Contact form 'security' questions

Hey All!


  1. when using a contact form, does the recipient email address (the websites owner’s) show up in the source code, or is it completely concealed from those who might want to scavenger it for unsavory reasons?

  2. and, is there a way to block an ip address or an email address from a sender who uses the contact form to spam or send illegitimate emails via the website?

  3. Is there a way to capture the ip address of a contact form user so it can be blocked if unwanted?


Email addresses are completely obscured in the website code. The addresses are held within the script which isn’t visible to a spam bot that may be trawling your website.

If someone spams you using the form, its usually only someone who has filled the form manually. If that happens, you can simply blacklist the sender of the form using your host’s own blacklist feature.

The IP address of the sender is usually contained in the header information of the email received. You can use that to block future spam messages by using your web hosts anti-spam filters.

1 Like

Your receiving email address should be completely hidden in the source code, so no worries there.

To block an IP address would be something you would need to do at a server level. I have no idea how you would block specific email addresses from using the form, but again likely something at a server level.

To include the IP number in the email there was a reply given when you last asked this question a couple years ago, though I vaguely recall Norm saying it was something he would include as a standard option.

1 Like

An IP-address could be blocked by adding a .htaccess file in your website’s root folder, containing this code:

<Limit POST>
Order Allow,Deny
Allow from all
Deny from

In the example above you’d replace by the ip-address you’d want to block from using your contact form.

You would prefer to limit the ip-address from posting, as a block would prevent them from viewing your website completely. This way the user of this ip-address could still view the information on your website. This is especially handy if the abuse is coming from a single ip-address used by different visitors.

Note: this will only work on a Linux-based hosting. For a Windows-based hosting you would need to use the equivalent code for the web.config file. I do not have an example of this I’m afraid.

1 Like

thanks @hendon52 @Flashman @brechtryckaert…all great info…much appreciated!

1 Like