Want to block spam on WordPress contact forms? Here are 8 anti-spam techniques to help prevent spam form submissions.
Approximate read time: 5.5 minutes
Spam. It just seems to be everywhere. Considering that 30%+ of websites run on WordPress, the users of this platform can expect a lot of spam.
And a lot of that spam email comes from simple contact forms.
This post will go over a few ways to stop spam in WordPress contact forms. So if you love sifting through spam submissions manually, well, this isn't the post for you!
Let’s get down to it!
👉 Want to use hCaptcha spam protector on your website? Here's how to use hCaptcha for WordPress forms
1. Completely block the IP address
Seems like the most obvious solution right? If only it were this simple!
If you see a repeat offender, you can block the whole IP address in the WordPress comment blocklist. With services like Cloudflare, you can even block whole countries.
Usually, you don't receive a spam contact form submission from a real person.
Most spam comes from bots 🤖 (programs automatically post spam messages on every WordPress contact form they can find). And to add to the fun — spammers use proxies (a wide range of fake IP addresses).
As you can see, blocking the IP address may protect you from an individual spammer but not from bots.
Blocking an IP address is easy but won't help you solve the real problem easily. This will only work if you constantly track spam IP addresses, but who has time for that?
2. Add a JavaScript token to prevent form spam without captcha
The thing is, most spammers are not humans, so the JavaScript on your site isn't triggered. You are rarely spammed by individuals but usually by bots.
A JavaScript token is an autogenerated key your site creates when a human visits your WordPress site.
Then, it's inserted into your forms without real visitors ever knowing it's there. The token is checked when a contact submits the form. It resets every day or two, so spammers are always running behind.
This way, you can protect your contact forms and message fields without lifting a finger.
3. Block spam with the honeypot method
The honeypot method is a 'sweet' form of contact form spam protection on WordPress sites. Here's how the honeypot method blocks spam. It creates a hidden field on your contact form page which is invisible to the visitors but is visible to the bot.
Hiding the field is easy — and will not disturb your visitors. But the bot scans the code of your page, so it sees the field anyway. As we discussed, bots submit spam messages automatically, identifying this “honeypot” field and filling it out.
When the bot tries to submit the contact form spam message, the honeypot feature will block it - as it will see that the “invisible field” is filled too. Gotcha!
If you are worried about difficult coding that you will have to do — worry not. Contact form plugins like Formidable Forms will make it a one-click action. A form builder like Formidable also has tons of other spam protection features.
There are a few other options that use the honeypot method. The Contact Form 7 honeypot plugin can extend the basic features of Contact Form 7, for example.
4. Use reCAPTCHA
Google’s reCaptcha is designed to tell the difference between a human and a bot. They've made this tool widely accessible to developers. There's only one issue: it can be a bit complicated if you aren't a developer.
This is where a plugin like Formidable Forms can help once again. You can add a reCAPTCHA to a WordPress contact form in a few clicks. And if you use a tool like a landing page builder, Formidable will be even easier.
reCAPTCHA v2
Here is when things get interesting. You'll probably know this reCAPTCHA:
This new version of reCaptcha tracks the movement of your mouse after you click the box, if the movement is still suspicious, you'll be clicking on boats, cars, and trains to prove that you are not a spam bot.
This is one of the most widespread solutions at the present moment. Why? Because it works! It does not annoy the user that much, and the mouse tracking is very hard to bypass by the bot.
But still, you want the perfect user experience, right? Do you want to capture as many valid email addresses as possible? There are a few more ways to block contact form spam in WordPress.
5. Invisible reCAPTCHA
Invisible reCaptcha V2 is here to save the day! It tracks mouse movement but in the background while staying invisible. So while real human users happily click and go through the pages, bots are blocked.
Invisible reCaptcha is available with one click in a WordPress contact form builder like Formidable, so it's a no-brainer for sure.
6. ReCAPTCHA V3
Just in case you didn't have enough reCAPTCHA options... Here's another one to help stop contact form spam. V3 gives you invisible anti-spam but also scores every submission in a form. You choose what scores to block, and the rest is covered.
Over time, this reCAPTCHA learns more about your site by seeing real traffic. Then, website owners can adjust the score threshold to block more or less strictly. This is a great way to stop human spammers too.
7. Custom spam protect form fields
Are you still looking for more contact form anti-spam for WordPress sites? We've got a couple more that could really help.
If you have a solid form builder, you can create your own!
You formulate questions and make the visitor answer it. As the questions and answers are unique for every site, bots have a tough time breaking them.
One simple custom captcha method: a math question. Ask something like “5+6=?” and let the user fill in the answer. While it is a very accessible solution, it still decreases the user experience a bit.
8. Install WordPress antispam plugins
Without mentioning the WordPress anti-spam plugins, no spam message-blocking list would be complete.
The most used ones are Akismet, WordPress Zero Spam, and Jetpack. These plugins work independently from your contact form tools.
They also tap into already-known spam IPs databases, so they can help block the threat even before it appears.
So how are you going to block spam on WordPress contact forms
Creating anti-spam protection on your WordPress site while keeping the user experience high will take some help. Luckily the methods we described in this post are easily accessible if you have the right tools.
For example, combining Invisible reCaptcha, Honeypot, and one of the WordPress plugins will give you several layers of protection for stopping spam. The best part? None of those methods are intrusive for users!
We hope you've enjoyed this article. If you found it useful, be sure to check back to the Formidable blog often!
Read more posts about anti-spam in WordPress
How To Use hCaptcha for WordPress Forms [Block Spam Easily!]
The Best WordPress Spam Registration Prevention Methods
How To Add a Captcha to WordPress Contact FormsFormidable Forms is much more than an anti-spam tool. It's a complete website solution. Build forms plus more with one of our 100% guaranteed premium plans today!
Thank you, this is great. I use the reCaptcha for this purpose but didn't know about these other options as well.
Will use in the future.
Glad this was helpful for you. Best of luck on all your current and future projects.
I always use reCaptcha. Thanks for making it so easy to use!
Glad you like it. reCaptcha really is a great way to reduce spam in your WordPress forms. best of luck on your current and future projects.
Wow, I never knew about the HoneyPot method, this is a very valuable blog, thank you, signed not-a-bot
Hi not-a-bot 😉
Yeah, HoneyPot spam protection for WordPress forms is fairly new. It isn't always the most bullet-proof option for spam protection, but it is great to use in conjunction with other spam protection methods like reCaptcha or Akismet.
HoneyPot method is a great tip!
Yep, It's a great tool. Glad the article helped.
I always used reCaptcha until it didn't work anymore, I never didn't know why, so I searched other methods like these. Thanks for the post!
Yeah, it is strange that sometimes one spam protection method works and other times it doesn't. I think server and site configurations can play a big role in this. We always recommend using a Honeypot spam option in conjunction with something else like Akismet or reCaptcha.
As someone who is starting his first blog, this post has been very helpful!
Congratulations on starting your first blog. Glad you were able to find our blog and that it was useful for you. Best of luck.
The honeypot method is just amazing! I'll definitely try it.
Thanks for sharing the information.
~Nitin
Thanks for the comment. While it isn't always the best option by itself, honeypot spam control is a great way to beef up other spam protection methods like Akismet or reCaptcha.
I will follow these tips on my wp site.
Glad you liked the spam protection tips. If you haven't already, you can subscribe to our blog to get other super helpful tips to make your WordPress forms even better.
I am literally getting tens of submissions every single day on my blog. I'll use all the techniques to reduce spam as much as possible.
Thanks for helping me by posting this valuable piece of content.
Ugh, Spam is the worst. Sorry you are having trouble with it. Hope the tips and solutions in this article are helpful for you.
So, spammers use proxies to spam with multiple IP addresses...I wonder if this works the same way with spam phone calls. I receive so many unwanted calls daily, ill block the number & they will call from another number the next day. Anyway, I think the idea you developed is a great one!
Great idea...I'm not exactly sure how this would work, but the principles should do the trick if they can be applied to phone calls.
Thanks
I have a few 'Contact Us' forms that have been absolutely blasted by spammers, so I've implemented honeypot, recaptcha, and a conditional check for Russian characters and links in the message field.
That's a great idea to check for specific characters...Did you know you can use the Built-in blacklist from the WordPress Discussion settings page to block entries containing certain words?
Is there any programatic way of implementing this, I did some code to block bots, yet I still get fake submittions
If you are using Formidable forms, you shouldn't need code to implement any of the above options. Otherwise, I am guessing something similar could be implemented programmatically, but that isn't something we can help with, Sorry!
REALLY USEFUL TO ME AS A NOVICE IN WORDPRESS, I HATE SPAM COMMENTS!
I'm still very new to WordPress and this world and I was not aware of any of these methods. I had started getting spam and was searching for solutions. Thank you so so much for this!
Formidable's ability to connect forms with Akismet is not only a huge lifesaver for us, but I think it's a bit of a hidden secret setting.
After installing Akismet, check out this guide https://formidableforms.com/knowledgebase/add-spam-protection/#kb-akismet
And make sure to turn on this setting.
Lifesaver.
Another choice that can block submission base on field content. You may also use white list, email list and IP list to block spam.
With your own keyword and apply them to a form field. The plugin will block submitting if the field content contains / same as one of your spam keyword.
It also can be used to delete entry if spam keyword found.
Ryan, Formidable forms is one of the popular forms out there and hence it has become a target for spammers. You have listed some very important options to weed out spam. We would like to suggest the Antideo Email Validator plugin that works out of the box with Formidable Forms, to validate emails preventing disposable emails, free emails, emails from invalid domains, generic emails etc. You can also create and save your own email as well as domain blacklists.
Ryan, it would be wonderful if you can include us in your blog as one of the options to further secure your contact forms
Hello, formidableforms.com. s