In this exclusive tutorial I’m going to talk about protecting and keeping your Mautic instance clean and spam free. Obviously there are no 100% fool proof ways, but by implementing these strategies you can keep most of the bad guys from trashing your Mautic with fake entries.

Keeping fake entries from being submitted is especially important as new submissions are often connected with a double optin sequence. If a tzunami of fake form submissions reaches your site, it might trigger a large number of confirmation emails, which can drain your smtp allowance. If the number of submissions large enough the flow of bad emails can really affect your spamsore and negatively impact your deliverability or you might get kicked out from your SMTP provider.

In this training we will look at 4 methods, that help you keeping your Mautic safe.

1. Secure your forms with Capcha

I used to be a big advocate of Honeypots, a technique where an – only visible for humans – hint would let you proceed to the form submission. Unfortunately their effectiveness is a lot weaker lately, and they don’t work as before.

With Mautic 4.2 you’ll be able to install the capcha plugin from the Marketplace. Until then you can either use the composer or download it manually to your Mautic instance.

For composer install run this in your Mautic folder:

composer require koco/mautic-recaptcha-bundle:3.*

For ‘manual’ install download the package, unzip, chown your folders and cleare cache:

# go to the Mautic folder: (might be different for you)
cd /var/www/html/plugins

# download the plugin

# unzip

# rename to the proper name
mv mautic-recaptcha-master MauticRecaptchaBundle

# cleanup!

# clear cache and make sure you have the right persmissions
chown -R /var/www/html/mautic/
chmod -R 755 /var/www/html/mautic/
php /var/www/html/mautic/bin/console cache:clear

# if you are running as sudo, then:
sudo chown -R www-data:www-data /var/www/html/mautic/
sudo chmod -R 755 /var/www/html/mautic/
sudo -u www-data php /var/www/html/mautic/bin/console cache:clear

Go to your plugins in Mautic and reload. Turn on recapcha.

Now you are one step away: here you can request API creds from Google:

2. Turn off 404 logging

This is a feature you can have since Mautic 4.1. It turns off tracking for all the 404 hits your Mautic install will have during the crawlbots visits. You can find it under Configuration – tracking.

Turn off tracking for 404 pages in Mautic 4.1

Having 404 tracking turn off, you save your database from bloating in case a persistent crawler finds you.

3. Create a campaign, that removes newly created fake entries

Let’s say you are a victim of mass form posts, and you see bot entries popping up among your contacts. This is super annoying, and can drain your resources, mess up your statistics. In addition I personally feel a burglar has been in my home once I see entries like this:

If you look at these contacts, there is one thing common in them. It’s always entries without visits. The same contact doesn’t visit your website, just submits a form. Obviously a bot is doing it.

Knowing this, you can create a campaign, where you segment out people who haven’t visited any pages, but submitted forms. Make sure you add a Tag to the form in question as a form action step. In this example I’m adding the “newsletter-member” tag to everyone who submits the form in question. The segment will look like this:

You’ll see only contacts in this campaign, who submitted the form without checking any pages. Suspicious… Let’s delete them.

Add the freshly created segment:

Now add the campaign, where you delete all members of this campaign.

If you do it right, your campaign results will be always empty. Why? because once a contact is deleted, all connecting statistics will be deleted.

Unfortunatly the form’s submission log won’t be deleted, which can result in a long-long submission list.

There is a pro fix for that, which you can read in the supporter level part of this tutorial.

4. Lock them out on the web server level

Subscribe now and unlock all the content, scripts and videos!

5. Sanitise newly created contacts with this script

Subscribe now and unlock all the content, scripts and videos!

Did any of these solutions work for you? Share your thoughts in the comments!

4 Comment

  • miamiman


    Hello Joey.

    As usual thanks for all you do for the Mautic Community.

    Question: By captcha do you mean (also) recaptcha?

    I’ve been using the recaptcha plug-in (still in version 3) since beginning with Mautic.

    So far, thankfully, I’ve not be bombarded by form spam. I’m wondering if its the plug-in, or that, in combination with required fields?

    Spambots are the worst, almost on the level of bicycle thieves.


    • jos0405


      Hey, yes, that is what I meant. It’s a great plugin!
      The plugin works really well, thatswhy you don’t have spam.
      Some prefer to skip the capcha as it’s another barrier for submission. This article is tending to those as well with the other methods.


Leave a Reply

Your email address will not be published. Required fields are marked *