How to Stop Contact Form Spam on WordPress in 2020

Do you want to prevent spam form submissions?

A lot of those spam submissions are automated with bots. However, with WPForms, and just a few steps, you can build spam-free WordPress contact forms and get better leads.

In this article, we’ll show you exactly how to stop contact form spam on your WordPress site.

Why Do Bots Spam Forms?

Since bots are automated, they crawl websites to try and find ways to email you through a non-secure form. Worse, some bots are looking for ways to exploit your site or email list through a form.

This is why it’s such a good idea to have a contact form plugin that helps you stop form spam, especially if you’re running a small business site.

How to Stop Contact Form Spam

Asking yourself what is form spam and how do I stop it?

There are several great ways to stop contact form spam and spam email. Here are some quick links for you to jump to each section so you can read about which type of spam-free form you want to create for your site:

How to Add reCAPTCHA to Your Contact Forms (Method #1)

Here we’re going to show you how to create a contact form that’ll have an interactive reCAPTCHA. This reCAPTCHA section is for site visitors to click on to prove they’re human when they submit a form.

Why Use reCAPTCHA?

1. Block Spam — By verifying that a human is submitting a form, all automated spam attempts are blocked. The added security can also make users feel that the form is secure and help reduce form abandonment.

2. Easy to Use — Originally CAPTCHA was sometimes hard to get right, even for us humans. Google has since improved their CAPTCHA tool, making reCAPTCHA v2 much easier for users. Now instead of entering text, users can just put their mouse over the checkbox and the tool understands that this is not an automated spam bot.

In the fall of 2018, Google released something called reCAPTCHA v3, which uses a behind-the-scenes scoring system to help you detect abusive traffic all over your website without asking users to do anything.

Since there’s a chance that v3 reCAPTCHA may prevent some legitimate users from submitting your forms, we recommend using reCAPTCHA v2 to help you stop contact form spam.

reCAPTCHA v2 has 2 options, interactive checkboxes and invisible reCAPTCHA. This guide will focus on adding reCAPTCHA v2’s interactive checkboxes or invisible reCAPTCHA to your WordPress forms.

How to Add a reCAPTCHA Checkbox to Your Forms

Now, let’s see how to add an interactive reCAPTCHA checkbox to your contact forms.

Step 1: Create a Simple Contact Form in WordPress

The first thing you’ll need to do is install and activate the WPForms plugin. For more details, see this step by step guide on how to install a plugin in WordPress.

Next, you’ll need to create a WordPress contact form. For help with this step, check out our tutorial on how to create a simple contact form in WordPress.

Step 2: Configure reCAPTCHA Settings

Next, you need to configure reCAPTCHA settings in WordPress.

To start, go to WPForms » Settings. Then, click on the reCAPTCHA tab.

Choose Checkbox reCAPTCHA v2 to add an interactive reCAPTCHA box to your contact form.

reCAPTCHA is a service provided by Google. It’s free, but requires a site key and secret key. You can easily generate those keys for your site by visiting Google’s reCAPTCHA setup page.

Once you’re on this setup page, click on the Admin console button in the top right corner.

Then, sign in to your Google account.

After logging in, you’ll be redirected to a page where you can register your site for reCAPTCHA.

If you’ve already registered a website for Google reCAPTCHA in the past, you’ll see a different screen. In that case, just click on the plus sign to Register a new site.

Enter the name of your website in the label field. This is for your own use, so that you can identify the website if you ever needed to get the keys again.

Then, choose the type of reCAPTCHA you want to add to your website. In this example, we’ll select reCAPTCHA v2 and then the “I’m not a robot” Checkbox.

After that you need to add your website’s domain, such as example.com.

To save your site, click the Submit button.

Next, you’ll see a page with a site key and secret key for your website.

Copy your site and secret key, and switch back to the WPForms » Settings page. Paste your site and secret keys under the reCAPTCHA settings.

Click on the Save Settings button to store your changes.

Step 3: Add the Checkbox reCAPTCHA to Your Contact Form

Adding Checkbox reCAPTCHA to your WordPress form is easy to do.

To enable reCAPTCHA in the simple contact form you created earlier, go to Add Fields in the form editor and click on the reCAPTCHA button.

You’ll be notified that Google Checkbox v2 reCAPTCHA has been enabled.

Click OK to see the reCAPTCHA enabled badge on your form.

Don’t forget to save it!

Now you can add your contact form, complete with Google Checkbox reCAPTCHA, to your website.

Step 4: Add Contact Form with reCAPTCHA to WordPress

WPForms lets you add your forms to many locations on your website, including your blog posts, pages, and even sidebar widgets.

Let’s take a look at the most common option of post/page embedding.

To start, create a new post or page in WordPress and then click on the Add WPForms icon inside of a block.

Next, select your form from the dropdown in the modal popup.

Then, publish your post or page so your reCAPTCHA-enabled form will appear on your website.

Next up, we’ll show you how to use the WPForms Custom Captcha addon.

How to Use the WPForms Custom Captcha Addon (Method #2)

Let’s show you how to add a contact form with captcha to your site with a WPForms addon.

If you don’t want to use Google reCAPTCHA to stop contact form spam, but know you want to add an interactive CAPTCHA element to your website, you can always use our Custom Captcha addon.

With this addon, you can define custom questions or use random math questions as CAPTCHA to fight spam form submissions.

Step 1: Create a Simple Contact Form in WordPress

The first thing you’ll need to do is install and activate the WPForms plugin. For more details, see this step by step guide on how to install a plugin in WordPress.

Next, you’ll need to create a WordPress contact form. For help with this step, check out our tutorial on how to create a simple contact form in WordPress.

Now, scroll down and click on the Captcha button to activate the Custom Captcha addon.

A window will pop up — click Yes, Install and Activate.

After the installation is complete, click Yes, Save and Refresh.

Your Custom Captcha addon is now active and ready to be added to your form.

Step 2: Add and Customize the Captcha Form Field

Once you’ve created a contact form, stay in the form builder to add your custom captcha form field.

Just drag it from the left hand panel to the right hand panel to add it to your form.

The form field will automatically display a random math question for site visitors to answer before they can submit their form on your site. A new math problem (addition, subtraction, or multiplication) will appear every time the page loads or refreshes.

For help customizing the Math Captcha, check out our documentation on how to change the Math Captcha.

To make changes to the form field, click on it. You can change the label, type of captcha, and add a description.

If you prefer to use a custom question and answer instead of the Math Captcha, change the type of captcha to Question and Answer in the Field Options section.

There, you can also change the question that site visitors must answer, and the answer they must type, in order to submit their form on your site.

If you want to display random questions and answers every time your page loads or refreshes, click on the (+) button to add another question and answer.

Click Save when you’ve customized your custom captcha to your liking.

You’re now ready to add your Custom Captcha-enabled contact form to your website.

Step 3: Add Contact Form with Custom Captcha to WordPress

WPForms allows you to add your forms to many locations on your website, including your blog posts, pages, and even sidebar widgets.

Let’s take a look at the most common post/page embed option.

To start, create a new post or page in WordPress and then click on the Add WPForms icon inside of a block.

Next, select your form from the dropdown in the modal popup.

Then, publish your post or page so your contact form will appear on your website.

How to Build a Spam-Free Contact Form Without Captcha (Method #3)

Here we’ll show you how to build a spam-free contact form in WordPress and prevent form spam without Captcha so the user experience is never disrupted and filling out your forms is as easy as possible.

Why Not Use Captcha?

You want to make it as easy as you can for your visitors to fill in your contact form, while making it as hard as possible for spambots to get through your security.

One of the most common ways to stop spambots is to use a form field that only a human could answer, called Captcha.

Captcha usually requires users to enter specific text into a box.

Though our Custom Captcha addon (shown above in Method #2) works a bit differently by creating a field that asks a user to solve a simple math problem or answer a question correctly, this can still be an extra step that frustrates the user and may decrease form submission rates.

Users may not want to take the time to answer irrelevant questions. And, some users may have difficulty answering math questions or reading CAPTCHA text, especially if they have a disability.

Luckily, it’s easy to create a spam-free contact form without Captcha using WPForms. We’ll show you how to do this with Google Invisible reCAPTCHA v2 now.

How to Add Invisible reCAPTCHA to Your Forms

Now, let’s see how to add invisible reCAPTCHA to your contact forms.

Step 1: Create a Simple Contact Form in WordPress

The first thing you’ll need to do is install and activate the WPForms plugin. For more details, see this step by step guide on how to install a plugin in WordPress.

Next, you’ll need to create a WordPress contact form. You can make a simple contact form or even a multi-step form in WordPress. For help with this step, check out our tutorial on how to create a simple contact form in WordPress.

Step 2: Configure reCAPTCHA Settings

Next, you need to configure reCAPTCHA settings in WordPress.

To start, go to WPForms » Settings. Then, click on the reCAPTCHA tab.

Choose Invisible reCAPTCHA v2 to add Invisible reCAPTCHA to your contact form.

reCAPTCHA is a service provided by Google. It’s free, but requires a site key and secret key. You can easily generate those keys for your site by visiting Google’s reCAPTCHA setup page.

Once you’re on this setup page, click on the Admin console button in the top right corner.

Then, sign in to your Google account.

After logging in, you’ll be redirected to a page where you can register your site for reCAPTCHA.

If you’ve already registered a website for Google reCAPTCHA in the past, you’ll see a different screen. In that case, just click on the plus sign to Register a new site.

Enter the name of your website in the label field. This is for your own use, so that you can identify the website if you ever needed to get the keys again.

Then, choose the type of reCAPTCHA you want to add to your website. In this example, we’ll select reCAPTCHA v2 and then the Invisible reCAPTCHA badge.

After that you need to add your website’s domain, such as example.com.

To save your site, click the Submit button.

Next, you’ll see a page with a site key and secret key for your website.

Copy your site and secret key, and switch back to the WPForms » Settings page. Paste your site and secret keys under the reCAPTCHA settings, making sure Invisible reCAPTCHA v2 is selected for Type.

Click on the Save Settings button to save your changes.

Step 3: Enable Invisible reCAPTCHA on Your Contact Form

Adding Invisible reCAPTCHA to your WordPress form is easy to do.

To enable reCAPTCHA in the simple contact form you created earlier, go to Add Fields in the form editor and click on the reCAPTCHA button.

You’ll be notified that Google Invisible v2 reCAPTCHA has been enabled.

Click OK to see the reCAPTCHA enabled badge on your form. Don’t forget to save it!

Now you can add your contact form, complete with Google Invisible reCAPTCHA, to your website.

Step 4: Add Contact Form with reCAPTCHA to WordPress

WPForms lets you add your forms to many locations on your website, including your blog posts, pages, and even sidebar widgets.

Let’s take a look at the most common option of post/page embedding.

To start, create a new post or page in WordPress and then click on the Add WPForms icon inside of a block.

Next, select your form from the dropdown in the modal popup.

Then, publish your post or page so your reCAPTCHA-enabled form will appear on your website.

Now any time someone tries to submit a form on your website, Google will determine whether it’s a spambot trying to submit a fake form or not. Your users, however, will only see the Captcha-enabled badge and get to submit their form without having to do anything.

How to Enable Anti-Spam Token (Method #4)

There is an anti-spam feature in WPForms that will secure your contact forms without using CAPTCHA of any kind.

This system uses a hidden token. Without that token, a spambot gets stuck and can’t submit the form.

If you want to double check that it’s activated, you can go to Settings » General.

Then, near the bottom of the right-hand preview panel, you’ll see that the Enable anti-spam protection option is selected for you.

The anti-spam field is great because it doesn’t bother users like a Captcha field and it’s a secure tool for stopping spam and spambots.

By default, this setting is enabled for all your forms, even if you use other anti-spam strategies such as Google reCAPTCHA or the Custom Captcha addon.

If you have older forms that you need to edit, you’ll notice that they still use a honeypot field. The new and improved anti-spam field can be enabled on older forms instead. New forms won’t display the honeypot field as an option.
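
To make the hidden-token idea from this section concrete, here is an added example of one way such a check can work on the server. It is not WPForms' own code or its actual token format: the HMAC scheme, the `token` field name, the secret and the two-hour lifetime are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: per-site secret kept on the server
MAX_AGE = 2 * 60 * 60                # assumption: tokens are valid for two hours


def _sign(form_id, ts_text):
    message = f"{form_id}|{ts_text}".encode()
    return hmac.new(SECRET, message, hashlib.sha256).hexdigest()


def issue_token(form_id, now=None):
    """Build the value the page script would place in the hidden field."""
    ts_text = str(int(time.time()) if now is None else int(now))
    return f"{ts_text}.{_sign(form_id, ts_text)}"


def verify_token(form_id, token, now=None):
    """Return (ok, reason) for a token received with a form submission."""
    now = int(time.time()) if now is None else int(now)
    if not token:
        return False, "missing"        # bot posted straight to the endpoint
    ts_text, sep, sig = token.partition(".")
    if not sep or not (ts_text.isascii() and ts_text.isdigit()):
        return False, "malformed"
    expected = _sign(form_id, ts_text)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad-signature"  # forged, or issued for another form
    age = now - int(ts_text)
    if age < 0 or age > MAX_AGE:
        return False, "expired"        # replay of an old (or future-dated) token
    return True, "ok"


def handle_submission(form_id, post_fields, now=None):
    """Gate a submission on the hidden token before any other processing."""
    ok, reason = verify_token(form_id, post_fields.get("token", ""), now)
    return {"accepted": ok, "reason": reason}


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed timestamp
    good = issue_token("contact", now=issued_at)
    print(handle_submission("contact", {"token": good}, now=issued_at + 60))
    print(handle_submission("contact", {"message": "buy now"}, now=issued_at + 60))
```

A scheme like this only filters clients that never obtain a current token, which is why the article notes the setting can run alongside reCAPTCHA or the Custom Captcha addon.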

How to Block Email Addresses on Your Forms (Method #5)

Sometimes we all get spam submissions from the same visitors over and over again.

Many of these submissions come from real visitors, so honeypots and traps don’t always work.

In WPForms, you can easily block specific email addresses so that these spammers can’t submit new entries any more. Each form has its own allowlist and denylist, and you can have custom settings for each one.

Step 1: Edit Your Form

Start in the WordPress dashboard. In WPForms, find the form you want to add a denylist to. Then click Edit under the name of the form.

Next, you’ll want to click on the Email field on your form to open up the settings for the field.

You’ll see the label and description on the left.

Go ahead and click Advanced Options to expand this section.

Step 2: Set Up an Email Denylist

Now that Advanced Options is open, you’ll see lots of extra settings for the email field.

Scroll down and click the Allowlist / Denylist dropdown. Choose which method you want to use on this form.

Here’s what these options mean:

  • Allowlist will only allow specified email addresses to submit your form. This is a great option if you want to allow entries from a small group of people.
  • Denylist will block the email addresses or domains you specify. This helps to block persistent spammers or specific domains.

We’ll select Denylist in this example.

In the box underneath, type in the email addresses you want to deny. You can also use an asterisk * to create a partial match here.

Here are a few examples you can try:

  • spammer@example.com – this will block the specified email address. Since we didn’t use an asterisk, the email address will have to be an exact match to be blocked.
  • spammer1@example.com,spammer2@example.com – this will block either email address from submitting the form. You can type as many comma-separated email addresses as you want.
  • spammer@* – this will block email addresses starting with ‘spammer@’ at any domain
  • *@example.com – this will block all email addresses at the example.com domain

These are just examples. You can place the asterisk anywhere in the email address, and you can also combine different formats as long as you separate them with commas.
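
Before saving a rule list, it helps to check what each pattern will and will not catch. The following is an added example, not WPForms' own matching code: it models the comma-separated, asterisk-wildcard rules described above, and assumes whole-address, case-insensitive matching.

```python
import re


def compile_rules(raw_rules):
    """Split a comma-separated rule string into (rule, compiled pattern) pairs."""
    compiled = []
    for rule in raw_rules.split(","):
        rule = rule.strip()
        if not rule:
            continue  # ignore blank entries such as a trailing comma
        # Escape every literal piece; each '*' becomes "any run of characters".
        regex = ".*".join(re.escape(piece) for piece in rule.split("*"))
        compiled.append((rule, re.compile(regex, re.IGNORECASE | re.DOTALL)))
    return compiled


def matching_rule(email, raw_rules):
    """Return the first rule that matches the whole address, or None."""
    email = email.strip()
    for rule, pattern in compile_rules(raw_rules):
        if pattern.fullmatch(email):
            return rule
    return None


def is_allowed(email, mode, raw_rules):
    """Apply the rules as a denylist (block on match) or allowlist (block on miss)."""
    hit = matching_rule(email, raw_rules)
    if mode == "denylist":
        return hit is None
    if mode == "allowlist":
        return hit is not None
    raise ValueError(f"unknown mode: {mode!r}")


if __name__ == "__main__":
    # Constructed rule list and addresses, using the article's example patterns.
    rules = "spammer@example.com, spammer@*, *@example.com"
    samples = [
        "spammer@other.test",    # caught by spammer@*
        "spammer1@other.test",   # not caught: local part must be exactly "spammer"
        "bob@example.com",       # caught by *@example.com
        "bob@mail.example.com",  # not caught: subdomain needs *@*.example.com
    ]
    for address in samples:
        print(f"{address:24} -> {matching_rule(address, rules)}")
```

The two misses in the sample run are the ones to watch for: a pattern such as `*@example.com` does not cover subdomains, while a looser pattern such as `*@*example.com` would also block unrelated domains that merely end in the same text.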

When you have your denylist set up, save your form.

It’s a good idea to test out the denylist on the frontend. When you type in an email you’ve blocked, you’ll see an error message. Also, the form won’t submit.

This email address is not allowed.

If you want to change the wording, you can customize the message in WPForms » Settings in the Validation tab.

In Conclusion

And there you have it! You now know how to successfully stop contact form spam on your WordPress site using Google Checkbox reCAPTCHA, Google Invisible reCAPTCHA, the WPForms Custom Captcha addon, or the anti-spam option in your form settings.

Do you need to stop user registration spam? You might also want to check out our guide on simple tricks to eliminate spam user registration.

So, what are you waiting for? Get started with the most powerful form WordPress plugin today.

Comments

    1. Hi BARISH BAYKAR. I’m having the same problem and have done all the same things. Did you ever find a solution that works?

  1. Hey there, please add the information that plugins can only be installed if you have the business plan and higher. Plugins cannot be installed in WordPress if you only have the professional plan.

  2. I think you should add a blacklist for the addresses “from” the field and also IP’s.
    I receive spam from the same address over and over again and it would be very easy for me to just block this address.

    1. Hi Romina!
      Currently, we do not have the Blacklist feature in WPForms. I do agree it would be super helpful, though. I’ve made a note of the feature request and we’ll keep it on our radar as we plan out our roadmap for the future.
      Have a good one 🙂

  3. Be nice to know how to hide reCaptcha Badge with CSS which is fine with Google as long as you put the notice on the page.

    1. Hi Erik – Sure, I can definitely understand wanting this, especially if you’re seeing their floating badge and it could be covering up something important on your site.

      In case it helps, you can move that badge so that it appears above your submit button (here’s our doc with details).

      Or if you’d like to completely hide the badge, I’ve shared the CSS you’d need here. In case it helps, here’s WPBeginner’s tutorial on how to easily add a CSS snippet like this to your site.

      I hope this helps! 🙂

  4. I manage over 100 websites for a company and many of the sites are getting SPAM from the same business…name…and email address. I can’t ban the IP address each time because they use a large bank of IPs from the ISP. Is there a way to use conditional logic to automatically mark an entry as SPAM if an email address, name, or message with specific words is included?

  5. This information is good relative to bots being used to auto-fill forms. Is there somewhere in this blog which addresses forms being populated by an actual person (not bots) and the ability to filter out malicious links placed in the forms?

    1. Hey there – I totally agree that manual spams are really hard to combat but most of the time, they won’t be much harmful as manual spams will be very less in numbers. I am afraid there is no built-in option like this in WPForms. Probably, you can try with your host to block those IPs permanently from which the manual spams are being posted. Our Geolocation addon might be helpful in tracking down the location and IPs in this case (obviously if the spammer is not using fake IPs to post the spams).

      I hope this info helps!

  6. I did both 3 and 4, but emails still get into spam. Could you please give us an additional piece of advice below my comment?
    I would like to have one more try.
    Thank you.

  7. I manage many new WP sites, all using WPForms, all following the option 1 route and only 1 of the sites gets hit with spam.

    All sites hosted on the same server, all using the modified default form.
    Even after making a new form, in case they are targeting the form ID, still spam.

    Unfortunately, only using the free version.
    Customers do not see it as their problem, but the developer's problem for not fixing it.

    1. Hey there – I’m sorry that you’re still having spam even with reCAPTCHA enabled. If you haven’t already done so, you can consider increasing the security level of the reCAPTCHA integration on your site. For v2 reCAPTCHA, you can do this by going to your reCAPTCHA account. Then in the settings of your current integration, you can make adjustments to the Security Preference slider (https://a.supportally.com/gssJgT).

      Alternatively, you can try out our built-in anti-spam feature in the form builder and it doesn’t require any additional setup. We also have a tutorial on how to prevent spam which comes with other spam prevention measures.

      I hope this helps 🙂
