Fix Hacked Site

Here are tips to help you reduce the amount of spam you receive in your contact form

Are you getting a large number of spam messages through your contact form? This can be really annoying and time-consuming to handle.

The good news is there are automated ways to prevent spam in WordPress. In this article, we will share different ways to reduce and block contact from spam in WordPress.

Why You Need to Stop Contact Form Spam

How to Stop Contact Form Spam in WordPress (Step by Step)

Contact form spam is almost always automated. It’s a problem even for small, little-known websites as it’d be carried out by “spammers” that automatically send unwanted spam.

These spambots are bots that crawl websites and look for insecure forms, so they can send you spammy links. They may also try brute force attacks to break into your login forms. This is why it’s so important to have a strong password.

Sometimes, they can also look for vulnerabilities in your website’s forms, so they can use them to send malware or spam to other people. Spam isn’t just annoying. Those spambots can be dangerous to your website, reputation, and business.

Spam is an enormous issue with contact forms on WordPress sites – both the sites we design and on a global scale. As the most mainstream free WordPress contact form plugin, Contact Form 7 is exceptionally focused on spammers. Spam contact structure entries can be a tremendous issue for WordPress sites with high traffic, getting many spam emails every day. These are badly arranged and make it hard to recognize the authentic messages among the spam.

How To Stop Contact Form Spam?

Let’s take a look at some proven methods to prevent spam on your website.


The reCAPTCHA part of your contact form is where site visitors click to prove they’re human when submitting your form. It will block spam submissions by verifying that a human is filling out your forms and blocks most spam attempts. Visitors tend to feel better when they see it because they see you’re serious about security for your site, and it can increase form conversions.

It’s also simple for people to utilize as well. The first CAPTCHA security efforts were here and there hard for even people to get right, so Google switched things up in v2. Instead of typing a word or string of text, people can mouse over the checkbox, and the tool understands that it’s not an automated spam bot. If you use the v2 Invisible version, visitors are presented with an image-based question to make sure they’re not a spambot.

There’s also a reCAPTCHA v3 available, which uses a behind-the-scenes scoring system to track user behavior on your site and detect abusive traffic without asking visitors to do anything. Every user to your website is assigned a “spam score” based on what the tool considers suspicious activity (such as the user only navigating to the contact form and not looking at any other part of your website).

While using v3, there’s a chance you’ll prevent legitimate visitors from filling out your contact form, so you may want to use reCAPTCHA v2 instead to stop contact form spam.

If you don’t want to use Google’s anti-spam service, you can also add a custom CAPTCHA to your forms, where visitors will answer word-based or math questions before submitting their information.

2. Use A Custom CAPTCHA

With a custom CAPTCHA, you add custom word-based or irregular math inquiries to your form to battle spam form entries. Visitors should respond to your custom inquiries accurately to submit their forms. Here, visitors are asked for the answer to 2 + 8 before they can submit their form information.


With a WordPress contact form plugin, you can add a few custom word questions that are cycled through randomly on the form with each page load. The irregular numerical problems may work a little better to stop spam, so you may want to consider changing these on a semi-regular basis, for example, monthly (if your site is high-traffic) or quarterly (if it’s not). It’s up to you.

3. Use Google Invisible ReCAPTCHA

Some website owners don’t want their users to have to check a box in order to submit the contact form. This is where invisible reCAPTCHA comes in.

Invisible reCAPTCHA works just like the regular reCAPTCHA, except there’s no checkbox.

Instead, when the form is submitted, Google will determine whether it might be a bot submitting it. If so, Google will pop up the extra reCAPTCHA verification. If you want to see how it works.

You can use invisible reCAPTCHA on your WPForms contact forms. It’s very similar to the process above for using a reCAPTCHA checkbox.

The first difference is that you need to select a different option when setting up reCAPTCHA with Google. Instead of picking the ‘I’m not a robot’ checkbox option, choose ‘Invisible reCAPTCHA badge’.

Selecting the invisible reCAPTCHA option in the Google admin panel

Next, when you go to WPForms » Settings and click the ‘reCAPTCHA’ tab, you’ll need to select the ‘Invisible reCAPTCHA v2’ option:

Selecting the invisible reCAPTCHA option in WPForms

When you add the reCAPTCHA field to your contact form, it’ll now use the invisible reCAPTCHA. When users come to your form, it’ll look like this:

Contact form with the invisible reCAPTCHA active

The reCAPTCHA logo will always be on the bottom right of the screen.

If the user wants to know more about reCAPTCHA on your site, then they can click that logo. It’ll expand to show links to Google’s privacy policy and terms of service. You should also update your own site’s privacy policy.

4. Use The Honeypot Antispam Method

The honeypot method is another invisible way to protect your contact forms from spam. It hides a field in the code of your form that’s invisible to human visitors but is visible to spambots because they’re usually looking at the code of your form. These spambots are tricked into thinking it’s a valid form and so they fill it out. But your form knows that this particular field is the honeypot and rejects any submissions with it filled out (or when they’re filled out incorrectly, depending on how you’ve set it up).

Site visitors love it because it removes some of the friction they might feel when they see a challenge question, and it increases your form submission rates. There’s also the warm, secure feeling they get when they see the Google terms of service badge, which is the only thing they see when you enable this method on your form.

WPForms enables the honeypot method by default, so check your specific form builder’s settings in WordPress to make sure it’s enabled.

Honeypot Antispam Method

5. Use WordPress Antispam Plugins

You can also use antispam plugins like Akismet, WordPress Zero Spam, Antispam Bee, and JetPack that protect your entire site from spam entries.

These often work independently from your forms, protecting your website from spam comments and contact form submissions. (typically your comments and contact forms). They compare submissions to blacklists of words, names, and email addresses while some antispam plugins also let you add a CAPTCHA or other antispam method to your contact form. So before you start using any of these plugins, it is a good idea to go through their instructions and details.

6. Block Copy And Paste In Your Forms

Another way to protect your contact forms from spam is to disable right-click functionality on your WordPress site. This method will only protect your contact forms from human spammers who are copying and pasting their information into your forms. Also, you’ll have the added benefit of preventing others from stealing content from anywhere on your site.

One way is to download and install a plugin that disables right-click everywhere on your sites, such as WP Content Copy Protection & No Right Click and Disable Right Click For WP.

7. Block Traffic By IP Address

If you’re noticing a lot of spambot action on your site, you can also block traffic from the IP addresses they’re coming from to protect your content form. While it also adds an extra layer of security to your site, it can block legitimate traffic from these IPs, so use this one at your own risk.

Add the IPs you want to block to the Comment Blacklist field on the Discussion settings page of your WordPress admin panel. Advanced site owners can do this through their web host cPanel or security plugin like Sucuri.

In the end, to reduce contact form spam in WordPress, you can use a website security service like Fix Hacked Site to add security measures fields. This will help to keep your contact form spam-free and secure.