How to prevent bots from submitting your forms

How to Prevent Bots From Submitting Your Forms (4 Ways)

Do you want to prevent bots from submitting your forms?

Form spam is a huge problem in WordPress. And when it happens, it can be a huge hassle to deal with.

Fortunately, there are a few highly effective ways you can fight spam and stop bots from filling out your forms.

In this article, we’ll discuss 3 of these tools, and show you how to set them up.

Create Spam Free WordPress Forms Now

Why Do Bots Fill Out Contact Forms?

Bots fill out forms for several reasons like link spam, advertisement, attempting phishing scams, or looking for security vulnerabilities on your site.

Without protection, dangerous spambots may even cause an outage on your site or spread malware infections.

This makes it so important that you implement strong anti-spam measures on your WordPress forms.

Does CAPTCHA Stop Bots?

CAPTCHAs do block a lot of bot form submissions, but they’re not 100% effective. They will prevent simple bots from filling out your web forms. However, it’s been shown that new, more advanced bots can get around CAPTCHAs.

So, the best thing you can do is add a CAPTCHA to your website’s forms and use other anti-spam methods too. We’ll cover all these solutions in this post.

How To Prevent Bots From Submitting Your Forms

Getting Started: Install WPForms and Create a New Form

To get started, you’re going to need a WPForms installation on your website. The other two methods we’ll be discussing in this article are compatible with any WPForms license, but you can only use Custom Captcha on WPForms paid plans.

So we’ll get started by installing WPForms Pro, our most popular paid license. If you need a little help with this step, take a look at this helpful guide to installing WordPress plugins for beginners.

Once you have installed and activated WPForms, we’ll need a new form. Creating a new form is really easy to do in WPForms. The plugin allows you to create a form from scratch using the drag-and-drop form builder, or to pick from 400+ prebuilt form templates to get started.

From the WordPress dashboard, you’ll see a WPForms tab in the left sidebar. Click on this, and then on Add New.

Adding a new form in WPForms

This will take you to the WPForms template library. You can choose a suitable template here or even build a form from scratch if you’d like to.

WPForms templates

We’re going to choose the Simple Contact Form template for this guide.

Selecting the Simple Contact Form template

This will open up the form builder with additional form fields on the panel on the left.

WPForms Form Builder

Give your form a name and save it by clicking the Save button at the top right corner of the page.

Save button to save your form

Now, you can head back into the WordPress admin area where we’ll set up WPForms’ Custom Captcha, before we return to our form.

Method #1: Use WPForms Custom Captcha

WPForms offers a Custom Captcha tool that allows you to set up custom math questions to filter human users from bots. Follow these steps to set it up:

Enable the Custom Captcha Addon

First, you’ll need to enable the Custom Captcha addon. This can be done with a single click. In the WordPress admin area, head over to WPForms » Addons.

Accessing the WPForms addons screen

Scroll down till you see the Custom Captcha addon, then click activate.

activate custom captcha addon

Now, we’ll return to the form we created and add a Custom Captcha field to it.

Add a Custom Captcha Field to Your Form

Back in the form builder, you can find the Custom Captcha field in the Fancy Fields section. Drag and drop the field onto your form, and that’s it!

custom captcha field

The form will come with a maths challenge by default. But you can also customize this question. To do this, click on the Custom Captcha field, and then on the Advanced tab.

advanced tab custom captcha

Scroll down to the section labeled Type and click on the field where it says Math.

custom captcha math

This will open a dropdown with another option labelled Question and Answer.

custom question and answer

When you click on this, you’ll see that you can set up a custom test question and answer pairing. set this up with whatever question and answer you’d like to use, and you’ll be done here.

Embed the Form

Now, all that’s left to do is to embed your Custom Captcha-enabled form on a page and publish it. Go ahead and save the form, again, then click the Embed button right next to the Save button.

Embed form button

This will trigger a modal offering you the option of embedding your form on a new or existing page. For this guide, we’ll embed our form on a new page.

Embed in new page

Give your new page a name;

Embed to a Page

Then simply publish it to make your form live.

publish custom captcha

As you can see, our form now has a Custom Captcha field with a math question.

custom captcha frontend

Next, we’ll explore reCAPTCHA, showing you how to use it to protect your forms.

Method #2: Use Google reCAPTCHA

Google reCAPTCHA is the go-to tool for fighting form spam for millions of websites. Here’s how to set it up:

Create a reCAPTCHA Account

To use reCAPTCHA in WordPress, we’ll need to create a reCAPTCHA account and get a Secret Key and Site Key for your website.

To get started, log on to the reCAPTCHA admin console to register a new site and get these keys.

First, you’ll need to enter a Label. This is your domain name without the “https://www.”

recaptcha enter label

Then you’ll need to choose a reCAPTCHA type. There are two broad types of reCAPTCHA to choose from:

reCAPTCHA v3 – This version of reCAPTCHA can evaluate user behavior and filter bot activity without having to interact with users on the page. It is quite powerful but also a little invasive, as it collects tons of user data.

reCAPTCHA v2 – This version of reCAPTCHA relies on the traditional challenge-based CAPTCHA. There are actually two types of reCAPTCHA v2.

There is the Checkbox CAPTCHA and the Invisible CAPTCHA.  The Checkbox CAPTCHA requires users to simply tick a checkbox to prove they are human.

Invisible CAPTCHA, on the other hand, works in the background and only challenges users once it detects suspicious activity.

Not sure which is best for your site? We’ve got a comprehensive piece of documentation that covers this here: How to Choose a CAPTCHA in WPForms.

Once you’ve decided which version to use, tick the checkbox next to it.

For this guide, we’ll go with invisible reCAPTCHA v2. This reCAPTCHA type provides a good balance between fighting bots and offering a good user experience.

Select reCAPTCHA type to use

Something to keep in mind is that once a site key has been set up for a particular reCAPTCHA type, you can’t use it with a different reCAPTCHA version.

Next, enter the domain name where you’ll use the reCAPTCHA keys. You can enter multiple sites here. Just as before, enter the domain alone, and omit the “https//www.”

You’ll also need to accept the reCAPTCHA terms of service. Once you’ve done this, click Submit.

reCAPTCHA configuration and submit button

And you’ll have registered a new site!

You’ll now see your Site Key and Secret Key. Grab these and let’s head back into the WordPress admin dashboard.

Copy reCAPTCHA keys

Now, we’ll head into WPForms » Settings » CAPTCHA. 

You’ll see that you’ll have a choice of hCaptcha, reCAPTCHA, or none. Choose reCAPTCHA to continue with the setup.

Selecting reCAPTCHA in the CAPTCHA settings

As we mentioned, there are different versions of reCAPTCHA to choose from. We’ve gotten a site key for invisible reCAPTCHA so that’s what we’ll choose in the WPForms settings.

Add site key and secret key for reCAPTCHA

Next, enter your Site Key and Secret Key, and remember to save these settings. That will be all for this stage.

In the next step, we’ll add a reCAPTCHA field to our form.

Add reCAPTCHA to a Form

If you tried the previous method, you’ll already have a form ready for use. To find it, click through WPForms » All Forms to get to the Forms Overview page.

The WPForms Forms Overview page

Click on the form name to open it up in the form builder. If the form already had a WPForms Custom Captcha field, you’ll want to remove this to make way for the reCAPTCHA field.

Click on the form to open it in the form builder. We’ll then head into the standard fields section of the form builder and click on the reCAPTCHA field to enable it.

Adding reCAPTCHA to a contact form

And that’s it.

In the form builder, you’ll now see that reCAPTCHA has been enabled.

recaptcha enabled

Remember, we chose invisible CAPTCHA, so don’t expect to see the CAPTCHA field on the frontend, until it is triggered by suspicious behavior.

simple form frontend

And that will be all for adding reCAPTCHA to a WordPress form.

We’ll now discuss using hCaptcha to prevent bots from filling your forms, and then we’ll wrap things up with some additional anti-spam tools.

Here we go!

Method #3: Use hCaptcha

hCaptcha is a popular alternative to Google reCAPTCHA.

Unlike reCAPTCHA, there’s only one version of hCaptcha, but you can adjust the difficulty levels of the image challenges to be displayed to users.

To use hCaptcha on your WordPress forms, first you’ll need a hCaptcha account. Here’s how to set one up:

Create a hCaptcha Account

To get started, navigate to the hCaptcha website and click Signup.

signup hcaptcha

You’ll be given a range of plans to choose from.

We recommend choosing the free plan for companies or websites. This plan is labeled Add hCaptcha for Publishers to my website or app.

hcaptcha plans

The next step would be to get your hCaptcha Site Key and Secret Key.

Get Your hCaptcha Site Key and Secret Key

hCaptcha will generate these for you. All you have to do is grab them and enter them correctly in the WPForms settings.

dashboard hcaptcha

But first, there are a few steps to take in configuring your site key.

In the hCaptcha admin dashboard, click on Sites. You’ll see your site key on the new page.

hcaptcha default sitekey

Click on Settings.

hcaptcha settings

The main thing you need to do here is to add your domain name to the Site Key.

In the section labeled Hostnames, paste in your domain name (again, don’t add the https://www), then click Add new domain.

hcaptcha add domain

There are a few other settings to play around with, such as the difficulty level, but none of these are essential.

For more details, check out our complete guide to setting up hCaptcha in WordPress. Now, we’ll head back into WordPress to set up WPForms with your hCaptcha Site Key and Secret Key.

Configure WPForms and hCaptcha

Back in the WordPress dashboard, click on WPForms from the left sidebar, then click Settings » CAPTCHA.

wpforms captcha

We’ve been here before, when we set up reCAPTCHA. This time we’ll choose hCaptcha.

Selecting hCaptcha in the CAPTCHA settings

Enter your Site Key and Secret Key and save these settings.

wpforms hcaptcha keys

hCaptcha will now be ready for use with your WPForms forms. Next, we’ll show you how to add a hCaptcha field to a form.

Add a hCaptcha Field to Your Form

Back in the form builder, look for the hCaptcha field in the Standard Fields section. Just like before, we’ll first remove any other CAPTCHA type that we’ve added to our form.

To disable reCAPTCHA, simply click on the reCAPTCHA field back in the form builder, just as you did to enable it.

This is also true for hCaptcha. Go ahead and enable the hCaptcha field by clicking on it.

WPForms hcaptcha field

You won’t see a hCaptcha field appear on your form but you should see a notice in the top right corner of the form builder, showing that hCaptcha has been enabled.

wpforms captcha enabled

You can now embed your form on a page on your website following the instructions we shared previously.

Here’s what your hCaptcha-enabled form looks like on the frontend:

hcaptcha frontend

Method #4: Use Cloudflare Turnstile

Cloudflare Turnstile is a privacy-focused, CAPTCHA-life service. You can sign up for a Cloudflare account and use it for free, making it a highly affordable reCAPTCHA alternative.

To set it up, you’ll first need to either log in to your Cloudflare account or sign up for a new one.

Access Cloudflare Turnstile Site and Secret Keys

If you don’t already have a Cloudflare account, create one.

Signing up for a Cloudflare Turnstile account

Once you’ve set up your account, go to your dashboard and find the Turnstile page. Here, you’ll need to add your site.

Adding a site for Cloudflare TurnstileEnter your website’s information on the next screen. Then choose your widget type. This will determine how Cloudflare processes your CAPTCHA requests.

Selecting a widget type for Cloudflare TurnstileThen click Create.

Create Cloudflare Turnstile siteYour Cloudflare Turnstile site and secret keys will be generated.

Cloudflare Turnstile site and secret keys Enable Cloudflare Turnstile in WPForms

In your WordPress dashboard, go to WPForms » Settings » CAPTCHA and select the Turnstile option.

WPForms Captcha settings

Enter your site and secret keys in the fields provided.

Entering your Cloudflare Turnstile site and secret keys

There are a few other options here you can configure as well. See our guide to setting up Cloudflare Turnstile for more details.

Make sure to save your settings. Now you’re ready to add Turnstile to a form.

Add Cloudflare Turnstile to a Form

Open your form in the form builder and click on the Settings tab on the left side of the screen. Then select the Spam Protection and Security settings.

Opening the form spam and security settings

Under CAPTCHA, toggle on Enable Cloudflare Turnstile.

Enabling Couldflare Turnstile

Or if you prefer, you can add a Turnstile field to your form instead.

Adding a Turnstile field to your form

When Turnstile is enabled, your form will have a badge showing that it’s protected.

Cloudflare Turnstile badge

And that’s it! We’ve shown you how to prevent bots from filling out your forms using 4 different CAPTCHA tools.

Wondering if there are other ways to fight form spam? We’ll discuss this next.

Bonus: Other Ways of Filtering Spam With WPForms

WPForms takes form spam very seriously which is why it supports various bot spam prevention methods.

You can use these extra form prevention tools along with the main methods mentioned above if you’d like to add an extra layer of security.


Akismet is the most widely-used spam-filtering tool for WordPress. It not only blocks comment spam, but it also integrates very well with top form builder plugins like WPForms.

All versions of WPForms (including Lite) come with a native Akismet integration that helps to filter bots. You can find this setting in the Spam Protection and Security section of the form builder.

Enabling Akismet protection for a form

Akismet uses its vast databases of known spam entries to filter spam when it’s entered into your forms. It can also analyze user behavior to distinguish between bots and real human users.

Anti-Spam Form Tokens

Another thing you can do is enable WPForms form tokens. This setting is also found in the Spam Protection and Security section of the form builder.

Enable anti-spam protection in WPForms

WPForms form tokens are cryptographic, time-sensitive strings that are submitted when real users submit a form.  Bots aren’t able to detect or mimic WPForms anti-spam tokens effectively, so enabling these tokens is a smart anti-spam tactic.

Country and Keyword Filters

Bot spam often follows certain patterns. If you’re receiving a lot of spam submissions to your forms, you might notice that they tend to come from a certain country or include specific words or phrases.

You can block form submissions that include these suspicious elements using the WPForms country and keyword filters in the Spam Protection and Security section of the form builder.

WPForms custom spam filters

And that’s it for our guide to preventing bots from filling your forms!

Next, Apply Web Form Design Best Practices

Looking to improve conversion on your site? Form design is crucial. Here’s all you need to know about effective form design, covered in our guide to web form design best practices.

Now that we’ve shown you some ways to stop bots filling out your forms, it would be a good idea to take a look at some of the best WordPress plugins for fighting spam.

And if you’re new to form-building, check out our guide to embedding a form on your website. You might also be interested in our tutorial on creating a WordPress registration form with PayPal enabled.

Create Spam Free WordPress Forms Now

Ready to build your web form? Get started today with the easiest WordPress form builder plugin. WPForms Pro includes lots of free templates and offers a 14-day money-back guarantee.

If this article helped you out, please follow us on Facebook and Twitter for more free WordPress tutorials and guides.

Using WordPress and want to get WPForms for free?

Enter the URL to your WordPress website to install.


  1. Thank you for this informative post on stopping spam entries via wpforms. I notice that you’ve not mentioned the honeypot method that works very well in stopping bots. I wondered if there is a reason for not mentioning this? I use the WP Armour plugin which seems to work very well with WPFORMS…

    1. Hi Richard,

      Thanks for sharing the great insights here. However, WPForms used honeypot spam field in the older version.It has now been replaced with Anti- Spam Protection. Please see the guide for more information.

      Hope this helps 🙂

    1. Hey Andrew, Currently our forms do not have the ability to add Cloudflare Turnstile as an option alongside ReCaptcha and hCaptcha. I do agree it would be super helpful, though, and it’s certainly on our radar as we plan out our roadmap for the future. I’ve added your email to this request, as well.


  2. And another item I use it to disallow URL’s in comments fields. It’s custom code but would be a great option too if built in.

    1. Hey Tom- Yes, you got that correct! You can restrict the URL from getting entered in the form fields using the custom code. Here is a Developer guide to achieve the same.

      Hope this helps 🙂

Add a Comment

We're glad you have chosen to leave a comment. Please keep in mind that all comments are moderated according to our privacy policy, and all links are nofollow. Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.

This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.