Add Spam Protection

Knowledge Base → Forms → Form Building → Add Spam Protection

Formidable includes several built-in options for spam protection including a captcha and captcha alternatives. Each of the options below will stop spam by preventing the entry from being submitted if it appears to be spam.

Get Better Forms FREE!

JavaScript token

In addition to HoneyPot, the anti-spam JavaScript token is also built-in. Use this for a more effective spam protection using JavaScript, including protecting file uploads from spam. This spam option generates a token that is specific to your site, and is good for at least 24 hours.

To turn on the Javascript token, check the box to Check entries for spam using JavaScript.

With this option enabled, the token may be cached longer than expected and end up with false positives. If you run into this, you may increase the expiration time on the token with custom code.

If you need to extend the valid token times before or after today, use the frm_form_token_check_before_today or frm_form_token_check_after_today hook.

Honeypot

Honeypot is a type of invisible spam protection. Normal users won't be affected by this spam protection. Suspicious submissions will be marked as spam and Formidable will prevent the entry from being submitted.

This feature is enabled by default on all forms and can be configured by going into your Formidable → Global Settings → Captcha/Spam. Under the Spam section, you should see the Use Honeypot to check entries for spam checkbox. When this is enabled, it will include an invisible field in your form to trick bots.

Note: As of version 6.21, the Honeypot strict option has been removed to help prevent issues with false positives for iOS users.

Empty field above form

If the Formidable styling is missing from the page, you may see the empty form field at the top of each form. If you see this extra field with the label 'If you are human leave this field blank', follow these steps:

Clear any caching from your site (i.e. from a plugin, or from your host) and then refresh the page.
If the issue persists, go to the Form Styler page and click the Update button.

Akismet

Akismet saves you time by automatically detecting and preventing spam. It runs hundreds of tests on each entry and determines whether or not to allow form submission. As a result, you don't have to waste your time sorting through and deleting spam entries. Follow the directions below to set it up.

Go to your Wordpress plugins. Install and activate Akismet.
Sign up for an Akismet API key. Akismet may require a paid subscription depending on the type of site you have.
Go to your Akismet Settings and save your API key.
Go to the form Settings page for each form you would like protected. Look for the On Submit section, and you should see the Use Akismet to check entries for spam dropdown.
You can set Akismet to check entries for no one, everyone, or visitors who are not logged in.

Akismet Troubleshooting

If you are seeing an error message like Your entry appears to be spam, you might have an email address or URL that is getting flagged. Please contact Akismet support. Choose the I think Akismet is catching my comments by mistake option, and they'll investigate the issue.

Captcha

Captchas are used by many websites to prevent abuse from 'bots', or automated programs usually written to generate spam. Bots cannot easily submit forms protected by Captcha.

reCAPTCHA

reCAPTCHA is a script that judges whether a user is a human or a robot. You have probably seen some variation of reCAPTCHA.

Learn more about setting up reCAPTCHA in your forms.

hCaptcha

hCaptcha is a program that is designed to distinguish human users from spam via a challenge-response test. It is a popular alternative to Google's reCAPTCHA.

Learn more about setting up hCaptcha in your forms.

Turnstile

Turnstile by Cloudflare is an alternative to CAPTCHAs that is available at no cost. This solution helps reduce spam form entries without sacrificing user experience or compromising visitors' data privacy. It provides your website visitors with a seamless, hassle-free experience while verifying their authenticity.

Learn more about setting up Cloudflare Turnstile in your forms.

StopForumSpam API

Select the Use stopforumspam API to check entries for spam checkbox to validate form entries for spam against the StopForumSpam API. When this is enabled, IPs and email addresses will be validated against a spam database.

Custom disallowed and allowed words

Field data is now compared to a comprehensive denylist during field validation. This significantly helps to block form data that looks like spam. By creating a list of custom allowed and disallowed words, you can effectively protect forms from spam by restricting submissions based on users' email addresses.

This feature can be configured by going into your Formidable → Global Settings → Captcha/Spam. Under the Spam section, you should see the boxes to enter your custom disallowed and allowed words.

Comment Blacklist

In addition to Honeypot spam protection, every form submission goes through the comment blacklist checks. It allows adding custom terms to the comment blacklist and integrating several spam protection plugins without extra effort.

To add words, IPs, or URLs to your blacklist, go to the WordPress Settings → Discussion page. Add values in the Disallowed Comment Keys box, following the WordPress instructions: One word or IP address per line. It will match inside words, so "press" will match "WordPress."

When a form submission is determined to be spam, an error message appears:

Your entry appears to be blocked spam!

To disable blacklist spam checks, use the frm_check_blacklist hook.

Block IP addresses

Use the Disallowed Comment Keys textarea in the Discussion Settings to block IP addresses. An IP address listed in this option will be blocked from submitting a form entry and uploading files.

To add IP addresses with a snippet, you can hook it into the disallowed_keys option instead of updating it.

add_filter( 'option_disallowed_keys', function( $keys ) {
    return $keys .= ' 1337.HAXORS';
} );

If you are getting multiple file uploads from a specific IP, you can block and prevent the IP from uploading any files by adding the IP address to your disallowed comment keys.

CleanTalk

Anti-Spam by CleanTalk is a cloud-based service with a firewall that helps prevent spam bots before they get access to your website. It analyzes comments on your site and determines if it's from a visitor or a spam bot. If the comment is found to be from a spam bot, they will be blocked. And it's easy to install Cleantalk on your website.

Troubleshooting

Spam submissions continue

If you are still receiving spam submissions with reCaptcha installed, you may be seeing manual spam rather than automated. We have seen this happen occasionally on various sites. Manual spam attacks are much more difficult to prevent with automated spam protection. There are a few options available by combining multiple spam prevention options.

Add Akismet. Since Akismet is frequently updated, there may be certain IPs, URLs, or phrases that other option may not catch.
Check the entries for common phrases, URLs, or IPs. If you find something repeated, add it to the comment blacklist. This works well for targeted manual spam.

Your entry appears to be spam

If you see this error message and have Akismet installed, follow these troubleshooting steps. If you don't have Akismet installed, the Honeypot spam protection system is one possible source of this error message. We have seen this occasionally happen when autocomplete is enabled in the browser. It can sometimes add value to the hidden Honeypot field, marking the entry as spam. You can switch off Honeypot in your form settings to remove the validation check.

Your entry appears to be blocked spam

If you see this message, the submission is being caught by a line in the comment blocklist. Remember that WordPress checks for word fragments, so something like "woo" would also flag "woocommerce."

If you continue to experience issues with entries getting flagged as spam, you can use this code snippet to disable the denylist spam checks.

That file looks like spam

If you see this error message, it could be due to the Honeypot spam protection system. To fix this, go to your form Settings → On Submit, and select Off from the Use Honeypot to check entries for spam dropdown.

Form token is invalid

This message can appear when the javascript token is outdated when the form is submitted. It is often caused by the cache holding onto the old page without the token.

Best solution: Extend the time that a token is valid with the frm_form_token_check_before_today hook.
Temporarily disable any plugins that include caching.
Clear all browsers and hosting cache.
Investigate any external caching like Cloudflare or MaxCDN.

This page isn't loading JavaScript properly

This error message is displayed when the Antispam token fails to validate because no token is sent. This means there is a javascript issue on the page, which is usually related to the theme, custom code, or another plugin. See how to fix it.

If you need a quick fix, you may turn off the antispam token. To do so, go to your form Settings → On Submit, and uncheck the box to Check this form for spam using JavaScript.

To turn off Honeypot on one or all forms, use the frm_run_honeypot hook.
To manually flag the submission of a form as honeypot spam, use the frm_process_honeypot hook.
To remove the spam bot error when there is no IP, use the frm_validate_entry hook.
To extend the valid token times before today, use the frm_form_token_check_before_today hook.
To extend the valid token times after today, use the frm_form_token_check_after_today hook.
To filter the allowed IP addresses in spam check, use the frm_allowed_ips hook.
To enable or disable the denylist spam check, use the frm_check_denylist hook.
To filter the denylist data, use the frm_denylist_data hook.
To filter the denylist IPs data, use the frm_denylist_ips_data hook.
To filter the request data sent to the StopForumSpam API , use the frm_stopforumspam_request_data hook.
To filter the StopForumSpam API based URL, use the frm_stopforumspam_api_url hook.
To prevent honeypot validation when uploading files, use the frm_check_honeypot_on_file_upload hook.

JavaScript token