules. Visit the “Security” tab and click “WAF” (web application firewall) to view your current ruleset. Apply a new custom rule to all traffic outside your target region: Set the rule to “JS Challenge” those visitors, which means Cloudflare will prompt a JavaScript challenge that functions much like Google’s reCAPTCHA. The majority of bots cannot pass this challenge and will not be able to reach your site, but real human users can easily pass through it.

Strongest Protection: IP Address Blocking

If your website does not have Cloudflare or needs an absolute block on traffic from certain regions, the best method is to block all devices within those regions’ IP address ranges. WordPress sites can set this up by installing a plugin and most others can do so by editing their “htaccess” file on the server. This option will prevent bots and real users from viewing the site, so be careful not to include any regions that host customers, employees, or even software that is connected to your website.

Let's get started.
We Can't Wait to Meet You.

We will take a close look at your business and your current website. One of our experts will contact you with informed analysis and a plan to grow your business. Request a free analysis:

  • By providing a telephone number and submitting the form you are consenting to be contacted by SMS text message. Message & data rates may apply. Reply STOP to opt out of further messaging.
  • This field is for validation purposes and should be left unchanged.
Range Marketing Range Marketing