Why Your Website Is Getting Hammered with Spam Emails

David Orlov

Founder, Orlov Digital · February 11, 2026

When I was building the contact form for this website (the one you're on right now), I had a choice. I could slap on a basic form that takes a name, email, and message and fires it to my inbox. Done in 20 minutes. Or I could build it right.

I built it right. And I'm going to tell you why, because if you run a business with a website, this probably affects you too.

Your Contact Form Is an Open Door

Here's what happens to most business websites: the developer (or the page builder, or the WordPress plugin) creates a contact form that does exactly one thing. It takes whatever someone types in and emails it to you. No verification. No checks. No questions asked.

It's like having a mailbox on the street with no lock. Anyone can stuff anything in there.

Spam bots are automated scripts that crawl the internet all day, every day. They find these forms and blast them. Fake names, garbage messages, phishing links. Some are testing whether your form can be tricked into sending emails on behalf of your server to other people. Some are just throwing junk at every form they find.

It's not personal. They don't care that you're a contractor in Sedalia or a coffee shop in Warrensburg. They just see an unprotected form and hit send. Thousands of times.

What I Built on This Site (And Why)

When I set up the contact form for orlovdigital.com, I knew it would get hit. Every contact form on the internet does. So I built in four layers of protection before the site even went live. Here's what they are and how they work.

Honeypot Field

There's a hidden field on my contact form that you can't see. It's completely invisible because CSS hides it from the page. If you're a real person filling out the form, you'll never know it's there.

But bots don't see the page like you do. They read the raw code and fill in every field they find. If that hidden field has anything in it? Bot. Rejected. The form returns a fake "success" message so the bot thinks it worked, but nothing actually gets sent.

This one trick catches the majority of automated spam without any of my real visitors noticing.

CSRF Token

Every time someone loads my contact page, the server generates a unique, one-time code and embeds it in the form. When you hit send, the server checks: does this code match the one I issued? If yes, it's a real submission from someone who actually visited the page. If a bot is trying to submit the form remotely without ever loading the page, it won't have the code. Rejected.

This also blocks a more dangerous attack where someone could trick your form into sending emails through your server to people you've never heard of.

Rate Limiting

My form allows a maximum of 5 submissions from the same IP address in a 15-minute window. After that, you're blocked until the timer resets.

No real customer is going to submit your contact form five times in a row. But a bot will try hundreds of times in a minute. This stops that cold.

Server-Side Validation

Every single field gets validated on the server, not just in the browser. Is the email formatted correctly? Is the message actually there? Are the required fields filled in? The browser can check this stuff too, but bots bypass browser checks entirely. The server is the last line of defense, and it has to be solid.
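The four layers above combined into one server-side handler, as an added example rather than the code running on orlovdigital.com (the post does not show its implementation). The honeypot field name `website`, the in-memory token set and the per-IP sliding window are assumptions; a real deployment would keep tokens and counters in the session store or a cache.

```python
import hmac, re, secrets, time
from collections import defaultdict, deque

RATE_LIMIT = 5                   # the post's limit: 5 submissions per IP...
RATE_WINDOW_SECONDS = 15 * 60    # ...within a 15-minute window
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
HONEYPOT_FIELD = "website"       # assumed name for the CSS-hidden field

class FormGuard:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.issued_tokens = set()      # one-time tokens embedded in pages we served
        self.hits = defaultdict(deque)  # ip -> timestamps of recent attempts

    def issue_token(self):
        # Called at page render; the token goes into a hidden <input>.
        token = secrets.token_urlsafe(32)
        self.issued_tokens.add(token)
        return token

    def _consume_token(self, token):
        # Constant-time match against issued tokens, then burn it so a replay fails.
        candidate = str(token or "").encode()
        for issued in self.issued_tokens:
            if hmac.compare_digest(issued.encode(), candidate):
                self.issued_tokens.discard(issued)
                return True
        return False

    def _within_rate_limit(self, ip):
        # Sliding window: drop stale timestamps, then count what is left.
        now = self.clock()
        window = self.hits[ip]
        while window and now - window[0] > RATE_WINDOW_SECONDS:
            window.popleft()
        if len(window) >= RATE_LIMIT:
            return False
        window.append(now)  # a later validation failure still counts as an attempt
        return True

    def handle(self, ip, fields):
        # Returns (status, send_email); honeypot hits get a fake "ok" and no email.
        if fields.get(HONEYPOT_FIELD):
            return "ok", False
        if not self._consume_token(fields.get("csrf_token")):
            return "rejected: bad or missing token", False
        if not self._within_rate_limit(ip):
            return "rejected: too many submissions", False
        if not EMAIL_RE.match(fields.get("email", "")) or not fields.get("message", "").strip():
            return "rejected: invalid fields", False
        return "ok", True
```

The checks run in the order the post lists them, so a honeypot hit is answered before the token is even looked at, and the token is burned before the rate limiter sees the request.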

"Can't I Just Add reCAPTCHA?"

You can. And a lot of sites do. But here's what I don't love about it: those "click every picture with a traffic light" puzzles are annoying. I've gotten frustrated with them myself. Some of your customers will give up and leave your page without ever contacting you.

The other thing worth knowing is that reCAPTCHA sends your visitors' data to Google. Every single person who loads your contact page. If you care about that (or your customers do), it's worth thinking about.

The system I built works silently. No puzzles, no checkboxes, no "prove you're human" nonsense. Your visitors just fill out the form and hit send. Everything happens behind the scenes.

The Bigger Problem

I look at a lot of local business websites. It's kind of an occupational hazard. I can't help it. And most of what I see worries me. Contact forms with zero protection are just the beginning.

If the contact form is wide open, what else is? Are the server configuration files accessible? Is there directory browsing enabled so anyone can see your file structure? Are there basic security headers telling browsers how to handle your site safely?

Spam in your inbox is annoying. But an unprotected website is a liability. The spam is really just a symptom telling you the rest of the house might not be in order either.

What You Can Do

If you're drowning in spam from your contact form, the fix isn't a plugin or a band-aid. It's rebuilding the form properly with real protection built in from the start. Protection that works invisibly, doesn't annoy your customers, and actually stops the bots.

That's what I do. If you want me to take a look at your site and tell you honestly where it stands, reach out. No pitch. I'll just tell you what I see.
