Spam is an enormous issue with contact forms on WordPress sites – both the sites we design and on a global scale. As the most mainstream free WordPress contact form plugin, Contact Form 7 is exceptionally focused on spammers. Spam contact structure entries can be a tremendous issue for WordPress sites with high traffic, getting many spam emails every day. These are badly arranged and make it hard to recognize the authentic messages among the spam.
The reCAPTCHA part of your contact form is where site visitors click to prove they’re human when submitting your form. It will block spam submissions by verifying that a human is filling out your forms and blocks most spam attempts. Visitors tend to feel better when they see it because they see you’re serious about security for your site, and it can increase form conversions.
It’s also simple for people to utilize as well. The first CAPTCHA security efforts were here and there hard for even people to get right, so Google switched things up in v2. Instead of typing a word or string of text, people can mouse over the checkbox, and the tool understands that it’s not an automated spam bot. If you use the v2 Invisible version, visitors are presented with an image-based question to make sure they’re not a spambot.
There’s also a reCAPTCHA v3 available, which uses a behind-the-scenes scoring system to track user behavior on your site and detect abusive traffic without asking visitors to do anything. Every user to your website is assigned a “spam score” based on what the tool considers suspicious activity (such as the user only navigating to the contact form and not looking at any other part of your website).
While using v3, there’s a chance you’ll prevent legitimate visitors from filling out your contact form, so you may want to use reCAPTCHA v2 instead to stop contact form spam.
If you don’t want to use Google’s anti-spam service, you can also add a custom CAPTCHA to your forms, where visitors will answer word-based or math questions before submitting their information.
With a custom CAPTCHA, you add custom word-based or irregular math’s inquiries to your form to battle spam form entries. Visitors should respond to your custom inquiries accurately to submit their forms. Here, visitors are asked for the answer to 2 + 8 before they can submit their form information.
A WordPress contact form plugin, you can add a few custom word questions that are cycled through randomly on the form with each page load. The irregular numerical problems may work a little better to stop spam, so you may want to consider changing these on a semi-regular basis, for example, monthly (if your site is high-traffic) or quarterly (if it’s not). It’s up to you.
Some website owners don’t want their users to have to check a box in order to submit the contact form. This is where invisible reCAPTCHA comes in.
Invisible reCAPTCHA works just like the regular reCAPTCHA, except there’s no checkbox.
Instead, when the form is submitted, Google will determine whether it might be a bot submitting it. If so, Google will pop up the extra reCAPTCHA verification. If you want to see how it works.
You can use invisible reCAPTCHA on your WPForms contact forms. It’s very similar to the process above for using a reCAPTCHA checkbox.
The first difference is that you need to select a different option when setting up reCAPTCHA with Google. Instead of picking the ‘I’m not a robot’ checkbox option, choose ‘Invisible reCAPTCHA badge’.
Next, when you go to WPForms » Settings and click the ‘reCAPTCHA’ tab, you’ll need to select the ‘Invisible reCAPTCHA v2’ option:
When you add the reCAPTCHA field to your contact form, it’ll now use the invisible reCAPTCHA. When users come to your form, it’ll look like this:
The reCAPTCHA logo will always be on the bottom right of the screen.
The honeypot method is another invisible way to protect your contact forms from spam. It hides a field in the code of your form that’s invisible to human visitors but is visible to spambots because they’re usually looking at the code of your form. These spambots are tricked into thinking it’s a valid form and so they fill it out. But your form knows that this particular field is the honeypot and rejects any submissions with it filled out (or when they’re filled out incorrectly, depending on how you’ve set it up).
Site visitors love it because it removes some of the friction they might feel when they see a challenge question, and it increases your form submission rates. There’s also the warm, secure feeling they get when they see the Google terms of service badge, which is the only thing they see when you enable this method on your form.
WPForms enables the honeypot method by default, so check your specific form builder’s settings in WordPress to make sure it’s enabled.
You can also use antispam plugins like Akismet, WordPress Zero Spam, Antispam Bee and JetPack that protect your entire site from spam entries.
These often work independently from your forms, protecting your website from spam comments and contact form submissions. (typically your comments and contact forms). They compare submissions to blacklists of words, names, and email addresses while some antispam plugins also let you add a CAPTCHA or other antispam method to your contact form. So before you start using any of these plugins, it is a good idea to go through their instructions and details.
Another way to protect your contact forms from spam is to disable right-click functionality on your WordPress site. This method will only protect your contact forms from human spammers who are copying and pasting their information into your forms. Also, you’ll have the added benefit of preventing others from stealing content from anywhere on your site.
One way is to download and install a plugin that disables right-click everywhere on your sites, such as WP Content Copy Protection & No Right Click and Disable Right Click For WP.
If you’re noticing a lot of spambot action on your site, you can also block traffic from the IP addresses they’re coming from to protect your content form. While it also adds an extra layer of security to your site, it can block legitimate traffic from these IPs, so use this one at your own risk.
Add the IPs you want to block to the Comment Blacklist field on the Discussion settings page of your WordPress admin panel. Advanced site owners can do this through their web host cPanel or security plugin like Sucuri.
We keep using fixhackedsite with all sorts of client issues, they don’t waste any time. Excellent!
Great service! We were in a bad place after having been let down by another company. Thank you fixhackedsite!