creative designer

No one likes spam bot form submissions but they are a reality of putting your business online. There's no golden fix here so regardless of what methods you try be very aware that you won't stop them all.

(This ramble is a post in writing, so expect changes and additions to be made.)

When merchants try and add Captchas to storefronts the common approach is to use some form of javascript solution - whether it be some form of simple math solving or more complex drag and drop unlock process. I've seen a variety of crazy things - plenty built in by myself.

The problem however is that these solutions won't make a vast impact since the rely entirely on JavaScript to function. You can get as tricky as you like but don't make the assumption that bots fill out the form like a normal human. In most cases they don't, so will not be trapped by simple math forms, html5 required elements, or whatever else you've cooked up.

Those bots they do use javascript seriously won't be slowed down by some simple math question either so keep that in mind. 

For many hosted platform - Shopify included - a true captcha system would need support on the server side. I would like to think such a feature would be added soon but for now it doesn't.

Should I add a captcha?

My advice - don't bother unless you are really getting slammed by spam. In that case stopping a few percent could actually equal a lot of processing time on your end. If you're only seeing a few per week this is really nothing to lose sleep over. Seriously.

If you think I am crazy for saying that - you could be right. Just weigh up the pros and cons yourself and make a call either way. You must realise that adding a captcha is going to hurt conversion to some degree. What's worth more - the conversion, or the lack of annoyance for you managing the spam. There's no right answer here so go with your gut.

If not a captcha, what?

I do like how mailchimp add some basic low level detection in their forms. They purposeful add a field that is not seen, but can be found easily by a bot. If a bot fills out the field you can be confident that whatever filled it out is a bot, and just purge the data. Whilst not stopping the spam, being able to detect it faster helps alleviate the concerns with trying to wrestle into action. Until then, hope that a more bulletproof, server side solution is added on whatever hosted platform you're using.

I'd likely opt for something that uses the technique above along with code that adds the form HTML with  JavaScript. This way there's zero form for the bot to harvest in the html, but if it does that extra field should help weed out the fakers.

For Shopify this can work pretty well but keep in mind the form endpoints will always exist. So form or no form you can still post data and have it process server side.

Do you have some sweet code examples?

soon... feel free to annoy me if this bit is taking too long to be written...

Like to work with me?

Let's talk