Do you want to prevent bots from submitting your forms?
Form spam is a huge problem in WordPress, and bots can find ways to get around spam plugins.
Fortunately, there are a few highly effective ways you can stop this from happening.
Why Do Bots Fill Out Contact Forms?
Bots fill out forms to send spam or phishing links. Sometimes bots are used to send spoof domain renewal emails that are designed to catch you out.
Without protection, dangerous spambots may even cause an outage on your site or spread malware infections.
Does CAPTCHA Stop Bots?
Yes, CAPTCHAs can help to stop bots. Google reCAPTCHA is one of the most effective CAPTCHA methods. But you may have to use a CAPTCHA alternative if you find that bots are getting around your CAPTCHA rules.
How To Prevent Bots From Submitting Your Forms
Akismet is the most widely-used spam-filtering tool for WordPress. It not only blocks comment spam, but it also integrates very well with the best form builder plugins.
All versions of WPForms (including Lite) come with a native Akismet integration that helps to filter bots. You can find this setting in the Spam Protection and Security settings.
Akismet uses its vast databases of known spam entries to filter spam when it’s entered into your forms. It can also analyze user behavior to distinguish between bots and real human users.
For more information, check out how to use Akismet to prevent contact form spam.
2. Anti-Spam Form Tokens
Are you looking for a form honeypot?
Bots can usually get around honeypot fields because they learn how to fill out the hidden field that users can’t see. That allows them to pass the field validation and send a message through the form.
In WPForms, honeypot fields have been replaced by form tokens.
Form tokens are enabled by default. You’ll see them in the Spam Protection and Security section of the form builder.
WPForms form tokens are time-sensitive strings that are submitted when real users submit a form. Bots aren’t able to detect or mimic WPForms anti-spam tokens effectively, so enabling these tokens is a smart anti-spam tactic.
3. Country and Keyword Filters
Bot spam often follows certain patterns. If you’re receiving a lot of spam submissions to your forms, you might notice that they tend to come from a certain country or include specific words or phrases.
You can block form submissions that include these suspicious elements using the WPForms country and keyword filters.
You can also create an email allowlist or a denylist to prevent submissions getting through from fake emails or real ones.
If this method is effective, you might want to block visitors from your site based on their IP address. Check out our list of the best security plugins to find out how this works.
4. Cloudflare Turnstile
Cloudflare Turnstile is a privacy-focused, CAPTCHA-like service. You can sign up for a Cloudflare account and use it for free, so it’s a great way to stop spammers in their tracks.
To set it up, you’ll first need to log in to your Cloudflare account or sign up for a new one.
Access Cloudflare Turnstile Site and Secret Keys
Once you’ve set up your account, go to your dashboard and find the Turnstile page. Here, you’ll need to add your site.
Enter your website’s information on the next screen. Then choose your widget type. This will determine how Cloudflare processes your CAPTCHA requests.
Then click Create.
Your Cloudflare Turnstile site and secret keys will be generated.
Enable Cloudflare Turnstile in WPForms
In your WordPress dashboard, go to WPForms » Settings » CAPTCHA and select the Turnstile option.
Enter your site and secret keys in the fields provided.
There are a few other options here you can configure as well. See our guide to setting up Cloudflare Turnstile for more details.
Make sure to save your settings. Now you’re ready to add Turnstile to a form.
Add Cloudflare Turnstile to a Form
Open your form in the form builder and click on the Settings tab on the left side of the screen. Then select the Spam Protection and Security settings.
Under CAPTCHA, toggle on Enable Cloudflare Turnstile.
Or if you prefer, you can add a Turnstile field to your form instead.
When Turnstile is enabled, your form will have a badge showing that it’s protected.
And that’s it! Now your form data will pass through Cloudflare’s anti-spam system before the form can be submitted.
5. Math or Q&A CAPTCHA
WPForms offers a Custom Captcha addon that allows you to set up custom math questions to filter human users from bots.
You can also use this addon to create a question and answer that only a human could solve.
Despite being simple, this is one of the most effective ways to stop bots submitting your forms. It’s also ideal if you’d rather not use third-party providers.
Here’s how to use it.
Enable the Custom Captcha Addon in WPForms
In the WordPress admin area, head over to WPForms » Addons.
Scroll down till you see the Custom Captcha addon, then click Activate.
Now open up the form that bots are submitting.
You’ll find the Custom Captcha field in the Fancy Fields section. Drag and drop the field onto your form.
Now we need to set up the question.
To do that, click on the Custom Captcha field, and then on the Advanced tab.
Scroll down to the section labeled Type and click on the field where it says Math. You can change this to a question if you prefer.
Save the form and you’ll see that it now has a question on it. Bots won’t be able to solve this without human help!
This method doesn’t stop determined human spammers. For that, reCAPTCHA can help.
6. Google reCAPTCHA
Google reCAPTCHA is the go-to tool for fighting form spam for millions of websites. Here’s how to set it up:
Create a reCAPTCHA Account
To use reCAPTCHA in WordPress, we’ll need to create a reCAPTCHA account and get a Secret Key and Site Key for your website.
To get started, log on to the reCAPTCHA admin console to register a new site and get these keys.
First, you’ll need to enter a Label. This is your domain name.
Then you’ll need to choose a reCAPTCHA type.
Google uses various methods to detect real people according to the way they behave:
- reCAPTCHA v3 can evaluate user behavior and filter bot activity without your visitor having to do anything.
- reCAPTCHA v2 presents a challenge to the user, like a checkbox.
Once you’ve decided which version to use, tick the checkbox next to it.
For this guide, we’ll go with invisible reCAPTCHA v2. This reCAPTCHA type provides a good balance between spam prevention and good user experience.
Next, enter the domain name where you’ll use the reCAPTCHA keys. You can enter multiple sites here.
You’ll also need to accept the reCAPTCHA terms of service. Once you’ve done this, click Submit.
And you’ll have registered a new site!
You’ll now see your Site Key and Secret Key. Grab these and let’s head back into the WordPress admin dashboard.
Now, we’ll head into WPForms » Settings » CAPTCHA.
You’ll see that you’ll have a choice of hCaptcha, reCAPTCHA, or none. Choose reCAPTCHA to continue with the setup.
As we mentioned, there are different versions of reCAPTCHA to choose from. We’ve gotten a site key for invisible reCAPTCHA so that’s what we’ll choose in the WPForms settings.
Next, enter your Site Key and Secret Key, and remember to save these settings. That will be all for this stage.
In the next step, we’ll add a reCAPTCHA field to our form.
Add reCAPTCHA to a Form
If you tried the previous method, you’ll already have a form ready for use. To find it, click through WPForms » All Forms to get to the Forms Overview page.
Click on the form name to open it up in the form builder. If the form already had a WPForms Custom Captcha field, you’ll want to remove this to make way for the reCAPTCHA field.
Click on the form to open it in the form builder. We’ll then head into the standard fields section of the form builder and click on the reCAPTCHA field to enable it.
And that’s it.
In the form builder, you’ll now see that reCAPTCHA has been enabled.
Remember, we chose invisible CAPTCHA, so don’t expect to see the CAPTCHA field on the frontend, until it is triggered by suspicious behavior.
And that will be all for adding reCAPTCHA to a WordPress form.
If you’d like to use a more privacy-focused anti-spam provider, we have one final option you can try.
hCaptcha is a popular alternative to Google reCAPTCHA.
Unlike reCAPTCHA, there’s only one version of hCaptcha, but you can adjust the difficulty levels of the image challenges to be displayed to users.
To use hCaptcha on your WordPress forms, first you’ll need a hCaptcha account. Here’s how to set one up:
Create a hCaptcha Account
To get started, navigate to the hCaptcha website and click Signup.
You’ll be given a range of plans to choose from.
We recommend choosing the free plan for companies or websites. This plan is labeled Add hCaptcha for Publishers to my website or app.
The next step would be to get your hCaptcha Site Key and Secret Key.
Get Your hCaptcha Site Key and Secret Key
hCaptcha will generate these for you. All you have to do is grab them and enter them correctly in the WPForms settings.
But first, there are a few steps to take in configuring your site key.
In the hCaptcha admin dashboard, click on Sites. You’ll see your site key on the new page.
Click on Settings.
The main thing you need to do here is to add your domain name to the Site Key.
In the section labeled Hostnames, paste in your domain name (again, don’t add the https://www), then click Add new domain.
There are a few other settings to play around with, such as the difficulty level, but none of these are essential.
For more details, check out our complete guide to setting up hCaptcha in WordPress. Now, we’ll head back into WordPress to set up WPForms with your hCaptcha Site Key and Secret Key.
Configure WPForms and hCaptcha
Back in the WordPress dashboard, click on WPForms from the left sidebar, then click Settings » CAPTCHA.
We’ve been here before, when we set up reCAPTCHA. This time we’ll choose hCaptcha.
Enter your Site Key and Secret Key and save these settings.
hCaptcha will now be ready for use with your WPForms forms. Next, we’ll show you how to add a hCaptcha field to a form.
Add a hCaptcha Field to Your Form
Back in the form builder, look for the hCaptcha field in the Standard Fields section. Just like before, we’ll first remove any other CAPTCHA type that we’ve added to our form.
To disable reCAPTCHA, simply click on the reCAPTCHA field back in the form builder, just as you did to enable it.
This is also true for hCaptcha. Go ahead and enable the hCaptcha field by clicking on it.
You won’t see a hCaptcha field appear on your form but you should see a notice in the top right corner of the form builder, showing that hCaptcha has been enabled.
You can now embed your form on a page on your website following the instructions we shared previously.
Here’s what your hCaptcha-enabled form looks like on the frontend:
And that’s it! We’ve shown you how to prevent bots from filling out your forms using CAPTCHAs and CAPTCHA alternatives. One or two of these methods should help to reduce bot attacks on your site.
Next, Apply Web Form Design Best Practices
Now that we’ve shown you some ways to stop bots filling out your forms, it would be a good idea to take a look at some of the best WordPress plugins for fighting spam.
Ready to build your web form? Get started today with the easiest WordPress form builder plugin. WPForms Pro includes lots of free templates and offers a 14-day money-back guarantee.