Step-by-step guide to blocking bots from registration

Last Updated Feb 22, 2021
Emma Jagger

Engineer, maker, Google alumna, CMU grad

How do I block bots from registering on my forms and newsletters?

A great many robots browse the internet looking for weakly protected forms. They will try to register through your forms, either hoping to collect information about your server and infrastructure to send back to their creators, or to create an account on your website and use it for spamming.

The more popular your site becomes, the more robot attacks it will be subject to.

It is crucial to protect your website against these attacks, to avoid giving information to potential hackers, and to avoid filling your database with dummy email addresses that would damage your SMTP reputation.

Know your enemy: the different types of robots attacking your web forms

There are different types of robots, more or less evolved. The simplest limit themselves to analyzing the HTML code and posting data to your form endpoints. The more complex simulate users navigating your website, moving the mouse, and executing JavaScript components. And the most powerful are even able to receive your confirmation email and simulate a click on the link it contains.

Protection against the simplest and most numerous robots

The simplest protection to implement, which guards against the most simplistic robots, is a honeypot: a trap consisting of a hidden text field.

Your human users will not see it, so the honeypot field will be empty when a real person submits the form. Robots, on the other hand, will consider it legitimate and fill it with a value. To be effective, the honeypot field should have a name that usually matters but is currently unused in your form, such as "first_name" or "email_confirmation".

On the server side, check whether the honeypot field is empty or contains a value. If it contains a value, you can consider that a robot submitted the form and dismiss the data.
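The server-side check described above, as an added example that is not from the original article. It assumes a urlencoded POST body; the names `HONEYPOT_FIELD`, `is_bot_submission` and `handle_signup`, the list standing in for the database, and the sample bodies are all hypothetical. Answering a robot with the same response as a real signup is a choice made in this example, not something the article prescribes.

```python
from urllib.parse import parse_qs

# Hypothetical honeypot name, chosen per the article's advice: plausible
# but unused by the real form. The real address is posted as "email".
# In the page the field is a normal text input hidden from view with CSS.
HONEYPOT_FIELD = "email_confirmation"

# Constructed sample bodies (application/x-www-form-urlencoded).
HUMAN_BODY = "email=ana%40example.com&email_confirmation="
BOT_BODY = "email=spam%40example.net&email_confirmation=spam%40example.net"


def is_bot_submission(raw_body: str) -> bool:
    """Return True when the hidden honeypot field carries a value."""
    # keep_blank_values=True keeps an empty honeypot in the parsed result
    # instead of silently dropping it.
    fields = parse_qs(raw_body, keep_blank_values=True)
    values = fields.get(HONEYPOT_FIELD, [])
    # Any non-whitespace content in any copy of the field marks a robot.
    return any(v.strip() for v in values)


def handle_signup(raw_body: str, store: list) -> tuple:
    """Process one POST body; `store` stands in for the database."""
    if is_bot_submission(raw_body):
        # Dismiss the data, but reply exactly as for a real signup so the
        # response does not reveal which field gave the robot away.
        return 200, "Thanks for signing up"
    fields = parse_qs(raw_body, keep_blank_values=True)
    email = (fields.get("email") or [""])[0].strip()
    if not email:
        return 400, "Email is required"
    store.append(email)
    return 200, "Thanks for signing up"


if __name__ == "__main__":
    db = []
    print(handle_signup(HUMAN_BODY, db), db)
    print(handle_signup(BOT_BODY, db), db)
```
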

Captchas: efficient protection but can ruin your conversions

Another level of protection is captchas, which are an efficient way to protect your forms but extremely annoying for your users. They slow users down right when they are filling out your forms, which is, let's face it, never an enjoyable task.

Most marketers look for ways to reduce the number of steps in a form so that fewer people leave the page before submitting it, and captchas add a bothersome step to your forms.

Captchas repel not only robots but also your legitimate users.

The sweet spot of form protection: email confirmation

A level of protection that works very well against the most advanced robots is to send a confirmation email to the address provided and wait for the person to click on its link before validating the registration.

This solution is very efficient, commonly accepted, and does not bother users as much as a captcha. It is an excellent solution to protect your forms against the vast majority of robots.

However, the most advanced robots can receive your confirmation emails and simulate a click on the link.

Fill the last hole: advanced email validation

To protect yourself against the most advanced category of robots and enhance your email confirmation system, you should implement a powerful email validation mechanism.

By checking that the provided email address is legitimate, is hosted on a correctly configured SMTP server, does not correspond to a catch-all address, and is not a disposable address, you will protect your form against most, if not all, robot attacks.

Abstract provides a free and real-time API that you can use to implement such an advanced email validation mechanism in a few seconds. It's as easy as making a GET request and checking the response's JSON fields.
