Preventing Spam in WPForms

Would you like to prevent spam from being sent through your WordPress forms? Many anti-spam options are available, and it can be hard to know which one(s) to choose.

In this tutorial, we’ll walk you through the anti-spam options available in WPForms.

Requirements: The Akismet, reCAPTCHA, hCaptcha, and Cloudflare Turnstile integrations are available with any version of WPForms, including WPForms Lite. The Custom Captcha addon is available with any paid license.


Accessing Spam Protection and Security Settings

WPForms has its own spam protection and security settings that you can access directly in the form builder.

To get started, you’ll first need to create a new form or edit an existing one to access the form builder.

Once you’ve opened the form builder, head to Settings » Spam Protection and Security.

spam-protection-settings

Here is where you’ll find most of the configuration options for preventing spam in your form entries.

spam-protection-and-security-settings-panel

Throughout this tutorial, we’ll cover how to configure the available anti-spam options.

Enabling Anti-Spam Protection

Note: For anti-spam protection to function properly, JavaScript must be enabled on your site.

WPForms has built-in anti-spam protection that verifies a token that our plugin adds to each form.

The token is a time-sensitive cryptographic string that’s very hard to guess or fake. This allows us to halt form submission processing if there’s no token or if the token has expired or is invalid.

You can find this anti-spam option in the form builder under Settings » Spam Protection and Security.

The Enable anti-spam protection option should be toggled on by default, but you can check it here.

enable-anti-spam-protection-option

With this setting enabled, your form will not submit if a bot triggers the anti-spam protections.

form-token-expired-message

Enabling Akismet Anti-Spam Protection

Akismet anti-spam protection is an effective way to block spammers from submitting your WordPress forms. Akismet uses anti-spam algorithms to prevent your form entries from saving if it detects them as spam. These algorithms also learn to filter out spam reported by users and will automatically tag similar content as spam going forward.

To enable Akismet anti-spam protection in WPForms, you’ll first need to install and activate the Akismet Spam Protection plugin.

Once you’ve installed the plugin, Akismet will redirect you to its settings page. From here, follow the steps for setting up an account and adding your Akismet API key.

akismet-settings

Note: For a step-by-step guide to using Akismet with WPForms, check out our full tutorial on setting up Akismet anti-spam protection.

After you’ve set up an account and added your API key, you’ll need to create a new form or edit an existing one to access the form builder.

Then in the form builder, navigate to Settings » Spam Protection and Security and toggle on the Enable Akismet anti-spam protection option.

enable-akismet-anti-spam-protection

Akismet will now start to detect spam in your form entries.

Adding a CAPTCHA to Your Forms

CAPTCHAs are automated tests that check that users are real people and not spambots. There are three ways to add one to your forms for additional protection beyond the built-in option WPForms provides.

Enabling reCAPTCHA

Google’s reCAPTCHA is a popular CAPTCHA solution. To add reCAPTCHA to your forms, you’ll need to integrate it with WPForms by going to WPForms » Settings » CAPTCHA.

Opening the WPForms CAPTCHA settings

Here, click on reCAPTCHA to enable it.

Select Google reCAPTCHA

Then fill out the fields that appear and save your settings.

The reCAPTCHA settings in WPForms

Note: For detailed steps on how to integrate reCAPTCHA with WPForms, please check out our reCAPTCHA setup tutorial.

Next, open the form you want to protect and head to Settings » Spam Protection and Security. Then, scroll to the CAPTCHA section and toggle on the Enable Google Invisible v2 reCAPTCHA option.

Enable Google v2 reCAPTCHA

Note: The label on the CAPTCHA switch depends on the version of reCAPTCHA you configured. For example, if you set up reCAPTCHA v3, the label will read “Enable Google v3 reCAPTCHA.”

Alternatively, you can always enable reCAPTCHA by adding the reCAPTCHA field to your form.

Add reCAPTCHA field

Make sure to save your changes before leaving the form builder.

Enabling hCaptcha

If you’d prefer not to use Google’s reCAPTCHA, one alternative is to add an hCaptcha to your forms. hCaptcha is free and privacy-conscious, while still offering reliable anti-spam protection.

To set up hCaptcha, you’ll first need to go to WPForms » Settings » CAPTCHA. Then select hCaptcha from the options.

Selecting hCaptcha in the WPForms settings

This will reveal some more settings for you to fill out. You’ll need to generate keys in your hCaptcha account and add them here, then save your settings.

The hCaptcha settings in WPForms

Note: For the full details on how to use hCaptcha with your forms, be sure to check out our tutorial on setting up hCaptcha.

Once you’ve added your keys to your site, you can enable hCaptcha in the form builder by navigating to Settings » Spam Protection and Security. From here, scroll to the CAPTCHA section and toggle on the Enable hCaptcha option.

Enable hCaptcha

Alternatively, you can enable hCaptcha in your form by adding the hCaptcha field.

Add hCaptcha field to form builder

To confirm that you’ve successfully enabled hCaptcha, look for the hCaptcha badge in the form builder preview area.

Form builder hCaptcha badge

Remember to save your form before you leave the builder.

Enabling Cloudflare Turnstile

Another alternative to Google reCAPTCHA and hCaptcha is the Cloudflare Turnstile CAPTCHA-like solution. It focuses on improving user experience by allowing users to submit forms without showing them any puzzle to solve.

To set up Cloudflare Turnstile, you’ll first need to go to WPForms » Settings » CAPTCHA. Then select Turnstile from the available options.

Select Cloudflare Turnstile

Once you’ve selected it, additional settings will appear. You’ll need to generate API keys from your Cloudflare account and add them here, then save your settings.

Cloudflare turnstile settings

Note: For detailed steps on how to integrate Cloudflare Turnstile with WPForms, please check out our tutorial on setting up Cloudflare Turnstile.

After saving your API keys, you’ll be able to enable Cloudflare Turnstile in the form builder by navigating to Settings » Spam Protection and Security. From here, scroll to the CAPTCHA section and toggle on the Enable Cloudflare Turnstile option.

Enable Cloudflare turnstile

Alternatively, you can always enable Cloudflare Turnstile by adding the Turnstile field to the form.

Cloudflare turnstile field

To confirm that you’ve successfully enabled Cloudflare Turnstile, look for the Turnstile badge in the form preview area.

Turnstile badge

Ensure you save your changes before leaving the form builder.

Using a Custom Captcha

Our Custom Captcha addon makes it easy to create a custom question-and-answer or math CAPTCHA for spam prevention.

Before adding a Custom Captcha to your form, you’ll need to activate the Custom Captcha addon.

Then, open the form you want to protect in the builder and head to Settings
» Spam Protection and Security
.

In the Also Available section, you’ll see a Custom Captcha option. Go ahead and click Add to Form to add Custom Captcha to your form.

Click add to form for custom captcha

Alternatively, you can add Custom Captcha to your form by clicking on the Custom Captcha field.

Adding a Custom Captcha field to a form

Once you’ve added the field, you can click on it in the preview area to open up its field options. From here, choose which type of CAPTCHA to show your users by selecting Math or Question and Answer from the Type dropdown.

Selecting a custom captcha type

The Math option will show users a randomly generated simple equation to solve.

Custom captcha number

The Question and Answer option lets you create your own CAPTCHA questions and answers. Each time your form loads, it will display one at random and require your users to answer it before submitting your form.

Custom captcha question

Note: For more details, be sure to check out our tutorial on setting up the Custom Captcha addon.

Adding Spam Filters

Under the Filtering section of your Spam Protection and Security settings, there are 2 different filters you can enable to prevent users from submitting your form.

Here you’ll see an option for enabling a country filter and another for enabling a keyword filter.

Filtering options

We’ll cover how to use each of these filters below.

Adding a Country Filter

Using a country filter is a simple and effective way to allow or deny form submissions from specific countries.

To enable this feature from the form builder, head to Settings » Security and Spam Protection and toggle on the Enable country filter option.

Enable country filter toggle

Next, click the dropdown menu under Country Filter and select Allow if you’d like to permit users from specific countries to submit your form. If you’d like to block users from specific countries from submitting your form, select Deny.

Select allow or deny from dropdown

Then, click the other dropdown and select the countries you’d like to allow or deny entries from.

Select countries from dropdown

For our example, we’ll choose to Allow entries from United States of America only.

Allow entries from usa

Now if a user attempts to submit our form from outside of our selected country, the form will fail to submit. They’ll also see a default message that reads, “Sorry, this form does not accept submissions from your country.”

Country filter message

If you’d like to change the message shown to the denied user, you can add your custom message to the field under Country Filter Message.

Custom country filter message

Once you’ve added a country filter, be sure to save your form to apply the changes.

Note: The country filter will only apply to this specific form and won’t apply to other forms on your site that you’ve created with WPForms.

Adding a Keyword Filter

To enable a keyword filter, toggle the Enable keyword filter option to the on position.

Enable keyword filter

Next, click Edit keyword list to open your list of keywords.

Click edit keyword list

You’ll then see a text box labeled Keyword Filter List. To add words or phrases to your list, simply type them in the text box. If you add more than one word or phrase, be sure to type each one on its own line.

Add keywords and phrases

Note: Because the keyword filter is case-insensitive, it doesn’t detect any difference between lowercase or uppercase letters.

If you use commas to separate the words or phrases in your keyword list instead of placing each on its own line, you’ll likely see a prompt to reformat your list. Reformatting your list helps the filter detect the specific words and phrases that you want to block in your forms.

If you wish to reformat, simply click the Yes, Reformat button.

Click yes reformat button

After reformatting your list, the commas will be removed, and the words and phrases will appear on their own line. This can be particularly helpful if you’re copying a list from a CSV file since commas often separate CSV file values by default.

Reformatted keyword list

Once you’ve added your keywords, click Save Changes to update your list of blocked keywords.

Click save changes button

Note: The words and phrases added to your Keyword Filter List will apply to all forms on your site that you’ve created with WPForms.

Now when a user attempts to submit your form with one of the blocked keywords, the form will fail to submit. The user will also see a default message that reads, “Sorry, your message can’t be submitted because it contains prohibited words.”

Keyword filter message

To change the message that’s displayed to the denied user, replace the text in the Keyword Filter Message field with your preferred message.

Customize keyword filter message

Once you’ve set up your keyword filter, be sure to save your form.

Creating an Allowlist or Denylist

Another way you can protect your forms from spam is with an allowlist or denylist. This restricts who can submit your form based on their email address. If a user’s email address doesn’t follow your list’s rules, then they won’t be able to submit your form.

To create an allowlist or denylist, open your form for editing and make sure to include an Email field in it. In the Email field’s Advanced options, use the Allowlist / Denylist dropdown to enable your list. Then add your rules.

An example of a denylist in WPForms

Note: For a step-by-step guide on creating an email allowlist or denylist, see our full tutorial on this field option.

Frequently Asked Questions

Below, we’ve answered the top questions we get about spam protection in WPForms.

There’s an option in my settings to enable an anti-spam honeypot. How does that work?

Our anti-spam honeypot was included for any forms created prior to our 1.6.2 release. However, forms created after that update will only use our newer anti-spam protection option.

That’s it! Now you know how to prevent spam in your forms.

Next, would you like to edit entries that have been submitted through your forms? Be sure to check out our tutorial on editing entries in WPForms for more details.