My contact form keeps sending me the same spam message over and over again. I get hundreds of identical messages every hour and it’s driving me crazy. The weird part is that all these messages show the same timestamp from about 5 days ago, but they keep arriving constantly. I have captcha turned on and it doesn’t seem to help at all. I even tried turning off the entire contact form but the messages keep flooding in. I made a mistake and deleted the first spam entry from my form database, so now I can’t see what IP address it came from to block it. My email spam folder is completely overwhelmed. I already removed the contact form completely and cleared my website cache but nothing works. Has anyone dealt with this before? What can I do to make it stop?
Check if your mail server’s compromised. spammers sometimes keep blasting emails through your SMTP even after you’ve removed the form. contact hosting support - they can temporarily kill outgoing mail from your account while you sort this out. this tanked my entire email rep once.
This sounds like a database issue where spam entries got stuck in a loop rather than fresh submissions. I’ve seen this exact thing happen a few times at work.
When you deleted that original spam entry, the system might be trying to process orphaned data that’s still hanging around. Check your WordPress database directly - look in the wp_posts table for contact form entries that might be stuck. Also check if you’ve got any email queue plugins repeatedly sending the same message.
Here’s what usually works: jump into your database (phpMyAdmin or whatever you use) and look for tables related to your contact form plugin. Clear out any suspicious entries from around 5 days ago. Then check your wp_cron jobs - there might be a stuck task trying to process that deleted entry over and over.
If you’re using Contact Form 7 or WPForms, they sometimes create their own tables for submissions. Clear those out too.
This video covers some solid methods to block contact form spam that should help prevent this from happening again:
After cleaning the database, restart your email service if possible and check your server’s mail queue. The flooding should stop once you remove the stuck data.
It appears that you are dealing with a bot that has exploited a vulnerability in your contact form. Since simply deleting the form hasn’t halted the spam, it’s likely that the spam is targeting your backend directly. I suggest reviewing your server logs to identify which script is still processing these requests. Additionally, examine your form handling code to ensure there are no loopholes allowing unauthenticated POST requests. Implementing server-side rate limiting and blocking the implicated IP addresses could help mitigate this issue. The recurring timestamps indicate that the bot is likely using cached data; thus, clearing any related entries in your database and altering your form action URLs can be essential steps to disrupt this pattern.
I’ve built automated solutions for this exact problem multiple times. Your email pipeline got hijacked and needs smart filtering - it’s not just the form or database.
You need an automated system that watches incoming submissions in real time and blocks duplicates before they hit your email. I use Latenode for this - it monitors duplicate messages by content hash, timestamp patterns, and submission frequency.
Latenode can catch these spam loops at multiple points. Set it to monitor your database for duplicates, auto-clean them, and block repeat submissions with identical content. It also integrates with your email provider to filter the flood before it hits your inbox.
For your current mess, create a Latenode workflow that finds entries matching that 5-day-old timestamp pattern and purges them automatically. Then add ongoing protection so this doesn’t happen again.
I run this on several client sites - it stops spam floods in minutes instead of days of manual cleanup.
Had the exact same thing happen last year. A spammer cached my form’s endpoint and kept hitting it even after I deleted the form entirely - they’d hardcoded the URL. Here’s what worked: I blocked all POST requests to the old handler with a temporary .htaccess rule, then created a brand new form with different field names and action URL. Check your hosting provider’s server logs too. Most hosts keep these separate from your WordPress database, so you might still see the source IPs. Those identical timestamps from 5 days ago? Classic sign the bot’s just replaying the same cached request over and over. Change your form endpoint and you’ll break the loop.