Preventing contact form spam

WildPress 25th Jan 2020

Contact forms have become increasingly important in a world where people no longer have time for phone calls.

But if you don’t stop spammers, the form will not be as efficient because you might be drowning in unwanted emails.
Even if your email provider has built-in spam filters, they won’t catch everything.

In this article we will discuss different methods for preventing contact form spam. We will also explain how those methods can be used with popular contact form plugins.

How to stop spammers from abusing your contact form

There are two main ways to reduce contact form spam:

  • Prevent the form from being submitted.
    • reCAPTCHA, honeypots, adding a quiz to the form.
  • Mark the form submission as spam.
    • Akismet

Combining the two methods gives the best result, but let’s look closer at the terminology used here:

reCAPTCHA

reCAPTCHA is a free tool from Google that stops spam bots. Using reCAPTCHA requires a Google account and two API keys.

If you want to use reCAPTCHA, you can register here:
https://www.google.com/recaptcha/intro/v3.html

The visitor’s IP address and the content of your form are shared with Google. If you want to use reCAPTCHA, remember to also update your privacy policy.

Version 2 lets visitors confirm that they are human. This can be a checkbox or a group of images that needs to be selected.

This means that the visitor has to go through an extra step to submit the form. That is one of the reasons why Google has developed version 3.

Version 3 is invisible to visitors. Instead each visitor is assigned a score depending on their actions.
A low score means that the visitor is likely a bot. A score of 1.0 means that the visitor is likely a human.

By logging in to the Google dashboard, site owners can see the traffic and spam scores.

Visitors with a score of 0.5 and higher will be allowed to submit the forms.
Other visitors may be shown version 2 of reCAPTCHA and need to manually confirm that they are human.
Developers can change this threshold programmatically.
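The threshold decision described above, sketched as an added example (not code from any of the plugins discussed here). It takes the decoded JSON that Google's siteverify endpoint returns for a token; the function name, the `contact` action and the `example.com` hostname are assumptions made for the illustration.

```php
<?php
// Added example: decide what to do with a reCAPTCHA v3 verification result.
// $resp is the decoded JSON returned by
// https://www.google.com/recaptcha/api/siteverify for the submitted token.
// recaptcha_v3_decision() is a hypothetical helper, not a plugin API.

function recaptcha_v3_decision(array $resp, string $expectedAction,
                               string $expectedHost, float $threshold = 0.5): string
{
    // A failed verification (bad secret, expired or reused token) is never trusted.
    if (($resp['success'] ?? false) !== true) {
        return 'reject';
    }
    // The token must have been issued for this form on this site, so a token
    // obtained for another action or hostname is not accepted here.
    if (($resp['action'] ?? '') !== $expectedAction
        || ($resp['hostname'] ?? '') !== $expectedHost) {
        return 'reject';
    }
    $score = $resp['score'] ?? null;
    if (!is_int($score) && !is_float($score)) {
        return 'reject'; // missing or malformed score: fail closed
    }
    // At or above the threshold the form is accepted; below it the visitor
    // gets the manual (version 2) check instead of being dropped outright.
    return $score >= $threshold ? 'accept' : 'challenge';
}

// Constructed sample responses (not real traffic).
$samples = [
    'human'        => ['success' => true, 'score' => 0.9, 'action' => 'contact', 'hostname' => 'example.com'],
    'borderline'   => ['success' => true, 'score' => 0.5, 'action' => 'contact', 'hostname' => 'example.com'],
    'likely bot'   => ['success' => true, 'score' => 0.1, 'action' => 'contact', 'hostname' => 'example.com'],
    'wrong action' => ['success' => true, 'score' => 0.9, 'action' => 'login',   'hostname' => 'example.com'],
    'bad token'    => ['success' => false, 'error-codes' => ['invalid-input-response']],
];

foreach ($samples as $label => $resp) {
    printf("%-12s => %s\n", $label, recaptcha_v3_decision($resp, 'contact', 'example.com'));
}
```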

Honeypots

In short, a honeypot is an invisible form field. When a person uses the form, they will not see the extra field.
If a bot visits your page it will attempt to complete all fields. This way we know that if the extra field has contents, it is being used by a bot.

Honeypots are already included in many contact form plugins. You can also add it with form builders.
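A hand-written honeypot, as an added example for sites that build their own form (it is not taken from any of the plugins discussed here). The field name `company_website`, the form layout and both function names are assumptions made for the illustration.

```php
<?php
// Added example. HONEYPOT_FIELD and the form layout are hypothetical.
const HONEYPOT_FIELD = 'company_website';

function render_contact_form(): string
{
    $hp = HONEYPOT_FIELD;
    // The trap is moved off-screen so it looks like an ordinary text field
    // to a bot. tabindex, autocomplete and aria-hidden keep keyboard users,
    // browser autofill and screen readers out of it.
    return <<<HTML
<form method="post" action="/contact">
  <label>Email <input type="email" name="email" required></label>
  <label>Message <textarea name="message" required></textarea></label>
  <div style="position:absolute; left:-9999px" aria-hidden="true">
    <label>Leave this field empty
      <input type="text" name="{$hp}" tabindex="-1" autocomplete="off">
    </label>
  </div>
  <button type="submit">Send</button>
</form>
HTML;
}

function is_honeypot_tripped(array $post): bool
{
    // A browser always submits a named text input, even when it is empty.
    // A missing key means the request was not built from the rendered form.
    if (!array_key_exists(HONEYPOT_FIELD, $post)) {
        return true;
    }
    $value = $post[HONEYPOT_FIELD];
    // Anything other than an empty string (text, or an array sent as
    // company_website[]=x) means something filled the field in.
    return !is_string($value) || trim($value) !== '';
}

// Constructed submissions (not real traffic).
$submissions = [
    'person'        => ['email' => 'a@example.com', 'message' => 'Hello', HONEYPOT_FIELD => ''],
    'form filler'   => ['email' => 'b@example.com', 'message' => 'Buy', HONEYPOT_FIELD => 'http://spam.example'],
    'field missing' => ['email' => 'c@example.com', 'message' => 'Buy'],
];
foreach ($submissions as $label => $post) {
    printf("%-13s => %s\n", $label, is_honeypot_tripped($post) ? 'discard' : 'deliver');
}
```

The check has to run on the server when the form is processed; hiding the field in the browser only sets the trap.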

Form Quiz

A form quiz is a question that is added as the last item of your form, for example a simple math problem.
A bot would most likely not be able to answer the question, but a person would.

A form quiz can be added to your contact form if your plugin has a form builder.

Summary

Most of the time it is enough to only use one of these methods to prevent the form from being submitted.

A quiz is easy to set up and you won’t need a Google account. The downside is that it requires an extra step for the user to complete. This can deter visitors from using your forms.

The benefit of a honeypot is that it does not affect real visitors. There are no extra steps to complete, and no visible captcha.
But compared to Google reCAPTCHA, you do not have access to any statistics.

If you are interested in the statistics and if you have time to learn how to use the tool, use Google reCAPTCHA.

Contact form plugins with spam protection

Contact Form 7 is by far the most popular contact form plugin with over 5 million users.
The plugin lets you edit the forms, emails, and confirmation messages.
This plugin may look basic, but advanced users can take advantage of extra settings.

Contact Form 7 is compatible with GDPR. It does not save or share the information in the form. If you need to save the information in the database you can combine it with a plugin called Flamingo.

The Contact Form 7 form builder has a built-in button that you can use to add a quiz to your form.
To add an invisible field, a honeypot, you can use the custom hidden form-tag type.
You can read more about the hidden field in the documentation.

For extra spam protection the plugin can be integrated with Akismet or reCAPTCHA.
These solutions share the contents of the form with Automattic and Google respectively.

Using reCAPTCHA is a one-step setup. All you need to do is save your API keys.
If you have activated Akismet, the integration requires making changes to your forms. Follow the instructions in the plugin documentation.

Once you have created your forms, remember to test them.
If you are seeing an error message with an orange border, it means that the message was stopped as spam. If there is a red border, it means that your email has not been set up correctly.

WPForms is a free plugin with premium addons and a drag and drop form builder.
The plugin has several settings for styling your form and customising the messages that are shown to the visitor.

Each form has an option to add a honeypot field and a reCAPTCHA field.
The honeypot field is enabled by default.
To set up reCAPTCHA, open the WPForms menu in the WordPress admin area. Select Settings and the reCAPTCHA tab. Enter and save your API keys.

One big benefit with WPForms compared to Contact Form 7 and Ninja Forms is that you can change your reCAPTCHA score threshold.
If you notice that too few or too many messages are marked as spam, you can increase or lower the score.

Ninja Forms is another popular free plugin with premium addons.
The plugin has a large number of pre-configured forms that you can import, including contact forms, event registrations, job applications, GDPR data requests and more.

In the Ninja Forms form builder, you can add the following optional fields:
Hidden (This will be your honeypot), Anti-Spam (Quiz), and reCAPTCHA.
The reCAPTCHA options can be found under Settings in the Ninja Forms menu.

Spam protection plugins

Akismet is installed by default with every new WordPress installation.
To use Akismet you need a WordPress.com account.
You can use a free plan for personal blogs. For commercial websites the cost is $5 per site per month.

To be able to check the form for spam, the content is sent to Automattic. If you want to use Akismet, remember to update your privacy policy page with this information.

Akismet is mainly for comment form spam. To make it work for your contact forms you may need to customize them. Contact Form 7 is one plugin that can be integrated with Akismet.

The second most popular spam protection plugin is Antispam Bee.
Antispam Bee is a great option if you do not want to share your forms with third-party services. But unfortunately it only works with default comment forms.
There are no settings to make the plugin compatible with contact forms.

There are plenty of reCAPTCHA plugins to choose from in the WordPress.org plugin directory. Some of the plugins require premium addons to work with contact form plugins.

Getting too much spam?

We can help you review your existing forms and increase your chances of preventing spam. Send us an email if you need help with spam protection.
