7 Powerful Ways to Block Spam and Secure Your PHP Contact Forms

7 Powerful Ways to Block Spam and Secure Your PHP Contact Forms

In today’s digital world, contact forms are essential for user interaction on websites. However, they often become targets for spam and malicious attacks. To keep your PHP-based contact forms secure, it’s crucial to implement measures against spam and Cross-Site Request Forgery (CSRF) attacks. This guide will walk you through simple yet effective techniques to protect your forms.

1. Implement reCAPTCHA

To implement reCAPTCHA v3 for your contact form, follow these steps:

  • Register on Google reCAPTCHA: Visit Google reCAPTCHA to register your site. Select “Google reCAPTCHA v3” and add your domain (e.g., example.com and localhost). You’ll get a SITE KEY and a SECRET KEY.
  • Include the reCAPTCHA Script: Add the following script in the head tag or body tag where your form is available. Replace YOUR_RECAPTCHA_SITE_KEY with your actual SITE KEY.
    
        
        
    
  • Add Hidden Input in the Form: Before the submit button, include this hidden input field to store the reCAPTCHA token.
    
        
    
  • Validate reCAPTCHA on the Server: In your form processing PHP script, use the following code to validate the reCAPTCHA response. Replace YOUR_SECRET_KEY with your SECRET KEY.
    
        
        if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['recaptcha_response'])) {
            $recaptcha_url = 'https://www.google.com/recaptcha/api/siteverify';
            $recaptcha_secret = 'YOUR_SECRET_KEY';
            $recaptcha_response = $_POST['recaptcha_response'];

            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $recaptcha_url);
            curl_setopt($ch, CURLOPT_POST, 1);
            curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
                'secret' => $recaptcha_secret,
                'response' => $recaptcha_response
            ]));
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

            $recaptcha = curl_exec($ch);
            curl_close($ch);
            $recaptcha = json_decode($recaptcha);

            if (!isset($recaptcha) || !$recaptcha->success || !isset($recaptcha->score)) {
                exit('Recaptcha verification failed');
            }

            if ($recaptcha->score < 0.5) {
                exit('Recaptcha score too low');
            }
        }
        
    

Continue with your other form processing logic such as sending emails or saving data to a database.

2. Honeypot Technique

The honeypot technique involves adding hidden fields to your forms that humans won’t see or fill, but bots will. If the hidden field is filled, it’s likely a bot submission.

    
        
// PHP (submit.php) if (!empty($_POST['website'])) { die("Spam detected!"); }

3. Limit Form Submissions

Limiting the frequency of form submissions from the same user or IP address helps prevent spam attacks. This can be achieved using session variables to track submission times.

    
        
        session_start();
        if (isset($_SESSION['last_submission']) && (time() - $_SESSION['last_submission'] < 60)) {
            die("Please wait before submitting again.");
        }
        $_SESSION['last_submission'] = time();
        
    

4. Email Validation

Validating email addresses ensures that only correctly formatted emails are accepted. This simple check can help reduce the number of invalid submissions

    
        
        $email = $_POST['email'];
        if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
            die("Invalid email format.");
        }
        
    

5. Block IPs

Blocking specific IP addresses that are known to be sources of spam can help reduce unwanted submissions. You can maintain a list of such IPs and prevent them from accessing your forms.

    
        
        $blocked_ips = ['192.168.1.1', '10.0.0.1'];
        if (in_array($_SERVER['REMOTE_ADDR'], $blocked_ips)) {
            die("Your IP is blocked.");
        }
        
    

6. CSRF Protection

CSRF tokens protect your forms from unauthorized submissions by ensuring that each form submission is intentional and from a valid user. This is done by generating a token when the form is loaded and verifying it upon submission.

    
        
        // Generating Token (form.php)
        session_start();
        $csrf_token = bin2hex(random_bytes(32));
        $_SESSION['csrf_token'] = $csrf_token;
        
        
    
        
        // Verifying Token (submit.php)
        session_start();
        if ($_POST['csrf_token'] !== $_SESSION['csrf_token']) {
            die("CSRF token validation failed.");
        }
        unset($_SESSION['csrf_token']);  // Regenerate for next request
        
    

7. Setup Allow Origin in Thank You Page

When redirecting users to a “Thank You” page after form submission, ensure the origin of the request is allowed to prevent open redirects and unauthorized access.

    
        
        // PHP (submit.php)
        $allowed_origin = 'https://yourwebsite.com';
        if ($_SERVER['HTTP_REFERER'] !== $allowed_origin) {
            die("Unauthorized origin detected.");
        }
        header("Location: thankyou.php");
        exit;
        
    

Conclusion

Securing your PHP contact forms is essential to prevent spam and malicious attacks that could compromise your website’s functionality and user data. By integrating measures such as reCAPTCHA, honeypot fields, rate limiting, email validation, IP blocking, CSRF tokens, and checking request origins, you can create a robust defense against unwanted submissions and enhance the user experience. Implementing these techniques ensures that your contact forms remain a secure and reliable communication channel.

Remember, security is an ongoing process. Regularly update and audit your forms to keep up with new threats and vulnerabilities.

Connect with Developer @ Shivafeb17.com for personalized assistance and advanced security solutions for your PHP projects.

About Author

Shiva Sheshendra

Senior Web Developer / Senior PHP Developer / Full Stack Developer

“Web Development, Website Maintenance, Server Management, On-Page SEO, Security, and Malware Removal”

Connect with Developer View Portfolio

Request A Callback

Ready to unlock your digital potential?
Request a callback to learn how we can help

© All rights reserved 2025 codenbrand. Designed and Developed by shivafeb17

WhatsApp Icon