Do you want to prevent bots from submitting your forms?
Form spam is a huge problem in WordPress. And when it happens, it can be a huge hassle to deal with.
Fortunately, there are a few highly effective ways you can fight spam and stop bots from filling out your forms.
In this article, we’ll discuss 3 of these tools, and show you how to set them up.
Create Spam Free WordPress Forms Now
Why Do Bots Fill Out Contact Forms?
Bots fill out forms for several reasons like link spam, advertisement, attempting phishing scams, or looking for security vulnerabilities on your site.
Without protection, dangerous spambots may even cause an outage on your site or spread malware infections.
This makes it so important that you implement strong anti-spam measures on your WordPress forms.
Does CAPTCHA Stop Bots?
CAPTCHAs do block a lot of bot form submissions, but they’re not 100% effective. They will prevent simple bots from filling out your web forms. However, it’s been shown that new, more advanced bots can get around CAPTCHAs.
So, the best thing you can do is add a CAPTCHA to your website’s forms and use other anti-spam methods too. We’ll cover all these solutions in this post.
How To Prevent Bots From Submitting Your Forms
Getting Started: Install WPForms and Create a New Form
To get started, you’re going to need a WPForms installation on your website. The other two methods we’ll be discussing in this article are compatible with any WPForms license, but you can only use Custom Captcha on WPForms paid plans.
So we’ll get started by installing WPForms Pro, our most popular paid license. If you need a little help with this step, take a look at this helpful guide to installing WordPress plugins for beginners.
Once you have installed and activated WPForms, we’ll need a new form. Creating a new form is really easy to do in WPForms. The plugin allows you to create a form from scratch using the drag-and-drop form builder, or to pick from 400+ prebuilt form templates to get started.
From the WordPress dashboard, you’ll see a WPForms tab in the left sidebar. Click on this, and then on Add New.
This will take you to the WPForms template library. You can choose a suitable template here or even build a form from scratch if you’d like to.
We’re going to choose the Simple Contact Form template for this guide.
This will open up the form builder with additional form fields on the panel on the left.
Give your form a name and save it by clicking the Save button at the top right corner of the page.
Now, you can head back into the WordPress admin area where we’ll set up WPForms’ Custom Captcha, before we return to our form.
Method #1: Use WPForms Custom Captcha
WPForms offers a Custom Captcha tool that allows you to set up custom math questions to filter human users from bots. Follow these steps to set it up:
Enable the Custom Captcha Addon
First, you’ll need to enable the Custom Captcha addon. This can be done with a single click. In the WordPress admin area, head over to WPForms » Addons.
Scroll down till you see the Custom Captcha addon, then click activate.
Now, we’ll return to the form we created and add a Custom Captcha field to it.
Add a Custom Captcha Field to Your Form
Back in the form builder, you can find the Custom Captcha field in the Fancy Fields section. Drag and drop the field onto your form, and that’s it!
The form will come with a maths challenge by default. But you can also customize this question. To do this, click on the Custom Captcha field, and then on the Advanced tab.
Scroll down to the section labeled Type and click on the field where it says Math.
This will open a dropdown with another option labelled Question and Answer.
When you click on this, you’ll see that you can set up a custom test question and answer pairing. set this up with whatever question and answer you’d like to use, and you’ll be done here.
Embed the Form
Now, all that’s left to do is to embed your Custom Captcha-enabled form on a page and publish it. Go ahead and save the form, again, then click the Embed button right next to the Save button.
This will trigger a modal offering you the option of embedding your form on a new or existing page. For this guide, we’ll embed our form on a new page.
Give your new page a name;
Then simply publish it to make your form live.
As you can see, our form now has a Custom Captcha field with a math question.
Next, we’ll explore reCAPTCHA, showing you how to use it to protect your forms.
Method #2: Use Google reCAPTCHA
Google reCAPTCHA is the go-to tool for fighting form spam for millions of websites. Here’s how to set it up:
Create a reCAPTCHA Account
To use reCAPTCHA in WordPress, we’ll need to create a reCAPTCHA account and get a Secret Key and Site Key for your website.
To get started, log on to the reCAPTCHA admin console to register a new site and get these keys.
First, you’ll need to enter a Label. This is your domain name without the “https://www.”
Then you’ll need to choose a reCAPTCHA type. There are two broad types of reCAPTCHA to choose from:
reCAPTCHA v3 – This version of reCAPTCHA can evaluate user behavior and filter bot activity without having to interact with users on the page. It is quite powerful but also a little invasive, as it collects tons of user data.
reCAPTCHA v2 – This version of reCAPTCHA relies on the traditional challenge-based CAPTCHA. There are actually two types of reCAPTCHA v2.
There is the Checkbox CAPTCHA and the Invisible CAPTCHA. The Checkbox CAPTCHA requires users to simply tick a checkbox to prove they are human.
Invisible CAPTCHA, on the other hand, works in the background and only challenges users once it detects suspicious activity.
Not sure which is best for your site? We’ve got a comprehensive piece of documentation that covers this here: How to Choose a CAPTCHA in WPForms.
Once you’ve decided which version to use, tick the checkbox next to it.
For this guide, we’ll go with invisible reCAPTCHA v2. This reCAPTCHA type provides a good balance between fighting bots and offering a good user experience.
Something to keep in mind is that once a site key has been set up for a particular reCAPTCHA type, you can’t use it with a different reCAPTCHA version.
Next, enter the domain name where you’ll use the reCAPTCHA keys. You can enter multiple sites here. Just as before, enter the domain alone, and omit the “https//www.”
You’ll also need to accept the reCAPTCHA terms of service. Once you’ve done this, click Submit.
And you’ll have registered a new site!
You’ll now see your Site Key and Secret Key. Grab these and let’s head back into the WordPress admin dashboard.
Now, we’ll head into WPForms » Settings » CAPTCHA.
You’ll see that you’ll have a choice of hCaptcha, reCAPTCHA, or none. Choose reCAPTCHA to continue with the setup.
As we mentioned, there are different versions of reCAPTCHA to choose from. We’ve gotten a site key for invisible reCAPTCHA so that’s what we’ll choose in the WPForms settings.
Next, enter your Site Key and Secret Key, and remember to save these settings. That will be all for this stage.
In the next step, we’ll add a reCAPTCHA field to our form.
Add reCAPTCHA to a Form
If you tried the previous method, you’ll already have a form ready for use. To find it, click through WPForms » All Forms to get to the Forms Overview page.
Click on the form name to open it up in the form builder. If the form already had a WPForms Custom Captcha field, you’ll want to remove this to make way for the reCAPTCHA field.
Click on the form to open it in the form builder. We’ll then head into the standard fields section of the form builder and click on the reCAPTCHA field to enable it.
And that’s it.
In the form builder, you’ll now see that reCAPTCHA has been enabled.
Remember, we chose invisible CAPTCHA, so don’t expect to see the CAPTCHA field on the frontend, until it is triggered by suspicious behavior.
And that will be all for adding reCAPTCHA to a WordPress form.
We’ll now discuss using hCaptcha to prevent bots from filling your forms, and then we’ll wrap things up with some additional anti-spam tools.
Here we go!
Method #3: Use hCaptcha
hCaptcha is a popular alternative to Google reCAPTCHA.
Unlike reCAPTCHA, there’s only one version of hCaptcha, but you can adjust the difficulty levels of the image challenges to be displayed to users.
To use hCaptcha on your WordPress forms, first you’ll need a hCaptcha account. Here’s how to set one up:
Create a hCaptcha Account
To get started, navigate to the hCaptcha website and click Signup.
You’ll be given a range of plans to choose from.
We recommend choosing the free plan for companies or websites. This plan is labeled Add hCaptcha for Publishers to my website or app.
The next step would be to get your hCaptcha Site Key and Secret Key.
Get Your hCaptcha Site Key and Secret Key
hCaptcha will generate these for you. All you have to do is grab them and enter them correctly in the WPForms settings.
But first, there are a few steps to take in configuring your site key.
In the hCaptcha admin dashboard, click on Sites. You’ll see your site key on the new page.
Click on Settings.
The main thing you need to do here is to add your domain name to the Site Key.
In the section labeled Hostnames, paste in your domain name (again, don’t add the https://www), then click Add new domain.
There are a few other settings to play around with, such as the difficulty level, but none of these are essential.
For more details, check out our complete guide to setting up hCaptcha in WordPress. Now, we’ll head back into WordPress to set up WPForms with your hCaptcha Site Key and Secret Key.
Configure WPForms and hCaptcha
Back in the WordPress dashboard, click on WPForms from the left sidebar, then click Settings » CAPTCHA.
We’ve been here before, when we set up reCAPTCHA. This time we’ll choose hCaptcha.
Enter your Site Key and Secret Key and save these settings.
hCaptcha will now be ready for use with your WPForms forms. Next, we’ll show you how to add a hCaptcha field to a form.
Add a hCaptcha Field to Your Form
Back in the form builder, look for the hCaptcha field in the Standard Fields section. Just like before, we’ll first remove any other CAPTCHA type that we’ve added to our form.
To disable reCAPTCHA, simply click on the reCAPTCHA field back in the form builder, just as you did to enable it.
This is also true for hCaptcha. Go ahead and enable the hCaptcha field by clicking on it.
You won’t see a hCaptcha field appear on your form but you should see a notice in the top right corner of the form builder, showing that hCaptcha has been enabled.
You can now embed your form on a page on your website following the instructions we shared previously.
Here’s what your hCaptcha-enabled form looks like on the frontend:
Method #4: Use Cloudflare Turnstile
Cloudflare Turnstile is a privacy-focused, CAPTCHA-life service. You can sign up for a Cloudflare account and use it for free, making it a highly affordable reCAPTCHA alternative.
To set it up, you’ll first need to either log in to your Cloudflare account or sign up for a new one.
Access Cloudflare Turnstile Site and Secret Keys
If you don’t already have a Cloudflare account, create one.
Once you’ve set up your account, go to your dashboard and find the Turnstile page. Here, you’ll need to add your site.
Enter your website’s information on the next screen. Then choose your widget type. This will determine how Cloudflare processes your CAPTCHA requests.
Then click Create.
Your Cloudflare Turnstile site and secret keys will be generated.
Enable Cloudflare Turnstile in WPForms
In your WordPress dashboard, go to WPForms » Settings » CAPTCHA and select the Turnstile option.
Enter your site and secret keys in the fields provided.
There are a few other options here you can configure as well. See our guide to setting up Cloudflare Turnstile for more details.
Make sure to save your settings. Now you’re ready to add Turnstile to a form.
Add Cloudflare Turnstile to a Form
Open your form in the form builder and click on the Settings tab on the left side of the screen. Then select the Spam Protection and Security settings.
Under CAPTCHA, toggle on Enable Cloudflare Turnstile.
Or if you prefer, you can add a Turnstile field to your form instead.
When Turnstile is enabled, your form will have a badge showing that it’s protected.
And that’s it! We’ve shown you how to prevent bots from filling out your forms using 4 different CAPTCHA tools.
Wondering if there are other ways to fight form spam? We’ll discuss this next.
Bonus: Other Ways of Filtering Spam With WPForms
WPForms takes form spam very seriously which is why it supports various bot spam prevention methods.
You can use these extra form prevention tools along with the main methods mentioned above if you’d like to add an extra layer of security.
Akismet is the most widely-used spam-filtering tool for WordPress. It not only blocks comment spam, but it also integrates very well with top form builder plugins like WPForms.
All versions of WPForms (including Lite) come with a native Akismet integration that helps to filter bots. You can find this setting in the Spam Protection and Security section of the form builder.
Akismet uses its vast databases of known spam entries to filter spam when it’s entered into your forms. It can also analyze user behavior to distinguish between bots and real human users.
Anti-Spam Form Tokens
Another thing you can do is enable WPForms form tokens. This setting is also found in the Spam Protection and Security section of the form builder.
WPForms form tokens are cryptographic, time-sensitive strings that are submitted when real users submit a form. Bots aren’t able to detect or mimic WPForms anti-spam tokens effectively, so enabling these tokens is a smart anti-spam tactic.
Country and Keyword Filters
Bot spam often follows certain patterns. If you’re receiving a lot of spam submissions to your forms, you might notice that they tend to come from a certain country or include specific words or phrases.
You can block form submissions that include these suspicious elements using the WPForms country and keyword filters in the Spam Protection and Security section of the form builder.
And that’s it for our guide to preventing bots from filling your forms!
Next, Apply Web Form Design Best Practices
Looking to improve conversion on your site? Form design is crucial. Here’s all you need to know about effective form design, covered in our guide to web form design best practices.
Now that we’ve shown you some ways to stop bots filling out your forms, it would be a good idea to take a look at some of the best WordPress plugins for fighting spam.
And if you’re new to form-building, check out our guide to embedding a form on your website. You might also be interested in our tutorial on creating a WordPress registration form with PayPal enabled.
Create Spam Free WordPress Forms Now
Ready to build your web form? Get started today with the easiest WordPress form builder plugin. WPForms Pro includes lots of free templates and offers a 14-day money-back guarantee.
If this article helped you out, please follow us on Facebook and Twitter for more free WordPress tutorials and guides.
Thank you for this informative post on stopping spam entries via wpforms. I notice that you’ve not mentioned the honeypot method that works very well in stopping bots. I wondered if there is a reason for not mentioning this? I use the WP Armour plugin which seems to work very well with WPFORMS…
Thanks for sharing the great insights here. However, WPForms used honeypot spam field in the older version.It has now been replaced with Anti- Spam Protection. Please see the guide for more information.
Hope this helps 🙂
Are you going to add Cloudflare Turnstile as an option alongside ReCaptcha and hCaptcha?
Hey Andrew, Currently our forms do not have the ability to add Cloudflare Turnstile as an option alongside ReCaptcha and hCaptcha. I do agree it would be super helpful, though, and it’s certainly on our radar as we plan out our roadmap for the future. I’ve added your email to this request, as well.
And another item I use it to disallow URL’s in comments fields. It’s custom code but would be a great option too if built in.
Hey Tom- Yes, you got that correct! You can restrict the URL from getting entered in the form fields using the custom code. Here is a Developer guide to achieve the same.
Hope this helps 🙂