How to Stop Contact Form Spam in WordPress

Are you facing a lot of contact form spam in WordPress?

One of the greatest threats to any website using contact forms is the possibility of form abuse and spam.

Thankfully, there are ways to effectively combat contact form spam in WordPress that don’t require you to deal with it manually.

In this post, we’ll explain how you can use different techniques to block contact form spam in WordPress.

Why Contact Form Spam Is Dangerous

Contact forms on WordPress have always been easy targets for malicious spam programs. Here are some ways that spambots can harm your site by abusing contact forms:

  • Submit harmful links: Spambots with malicious intent can use your contact form to submit links that may contain malware. If any user from your team clicks the link, the malware might infect your whole organization, including your WordPress site.
  • Denial of Service (DoS): Some bots are highly efficient at repeatedly filling your forms to their limit. The goal of DoS bots is to overwhelm your website with tons of requests made in a short span of time. This may slow down your site, affect your form functionality for real users, and may even cause a site outage.
  • Hacking: Automated brute force attack programs can target sites with user registration and login forms with the goal of hacking users. This is extremely dangerous because it can lead to account takeovers, information leaks, and data losses.
  • Productivity losses: If your support staff has to filter through tons of spam entries, it affects their ability to respond to real users quickly. The impact on productivity may hurt your brand reputation and translate to lots of missed opportunities for conversions.

These are some of the ways that spam can cause a lot of trouble for your site.

But the good news is that blocking contact form spam is extremely easy. Below, we’ll show you the best tools and techniques you can use to get rid of contact form spam once and for all.

How to Stop Contact Form Spam in WordPress

To combat contact form spam successfully on your WordPress site, we recommend the following:

  1. Get a WordPress Form Plugin With Built-in Spam Protection
  2. Use WPForms Anti-Spam Tokens
  3. Include reCAPTCHA
  4. Use hCaptcha 
  5. Use Custom CAPTCHA
  6. Block URLs Inside Text Fields
  7. Use Antispam WordPress Plugins
  8. Block Email Addresses of Repeat Spammers
  9. Require Email Verification for New Users
  10. Blacklist Spammy IP Addresses

Let’s dive into it.

1. Get a WordPress Form Plugin With Built-in Spam Protection

The most important step you can take to prevent contact form spam in WordPress is to use a plugin that has strong built-in spam protection features.

There are a lot of WordPress form plugins out there, but many don’t support reliable anti-spam methods.

For the easiest automated spam prevention built into your contact form, we recommend using WPForms.

WPForms is a form builder that is extremely well-equipped to deal with contact form spam as we’ll show below.

After you install WPForms, you can choose from a number of anti-spam methods available to you.

We’ll start with the easiest yet highly reliable option first.

2. Use WPForms Anti-Spam Tokens

WPForms uses form tokens as the default spam prevention method. It is the easiest way to block contact form spam.

WPForms adds a unique token to each form that helps differentiate real users from spambots. Due to the way spambots behave, they’re unable to see the token and attach it to their form submission.

On the other hand, the token is always automatically added to the submission of a real user.

As a result, WPForms is able to ensure a smooth, distraction-free user experience while effectively blocking spambots.

The form token anti-spam tool is enabled by default in WPForms. You can access the settings for it by navigating to Settings » General from your WPForms visual interface.

Then, make sure that the toggle button next to Enable anti-spam protection is activated.

The WPForms anti-spam protection is by far the best spam-blocking technique because it’s more privacy-friendly than others and provides the best user experience.
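To show what a form token of this kind does under the hood, here is a small stand-alone PHP example. It is added here for illustration and is not WPForms’ own code: the secret constant, the function names, and the sample submissions are all made up for the example. The idea is the one described above: the server embeds a value in the rendered form that only a browser that actually loaded the form receives, and the handler rejects submissions that arrive without a valid one.

```php
<?php
// Added example (not WPForms' code): a minimal time-bound anti-spam token. A hidden field
// carries an HMAC that only a client rendering the form receives; a bot that POSTs straight
// to the handler without loading the form has no valid value to send.

const TOKEN_WINDOW_SECONDS = 3600;   // a token stays valid for roughly this long
const TOKEN_GRACE_WINDOWS  = 1;      // also accept a token from the previous window

// The secret must stay server-side and be random. In WordPress you could derive it from
// wp_salt(); here a constructed placeholder is used so the file runs stand-alone.
const TOKEN_SECRET = 'replace-with-a-long-random-server-secret';

function spam_token_make(string $form_id, ?int $now = null): string {
    $now    = $now ?? time();
    $window = intdiv($now, TOKEN_WINDOW_SECONDS);
    // The token commits to the form id and the time window, so it cannot be lifted
    // from one form and reused on another, nor replayed indefinitely.
    return $window . ':' . hash_hmac('sha256', $form_id . '|' . $window, TOKEN_SECRET);
}

function spam_token_check(string $form_id, string $token, ?int $now = null): bool {
    $now = $now ?? time();
    if (!preg_match('/^(\d+):([0-9a-f]{64})$/', $token, $m)) {
        return false;                       // missing or malformed token
    }
    $window  = (int) $m[1];
    $current = intdiv($now, TOKEN_WINDOW_SECONDS);
    // Reject windows from the future or older than the grace period.
    if ($window > $current || $current - $window > TOKEN_GRACE_WINDOWS) {
        return false;
    }
    $expected = hash_hmac('sha256', $form_id . '|' . $window, TOKEN_SECRET);
    // Constant-time comparison so the expected value does not leak through timing.
    return hash_equals($expected, $m[2]);
}

// Rendering side: the token travels in a hidden input the visitor never has to touch.
function spam_token_field(string $form_id): string {
    return '<input type="hidden" name="wpf_token" value="'
         . htmlspecialchars(spam_token_make($form_id), ENT_QUOTES, 'UTF-8') . '">';
}

// Handler side, with constructed submissions showing each outcome.
$formId  = '42';
$genuine = ['name' => 'Alice',   'wpf_token' => spam_token_make($formId)];
$botPost = ['name' => 'Buy now', 'wpf_token' => ''];   // never rendered the form
$stale   = ['name' => 'Bob',     'wpf_token' => spam_token_make($formId, time() - 3 * TOKEN_WINDOW_SECONDS)];

foreach ([$genuine, $botPost, $stale] as $post) {
    $ok = spam_token_check($formId, $post['wpf_token'] ?? '');
    echo $post['name'], ': ', $ok ? 'accepted' : 'rejected as spam', PHP_EOL;
}
```

The time window is what keeps an old copy of the form from being replayed forever, and the HMAC is what keeps a bot from simply inventing a value; neither part asks anything of the visitor, which is why this approach is so unobtrusive compared with a CAPTCHA.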

3. Include reCAPTCHA

WPForms also supports third-party spam prevention tools like Google’s reCAPTCHA. This is a very powerful method of spam protection, but setting it up takes a bit longer than simply enabling form tokens as shown in the previous step.

Currently, there are 3 different types of reCAPTCHA:

  • Checkbox reCAPTCHA v2: This reCAPTCHA version has a checkbox that a user must click to verify that they’re not a bot. If user activity seems suspicious, it might ask you to do a small image verification test to confirm that you’re a real user.
  • Invisible reCAPTCHA v2: With invisible reCAPTCHA, users don’t see a checkbox at all. Rather, this reCAPTCHA service analyzes user behavior to identify and block bots.
  • reCAPTCHA v3: Although both services above may occasionally show an image challenge, reCAPTCHA v3 works completely silently in the background. It’s an advanced spam prevention tool but it can be a little too sensitive and block human users sometimes.

To add reCAPTCHA to your form, open your WordPress admin area and go to WPForms » Settings.

Click on the CAPTCHA tab on the horizontal bar below the WPForms logo.

This page will show the available CAPTCHA options in WPForms. Select reCAPTCHA.

Now, select the reCAPTCHA version that you’d like to set up. We recommend Invisible reCAPTCHA v2 for its user-friendliness, but you can decide on other options as well.

To configure reCAPTCHA, you’ll now have to visit the reCAPTCHA site on a new browser tab and click on Admin Console.

If prompted, sign in to your Google account now. After logging in, you’ll have to provide your site’s domain name to register it.

Now, select your preferred reCAPTCHA under the reCAPTCHA type section.

Next, enter your website’s domain name under Domains. Make sure to only type the part that comes after https:// in your URL.

Then, accept the reCAPTCHA Terms of Service and check the alerts box if you’d like to receive notifications.

Click on Submit to save the settings. You’ll now see a message saying that your domain has been registered, with a site key and secret key underneath.

Switch to the browser tab where you have the WPForms » Settings page open and copy and paste the reCAPTCHA site and secret keys in the corresponding fields.

Press the Save Settings button to finish your reCAPTCHA setup.

To add the reCAPTCHA field to your form, simply use the WPForms drag and drop interface to place the field onto your form.

Your form will now display a reCAPTCHA badge on the frontend, indicating that you’ve successfully added the reCAPTCHA spam prevention to your form.

Next, we’ll look at another popular spam prevention service.

4. Use hCaptcha in Your Form

hCaptcha is very similar to Google’s reCAPTCHA but it’s a more privacy-friendly spam blocking service.

To connect hCaptcha service with WPForms, head over to WPForms » Settings from your WordPress dashboard.

On the settings page, click on the CAPTCHA tab located on the horizontal bar.

Select hCaptcha from the available options.

As before, switch to a new browser tab and visit hCaptcha to sign up with the service.

Select an hCaptcha plan. The free plan works perfectly well, so we’re going to choose that.

Set up your new hCaptcha account by following the on-screen instructions. Once you’re inside your dashboard, click on +New Site on the top-right corner of the screen.

Here, type in your domain name and press enter to proceed. Then move to the next field and type in your domain name again. Click Add new domain once you’ve added it.

You should now see a Captcha difficulty slider. Depending on how strong of a spam filter you want to apply, you can move the slider to your preferred difficulty level.

In most cases, the Moderate level of difficulty is reasonably effective at spam prevention without compromising user experience.

Use the slider to select the level of difficulty (you can always come back to readjust this if needed).

Next, you can choose an industry relevant to your site to filter hCaptcha puzzles by topics that are more familiar to your users. However, this is completely optional and you can skip it if you’d like to.

Scroll back to the top and press Save. 

Now, navigate to the Active Sites section in your hCaptcha account dashboard. Click on the Settings button next to the domain that you just added.

You should see your site key here. Copy it and paste it into the WPForms Site Key field under hCaptcha settings.

Next, press the orange Cancel button to leave this screen.

Click on the Settings tab on the top-left.

Copy your Secret Key and paste it into WPForms.

Make sure to add both keys to the relevant WPForms hCaptcha settings.

Then, click on Save to complete hCaptcha setup for WPForms.

Now, you can use the hCaptcha field when building your form using WPForms.

You should see the hCaptcha badge on the top of your form when it’s successfully added to it.

Congratulations! Your form is now protected from spam by hCaptcha.
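Both reCAPTCHA (step 3) and hCaptcha (step 4) work the same way on the server: the widget in the browser only produces a response token, and the site’s backend has to send that token together with the secret key to the provider’s siteverify endpoint and then inspect the JSON verdict. WPForms does this for you once the keys are saved. The stand-alone PHP example below is added here to show what that check consists of and where a hand-rolled integration commonly goes wrong; it is not WPForms’ code. The endpoint URLs and the response fields (success, hostname, challenge_ts, and for reCAPTCHA v3 action and score) are the providers’ documented ones; the function names and the sample verdicts are made up for the example, and the network call uses WordPress’s wp_remote_post so it is only exercised inside WordPress, while the verdict checks run anywhere.

```php
<?php
// Added example, not WPForms' code: the server-side half of reCAPTCHA / hCaptcha.
// Endpoints and response field names are the providers' documented ones; the function
// names and the constructed sample verdicts below are made up for this example.

const SITEVERIFY = [
    'recaptcha' => 'https://www.google.com/recaptcha/api/siteverify',
    'hcaptcha'  => 'https://hcaptcha.com/siteverify',
];

// Fetch the provider's verdict for a token (WordPress HTTP API; not run stand-alone).
function captcha_fetch_verdict(string $provider, string $secret, string $response, string $remoteIp): ?array {
    $result = wp_remote_post(SITEVERIFY[$provider], [
        'timeout' => 5,
        'body'    => ['secret' => $secret, 'response' => $response, 'remoteip' => $remoteIp],
    ]);
    if (is_wp_error($result) || wp_remote_retrieve_response_code($result) !== 200) {
        return null;   // a provider outage is "unverified", never "verified"
    }
    $json = json_decode(wp_remote_retrieve_body($result), true);
    return is_array($json) ? $json : null;
}

// Decide whether a verdict clears the submission. Looking only at "success" is a common
// mistake: a token solved on a different hostname or for a different action still has
// success=true, so those fields must be checked too.
function captcha_verdict_ok(?array $v, string $expectedHost, ?string $expectedAction = null,
                            float $minScore = 0.5, int $maxAgeSeconds = 120): bool {
    if ($v === null || empty($v['success'])) {
        return false;
    }
    // The challenge must have been solved on our own site.
    if (!isset($v['hostname']) || strcasecmp($v['hostname'], $expectedHost) !== 0) {
        return false;
    }
    // Tokens are single-use at the provider; additionally reject ones solved long ago.
    if (isset($v['challenge_ts'])) {
        $solved = strtotime($v['challenge_ts']);
        if ($solved === false || time() - $solved > $maxAgeSeconds) {
            return false;
        }
    }
    // reCAPTCHA v3 (and scoring hCaptcha plans) add an action name and a 0..1 score.
    if ($expectedAction !== null && (($v['action'] ?? '') !== $expectedAction)) {
        return false;
    }
    if (isset($v['score']) && (float) $v['score'] < $minScore) {
        return false;
    }
    return true;
}

// Constructed sample verdicts in the shape the providers return, to exercise the checks offline.
$samples = [
    'solved on our site'      => ['success' => true,  'challenge_ts' => gmdate('c'), 'hostname' => 'example.com'],
    'token from another site' => ['success' => true,  'challenge_ts' => gmdate('c'), 'hostname' => 'other.example'],
    'invalid token'           => ['success' => false, 'error-codes' => ['invalid-input-response']],
    'v3 low score'            => ['success' => true,  'challenge_ts' => gmdate('c'), 'hostname' => 'example.com',
                                  'action' => 'contact', 'score' => 0.1],
];
foreach ($samples as $label => $verdict) {
    $action = isset($verdict['action']) ? 'contact' : null;
    echo str_pad($label, 26), captcha_verdict_ok($verdict, 'example.com', $action) ? 'accept' : 'reject', PHP_EOL;
}
```

The hostname check is the one most often left out, and it is what stops a token obtained elsewhere from being replayed against your form. The score threshold for reCAPTCHA v3 is the knob behind the sensitivity mentioned in step 3: a higher minimum blocks more bots but also more real people.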

5. Use Custom CAPTCHA

We’re big fans of custom CAPTCHA because it’s very effective and doesn’t require image-based challenges that can sometimes be a bit tricky for real users.

WPForms Pro users can get the Custom CAPTCHA addon to include simple math-based quizzes in your forms for spam prevention.

To set up Custom CAPTCHA, launch the form builder interface.

Then, find the Custom CAPTCHA field under the Fancy Fields section. If you don’t have the Custom CAPTCHA addon yet, this field will be semi-transparent. Click on it and you’ll be prompted to install the addon.

When a popup appears, click on Yes, Install and Activate to proceed.

The installation will take only 2-5 seconds to complete. The popup will display a success message once the Custom CAPTCHA addon is active. Click Yes, Save and Refresh to continue.

Now, drag and drop the Custom CAPTCHA field into your form. Click on the field once it’s added to your form to access its settings.

Here, you can select the type of CAPTCHA (math or custom question and answer) and add a description.

If you choose Math, WPForms will automatically generate a simple arithmetic question that users must answer correctly. Spambots can’t answer these math questions, which is why this Custom CAPTCHA is a very effective contact form spam prevention technique.

Alternatively, you may choose Question and Answer as your CAPTCHA type. This allows you to create a question and set its correct answer.

You can add multiple questions by using the blue (+) icon next to the question field in settings.

Make sure to Save your form after you’re done making changes.

6. Block URLs Inside Text Fields

Many spambots are designed to distribute phishing links through contact forms. Sometimes, there may even be a real person submitting malicious links using your forms. As you know, CAPTCHA and form tokens can’t stop a real human spammer.

So if you’re receiving suspicious links through your form, you might want to block URL submissions in your form fields entirely.

You can block URLs in your form fields by adding a PHP script. If you want to learn about adding code snippets to your forms, see this tutorial on adding custom PHP for WPForms.

Use the code snippet below to block URLs within the Single Line Text and Paragraph Text fields of your form.

/*
 * Block URLs from inside form on Single Line Text and Paragraph Text form fields
 *
 * @link https://wpforms.com/developers/how-to-block-urls-inside-the-form-fields/
 */

function wpf_dev_check_for_urls( $field_id, $field_submit, $form_data ) {

    // Case-insensitive search, so that "HTTP://" and "WWW." are caught as well as lowercase.
    if ( stripos( $field_submit, 'http' ) !== false || stripos( $field_submit, 'www.' ) !== false ) {
        // Registering an error for this field makes WPForms reject the submission and show the message.
        wpforms()->process->errors[ $form_data['id'] ][ $field_id ] = esc_html__( 'No URLs allowed.', 'wpforms' );
        return;
    }

}

add_action( 'wpforms_process_validate_textarea', 'wpf_dev_check_for_urls', 10, 3 );
add_action( 'wpforms_process_validate_text', 'wpf_dev_check_for_urls', 10, 3 );

When you have added the above code to your form, WPForms will display a “No URLs allowed” error if a user tries to submit a link into your text fields.

7. Use Antispam WordPress Plugins

There are several powerful antispam plugins available for WordPress. Most of these plugins work by scanning databases of known spam content including patterns of words that appear repeatedly in spam, common links, email addresses, and even IP addresses of users and bots.

Some popular WordPress antispam tools are Akismet and Jetpack. Remember that these plugins operate across your whole site, so they’ll not only limit contact form spam but also reduce spam comments on your blog.

Using these spam prevention WordPress plugins along with other techniques that we’ve shown above is a great combination for enhancing your overall site security.

8. Block Email Addresses of Repeat Spammers

The email address field can be quite handy when it comes to filtering human spammers. Since human spammers can easily bypass CAPTCHA and form tokens, you need extra safeguards to block them.

In cases where a website is frequently receiving spam from similar email addresses, blocking suspect email addresses is the way to go.

To block an email address, click on the Email field in WPForms. Then, select the Advanced tab on the left-hand pane.

Scroll down and click on the Allowlist / Denylist dropdown, then select Denylist.

Now you can add email addresses that you want to block submissions from in the box under the Denylist option. You can enter multiple email addresses separated by commas.

You can use an asterisk * to block email addresses with a partial match.

For instance, using an asterisk before an email domain (such as *@domain.com) will restrict all email addresses at that domain from submitting entries.

Or you can also block an email address starting with a particular username by putting an asterisk after it (such as example*).

These rules are great when you’re receiving spam from email addresses at the same domain or username.

Make sure to Save your form after building your blocklist.
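For readers who want to see how a wildcard denylist like this is evaluated, here is a stand-alone PHP example, added for illustration and not WPForms’ own implementation. It takes the comma-separated setting described above, turns each entry into an anchored pattern in which only the asterisk is a wildcard, and tests submitted addresses against it; the denylist entries and addresses are constructed samples, and the function names are made up for the example.

```php
<?php
// Added example, not WPForms' code: matching submitted addresses against a denylist
// that uses "*" as a wildcard, as in "*@domain.com" or "example*".

// Turn one denylist entry into an anchored, case-insensitive regex. Everything except "*"
// is quoted literally, so the dot in "spam.example" stays a dot and cannot match other text.
function denylist_entry_to_regex(string $entry): string {
    $quoted = preg_quote(trim($entry), '~');      // escapes "*" to "\*" along with the rest
    return '~^' . str_replace('\*', '.*', $quoted) . '$~i';
}

function email_is_denied(string $email, array $denylist): bool {
    $email = trim($email);
    foreach ($denylist as $entry) {
        if ($entry !== '' && preg_match(denylist_entry_to_regex($entry), $email) === 1) {
            return true;
        }
    }
    return false;
}

// Parse the box content as a comma-separated list, which is how the setting is entered.
function denylist_from_setting(string $setting): array {
    return array_values(array_filter(array_map('trim', explode(',', $setting)), 'strlen'));
}

// Constructed denylist: a whole domain, a username prefix, and one exact address.
$denylist = denylist_from_setting('*@spam.example, promo*, exact@mail.example');

$submissions = ['anyone@spam.example', 'promo2024@mail.example', 'alice@mail.example',
                'Promo@Mail.Example', 'exact@mail.example'];
foreach ($submissions as $address) {
    echo str_pad($address, 26), email_is_denied($address, $denylist) ? 'blocked' : 'allowed', PHP_EOL;
}
```

Anchoring the pattern at both ends matters: without it, an entry such as example* would also match anyone whose address merely contains "example" somewhere, which is broader than the username-prefix rule described above.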

9. Require Email Verification for New Users

Real spammers and bots can use fake emails to try and sign up to your site (assuming that you allow users to register). An easy way to discourage spammers from signing up with fake emails is by requiring email verification, which is an extra step that spammers don’t have the patience for.

WPForms allows you to set up email verification before a new user can register their account.

To add email verification, click on Settings » User Registration from the left-hand pane within the WPForms interface.

Note: You’ll need the User Registration addon for WPForms to access these settings. If you don’t have it, see how to create a user registration form.

Then, click on Enable User Registration.

Activate the Enable User Activation toggle button.

This will expand a new menu where you can select your activation type as User Email.

Now, whenever a user tries to register an account on your site, they will have to provide a valid email address to receive the registration link. That means no spam from users with fake emails!

10. Blacklist Spammy IP Addresses

Blocking the IP addresses of spammers is not as effective as the other methods on this list because it’s easy to change an IP address using proxies and VPN services.

But if you notice a pattern of repeat spammers returning to your site, you can block their IP address to deny them access to your entire WordPress site.

To restrict users by IP address, go to Settings » Discussion from your WordPress dashboard, and enter the IP addresses that you want to block in the Disallowed Comment Keys box. If you have multiple IP addresses to block, make sure to add each IP address in a new line.

But how are you going to find IP addresses of spammers in the first place? For this, you’ll need to add the {user_ip} smart tag in your WPForms email notifications content.

Now, when you receive an email notification for a form submission, it will include their IP address within the email content.

If you notice that spam entries are coming from similar IP addresses, simply note them down and add them to the WordPress IP blocklist as shown above.
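The Discussion setting used above applies to comment submissions. If you also want the same addresses turned away at the form itself, the stand-alone PHP example below shows one way to do it; it is added for illustration and is not WPForms’ code. It matches the client address against single IPs or CIDR ranges, takes the address from REMOTE_ADDR unless the request came through a proxy you operate, and registers a form-level error. The denylist, the trusted proxy address, and the function names are constructed; the wpforms_process_before hook name and the 'header' error key are assumptions about WPForms internals (the page’s own URL-blocking snippet uses the same errors array) that you should confirm against the WPForms developer documentation before relying on them.

```php
<?php
// Added example, not WPForms' code: rejecting submissions from listed IPs or CIDR ranges
// at the form. Denylist and proxy address are constructed; the hook name and the 'header'
// error key are assumptions about WPForms internals (check its developer docs).

// REMOTE_ADDR is the TCP peer and cannot be forged by the client. A forwarded header can
// be, so it is only consulted when the peer is a proxy you operate.
const TRUSTED_PROXIES = ['10.0.0.5'];   // constructed example value

function client_ip(array $server): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, TRUSTED_PROXIES, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // Leftmost address is the original client; later ones were appended by proxies.
        $first = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
    }
    return $peer;
}

// True if $ip lies inside $cidr ("203.0.113.0/24") or equals a bare address. IPv4 only here.
function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false || !ctype_digit($bits) || (int) $bits > 32) {
        return false;   // a malformed entry never matches, so a typo cannot block everyone
    }
    $mask = (int) $bits === 0 ? 0 : (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

function ip_is_denied(string $ip, array $denylist): bool {
    foreach ($denylist as $entry) {
        if (ip_in_cidr($ip, trim($entry))) {
            return true;
        }
    }
    return false;
}

// Constructed denylist: one host and one range, using RFC 5737 documentation addresses.
const IP_DENYLIST = ['198.51.100.7', '203.0.113.0/24'];

// Form-level rejection inside WordPress (hook and error key are assumptions, see above).
if (function_exists('add_action')) {
    add_action('wpforms_process_before', function ($entry, $form_data) {
        if (ip_is_denied(client_ip($_SERVER), IP_DENYLIST)) {
            wpforms()->process->errors[$form_data['id']]['header'] = esc_html__('Submission rejected.', 'wpforms');
        }
    }, 10, 2);
}

// Stand-alone check of the matcher with constructed addresses.
foreach (['203.0.113.200', '198.51.100.7', '198.51.100.8', '192.0.2.1'] as $ip) {
    echo str_pad($ip, 16), ip_is_denied($ip, IP_DENYLIST) ? 'denied' : 'allowed', PHP_EOL;
}
```

The proxy handling is the part worth getting right: if your site sits behind a CDN or load balancer, REMOTE_ADDR is that proxy, and the {user_ip} you see in notifications only reflects the visitor when the forwarded header is trusted from that proxy alone. Trusting it from every peer would let any sender choose the address they appear with.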

And that’s all we have for you today! We hope this guide helped you learn useful tips for stopping contact form spam in WordPress.

Next, Apply Password Reset Email Best Practices

If you have a password reset form on your site, you’ll need to set up a clear and secure password reset email with it. Check out our article on password reset email best practices to learn important tips.

And if you’d like to improve your email deliverability, see our post on email subdomain and why you should use one.

Fix Your WordPress Emails Now

Ready to fix your emails? Get started today with the best WordPress SMTP plugin. WP Mail SMTP Elite includes full White Glove Setup and offers a 14-day money-back guarantee.

If this article helped you out, please follow us on Facebook and Twitter for more WordPress tips and tutorials.
