5 Ways of Battling Form Spam


December 9th, 2019

5 Ways of Battling Form Spam

Once you’ve created an application sooner or later you are going to get hit with a spam bot. It’s inevitable.

On one of my projects the registration form got hit and I ended up with 17,000+ fake users and it was a pain to clean up. As part of the process, I asked on Twitter how other people are fighting bots and preventing form spam without captcha, and I had a huge response with a lot of great ideas. I wanted to share all the ones mentioned so that if you ever get hit you’ll know how to fight back.

  1. Cloudflare

If you are using a service like Cloudflare you can utilize their “page rules” set up to lock the URL with form submissions down.

I do not believe this will work as well as the others, but it’s quick to implement if you are already using the service and it shouldn’t hurt anything.

  1. Honeypot

Honeypots are a first-line defense and are pretty easy to setup. The way they work in this context is you add a hidden form input that should never have a value, then when the form is submitted if that hidden field has a value you know it’s probably from a bot.

You can implement this yourself but if packages like honey pot exist to make integration a breeze.

Just remember if you are making your own name the input fields something that seems legitimate, that way the bots think it’s a field that should be filled out.

  1. Validate Emails

If your form requires an email, like for new user registration then you could verify that the email actually exists and that they click a button in the email to confirm registration. This option is how a lot of newsletters work including our weekly Laravel Newsletter.

You enter your email. The service we use sends you an email. You click confirm. Then you are a subscriber.

This helps ensure they really wanted to signup and are not a bot, or someone signing up an enemy.

Another option that goes along with this is a service like identibyte that will verify an email through their API. This saves the hassle of making your users go through extra steps.

  1. Captcha

This is my least favorite option because I really hate captchas. Google has invisible reCaptcha which is probably the best captcha option.

  1. Dedicated Spam Services

The two primary spam services are Akismet by WordPress and Stop Forum Spam. Akismet is paid and Stop Forum Spam is free.

I’ve used Akismet extensively on every WordPress site I run, but you can use it with any app including Laravel. You’ll just need to tap into their API or use an existing page like nickurt/laravel-akismet.

Stop Forum Spam is a free service that sounds similar to Akismet and Laravel packages like nickurt/laravel-stopforumspam exist to help with the integration.

  1. Stopping Spam with Captcha

The last line of defense is usually captcha and Recaptcha and with some of the services now you no longer have to treat your users like robots. We have compiled a list of some of the ones available in a reCAPTCHA Packages tutorial.


Out of all these options I’d recommend starting with the honeypot, then if that fails, continue to the other options until you’ve stopped the bots from attacking your forms. Just remember what works today, may not work tomorrow. So it’s always going to be a battle.

Filed in:

Eric L. Barnes

Eric is the creator of Laravel News and has been covering Laravel since 2012.