How do I block bots on my website?

I’m using Audienceful for my newsletter. In the last few weeks, I’ve been targeted by spam bots filling out my newsletter sign up form. I don’t really know what to do to stop them.

I don’t want to add CAPTCHA for newsletter sign ups, but looks like that’s the only way Webflow is offering for bots. I contacted Audienceful, they said I could use CloudFlare’s bot protection, but I don’t find a way to use CloudFlare with Webflow without breaking the SSL.

My last option is to add double opt-in for emails, but I’m worried that people just won’t opt-in with the added friction. There are many newsletters I joined that don’t require double opt-in.

I want to see if anyone has any idea how to combat this.
My link is

I would think audienceful would have its own mechanic for detecting spam emails, but if not, there are a few ways you could do this.

First, I regularly setup reverse proxies and there are ways to prevent the SSL issues, but I don’t think paying for bot management is necessarily the right approach here.

Another option is to simply buffer the submissions and verify them yourself before submitting them to audienceful. you could just have them fed e.g. to Make or Zapier, spam-check and then forward the good ones.

There are 3rd party APIs that let you validate an email and grade it A to F. Generally, A’s and B’s are good, anything lower is crap.

You can use a honeypot technique. e.g. your form is configured to send to your Make webhook, but there’s a hidden field with junk in it. If a bot encounters the form, it will “fill in” the fields and submit the whole form to the action URL.

However on your site, you’d have a script capturing the submit event, and it would remove those fields before the submission happens. Generally, a bot won’t do that, so you can easily identify real website-submitted leads v. bot direct-to-webhook submissions.

There are more complex ways a well… time-sensitive passcodes where your script adds a field instead which is a special hashed timestamp. The server compares it to the time of receipt to see if the submission actually came through the site legitimately.

I wouldn’t go too nuts with all this, but just thought I’d suggest some options.

Thank you for the detail write out. I tried CloudFlare first, it does eliminate a lot of bots, but not completely. Then I found out Audienceful does have a honeypot mechanic to refuse spam submissions. Now problem is solved. Hopefully not more bots from now on.