How to prevent bots from submitting your forms

How to Stop Bots Submitting Your Forms (7 Ways)


Do you want to prevent bots from submitting your forms?

Form spam is a huge problem in WordPress, and bots can find ways to get around spam plugins.

Fortunately, there are a few highly effective ways you can stop this from happening.


Why Do Bots Fill Out Contact Forms?

Bots fill out forms to send spam or phishing links. Sometimes bots are used to send spoof domain renewal emails that are designed to catch you out.

Without protection, dangerous spambots may even cause an outage on your site or spread malware infections.

Does CAPTCHA Stop Bots?

Yes, CAPTCHAs can help to stop bots. Google reCAPTCHA is one of the most effective CAPTCHA methods. But you may have to use a CAPTCHA alternative if you find that bots are getting around your CAPTCHA rules.

How To Prevent Bots From Submitting Your Forms

1. Akismet

Akismet is the most widely-used spam-filtering tool for WordPress. It not only blocks comment spam, but it also integrates very well with the best form builder plugins.

All versions of WPForms (including Lite) come with a native Akismet integration that helps to filter bots. You can find this setting in the Spam Protection and Security settings.

Enabling Akismet protection for a form

Akismet uses its vast databases of known spam entries to filter spam when it’s entered into your forms. It can also analyze user behavior to distinguish between bots and real human users.

For more information, check out how to use Akismet to prevent contact form spam.

2. Anti-Spam Form Tokens

Are you looking for a form honeypot?

Bots can usually get around honeypot fields because they learn how to fill out the hidden field that users can’t see. That allows them to pass the field validation and send a message through the form.

In WPForms, honeypot fields have been replaced by form tokens.

Form tokens are enabled by default. You’ll see them in the Spam Protection and Security section of the form builder.

Enable anti-spam protection in WPForms

WPForms form tokens are time-sensitive strings that are submitted when real users submit a form. Bots aren’t able to detect or mimic WPForms anti-spam tokens effectively, so enabling these tokens is a smart anti-spam tactic.

If your form tokens don’t seem to prevent spambots from submitting your forms, you might have an issue with JavaScript. Try disabling any caching plugins to see if that helps.
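
To make the idea of a time-sensitive token concrete, the following added example (not WPForms code, and not taken from the plugin) signs a form ID and render time with a server-side secret and checks both on submission. The secret, the one-hour lifetime, the function names and the sample submissions are all assumptions made for illustration.

```php
<?php
// Added illustration, not WPForms code. SECRET, TOKEN_TTL and both
// function names are hypothetical; the sample values are constructed.
const SECRET    = 'replace-with-a-random-server-side-secret';
const TOKEN_TTL = 3600; // assumed lifetime in seconds

// Issue a token bound to one form and to the time the form was rendered.
function issue_form_token(int $form_id, int $now): string
{
    $payload = $form_id . '|' . $now;
    return base64_encode($payload . '|' . hash_hmac('sha256', $payload, SECRET));
}

// Accept only an untampered, unexpired token issued for this form.
function verify_form_token(string $token, int $form_id, int $now): bool
{
    $decoded = base64_decode($token, true);
    $parts   = $decoded === false ? [] : explode('|', $decoded);
    if (count($parts) !== 3) {
        return false; // missing or malformed token
    }
    [$id, $issued, $mac] = $parts;
    if (!ctype_digit($id) || !ctype_digit($issued)) {
        return false;
    }
    // Recompute the MAC and compare in constant time.
    if (!hash_equals(hash_hmac('sha256', $id . '|' . $issued, SECRET), $mac)) {
        return false; // payload was altered or signed with another secret
    }
    $age = $now - (int) $issued;
    return (int) $id === $form_id && $age >= 0 && $age <= TOKEN_TTL;
}

// Constructed submissions against form 42, rendered at $t0.
$t0     = 1700000000;
$token  = issue_form_token(42, $t0);
$forged = base64_encode('42|' . ($t0 + 86400) . '|' . str_repeat('0', 64));

$cases = [
    'visitor submits 30 s after page load' => [$token, $t0 + 30],
    'POST sent without loading the form'   => ['', $t0 + 30],
    'captured token replayed a day later'  => [$token, $t0 + 86400],
    'timestamp rewritten without the key'  => [$forged, $t0 + 86400 + 30],
];
foreach ($cases as $label => [$tok, $when]) {
    printf("%-38s %s\n", $label, verify_form_token($tok, 42, $when) ? 'accepted' : 'rejected');
}
```

Only the first submission is accepted. Unlike a hidden honeypot field, which a bot passes by leaving it empty, this check fails unless the request carries a value that only the server could have produced recently.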

3. Country and Keyword Filters

Bot spam often follows certain patterns. If you’re receiving a lot of spam submissions to your forms, you might notice that they tend to come from a certain country or include specific words or phrases.

You can block form submissions that include these suspicious elements using the WPForms country and keyword filters.

WPForms custom spam filters

You can also create an email allowlist or a denylist to stop submissions from specific email addresses, whether they’re fake or real.

Creating a denylist in WPForms

If this method is effective, you might want to block visitors from your site based on their IP address. Check out our list of the best security plugins to find out how this works.

4. Cloudflare Turnstile

Cloudflare Turnstile is a privacy-focused, CAPTCHA-like service. You can sign up for a Cloudflare account and use it for free, so it’s a great way to stop spammers in their tracks.

To set it up, you’ll first need to log in to your Cloudflare account or sign up for a new one.

Access Cloudflare Turnstile Site and Secret Keys

Once you’ve set up your account, go to your dashboard and find the Turnstile page. Here, you’ll need to add your site.

Adding a site for Cloudflare Turnstile

Enter your website’s information on the next screen. Then choose your widget type. This will determine how Cloudflare processes your CAPTCHA requests.

Selecting a widget type for Cloudflare Turnstile

Then click Create.

Create Cloudflare Turnstile site

Your Cloudflare Turnstile site and secret keys will be generated.

Cloudflare Turnstile site and secret keys

Enable Cloudflare Turnstile in WPForms

In your WordPress dashboard, go to WPForms » Settings » CAPTCHA and select the Turnstile option.

WPForms Captcha settings

Enter your site and secret keys in the fields provided.

Entering your Cloudflare Turnstile site and secret keys

There are a few other options here you can configure as well. See our guide to setting up Cloudflare Turnstile for more details.

Make sure to save your settings. Now you’re ready to add Turnstile to a form.

Add Cloudflare Turnstile to a Form

Open your form in the form builder and click on the Settings tab on the left side of the screen. Then select the Spam Protection and Security settings.

Opening the form spam and security settings

Under CAPTCHA, toggle on Enable Cloudflare Turnstile.

Enabling Cloudflare Turnstile

Or if you prefer, you can add a Turnstile field to your form instead.

Adding a Turnstile field to your form

When Turnstile is enabled, your form will have a badge showing that it’s protected.

Cloudflare Turnstile badge

And that’s it! Now your form data will pass through Cloudflare’s anti-spam system before the form can be submitted.

5. Math or Q&A CAPTCHA

WPForms offers a Custom Captcha addon that allows you to set up custom math questions to filter human users from bots.

You can also use this addon to create a question and answer that only a human could solve.

Despite being simple, this is one of the most effective ways to stop bots submitting your forms. It’s also ideal if you’d rather not use third-party providers.

Here’s how to use it.

Enable the Custom Captcha Addon in WPForms

In the WordPress admin area, head over to WPForms » Addons.

Accessing the WPForms addons screen

Scroll down till you see the Custom Captcha addon, then click Activate.


Now open up the form that bots are submitting.

You’ll find the Custom Captcha field in the Fancy Fields section. Drag and drop the field onto your form.


Now we need to set up the question.

To do that, click on the Custom Captcha field, and then on the Advanced tab.


Scroll down to the section labeled Type and click on the field where it says Math. You can change this to a question if you prefer.


Save the form and you’ll see that it now has a question on it. Bots won’t be able to solve this without human help!


This method doesn’t stop determined human spammers. For that, reCAPTCHA can help.

6. Google reCAPTCHA

Google reCAPTCHA is the go-to tool for fighting form spam for millions of websites. Here’s how to set it up:

Create a reCAPTCHA Account

To use reCAPTCHA in WordPress, we’ll need to create a reCAPTCHA account and get a Secret Key and Site Key for your website.

To get started, log on to the reCAPTCHA admin console to register a new site and get these keys.

First, you’ll need to enter a Label. This is your domain name.


Then you’ll need to choose a reCAPTCHA type.

Google uses various methods to detect real people according to the way they behave:

  • reCAPTCHA v3 can evaluate user behavior and filter bot activity without your visitor having to do anything.
  • reCAPTCHA v2 presents a challenge to the user, like a checkbox.

Once you’ve decided which version to use, tick the checkbox next to it.

For this guide, we’ll go with invisible reCAPTCHA v2. This reCAPTCHA type provides a good balance between spam prevention and good user experience.

Select reCAPTCHA type to use

Next, enter the domain name where you’ll use the reCAPTCHA keys. You can enter multiple sites here.

You’ll also need to accept the reCAPTCHA terms of service. Once you’ve done this, click Submit.

reCAPTCHA configuration and submit button

And you’ll have registered a new site!

You’ll now see your Site Key and Secret Key. Grab these and let’s head back into the WordPress admin dashboard.

Copy reCAPTCHA keys

Now, we’ll head into WPForms » Settings » CAPTCHA. 

You’ll see that you’ll have a choice of hCaptcha, reCAPTCHA, or none. Choose reCAPTCHA to continue with the setup.

Selecting reCAPTCHA in the CAPTCHA settings

As we mentioned, there are different versions of reCAPTCHA to choose from. We’ve gotten a site key for invisible reCAPTCHA so that’s what we’ll choose in the WPForms settings.

Add site key and secret key for reCAPTCHA

Next, enter your Site Key and Secret Key, and remember to save these settings. That will be all for this stage.

In the next step, we’ll add a reCAPTCHA field to our form.

Add reCAPTCHA to a Form

If you tried the previous method, you’ll already have a form ready for use. To find it, click through WPForms » All Forms to get to the Forms Overview page.

The WPForms Forms Overview page

Click on the form name to open it up in the form builder. If the form already had a WPForms Custom Captcha field, you’ll want to remove this to make way for the reCAPTCHA field.

Next, we’ll head into the Standard Fields section of the form builder and click on the reCAPTCHA field to enable it.

Adding reCAPTCHA to a contact form

And that’s it.

In the form builder, you’ll now see that reCAPTCHA has been enabled.


Remember, we chose invisible CAPTCHA, so don’t expect to see the CAPTCHA field on the frontend until it is triggered by suspicious behavior.


And that will be all for adding reCAPTCHA to a WordPress form.

If you’d like to use a more privacy-focused anti-spam provider, we have one final option you can try.

7. hCaptcha

hCaptcha is a popular alternative to Google reCAPTCHA.

Unlike reCAPTCHA, there’s only one version of hCaptcha, but you can adjust the difficulty levels of the image challenges to be displayed to users.

To use hCaptcha on your WordPress forms, first you’ll need a hCaptcha account. Here’s how to set one up:

Create a hCaptcha Account

To get started, navigate to the hCaptcha website and click Signup.


You’ll be given a range of plans to choose from.

We recommend choosing the free plan for companies or websites. This plan is labeled Add hCaptcha for Publishers to my website or app.


The next step would be to get your hCaptcha Site Key and Secret Key.

Get Your hCaptcha Site Key and Secret Key

hCaptcha will generate these for you. All you have to do is grab them and enter them correctly in the WPForms settings.


But first, there are a few steps to take in configuring your site key.

In the hCaptcha admin dashboard, click on Sites. You’ll see your site key on the new page.


Click on Settings.


The main thing you need to do here is to add your domain name to the Site Key.

In the section labeled Hostnames, paste in your domain name (again, don’t add the https://www), then click Add new domain.


There are a few other settings to play around with, such as the difficulty level, but none of these are essential.

For more details, check out our complete guide to setting up hCaptcha in WordPress. Now, we’ll head back into WordPress to set up WPForms with your hCaptcha Site Key and Secret Key.

Configure WPForms and hCaptcha

Back in the WordPress dashboard, click on WPForms from the left sidebar, then click Settings » CAPTCHA.


We’ve been here before, when we set up reCAPTCHA. This time we’ll choose hCaptcha.

Selecting hCaptcha in the CAPTCHA settings

Enter your Site Key and Secret Key and save these settings.


hCaptcha will now be ready for use with your WPForms forms. Next, we’ll show you how to add a hCaptcha field to a form.

Add a hCaptcha Field to Your Form

Back in the form builder, look for the hCaptcha field in the Standard Fields section. Just like before, we’ll first remove any other CAPTCHA type that we’ve added to our form.

To disable reCAPTCHA, simply click on the reCAPTCHA field back in the form builder, just as you did to enable it.

This is also true for hCaptcha. Go ahead and enable the hCaptcha field by clicking on it.

WPForms hcaptcha field

You won’t see a hCaptcha field appear on your form but you should see a notice in the top right corner of the form builder, showing that hCaptcha has been enabled.


You can now embed your form on a page on your website following the instructions we shared previously.

Here’s what your hCaptcha-enabled form looks like on the frontend:

hcaptcha frontend

And that’s it! We’ve shown you how to prevent bots from filling out your forms using CAPTCHAs and CAPTCHA alternatives. One or two of these methods should help to reduce bot attacks on your site.


Next, Apply Web Form Design Best Practices

Now that we’ve shown you some ways to stop bots filling out your forms, it would be a good idea to take a look at some of the best WordPress plugins for fighting spam.


Ready to build your web form? Get started today with the easiest WordPress form builder plugin. WPForms Pro includes lots of free templates and offers a 14-day money-back guarantee.



  1. Thank you for this informative post on stopping spam entries via wpforms. I notice that you’ve not mentioned the honeypot method that works very well in stopping bots. I wondered if there is a reason for not mentioning this? I use the WP Armour plugin which seems to work very well with WPFORMS…

    1. Hi Richard,

      Thanks for sharing the great insights here. However, WPForms used honeypot spam field in the older version. It has now been replaced with Anti-Spam Protection. Please see the guide for more information.

      Hope this helps 🙂

    1. Hey Andrew, Currently our forms do not have the ability to add Cloudflare Turnstile as an option alongside ReCaptcha and hCaptcha. I do agree it would be super helpful, though, and it’s certainly on our radar as we plan out our roadmap for the future. I’ve added your email to this request, as well.


  2. And another item I use it to disallow URLs in comments fields. It’s custom code but would be a great option too if built in.

    1. Hey Tom- Yes, you got that correct! You can restrict the URL from getting entered in the form fields using the custom code. Here is a Developer guide to achieve the same.

      Hope this helps 🙂
