Spam messages are a constant nuisance on websites, especially through contact forms. If you’re using Elementor Pro’s Forms, you’ve probably already enabled reCAPTCHA, honeypot, and even disabled auto-fill – but somehow, spam still gets through.

That’s because many spam bots today are smart enough to bypass basic protection methods. They often submit links to random, unrelated websites, hoping to trick site owners into visiting them or getting SEO backlinks. A common trait in almost all spam submissions is the presence of suspicious URLs from unrelated domains.

In this post, you’ll learn a practical and effective method to stop this kind of spam without affecting genuine users, using a simple code snippet you can add to your WordPress site.

Why Typical Methods Aren’t Enough

• Honeypot fields only work on basic bots.

• reCAPTCHA is often bypassed by advanced spam software.

• Manual filtering or plugins may slow down your site or miss new patterns.

Spammers submit messages like:

“Hello, check out my site: domain1.com/buy-now or www.xyzpromo.net.”

These types of messages can flood your inbox daily.

The Better Way: Block All External Links Automatically

The code below blocks any submission that contains a URL outside your own domain. If someone tries to submit a message with such a link, they’ll receive a clear error message telling them to remove it.

And here’s the best part: a genuine visitor who truly wants to share a link will usually just write something like:

“I have a link to share, can you contact me so I can send it?”

A spam bot would never say that – it just dumps the link.

The Code Snippet

Replace contact_message with your message field ID in Elementor (you can edit it in the Form widget’s advanced settings).

add_action( 'elementor_pro/forms/validation', function ( $record, $ajax_handler ) {
// (edit start) change field ID to match the message field
$fields = $record->get_field( [
'id' => 'contact_message',
] );
if ( empty( $fields ) ) {
return;
}
$field = current( $fields );
preg_match_all( '/\b((https?:\/\/)?(www\.)?([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}(\/[^\s]*)?)/i', $field['value'], $matches );
if ( ! empty( $matches[0] ) ) {

$allowed_domain = 'wizbeeit.com'; // Replace with your domain

$disallowed_urls = [];
foreach ( $matches[0] as $url ) {
$host = parse_url( ( strpos( $url, 'http' ) !== 0 ? 'http://' : '' ) . $url, PHP_URL_HOST );
if ( $host && stripos( $host, $allowed_domain ) === false ) {
$disallowed_urls[] = $url;
}
}
if ( ! empty( $disallowed_urls ) ) {
$error_message = 'URLs out of this website is not allowed inside message. Please remove the URL: ' . implode( ', ', $disallowed_urls );
$ajax_handler->add_error( $field['id'], $error_message );
}
}
}, 10, 2 );

If you want to allow multiple domains, replace the $allowed_domain  with

$allowed_domains = [ 'yourdomain.com', 'myotherdomain.com' ];

What This Does

• Scans the message field for URLs using regex.

• Allows links only if they belong to your domain (e.g., wizbeeit.com).

• Returns a user-friendly error if outside links are detected.

• Does not block messages with no links (i.e., normal messages).

Types of URL it can detect:

• Fully qualified with protocol:

  • http://blabla.com

  • https://blablabla.com/page

  • https://www.blablabla.net/path/to/file.html

• Without protocol (common in spam):

  • www.spamlink.com

  • example.org/shit-page

  • badsite.net/download

• Subdomains and multiple-level domains:

  • offers.ads.spammer.com.ru

  • link.mail.spamsite.biz/promo

• Query strings and fragments:

  • http://promo.site.com/?ref=abc

  • https://abc.site.net/page#section

Also if someone use link like visite_our_website@bababla.com

How to use

• Make sure your message field ID in Elementor is set to contact_message.

• You can customize the allowed domain name in the code above.

• Add the snippet to your theme’s functions.php, or use a plugin like Code Snippets.

This method helps you block spam effectively without annoying real users – and finally gives you peace of mind from those endless spam messages.

Want a demo? Just visit our contact us page and see yourself.