Deleted Your WordPress Form But Still Getting Spam?

How to Stop Spam From a WordPress Form That No Longer Exists

This is a very common and frustrating situation getting Spam From a Form I Already Deleted. It feels like you’ve locked a door, but people are still getting in. The reason you’re still getting spam is almost certainly because of automated spambots.

Here’s a breakdown of why this happens and what you can do about it.

The Main Reason: Bots Don’t Need Your Website

The most likely reason is that spambots have already saved the direct link to your form’s submission script.

Think of it this way:

1. The First Visit: When your form was live, a spambot visited your website once. It didn’t fill out the form like a human. Instead, its software analyzed the form’s code and found the specific URL where the form sends data (the action attribute in the HTML).
2. The Attack: From that moment on, the bot doesn’t need to visit your webpage anymore. It has the “back-end” address. It will now send spam data directly to that URL, thousands of times, from servers all over the world.

So, even though you deleted the form from the page (the “front door”), the bots are still sending spam directly to the processing script (the “mail slot”). As long as the plugin that created the form is still active, it’s likely still listening for this data.

Other Possible Causes

• Plugin Still Active: You may have deleted the page or the shortcode for the form, but the booking form plugin itself might still be installed and active on your WordPress site.
• Caching: A cached version of your page with the form might still exist on a server or a Content Delivery Network (CDN) like Cloudflare. Bots might be hitting this old version.
• Your Email Was Scraped (Most Common for General Spam): The spam might not be coming through your website at all anymore. Spambots could have simply “scraped” your email address from the website months ago. Now, they are sending spam directly to your email inbox, but they are faking the “From” address and subject line to make it look like it came from your old booking form.

How to Fix It: Your Action Plan

Here are the steps you should take right now to solve this, starting with the easiest.

1. Deactivate and Delete the Form Plugin: This is the most important step. Go to your WordPress dashboard, click on Plugins > Installed Plugins. Find the plugin you used for the booking form (like WPForms, Contact Form 7, etc.), Deactivate it, and then Delete it. This will remove the script the bots are targeting.
2. Clear All Your Caches: Your website likely has multiple layers of caching.
   • Plugin Cache: If you use a caching plugin (like LiteSpeed Cache, W3 Total Cache, or WP Rocket), go to its settings and click “Purge All” or “Clear Cache.”
   • Server Cache: Your hosting provider (many in Uganda use local or international hosts with caching) might have server-level caching. Log into your hosting control panel to clear it, or ask their support.
   • CDN Cache: If you use a service like Cloudflare, log in to your account and purge the cache.
3. Install a Security Plugin and Run a Scan: This is crucial to check for any hidden backdoors. The bots that found your form might have tried other ways to attack your site.
   • Install Wordfence Security (a very popular and effective free plugin).
   • Run a full security scan to ensure there are no malicious scripts on your site.
4. Implement a Web Application Firewall (WAF): A firewall is the best long-term solution. It acts like a security guard, blocking known spambots and malicious traffic before they even reach your website.
   • Wordfence has a built-in firewall. Make sure it’s enabled and in “Learning Mode” for a week, then switch it to “Enabled and Protecting.”
   • Cloudflare’s free plan also offers excellent protection against bots.

By deactivating and deleting the old plugin, you will shut down the target the bots are hitting. By clearing your caches and adding a security plugin, you will clean up your site and protect it from future attacks.