5 Ways of Battling Form Spam

5 Ways of Battling Form Spam

Once you’ve created an application sooner or later you are going to get hit with a spam bot. It’s inevitable.

On one of my projects the registration form got hit and I ended up with 17,000+ fake users and it was a pain to clean up. As part of the process, I asked on Twitter how other people are fighting bots and I had a huge response with a lot of great ideas. I wanted to share all the ones mentioned so that if you ever get hit you’ll know how to fight back.

1. Cloudflare

If you are using a service like Cloudflare you can utilize their “page rules” set up to lock the URL with form submissions down.

I do not believe this will work as well as the others, but it’s quick to implement if you are already using the service and it shouldn’t hurt anything.

2. Honeypot

Honeypots are a first-line defense and are pretty easy to setup. The way they work in this context is you add a hidden form input that should never have a value, then when the form is submitted if that hidden field has a value you know it’s probably from a bot.

You can implement this yourself but if packages like spatie/laravel-honeypot exist to make integration a breeze.

Just remember if you are making your own name the input fields something that seems legitimate, that way the bots think it’s a field that should be filled out.

3. Validate Emails

If your form requires an email, like for new user registration then you could verify that the email actually exists and that they click a button in the email to confirm registration. This option is how a lot of newsletters work including our weekly Laravel Newsletter.

You enter your email. The service we use sends you an email. You click confirm. Then you are a subscriber.

This helps ensure they really wanted to signup and are not a bot, or someone signing up an enemy.

Another option that goes along with this is a service like identibyte that will verify an email through their API. This saves the hassle of making your users go through extra steps.

4. Captcha

This is my least favorite option because I really hate captchas. Google has invisible reCaptcha which is probably the best captcha option.

5. Dedicated Spam Services

The two primary spam services are Akismet by WordPress and Stop Forum Spam. Akismet is paid and Stop Forum Spam is free.

I’ve used Akismet extensively on every WordPress site I run, but you can use it with any app including Laravel. You’ll just need to tap into their API or use an existing page like nickurt/laravel-akismet.

Stop Forum Spam is a free service that sounds similar to Akismet and Laravel packages like nickurt/laravel-stopforumspam exist to help with the integration.

***

Out of all these options I’d recommend start with the honeypot, then if that fails, continue to the other options until you’ve stopped the bots from attacking your forms. Just remember what works today, may not work tomorrow. So it’s always going to be a battle.

Filed in: Laravel Tutorials
Laravel News Partners

Laravel Jobs

Senior Full-Time Laravel Developer (REMOTE)
Remote, ANYWHERE
Vue School
Senior Laravel Developer
Remote, USA & Canada Only
Givecloud
Full Stack Laravel Developer (Full-time/Contract)
Remote or Columbus, OH
EduSourced
Backend PHP Developer
Hamburg
ABOUT YOU GmbH
Senior Developer
Remote
Shelterluv

Newsletter

Join 31,000+ others and never miss out on new tips, tutorials, and more.