I despise Eric Jones. Like medieval-level despisal. Like tar-and-feathering, branding-with-a-hot-iron, pouring-boiling-oil-off-the-castle-ramparts kind of despisal.
Eric Jones – a pseudonym for a well-known SEO spambot – has sent me over 2,000 emails. Most of them come from a Gmail account, like eric.jones.z.mail@gmail.com or something like that. They promise lead magnets, SEO services, Jasper AI writing services, that kind of thing.
I couldn’t stand him anymore. How could I stop this guy (or this bot) from drowning my inbox in his SEO skullduggery?
Stopping Contact Form Spam with Elementor Forms
Let me be upfront: This is not an in-depth developer’s guide to stopping contact form spam. I don’t have that level of knowledge. And I still get spam every day. But I get 1-3 emails instead of 10-20.
Best of all, I made these changes in about 10 minutes.
I run most of my websites using WordPress CMS, the Elementor Pro page-builder, and the Hello Elementor Theme.
Elementor Pro has a built-in Forms form builder, which I used for the FLUB Contact Form. Unfortunately, the default Contact Form doesn’t seem to have a lot of anti-spam protections built in.
I should also admit that I’m not a WordPress guru, and I didn’t realize that many of the basic WordPress security plugins – like Askimet, Bot Protection or Limited Login Attempts Reloaded – don’t actually block contact form spam. Plugins do different things. I learned that blocking comment spam didn’t do anything to block contact form spam! Sounds obvious, but I had never taken the time to learn.
Equipped with my newfound knowledge, I immediately sleuthed out my problem. My Elementor Pro FLUB Contact form was naked and exposed. I had virtually no anti-spam security plugins or settings watching over it, swatting away pesky spammers. I had left it defenseless.
Ye Old Honeypot Field
Start with the easy things first, right? So the first thing I did was add a honeypot field to the Contact form. Honeypot fields are like lemon juice invisible ink. You can’t see it, but a bot can, and if a bot fills it out, then Elementor knows the sender ain’t human.
But honeypots aren’t infallible, and bots keep getting smarter.
The Heavy-Lifter: reCAPTCHA
So the next step was reCAPTCHA. There are two versions: V3 and V2. V2 is the classic “I’m not a robot” checkbox test (plus a lot of other checks going on in the background). V3 is like a silent background check, but there are some concerns about its implications for user privacy.
I prefer the reCAPTCHA V2 because if a Reader can’t be bothered to check a box to send an email – well, they really don’t want to talk to me that bad, do they?
You can create free reCAPTCHAs here with a Google account. You’ll get a Site Key and a Secret Key, which you should save in an encrypted location. Then, you can integrate your chosen Contact Form plugin with reCAPTCHA.
Here’s where you integrate reCAPTCHA with Elementor.
Once you’ve integrated it, you can select “reCAPTCHa” as an Item in your Contact Form built with Elementor Pro Forms widget. It will automatically place a V2 or V3 reCAPTCHA in your contact form, stymying any bots silly enough to mess around with it.
As you can see, reCAPTCHA is blocking multiple computer spam attempts every day.
Belt n’ Suspenders: MASPIK Plugin
But … reCAPTCHA isn’t bombproof, either. To borrow a quote from the movie Untouchables, “You wanna know how to get Capone? They pull a knife, you pull a gun. He sends one of yours to the hospital, you send one of his to the morgue.”
So my final Chekhov’s gun was the anti-spam plugin Maspik. It’s a free basic plugin (with paid Pro version), and it integrates well with the Elementor Forms widget.
I’ve only used Maspik for a few weeks, but so far, I like it. You can block IP addresses, countries, languages, and emails. You can add spam filter keywords or limit the maximum number of links allowed in a message. I think reCAPTCHA is doing most of the heavy lifting, but I like the belt-and-suspenders approach.
Where Are the Spammers Now?
As you can see below, Mr. Eric Jones “he-who-shall-not-be-named” is first on my list. I haven’t seen him recently, and if he approaches my digital ramparts again, I’ll be waiting, boiling oil and reCAPTCHA in hand.