Preventing Spam in WPForms

Would you like to prevent spam from being sent through your WordPress forms? Many anti-spam options are available, and it can be hard to know which one(s) to choose.

In this tutorial, we’ll walk you through the anti-spam options available in WPForms.

Preventing Spam Overview

Requirements: The Akismet, reCAPTCHA, hCaptcha, and Cloudflare Turnstile integrations are available with any version of WPForms, including WPForms Lite. The Custom Captcha addon is available with any paid license.

Accessing Spam Protection and Security Settings

WPForms has its own spam protection and security settings that you can access directly in the form builder.

To get started, you’ll first need to create a new form or edit an existing one to access the form builder.

Once you’ve opened the form builder, head to Settings » Spam Protection and Security.


Here is where you’ll find most of the configuration options for preventing spam in your form entries.


Throughout this tutorial, we’ll cover how to configure the available anti-spam options.

Enabling Anti-Spam Protection

Note: For anti-spam protection to function properly, JavaScript must be enabled on your site.

WPForms has built-in anti-spam protection that verifies a token that our plugin adds to each form.

The token is a time-sensitive cryptographic string that’s very hard to guess or fake. This allows us to halt form submission processing if there’s no token or if the token has expired or is invalid.

You can find this anti-spam option in the form builder under Settings » Spam Protection and Security.

The Enable anti-spam protection option should be toggled on by default, but you can check it here.


With this setting enabled, your form will not submit if a bot triggers the anti-spam protections.


Enabling Akismet Anti-Spam Protection

Akismet anti-spam protection helps keep spammers from submitting WordPress forms. Using smart algorithms, Akismet stops form entries identified as spam from being saved. These algorithms adapt based on user-reported spam, automatically flagging similar content as spam over time.

For a step-by-step guide to using Akismet with WPForms, refer to our tutorial on setting up Akismet anti-spam protection.

Enabling Spam Entry Storage

WPForms lets you choose whether to block spam entries completely or store them in your database. For example, instead of blocking spam entries with Akismet, you can temporarily save them in your form entries page as spam. This allows you to review spam submissions and easily recover false-positive entries.

To allow spam entry storage, toggle the Store spam entries in the database option to the on position.

Once enabled, entries identified as spam will be stored in the Spam section on the form’s Entries page.

For a detailed guide to spam entry management, see our tutorial on viewing and managing spam entries.

Enabling Minimum Time to Submit

WPForms provides the option to set a minimum time before users can submit your form. Setting a minimum time to submit a form helps to reduce bot submissions on your WordPress forms.

To set it up for a form, toggle the Enable minimum time to submit option to the on position.

Next, enter a value in the timer field that appears. This value is in seconds and applies to every user filling out the form.

If a user attempts to submit the form before the minimum time you configured, they’ll see an error message prompting them to wait a little longer before submitting the form.
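The token check described under Enabling Anti-Spam Protection and the minimum time to submit can both be enforced on the server from a single signed timestamp. The sketch below is an added example, not WPForms code: the token layout, the constants, the function names, and the secret are all assumptions made for illustration.

```php
<?php
// Added illustration, not WPForms source. Token layout "formId.issuedAt.mac",
// the constants and the function names are assumptions for this example.
const TOKEN_TTL     = 3600; // seconds a token stays valid (assumed value)
const MIN_FILL_TIME = 3;    // minimum seconds between render and submit (assumed value)

// Called when the form is rendered: sign the form ID and the issue time.
function issue_token(string $secret, int $formId, int $now): string
{
    $payload = $formId . '.' . $now;
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

// Called on submit: returns 'ok' or the reason processing must stop.
function check_token(string $secret, int $formId, ?string $token, int $now): string
{
    if ($token === null || $token === '') {
        return 'missing';
    }
    $parts = explode('.', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return 'invalid';
    }
    [$id, $issued, $mac] = $parts;
    $expected = hash_hmac('sha256', $id . '.' . $issued, $secret);
    // Constant-time compare, and bind the token to the form it was issued for.
    if (!hash_equals($expected, $mac) || (int) $id !== $formId) {
        return 'invalid';
    }
    $age = $now - (int) $issued;
    if ($age > TOKEN_TTL) {
        return 'expired';
    }
    return $age < MIN_FILL_TIME ? 'too_fast' : 'ok';
}

// Constructed sample run: one token issued for form 42 at a fixed time.
$secret = 'constructed-demo-secret';
$t0     = 1700000000;
$token  = issue_token($secret, 42, $t0);
$cases  = [
    'no token'       => [null, 42, $t0 + 10],
    'tampered mac'   => [substr_replace($token, 'x', -1), 42, $t0 + 10],
    'other form'     => [$token, 7, $t0 + 10],
    'expired'        => [$token, 42, $t0 + TOKEN_TTL + 1],
    'submitted fast' => [$token, 42, $t0 + 1],
    'normal submit'  => [$token, 42, $t0 + 10],
];
foreach ($cases as $label => [$tok, $form, $now]) {
    printf("%-15s %s\n", $label, check_token($secret, $form, $tok, $now));
}
```

Because the issue time is covered by the MAC, a client cannot backdate it to get past the minimum-time check without invalidating the token.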

Adding a CAPTCHA to Your Forms

CAPTCHAs are automated tests that check that users are real people and not spambots. There are four different CAPTCHA options you can add to your forms for additional protection beyond the built-in option WPForms provides.

We’ve created separate tutorials to guide you through each method, so you can select the one that best suits your needs.

  • reCAPTCHA: Strengthen your form’s security using Google’s reCAPTCHA service.
  • hCaptcha: Add an extra layer of protection with the hCaptcha alternative.
  • Cloudflare Turnstile: Secure your forms by integrating them with Cloudflare Turnstile.
  • Custom Captcha: Create a custom captcha solution tailored to your specific requirements.

Simply click on any of the preferred methods above to explore each option and learn how to add them to your forms.

Adding Spam Filters

Under the Filtering section of your Spam Protection and Security settings, there are two different filters you can enable to prevent users from submitting your form.

Here you’ll see an option for enabling a country filter and another for enabling a keyword filter.

We’ll cover how to use each of these filters below.

Adding a Country Filter

Using a country filter is a simple and effective way to allow or deny form submissions from specific countries.

To enable this feature from the form builder, head to Settings » Spam Protection and Security and toggle on the Enable country filter option.

Next, click the dropdown menu under Country Filter and select Allow if you’d like to permit users from specific countries to submit your form. If you’d like to block users from specific countries from submitting your form, select Deny.

Then, click the other dropdown and select the countries you’d like to allow or deny entries from.

For our example, we’ll choose to Allow entries from the United States of America only.

Now if a user attempts to submit our form from outside of our selected country, the form will fail to submit. They’ll also see a default message that reads, “Sorry, this form does not accept submissions from your country.”

If you’d like to change the message shown to the denied user, you can add your custom message to the field under Country Filter Message.

Once you’ve added a country filter, be sure to save your form to apply the changes.

Note: The country filter will only apply to this specific form and won’t apply to other forms on your site that you’ve created with WPForms.

Adding a Keyword Filter

Using a keyword filter is an easy way to manage inputs for all fields in your forms. To start, toggle the Enable keyword filter option to the on position.

Next, click Edit keyword list to open your list of keywords.

You’ll then see a text box labeled Keyword Filter List. To add words or phrases to your list, simply type them in the text box. If you add more than one word or phrase, be sure to type each one on its own line.

Note: Because the keyword filter is case-insensitive, it doesn’t detect any difference between lowercase and uppercase letters.

If you use commas to separate the words or phrases in your keyword list instead of placing each on its own line, you’ll likely see a prompt to reformat your list. Reformatting your list helps the filter detect the specific words and phrases that you want to block in your forms.

If you wish to reformat, simply click the Yes, Reformat button.

After reformatting your list, the commas will be removed, and each word or phrase will appear on its own line. This can be particularly helpful if you’re copying a list from a CSV file since commas often separate CSV file values by default.

Once you’ve added your keywords, click Save Changes to update your list of blocked keywords.

Note: The words and phrases added to your Keyword Filter List will apply to all forms on your site that you’ve created with WPForms.

Now when a user attempts to submit your form with one of the blocked keywords, the form will fail to submit. The user will also see a default message that reads, “Sorry, your message can’t be submitted because it contains prohibited words.”

To change the message that’s displayed to the denied user, replace the text in the Keyword Filter Message field with your preferred message.

Once you’ve set up your keyword filter, be sure to save your form.

Creating an Allowlist or Denylist

Another effective method to safeguard your forms from spam is by using an allowlist or denylist. This approach limits form submissions based on the email addresses of users. If a user’s email address doesn’t comply with your list’s rules, they will be unable to submit the form.

For detailed instructions on these spam protection methods, refer to our full tutorial on setting up an email allowlist or denylist.

Frequently Asked Questions

Below, we’ve answered the top questions we get about spam protection in WPForms.

There’s an option in my settings to enable an anti-spam honeypot. How does that work?

Our anti-spam honeypot was included for any forms created prior to our 1.6.2 release. However, forms created after that update will only use our newer anti-spam protection option.

That’s it! Now you know how to prevent spam in your forms.

Next, would you like to edit entries that have been submitted through your forms? Be sure to check out our tutorial on editing entries in WPForms for more details.