Forms getting spammed yet site isn't on Google

I have a website that the client specifically asked to be excluded from Google (I’ve used the NOINDEX, NOFOLLOW code in the Head tag). All good, but they are receiving quite a lot of spam through their online form.

Does anyone know how people are finding the form, if it’s not indexed on Google? I will add a reCAPTCHA but have a feeling it won’t make much difference, given what others have said on this forum.

The client won’t pay for using an alternative form like Basin. And to be honest, they shouldn’t have to given how much they’re paying for WF hosting.

It likely was not found through Google. But you could check to see if yours is listed there.
Most of the spam problems Webflow is having this year don’t appear to be through the sites, they’re directly to the form handling gateway.

Even if you deleted the form, you’d likely keep getting spam.

We resolved it for our clients using Basin, and that was the best choice for us. There are others, some free. You could probably use a free plan and automate your own notifications.

I didn’t see any improvements from reCAPTCHA for these attackers, but you can give it a go.

Many thanks for the swift reply, much appreciated! When you say ‘directly to the form handling gateway’, what does that entail? Is this WF’s fault? I (naively) assumed blocking indexing for the site would be enough to make the site ‘private’?

No and yes. The attack is not Webflow’s fault; however, the architecture to handle form submissions could have been better designed, and made direct attacks more difficult to begin with.

I’ve seen far worse spam issues on WordPress though. It used to be that every image you upload to WP has a commenting capability built in, and you could not disable those comments or the email notifications you get. We got thousands, daily.

Obscurity is not the same thing as security. A password-protected site would be better.

That said, I haven’t looked into the details of the gateway attack. It’s possible the spammers have never seen your site. They may just be able to increment a number and send spam to a new site.

Many thanks Michael, that’s a really helpful explanation and makes the picture much clearer. I’ll explain this to the client.