12 Ways to Stop Contact Form Spam in Joomla
 
Are you facing a lot of contact form spam in Joomla?
Spam and abuse are some of the biggest headaches for websites with contact forms, but the good news is that you don’t have to handle it manually.
In this post, we’ll show you some simple and effective techniques to block contact form spam in Joomla, starting with using the right tools.
- Why Contact Form Spam Is Dangerous
- Get a Joomla Form Extension With Built-in Spam Protection
- Use CSRF Tokens
- Use Honeypot Fields
- Prevent Spam with a Form Submission Timer
- Use Google reCAPTCHA
- Use hCaptcha
- Add Cloudflare Turnstile
- Add Math CAPTCHA
- Enable Email Validation Using DNS Verification
- Block Email Addresses of Repeat Spammers
- Block Form Submissions Containing Profanity (Bad Words)
- Create Custom Validations
- Conclusion
Why Contact Form Spam Is Dangerous
Contact form spam isn’t just annoying; it poses real risks to your website. Here are five reasons why it’s dangerous:
- Harmful Links: Spambots may submit links that lead to malware. A single click can infect your system or site.
- Email Deliverability Issues: Spam floods your inbox, affecting email deliverability and leading to bulk email errors.
- Denial of Service (DoS): Some bots overload forms with requests, slowing down your site or causing an outage.
- Hacking: Bots can target login forms, attempting brute force attacks and compromising user accounts.
- Productivity Losses: Your team spends time filtering spam instead of handling genuine inquiries, leading to missed opportunities.
But the good news is that blocking contact form spam is extremely easy. Below, we’ll show you the best tools and techniques to eliminate contact form spam.
Get a Joomla Form Extension With Built-in Spam Protection
To stop spam submissions in Joomla, use a contact form extension like Convert Forms, which includes advanced spam protection features such as Honeypot, CAPTCHA integration (Google reCAPTCHA, hCaptcha, Math CAPTCHA), and custom validation rules to effectively combat spam.
After installing Convert Forms, create a form and activate its anti-spam functionalities. With multiple protection methods available, you can choose the most suitable one for your site.
Next, we’ll explore the easiest and most reliable anti-spam method built into Convert Forms.
Use CSRF Tokens
A CSRF (Cross-Site Request Forgery) token is a security measure that ensures form submissions are legitimate. It prevents unauthorized requests by adding a unique token to each form. This helps confirm that the request came from your site, not from an external source.
Convert Forms relies on Joomla's built-in CSRF mechanism to add extra spam protection. To enable it, go to the Extensions Configuration Page, navigate to Security, and enable the option “Use Joomla! CSRF Token.”

This simple step adds a layer of behind-the-scenes protection against spam and malicious submissions. It's the best spam-blocking technique because it’s more privacy-friendly than others and provides the best user experience.
Use Honeypot Fields
A honeypot may sound sweet, but it’s actually a clever trick to catch spammers. It’s a hidden form field that bots can’t resist filling out. Since real users won’t see or interact with it, the form submission fails if the honeypot field is filled out, trapping the spam bot.
In Convert Forms, the honeypot is enabled by default for all new forms. To check that it’s active in your form, open the Behavior tab, go to Security & Restrictions, and make sure the Honeypot Protection option is enabled.

This is the most flexible and easiest way to add honeypot field spam protection features in Joomla contact forms.
Prevent Spam with a Form Submission Timer
One of the easiest ways to detect and block bots is by measuring how fast a form is submitted. Spam bots typically fill out and submit forms instantly, while real users take at least a few seconds to type their responses.
The Time to Submit feature in Convert Forms allows you to set a minimum time a user must spend on the form before submitting it. If a submission happens too quickly, it is flagged as spam and rejected.

To enable Time to Submit in Convert Forms, follow the steps below:
- Open your form in the form builder.
- Go to the Behavior tab.
- Scroll down to Security & Restrictions and find the Time to Submit option.
- Set the minimum time (e.g., 3 seconds).
- Save your form.
Now, any form submission that occurs faster than the configured time will be blocked, preventing bots from spamming your forms. This method is invisible to users, doesn’t require CAPTCHAs, and helps eliminate automated spam efficiently.
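The honeypot and Time to Submit checks described above can be sketched as server-side PHP. This is an added example, not Convert Forms code: the field names `website` and `stamp`, the function names, and the key are assumptions, and the sample submissions are constructed.

```php
<?php
// Added illustration; not Convert Forms code. Names and the key are assumptions.
const FORM_KEY = 'replace-with-a-random-server-side-secret'; // constructed placeholder
const MIN_SECONDS = 3; // mirrors the "e.g., 3 seconds" setting above

// Rendered with the form: a timestamp plus an HMAC so the client cannot backdate it.
function issueFormStamp(int $now): string
{
    return $now . '.' . hash_hmac('sha256', (string) $now, FORM_KEY);
}

// Returns null when the submission passes, or the reason it was rejected.
function rejectReason(array $post, int $now): ?string
{
    // Honeypot: a field hidden from people with CSS; only bots fill it in.
    if (trim((string) ($post['website'] ?? '')) !== '') {
        return 'honeypot filled';
    }
    $parts = explode('.', (string) ($post['stamp'] ?? ''), 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'stamp missing';
    }
    [$issued, $mac] = $parts;
    // Constant-time comparison of the expected and submitted MAC.
    if (!hash_equals(hash_hmac('sha256', $issued, FORM_KEY), $mac)) {
        return 'stamp tampered';
    }
    if ($now - (int) $issued < MIN_SECONDS) {
        return 'submitted too fast';
    }
    return null;
}

// Constructed sample submissions: [POST data, time of submission].
$t0 = 1700000000;
$stamp = issueFormStamp($t0);
$forged = ($t0 - 60) . '.' . substr($stamp, 11); // old time, MAC of the real time
$samples = [
    'human, 12 s'      => [['website' => '', 'stamp' => $stamp], $t0 + 12],
    'bot, honeypot'    => [['website' => 'http://spam.example', 'stamp' => $stamp], $t0 + 12],
    'bot, instant'     => [['website' => '', 'stamp' => $stamp], $t0 + 1],
    'bot, forged time' => [['website' => '', 'stamp' => $forged], $t0 + 1],
];
foreach ($samples as $label => [$post, $now]) {
    echo str_pad($label, 18), rejectReason($post, $now) ?? 'accepted', PHP_EOL;
}
```

Signing the timestamp matters because a bot controls every field it posts; an unsigned hidden timestamp could simply be backdated. A production check would also expire old stamps so that one harvested stamp cannot be reused indefinitely.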
Use Google reCAPTCHA
Google’s reCAPTCHA is a popular tool used to distinguish between human users and bots. It works by offering puzzles or detecting user behavior to verify that a submission is made by a real person, not an automated bot.
Google currently offers three types of reCAPTCHA:
- Checkbox reCAPTCHA v2: In this version of reCAPTCHA, users must click a checkbox to verify that they aren't bots. Usually, a text with the words "I am not a robot" is displayed next to the checkbox. If users' activity is found suspicious on the page, they might be asked to do an image verification test to verify that they are real.
- Invisible reCAPTCHA v2: This version of reCAPTCHA doesn't add a checkbox; instead, it works secretly and detects the user's behavior to identify if the visitor is human.
- reCAPTCHA v3: reCAPTCHA v3 is the most advanced of all the CAPTCHA types. Unlike the two reCAPTCHA types mentioned above, v3 works in the background. Its process is based on JavaScript and helps you detect abusive traffic on your website without user friction.
To enable reCAPTCHA in Convert Forms, we first need to generate a set of API keys and connect them with Convert Forms. To do so, follow the steps below:
- Choose which reCAPTCHA version you’ll use.
- Generate the respective API Keys. Learn how to get your API Keys.
- Go to the Convert Forms Extension Configuration Page.
- Click the reCAPTCHA tab.
- Paste the generated API Keys in the respective input fields.
- Click Save.

Next, go to the form builder to add the reCAPTCHA field to your form by following the steps below:
- Go to the Add Fields tab.
- Scroll down to the reCAPTCHA field and click to add it to the form.
- Choose the reCAPTCHA version in the Version Dropdown (v2 invisible, v2 checkbox, or v3).
- Optionally, choose the theme and size of the reCAPTCHA layout.

This will add an extra layer of protection against spam submissions!
Use hCaptcha
hCaptcha is a privacy-focused, GDPR-compliant alternative to Google’s reCAPTCHA. It protects against bots while respecting user privacy, making it a great option for websites that prioritize data security.

It comes in two versions:
- Invisible: Works in the background without requiring user interaction, only triggering challenges when needed.
- Checkbox: Requires users to check a box to confirm they are human.
Convert Forms supports hCaptcha even in the free version, so anyone can take advantage of it. Here’s how to enable it:
- Generate your API Keys: Learn how here.
- Go to the Convert Forms Configuration Page.
- Click the hCAPTCHA tab and paste your API keys.
- Click Save.

Then, to add the hCAPTCHA field to your form:
- Edit your form.
- Go to the Add Fields tab.
- Find and click the hCAPTCHA Field.
- In the Type option, choose between Invisible or Checkbox.
- Save your form.

And that's it! This is how simple it is to add hCaptcha to Joomla Forms using Convert Forms.
Add Cloudflare Turnstile
Cloudflare Turnstile is a user-friendly, GDPR-compliant alternative to reCAPTCHA, designed to eliminate the frustrating experience of traditional CAPTCHAs. Unlike conventional methods, Turnstile operates in the background without puzzles or interruptions, ensuring a smooth web experience for real users while blocking spam and abuse.

Like all built-in antispam solutions of Convert Forms, Cloudflare Turnstile is available in the free version. To set it up, follow the steps below:
- Generate your API Keys on Cloudflare. Learn how here.
- Go to Convert Forms Configuration > Turnstile tab.
- Paste the API Keys and click Save.

Next, add Cloudflare Turnstile to your Joomla form:
- Edit your form.
- Open the Add Fields tab.
- Add the Cloudflare Turnstile field.
- Customize the theme and size as needed.
- Save your form.

Enjoy enhanced spam protection with privacy compliance.
Add Math CAPTCHA
Math CAPTCHA is a privacy-friendly, GDPR-compliant alternative to solutions like reCAPTCHA. Instead of tracking user behavior, it asks visitors to solve a random mathematical problem, such as 5 + 5. Bots struggle to solve these problems, making Math CAPTCHA a powerful spam deterrent.

Convert Forms includes a Math CAPTCHA Field, even in the free version, where you can also adjust the complexity of problems:
- Low: Numbers from 1 to 10. Operators: Addition (+)
- Medium: Numbers from 1 to 20. Operators: Addition (+), Subtraction (-)
- High: Numbers from 1 to 30. Operators: Addition (+), Subtraction (-), Multiplication (*)
To add a Math CAPTCHA to your Joomla contact form, follow the steps below:
- Edit your form.
- Go to the Add Fields section.
- Add the Math CAPTCHA field.
- Optionally adjust the Complexity.
- Save your form.

The form will display a random math question that regenerates with each page load or refresh, effectively reducing spam.
Enable Email Validation Using DNS Verification
One powerful way to ensure only real email addresses are submitted is by validating that an email is associated with an active domain. This is achieved by checking the domain’s DNS records, particularly its MX (Mail Exchange) records.

Out of the box, Convert Forms checks for valid email syntax (e.g., correct characters, “@” symbol, and TLD like .com). However, even fake emails can pass this check. DNS verification goes further by confirming that the domain after the “@” exists and is active.
To enable Email DNS Check in your Joomla forms, follow the steps below:
- Edit your form.
- Locate the Email Input Field in the form builder.
- Open the field settings.
- Enable the DNS Check option.
- Save your form.
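The kind of lookup a DNS check performs can be sketched in PHP with the built-in `checkdnsrr()`. This is an added example, not Convert Forms code: the function names are assumptions, the zone data is constructed so the logic runs offline, and it goes one step beyond the MX check described above by falling back to address records when no MX record exists.

```php
<?php
// Added illustration; not Convert Forms code. Function names are assumptions.

// Returns the lower-cased domain of a syntactically valid address, or null.
function emailDomain(string $email): ?string
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return strtolower(substr($email, strrpos($email, '@') + 1));
}

// $hasRecord is injectable so the logic can be exercised offline;
// by default it is PHP's checkdnsrr(), which performs a live DNS lookup.
function domainAcceptsMail(string $email, ?callable $hasRecord = null): bool
{
    $hasRecord = $hasRecord ?? 'checkdnsrr';
    $domain = emailDomain($email);
    if ($domain === null) {
        return false;
    }
    // The trailing dot makes the name fully qualified, so the resolver
    // does not append local search suffixes.
    $fqdn = $domain . '.';
    if ($hasRecord($fqdn, 'MX')) {
        return true;
    }
    // RFC 5321 section 5.1: without an MX record, mail is delivered
    // to the domain's address record instead.
    return $hasRecord($fqdn, 'A') || $hasRecord($fqdn, 'AAAA');
}

// Constructed zone data standing in for DNS.
$zone = ['example.com.' => ['MX'], 'legacy.example.' => ['A']];
$fakeDns = function (string $host, string $type) use ($zone): bool {
    return in_array($type, $zone[$host] ?? [], true);
};
$addresses = ['ann@example.com', 'bob@legacy.example', 'x@no-such-domain.example', 'not-an-email'];
foreach ($addresses as $addr) {
    echo str_pad($addr, 28), domainAcceptsMail($addr, $fakeDns) ? 'accept' : 'reject', PHP_EOL;
}
```

A passing result shows only that the domain can receive mail, not that the mailbox exists, so this check filters made-up domains rather than made-up users at real providers.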
Block Email Addresses of Repeat Spammers
CAPTCHAs are effective at stopping automated bots, but not humans.
People who want to promote products, drive traffic to their sites, or pursue some other malicious goal fill out the form on your site by hand and send you tons of spam emails.
CAPTCHA services can’t stop them, because they are real visitors. The best way to stop contact form spam generated by humans is to block their email addresses and email domains.
To block specific email addresses or domains, use the code snippet below. Copy the code and place it into the PHP Scripts > Form Process area of your form.
// You can add as many email addresses as you'd like to this list.
$blacklist = [
    '@domain1.com',
    '@domain2.com',
    '[email protected]'
];
// The name of the field representing the email address input
$field_name = 'email';
// The error message to show when an invalid email address is submitted
$error_message = 'This email is not allowed';
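// Do not edit below
$email = strtolower(trim((string) ($post[$field_name] ?? '')));
foreach ($blacklist as $blacklist_email)
{
    $entry = strtolower($blacklist_email);
    // Entries starting with "@" block a whole domain and must match the end of the
    // address; other entries must match the full address. A plain substring test
    // would also block unrelated addresses such as user@domain1.com.au.
    $blocked = (strpos($entry, '@') === 0)
        ? substr($email, -strlen($entry)) === $entry
        : $email === $entry;
    if ($blocked)
    {
        throw new Exception($error_message);
    }
}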
Block Form Submissions Containing Profanity (Bad Words)
Blocking email addresses is one way to stop spam submissions from human visitors. Another method you can use to stop spam that bypasses CAPTCHA is to filter submissions against a list of expletive words.
Create a list of bad words you would like to filter out, and then add the code snippet below into your form's PHP Scripts > Form Process area.
// The list of not allowed words
$not_allowed_words = [
	'dog',
	'cat',
	'elephant'
];
// The Field Name where search will be performed against the not allowed words
$field_name = 'text';
// The helpful message that will appear if bad words are found
$error_message = 'Your text contains words that are not allowed.';
// Do not edit below
foreach($not_allowed_words as $word)
{
	if (stripos($post[$field_name], $word) !== false)
	{
		throw new Exception($error_message);
	}
}
This PHP snippet is also helpful for users: when a user submits a form that contains one of the words you've listed, they are shown a warning message.
Create Custom Validations
Convert Forms is developer-friendly and allows you to create custom form validations. For example, the code snippet below displays an error message when the message field exceeds the character limit.
$max_chars = 50;
$error = "Maximum character limit reached.";
// mb_strlen() counts characters; strlen() counts bytes, so accented or
// non-Latin text would hit the limit too early.
if (mb_strlen((string) ($post["message"] ?? ''), 'UTF-8') > $max_chars) {
   throw new Exception($error);
}
If you have experience with PHP and MySQL, you can add as many custom validations as you need in the PHP Scripts section of Convert Forms.
Conclusion
Contact form spam can be a persistent problem, but with the right tools and techniques, you can protect your Joomla website effectively. By using advanced features like those in Convert Forms—such as built-in spam protection, CAPTCHAs, and custom validations—you can ensure a safer and more efficient user experience.
Whether leveraging honeypot fields, enabling email validation, or implementing Cloudflare Turnstile, these strategies are straightforward to apply and offer robust protection against spam. Take control of your contact forms today to focus on what truly matters—genuine user interactions.