When building forms, new WordPress sites often ignore security considerations. This is a big mistake.
I know because I learned this the hard way when the signup form on my website was attacked by a spam bot that tried signing up 60,000 times overnight…
I still carry trauma from that event. I may forget to eat, but I no longer forget to add anti-spam to important forms on any of my online projects anymore.
The good news is that the strategies for countering spam and security threats have improved considerably over the years. So even if you’re seeing spam and suspicious activity on your forms, you can effectively combat it.
And if you have no reason to believe your site is being targeted by spambots, you should still take preventive measures to keep your forms secure from future threats.
In this article, I’ll share some effective tips for creating a secure WordPress form that have helped many WPForms customers and me as well in reducing spam submissions and security threats.
Create Secure WordPress Forms Now 🔒
How to Boost Your WordPress Form Security
1. Enable CAPTCHA
CAPTCHA services are one of the most popular tools for blocking form spam. They owe their popularity to the fact that they’re powerful at preventing spambots from attacking your forms.
To add a CAPTCHA to a WordPress form, you’ll need a plugin that supports CAPTCHA services. For instance, WPForms lets you add the following CAPTCHA services to any form:
- Custom CAPTCHA
- Google reCAPTCHA
- hCaptcha
- Cloudflare Turnstile
All of these CAPTCHA services can be hugely effective at reducing spam form submissions for you.
However, if you’re continuing to see spam despite using one of these CAPTCHA services, I recommend trying a different option.
For instance, if you’re already using reCAPTCHA and still seeing high volumes of spam, you can try using hCaptcha instead.
If you’re still not happy, it’s worthwhile to try Cloudflare Turnstile.
These CAPTCHA services are all automated, and they use complex algorithms to check suspicious activity while a form is being filled.
But if you need a simpler CAPTCHA with the ability to design your own questions to ask, you can use the WPForms Custom Captcha.
This lets you ask math questions or general trivia questions that are easy for real users to answer but can pose quite a challenge for spambots.
Finally, you can also use Akismet to block spam. Akismet is different from other CAPTCHA services because it’s completely invisible and detects spam against a huge database of known spam patterns.
So if you want to enhance your WordPress form security without compromising on user experience with puzzle-based CAPTCHA, Akismet is a great option to try.
2. Set Up Email Verification
While CAPTCHA services are great at blocking most kinds of spam, they’re not perfect. There are situations where you might need to take some extra measures to keep your form secure from bots and scammers.
For instance, if you allow visitors to create an account on your site with a registration form, a simple email verification can go a long way in preventing fake registrations.
The WPForms User Registration addon not only lets you create your own custom registration forms, but also allows you to add email verification.
You can either manually activate each user registration yourself or allow users to do it on their own with an email sent directly to their provided email address.
Spammers usually use fake email addresses, so you can eliminate a lot of spam from your registration form simply by adding an email verification email in WPForms.
You can also enable email verification for any general form using the WPForms Form Locker addon. When enabled, WPForms will require a visitor to first insert a valid email address before they can access the form.
The user will then receive an email with a unique link to unlock the form, preventing any user with a fake email from accessing it.
Note: Adding an extra step leading to form access can also cause some annoyance to real users. It’s a good idea to consider the sensitivity of your audience before incorporating email verification.
Create Form With Email Verification
3. Block Submissions By Country
If you’re a local business that operates only within a single country (or just a few), you may want to consider blocking form submissions from outside countries.
WPForms has a very handy country filter that you can use to allow or block entries from specific countries.
This is a powerful strategy because you’re effectively eliminating a huge chunk of potential spammers and hackers hailing from a region outside your target market.
4. Restrict Form Visibility to Logged-in Users
If you want to accept form entries only from logged-in users, the chances of receiving spam are naturally pretty low.
That’s because it’s a big time investment for a spammer to first sign in and then fill out your form to target you with spam. Malicious users, whether real or bots, always prefer easily accessible targets.
With the WPForms Form Locker addon, you can restrict access to your form only to logged-in users.
However, it’s important to consider whether adding this restriction to your form is a good idea on a case-by-case basis.
For instance, it wouldn’t make a lot of sense to use these restrictions on a lead form. But it’d be quite relevant in a customer review form.
5. Layer Up Form Security Features
I’ve come across situations where websites continue to see high rates of spam despite having one or the other security or spam prevention solutuon in place for a web form.
Sometimes, the more advanced spambots can’t be easily tackled with a single spam-blocking technique – you need to layer it up by using multiple tactics at the same time.
Here’s an example of using a combination of protective features to ramp up your form security:
- Activate CAPTCHA: Your first line of defense needs to be some form CAPTCHA or a service like Akismet to stop the bulk of spam attacking your site.
- Enforce a minimum submission time: Spambots are programmed to be super quick. This fact can be used against them to prevent form submissions that occur before a minimum time has passed. The minimum time to submit setting in WPForms can add another important extra layer of form security.
- Enable email verification for registration: When it makes sense, use email verification to prevent users with fake emails from signing up.
- Use a country filter: For local businesses, it’s always safer to block visitors originating from countries that you don’t serve.
- Maintain an email blocklist: If you’re seeing repeat offenders on your site, you can create an email blocklist to prevent submissions with specific email addresses from being accepted.
With a multi-pronged strategy, you have a much higher chance of preventing spam and leveling up your form security.
Next, Try Some reCAPTCHA Alternatives
Google reCAPTCHA is the most popular CAPTCHA service for contact forms. But there are some great alternatives that also offer better user privacy. Our guide on reCAPTCHA alternatives discusses some other options you can use to keep your forms secure.
Also, if you’re looking for a secure way to send your WordPress form notification emails using Gmail, check out this guide to using Gmail SMTP with WP Mail SMTP.
Create Secure WordPress Forms Now 🔒
So, what are you waiting for? Get started with the most powerful WordPress forms plugin today.
And don’t forget, if you like this article, then please follow us on Facebook and Twitter.
Is the data sent via WPForms encrypted or otherwise secure while in transit?
When collecting personal information, we want to ensure our users that when they submit their data, they are doing so in a secure way. I realize storing the data is different, which is why I framed the question in a particular way.
Hey there – Great question! The most widely used option for secure data transfer is using SSL on your site. You can find more details in this article on how SSL helps to do a secure data transfer. Any data transferred by WPForms will also be secured if the site is using SSL.
I hope this info help!
Hi, is there any way to create secure, but anonymous forms in WordPress? I’ve noticed many have ‘Email Addresses’ as a required field you cannot erase. Thank you.
Hey Ruby- We do not have an inbuilt feature to create anonymous forms. However, you can absolutely achieve this with logged-in users, and then adding this custom code will help you achieve what you’ve mentioned.
Hope this helps! 🙂
Is the data encrypted and then sent to the database? What hosting offers encrypted databases?
Hi richie!
Our plugin itself doesn’t provide any data encryption features. Whether or not the data is “secure” from your user’s end as it makes its way to your site’s server is a bit of a involved matter, but generally speaking if your site has an SSL certificate active, it can be considered to be secure. There is a large number of factors involved when it comes to site security. These articles might help you get started with that question:
1 – https://wpforms.com/docs/a-complete-guide-to-wpforms-security/
2 – https://www.wpbeginner.com/wordpress-security/
I hope this helps to clarify 🙂 If you have any further questions about this, please contact us.
Thanks!
How can i secure the files in the wpforms upload folder on my webserver? Can a hacker access to those files by scanning the website?
Hey Simo – WPForms should handle the bulk of file upload security for you — we don’t allow any unapproved or unauthorized files to be uploaded. So as long as you are using a reputable web host, there should be no issues.
If you aren’t sure about what methods your web host uses to secure their servers, I would suggest consulting with their customer support to discuss what security measures are in place, how they protect your site and what are the actions steps taken by them in the unlikely event your website is compromised. Always best to know!
Additionally, we add a unique hash to the end of the file (eg: my-logo-570543445db74.png) so that a malicious user couldn’t easily open up a bunch of files that have been uploaded to your site.