Sick of WordPress contact form spam? We don't blame you! Here are 8 anti-spam techniques to help prevent spam form submissions.
Approximate read time: 5.5 minutes
Spam seems to be everywhere.
If you run a website, a lot comes from contact and comment forms. But with so many different spam protection services, surely there's a way to fight it. And there is.
Stop WordPress Contact Form Spam Now!
So, we'll focus on the different ways to block spam on a WordPress contact form so there are no more wasted hours sifting through spam emails.
Here's how to stop spam on WordPress comment forms and contact forms:
1. Block the IP address
If you see a repeat offender, you can block the whole IP address in the WordPress comment blocklist. Just go open your WordPress dashboard and head to Settings → Discussion. Then add them to the Disallowed Comment Keys list.
Or, if you're using a service like Cloudflare, you can even block whole countries.
But most of the time, spam contact form submissions come from bots — not real people. Unfortunately, spambots usually use proxies (a wide range of fake IP addresses).
Blocking the IP address may protect you from human spammers, but this method doesn't work against robots.
This strategy is only effective if you're constantly tracking spam IP addresses. And who has time for that?
2. Add a JavaScript token
Since most spammers aren't human, the JavaScript on your site isn't triggered. That's because an autogenerated JavaScript token is only created when a human visits your WordPress site.
Then, it's inserted into your forms without real visitors knowing it's there. The token is checked when a contact submits the form.
So by having your site first check to see if a JavaScript token is being submitted with the form, you can instantly reject any entries that don't have the token.
And don't worry. We know seeing the word "JavaScript" can be scary. Especially if you're not an experienced developer. But with Formidable Forms, you can activate this spam prevention method in one click!
This way, you can protect your contact forms and message fields without lifting a finger or making users do annoying puzzles.
3. Block WordPress contact form spam with the honeypot method
The honeypot method is a pretty sweet type of contact form spam protection. Get it?
Here's how the honeypot spam blocker works:
- It creates a hidden field on your contact form page that is invisible to visitors but seen by bots.
- Since the bot sees the honeypot field, it fills it out.
- Then, when the bot tries to submit its contact form spam message, the submission is blocked because there's a form filled out that shouldn't be.
Gotcha!
And just like with the JavaScript token option, the best contact form plugins like Formidable Forms let you activate it with a button.
A few other form builders use the honeypot method to prevent contact form spam. For example, a honeypot plugin for Contact Form 7 adds anti-spam protection.
4. Use reCAPTCHA
Google’s reCAPTCHA is designed to tell the difference between a human and a bot. They've made this tool widely accessible to developers. There's only one issue: it can be complicated if you aren't a developer.
This is where a plugin like Formidable Forms can help once again. You can add a reCAPTCHA to a WordPress contact form in a few clicks.
Looking for a free alternative to Google reCAPTCHA? Check out Cloudflare Turnstile — you can add it to your Formidable forms too!
reCAPTCHA v2
Here is when things get interesting. You'll probably know this reCAPTCHA:
This new version of reCaptcha tracks the movement of your mouse after you click the box. If the movement is still suspicious, you'll be clicking on boats, cars, and trains to prove that you are not a spam bot.
This is one of the most widespread solutions currently available. Why? because it works! It does not annoy the user that much, and the bot finds it very hard to bypass the mouse tracking.
But still, you want the perfect user experience, right? Do you want to capture as many valid email addresses as possible? There are a few more ways to block contact form spam in WordPress.
5. Add invisible reCAPTCHA
Invisible reCaptcha V2 is here to save the day! It tracks mouse movement but in the background while staying invisible. So, while real human users happily click and go through the pages, bots are blocked.
Invisible reCaptcha is available with one click in a WordPress contact form builder like Formidable.
6. Use reCAPTCHA V3
Just in case you didn't have enough reCAPTCHA options... Here's another one to help stop WordPress contact form spam.
reCAPTCHA V3 gives you invisible anti-spam but scores every submission in a form. You choose which scores to block, and your site handles the rest.
Over time, this reCAPTCHA learns more about your site by seeing real traffic. Then, website owners can adjust the score threshold to block more or less strictly. This is a great way to stop human spammers, too.
👉 Learn how to add reCAPTCHA to WordPress contact forms.
7. Create custom spam protection form fields
Are you still looking for more contact form anti-spam for WordPress sites? We've got a couple more that could help.
If you have a solid form builder, you can create your own spam blocker!
You formulate questions and ask the visitor to answer them. Because the questions and answers are unique to each site, bots have a tough time understanding them.
One simple custom captcha method: a math question. Ask something like “5+6=?” and let the user fill in the answer. While it is a very accessible solution, it still slightly decreases the user experience.
8. Install WordPress spam-blocker plugins
Without mentioning anti-spam plugins, no contact form spam protection for WordPress articles would be complete.
The most popular ones are Akismet, WordPress Zero Spam, and Jetpack. These plugins work independently from your contact form tools.
They also tap into already-known spam IP databases so they can help block the threat even before it appears.
Ready to stop contact form spam on WordPress?
Creating anti-spam protection on your WordPress site while keeping the user experience high will require some help. Luckily, the methods we describe in this post are easily accessible if you have the right tools.
For example, combining Invisible reCaptcha, Honeypot, and one of the WordPress plugins will give you several layers of protection for stopping spam. The best part? None of those methods are intrusive for users!
For more top WordPress tips and tutorials, follow us on Facebook, Twitter, and YouTube.
Read more posts about anti-spam in WordPress
Formidable Forms is much more than an anti-spam tool. It's a complete website solution. Build forms plus more with one of our risk-free premium plans today!
Nat Miletic says
Thank you, this is great. I use the reCaptcha for this purpose but didn't know about these other options as well.
Will use in the future.
Steve says
Glad this was helpful for you. Best of luck on all your current and future projects.
Debbie says
I always use reCaptcha. Thanks for making it so easy to use!
Steve says
Glad you like it. reCaptcha really is a great way to reduce spam in your WordPress forms. best of luck on your current and future projects.
Craig says
Wow, I never knew about the HoneyPot method, this is a very valuable blog, thank you, signed not-a-bot
Steve says
Hi not-a-bot 😉
Yeah, HoneyPot spam protection for WordPress forms is fairly new. It isn't always the most bullet-proof option for spam protection, but it is great to use in conjunction with other spam protection methods like reCaptcha or Akismet.
Connie Blakemore says
HoneyPot method is a great tip!
Steve Wells says
Yep, It's a great tool. Glad the article helped.
Silvia Suria Torres says
I always used reCaptcha until it didn't work anymore, I never didn't know why, so I searched other methods like these. Thanks for the post!
Steve says
Yeah, it is strange that sometimes one spam protection method works and other times it doesn't. I think server and site configurations can play a big role in this. We always recommend using a Honeypot spam option in conjunction with something else like Akismet or reCaptcha.
Balint says
As someone who is starting his first blog, this post has been very helpful!
Steve says
Congratulations on starting your first blog. Glad you were able to find our blog and that it was useful for you. Best of luck.
Nitin Dabas says
The honeypot method is just amazing! I'll definitely try it.
Thanks for sharing the information.
~Nitin
Steve Wells says
Thanks for the comment. While it isn't always the best option by itself, honeypot spam control is a great way to beef up other spam protection methods like Akismet or reCaptcha.
Nitish Lakra says
I will follow these tips on my wp site.
Steve Wells says
Glad you liked the spam protection tips. If you haven't already, you can subscribe to our blog to get other super helpful tips to make your WordPress forms even better.
Abhishek Upadhyay says
I am literally getting tens of submissions every single day on my blog. I'll use all the techniques to reduce spam as much as possible.
Thanks for helping me by posting this valuable piece of content.
Steve Wells says
Ugh, Spam is the worst. Sorry you are having trouble with it. Hope the tips and solutions in this article are helpful for you.
Elissa Hammond says
So, spammers use proxies to spam with multiple IP addresses...I wonder if this works the same way with spam phone calls. I receive so many unwanted calls daily, ill block the number & they will call from another number the next day. Anyway, I think the idea you developed is a great one!
Steve Wells says
Great idea...I'm not exactly sure how this would work, but the principles should do the trick if they can be applied to phone calls.
Nazmul Huda says
Thanks
James Heath says
I have a few 'Contact Us' forms that have been absolutely blasted by spammers, so I've implemented honeypot, recaptcha, and a conditional check for Russian characters and links in the message field.
Steve Wells says
That's a great idea to check for specific characters...Did you know you can use the Built-in blacklist from the WordPress Discussion settings page to block entries containing certain words?
Aditya Agarwal says
Is there any programatic way of implementing this, I did some code to block bots, yet I still get fake submittions
Steve Wells says
If you are using Formidable forms, you shouldn't need code to implement any of the above options. Otherwise, I am guessing something similar could be implemented programmatically, but that isn't something we can help with, Sorry!
FATHME GUL says
REALLY USEFUL TO ME AS A NOVICE IN WORDPRESS, I HATE SPAM COMMENTS!
The Entrepreneur says
I'm still very new to Wordpress and this world and I was not aware of any of these methods. I had started getting spam and was searching for solutions. Thank you so so much for this!
Jin says
Formidable's ability to connect forms with Akismet is not only a huge lifesaver for us, but I think it's a bit of a hidden secret setting.
After installing Akismet, check out this guide https://formidableforms.com/knowledgebase/add-spam-protection/#kb-akismet
And make sure to turn on this setting.
Lifesaver.
Bannersky.com says
Another choice that can block submission base on field content. You may also use white list, email list and IP list to block spam.
With your own keyword and apply them to a form field. The plugin will block submitting if the field content contains / same as one of your spam keyword.
It also can be used to delete entry if spam keyword found.
Antideo says
Ryan, Formidable forms is one of the popular forms out there and hence it has become a target for spammers. You have listed some very important options to weed out spam. We would like to suggest the Antideo Email Validator plugin that works out of the box with Formidable Forms, to validate emails preventing disposable emails, free emails, emails from invalid domains, generic emails etc. You can also create and save your own email as well as domain blacklists.
Ryan, it would be wonderful if you can include us in your blog as one of the options to further secure your contact forms
Ian says
Hello, formidableforms.com. s