Would you like to prevent spam from being sent through your WordPress forms? Many anti-spam options are available, and it can be hard to know which one(s) to choose.
In this tutorial, we’ll walk you through the anti-spam options available in WPForms.
In This Article
Requirements: The Akismet, reCAPTCHA, hCaptcha, and Cloudflare Turnstile integrations are available with any version of WPForms, including WPForms Lite. The Custom Captcha addon is available with any paid license.
Accessing Spam Protection and Security Settings
WPForms has its own spam protection and security settings that you can access directly in the form builder.
To get started, you’ll first need to create a new form or edit an existing one to access the form builder.
Once you’ve opened the form builder, head to Settings » Spam Protection and Security.
Here is where you’ll find most of the configuration options for preventing spam in your form entries.
Throughout this tutorial, we’ll cover how to configure the available anti-spam options.
Enabling Anti-Spam Protection
WPForms has built-in anti-spam protection that verifies a token that our plugin adds to each form.
The token is a time-sensitive cryptographic string that’s very hard to guess or fake. This allows us to halt form submission processing if there’s no token or if the token has expired or is invalid.
You can find this anti-spam option in the form builder under Settings » Spam Protection and Security.
The Enable anti-spam protection option should be toggled on by default, but you can check it here.
With this setting enabled, your form will not submit if a bot triggers the anti-spam protections.
Enabling Akismet Anti-Spam Protection
Akismet anti-spam protection helps keep spammers from submitting WordPress forms. Using smart algorithms, Akismet stops form entries identified as spam from being saved. These algorithms adapt based on user-reported spam, automatically flagging similar content as spam over time.
For a step-by-step guide to using Akismet with WPForms, refer to our tutorial on setting up Akismet anti-spam protection.
Enabling Spam Entry Storage
WPForms lets you choose whether to block spam entries completely or store them in your database. For example, instead of blocking spam entries with Akismet, you can temporarily save them in your form entries page as spam. This allows you to review spam submissions and easily recover false-positive entries.
To allow spam entry storage, toggle the Store spam entries in the database option to the on position.
Once enabled, entries identified as spam will be stored in the Spam section on the form’s Entries page.
For a detailed guide to spam entry management, see our tutorial on viewing and managing spam entries.
Enabling Minimum Time to Submit
WPForms provides the option to set a minimum time before users can submit your form. Setting a minimum time to submit a form helps to reduce bot submissions on your WordPress forms.
To set it up for a form, toggle the Enable minimum time to submit option to the on position.
Next, enter a value in the timer field that appears. This value is in seconds and would apply to users filling out the form.
If a user attempts to submit the form before the minimum time you configured, they’ll see an error message prompting them to wait a little longer before submitting the form.
Adding a CAPTCHA to Your Forms
CAPTCHAs are automated tests that check that users are real people and not spambots. There are four different CAPTCHA options you can add to your forms for additional protection beyond the built-in option WPForms provides.
We’ve created separate tutorials to guide you through each method, so you can select the one that best suits your needs.
- reCAPTCHA: Strengthen your form’s security using Google’s reCAPTCHA service.
- hCaptcha: Add an extra layer of protection with the hCaptcha alternative.
- Cloudflare Turnstile: Secure your forms by integrating them with Cloudflare Turnstile.
- Custom Captcha: Create a custom captcha solution tailored to your specific requirements.
Simply click on any of the preferred methods above to explore each option and learn how to add them to your forms.
Adding Spam Filters
Under the Filtering section of your Spam Protection and Security settings, there are 2 different filters you can enable to prevent users from submitting your form.
Here you’ll see an option for enabling a country filter and another for enabling a keyword filter.
We’ll cover how to use each of these filters below.
Adding a Country Filter
Using a country filter is a simple and effective way to allow or deny form submissions from specific countries.
To enable this feature from the form builder, head to Settings » Security and Spam Protection and toggle on the Enable country filter option.
Next, click the dropdown menu under Country Filter and select Allow if you’d like to permit users from specific countries to submit your form. If you’d like to block users from specific countries from submitting your form, select Deny.
Then, click the other dropdown and select the countries you’d like to allow or deny entries from.
For our example, we’ll choose to Allow entries from United States of America only.
Now if a user attempts to submit our form from outside of our selected country, the form will fail to submit. They’ll also see a default message that reads, “Sorry, this form does not accept submissions from your country.”
If you’d like to change the message shown to the denied user, you can add your custom message to the field under Country Filter Message.
Once you’ve added a country filter, be sure to save your form to apply the changes.
Note: The country filter will only apply to this specific form and won’t apply to other forms on your site that you’ve created with WPForms.
Adding a Keyword Filter
Using a keyword filter is an easy way to manage inputs for all fields in your forms. To start, toggle the Enable keyword filter option to the on position.
Next, click Edit keyword list to open your list of keywords.
You’ll then see a text box labeled Keyword Filter List. To add words or phrases to your list, simply type them in the text box. If you add more than one word or phrase, be sure to type each one on its own line.
Note: Because the keyword filter is case-insensitive, it doesn’t detect any difference between lowercase or uppercase letters.
If you use commas to separate the words or phrases in your keyword list instead of placing each on its own line, you’ll likely see a prompt to reformat your list. Reformatting your list helps the filter detect the specific words and phrases that you want to block in your forms.
If you wish to reformat, simply click the Yes, Reformat button.
After reformatting your list, the commas will be removed, and the words and phrases will appear on their own line. This can be particularly helpful if you’re copying a list from a CSV file since commas often separate CSV file values by default.
Once you’ve added your keywords, click Save Changes to update your list of blocked keywords.
Note: The words and phrases added to your Keyword Filter List will apply to all forms on your site that you’ve created with WPForms.
Now when a user attempts to submit your form with one of the blocked keywords, the form will fail to submit. The user will also see a default message that reads, “Sorry, your message can’t be submitted because it contains prohibited words.”
To change the message that’s displayed to the denied user, replace the text in the Keyword Filter Message field with your preferred message.
Once you’ve set up your keyword filter, be sure to save your form.
Creating an Allowlist or Denylist
Another effective method to safeguard your forms from spam is by using an allowlist or denylist. This approach limits form submissions based on the email addresses of users. If a user’s email address doesn’t comply with your list’s rules, they will be unable to submit the form.
For detailed instructions on these spam protection methods, refer to our full tutorial on setting up an email allowlist or denylist.
Frequently Asked Questions
Below, we’ve answered the top questions we get about spam protection in WPForms.
There’s an option in my settings to enable an anti-spam honeypot. How does that work?
Our anti-spam honeypot was included for any forms created prior to our 1.6.2 release. However, forms created after that update will only use our newer anti-spam protection option.
That’s it! Now you know how to prevent spam in your forms.
Next, would you like to edit entries that have been submitted through your forms? Be sure to check out our tutorial on editing entries in WPForms for more details.