I recommend using S3-compatible data stores. They scale easily.
Depending on your job profile, you can compare pricing across different vendors to help you evaluate your options for moving to S3. Maybe in the cloud, or maybe raise your own infrastructure.
Upload files and manage them via API. Distribute - via CDN.

Easier than simple:
1. Initially - img-button "Fill the form".
2. Form activation - on click (dynamic, in JS).
Those. don't give simple parsers the ability to determine that a page contains a form.
hide the checkbox behind overflow:hidden and write there: "I confirm" or "I confirm" or "I agree" and the like...
With the checkbox checked, after sending, we write in the same way as usual: "Thank you! Your form has been submitted."
On the server - with this checkbox, immediately banned.
And 99.9% - immediately get caught ..

Is there an invisible captcha from Google?

As FanatPHP said , you can make trap fields. I have a slightly different method, but also quite effective:
- create SEVERAL fields, such as "phone", "homepage", "skype" and others (for which there is enough imagination). They must be valid fields, not `type=hidden`!
- make them hidden at the CSS level (make a class that will hide them, or hide them for each ID tag). By code, these fields should look as natural as possible and not differ from the rest. (so that the person does not see them, but so that the bot sees them and thinks that these are natural fields on the form).
- under the hood, make sure that these fields are empty.
- if it was a bot, it will definitely fill in these fields. And if they are filled, then pretend that everything was successful, BUT, while doing nothing under the hood. Let the bot waste time on empty hopes!

How was the hidden field used? I put a hidden field and a hidden checkbox. If one thing is filled or marked - I send 3 letters. Doesn't seem to be spamming

You can make a hidden field, the value in which is loaded by Ajax on a keypress event in the text input field (once). Of course, it doesn’t save 100%, but a large percentage of simple bots can be cut off

It is possible, as they said, to add a trap field and more real fields that will be sent without using standard names, such as name, phone. Name, for example, field_3, field_432. For yourself in the handler, you can mark which field corresponds to what. Of course, it will not protect from a serious attack, but from fools, of which the majority, just right

paid antispam solutions

Make a simple trap.
For example, name the field for the name email, and for the email - name.
Well, check the presence of the dog in the email and the absence of the name.

if(!isset($_SERVER['HTTP_X_REQUESTED_WITH']) || (strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) != 'xmlhttprequest')){
  die("Thank you for sending");
}

Load a form with jquery .load() (if this library is connected)