Spam on your contact form can be annoying. You (or your moderator) have better things to do than spending hours filtering the submissions you receive on your contact forms. Spam not only wastes your time but can also sometimes lead to security issues, such as malware and hacking attempts. Apart from a few (crazy) people who are obsessed with submitting forms with deceptive information, most spammers use automated scripts or bots to send thousands of spam messages to websites, which can be difficult to manage and filter out.

But does this mean you’re out of options when it comes to dealing with spam submissions other than filtering them manually? Not at all!  

In this article, we’ll discuss 4 effective ways that can help you prevent WordPress contact form spam. Using them together can provide you with comprehensive protection against spam. Here’s our list. 

Table of Contents
1. Enable reCAPTCHA
2. Limit form submissions
3. Use Honeypot technique
4. Use Akismet
Final thoughts on dealing with WordPress Contact Form spam

1. Enable reCAPTCHA

reCAPTCHA is a technology from Google that helps website owners verify whether a user is a human or a bot. It uses a combination of machine learning and human input to distinguish between legitimate and automated form submissions. When a user submits a form, they come across a challenge, such as identifying objects in an image or solving simple math problems that only a human can solve.

One of the cons of reCAPTCHA is that it may negatively impact user experience. People may get annoyed when they have to face ridiculous, or sometimes hard, questions (which some reCAPTCHA challenges do include) before accessing a form. As a result, they might abruptly quit the form submission process.

Opting for silent CAPTCHA (or no CAPTCHA) is one way to avoid the bad user experience that comes with reCAPTCHA. Unlike traditional CAPTCHAs that require users to solve a puzzle, silent CAPTCHAs use machine learning algorithms to analyse user behaviour and determine the likelihood of the user being a bot. They monitor the user’s behaviour, such as mouse movement, keystrokes, and time spent on the page, to build a profile of the user and determine whether they are likely to be a bot. If the system detects bot activity, it may require the user to complete a reCAPTCHA to prove that they are human.

How to enable reCAPTCHA on your WordPress site

To enable reCAPTCHA on your WordPress site, you first need to obtain an API key from Google, then install and configure a plugin (WPForms, Contact Form 7, or Gravity Forms). The plugin will handle the integration with reCAPTCHA and provide options to customise the challenge and response settings.

Check out this article to learn how to properly add captcha to WordPress Contact Form 7

2. Limit Form Submissions

Not all bot attacks are the same in nature. Spammers sometimes overwhelm your website with automated submissions in a denial-of-service (DoS) attack. DoS attacks are a type of cyber attack where the attacker floods a server with a large number of requests, causing it to crash or become unresponsive. You can combat such bots by limiting the number of form submissions you receive from the same IP address or within a specific time frame.

How to limit form submissions in WordPress using a plugin

Several WordPress form plugins, including Gravity Forms and WordPress Contact Form 7, come with a feature to limit such submissions. You can configure them to restrict the number of submissions from the same IP address or within a certain period, and set up notification or redirection options for users who exceed the limit.

You can generally enable it by navigating to the form editor and visiting “Form Settings”. On Form settings, you usually have a “Limit Submissions” tab where you can check and specify the number of submissions you want to allow. Alternatively, you may also limit submissions by resetting the submission count at a specific time or date.
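
The per-IP, per-time-frame limit described above can be sketched as a sliding-window counter. This is an added example, not code from any of the plugins named here; the class name, the limit of 3 submissions per 600 seconds, and the sample addresses are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque


class SubmissionLimiter:
    """Accept at most `limit` submissions per IP in any `window`-second span."""

    def __init__(self, limit=3, window=600, clock=time.monotonic):
        self.limit, self.window = limit, window
        self.clock = clock                    # injectable so runs are repeatable
        self._accepted = defaultdict(deque)   # ip -> times of accepted submissions

    def _recent(self, ip, now):
        times = self._accepted[ip]
        while times and now - times[0] >= self.window:
            times.popleft()                   # aged out of the window
        return times

    def allow(self, ip):
        """Record and accept the submission, or return False when over the limit."""
        now = self.clock()
        times = self._recent(ip, now)
        if len(times) >= self.limit:
            return False                      # rejected attempts are not counted
        times.append(now)
        return True

    def retry_after(self, ip):
        """Seconds until this IP may submit again (0 if it may submit now)."""
        now = self.clock()
        times = self._recent(ip, now)
        if len(times) < self.limit:
            return 0
        return self.window - (now - times[0])


def replay(events, limit=3, window=600):
    """Feed constructed (seconds, ip) events to a limiter; return its verdicts."""
    now = [0]
    limiter = SubmissionLimiter(limit, window, clock=lambda: now[0])
    verdicts = []
    for seconds, ip in events:
        now[0] = seconds
        verdicts.append(limiter.allow(ip))
    return verdicts


# Constructed sample: one address bursts, another submits once.
SAMPLE = [(0, "203.0.113.7"), (5, "203.0.113.7"), (9, "203.0.113.7"),
          (12, "203.0.113.7"), (20, "198.51.100.4"), (610, "203.0.113.7")]
```

Key the limiter on the connection's remote address rather than a client-supplied header such as `X-Forwarded-For`, unless that header is set by a proxy you control. Visitors behind a shared address (office NAT, mobile carriers) count as one client, so keep the limit generous enough for them.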

3. Use Honeypot Technique

The Honeypot technique is another method to avoid WordPress Contact Form spam. It works by adding a hidden form field that only bots will fill out. When a bot fills out the honeypot field, it triggers an action that blocks the form submission or marks it as spam. Since the honeypot field is hidden from the user’s view, it does not affect human interaction with the contact form. It can be an excellent non-intrusive way to block spam submissions.

How to implement honeypot technique on WordPress contact forms

WordPress form plugins like WPForms, Gravity Forms, and Contact Form 7 allow you to add a honeypot field to your form. Here’s a step-by-step guide to incorporate honeypot on your forms:

Step 1. Install and activate a Honeypot plugin: You can add a Honeypot field to your form through most WordPress form plugins. Some plugins, such as WPForms, include a built-in Honeypot feature that you just need to activate in the settings. Alternatively, you can install and activate security plugins like Antispam Bee that come with honeypot features.

Step 2. Create a Honeypot field: Once you have activated the Honeypot, create a new form or edit your existing form and add a new field to the form. Then label it as a honeypot field. Make sure the field is not visible to human users by hiding it using CSS. Don’t worry if you don’t have coding knowledge: you can copy and paste the code from Stack Overflow.

Step 3. Configure the Honeypot settings: After creating a Honeypot field, configure the Honeypot settings to make sure that the form submission is rejected if the Honeypot field is filled out. You may also configure other settings, such as the ‘time delay before the form submission is rejected’ if you wish to.

After making sure you’ve installed and activated the Honeypot correctly, don’t forget to test the form to ensure the Honeypot field is working the way you want. Alternatively, if you have coding knowledge, you can add the Honeypot code manually to your form using HTML.
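
A server-side version of the check in Steps 2 and 3, as an added example that is not taken from WPForms, Gravity Forms, Contact Form 7 or Antispam Bee. The field names `website_url` and `form_token`, the 3-second and one-hour bounds, and the signed render-time token are assumptions for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"replace-with-a-random-server-side-secret"  # placeholder, keep private
HONEYPOT = "website_url"       # hypothetical decoy field name
MIN_FILL, MAX_AGE = 3, 3600    # assumed bounds, in seconds

# Decoy markup (constructed): hidden by CSS, out of the tab order,
# and browsers are asked not to autofill it.
DECOY_HTML = ('<input type="text" name="website_url" class="hp-field" '
              'tabindex="-1" autocomplete="off" aria-hidden="true">')
DECOY_CSS = ".hp-field { position: absolute; left: -9999px; }"


def _mac(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None):
    """Value for a hidden 'form_token' field: render time plus an HMAC over it."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(ts)}"


def screen(fields, now=None):
    """Return (accepted, reason) for a dict of posted form fields."""
    now = time.time() if now is None else now
    # 1. The decoy must come back empty; a person never sees it.
    if fields.get(HONEYPOT, "").strip():
        return False, "honeypot filled"
    # 2. The render time must carry a valid MAC so a bot cannot backdate it.
    ts, _, mac = fields.get("form_token", "").partition(".")
    if not ts.isdigit() or not hmac.compare_digest(mac.encode(), _mac(ts).encode()):
        return False, "bad token"
    # 3. Too fast looks automated; too old stops a harvested token being reused.
    age = now - int(ts)
    if age < MIN_FILL:
        return False, "submitted too fast"
    if age > MAX_AGE:
        return False, "token expired"
    return True, "ok"
```

When testing the form, also try it with browser autofill and a password manager enabled, since a decoy they fill in would reject a genuine visitor.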

4. Use Akismet

Akismet is a spam-filtering plugin from Automattic, the company behind WordPress. It uses machine learning algorithms and feedback from users to detect and block spam messages on your website. In addition to filtering contact form spam, Akismet also protects your site from other common forms of spam like comments and trackbacks.

How to install and set up Akismet on WordPress

To use Akismet, you first need to obtain an API key from Automattic. Once you have the key, you can install and activate the Akismet plugin on your WordPress site, and configure the settings to filter out spam messages on your contact forms. Here’s a step-by-step guide on how to do it:

Step 1. Install and activate the Akismet plugin: Log in to your WordPress dashboard, go to the “Plugins” section, and click “Add New”. On the search bar, search for “Akismet” and install the plugin. Once installed, activate the plugin.

Step 2. Get an API key: You need to get an API key from the Akismet website to use it. The API key is free for personal use, but you need to pay for commercial use. You can get a free API key by visiting the Akismet website and signing up for an account.

Step 3. Enter the API key: Once you have an API key, go to the “Akismet” settings page in your WordPress dashboard, enter the API key in the “API key” field, and click “Connect with API key”. Akismet will now connect to the Akismet servers and activate the plugin.

Step 4. Configure the settings: After you have activated Akismet, you can configure the plugin settings according to your preferences. You can choose to automatically delete spam comments, send notifications for spam comments, or manually review all comments before they are published.

Once you’ve installed and activated Akismet, note that it will automatically filter spam comments and trackbacks, and move them to the “Spam” queue. To make sure that legitimate comments are not marked as spam, you need to check the spam queue regularly.

Final thoughts on dealing with WordPress Contact Form spam

You can significantly reduce the amount of spam that your contact forms receive by implementing some or all of the techniques discussed in this article. However, keep in mind that your safety measures shouldn’t make it hard for genuine leads to fill out and submit forms. After all, forms are useless if they’re not helping you generate leads. Therefore, always make sure you test your tools and improve them based on feedback.

If you’re generating leads via WordPress forms, use Privyr to boost your conversion rates. Privyr is a mobile-first CRM that provides you with instant lead alerts and allows you to contact your leads within seconds of them submitting their details, all from the comfort of your smartphone. It also helps you streamline your sales process by helping you manage your leads, follow-ups, and so many other steps that would normally take hours if done manually.


Michael is a content writer at Privyr, a mobile CRM that helps consumer-facing sales professionals convert leads into clients from their phones. A writer from the heart and marketer from the mind, he has been helping businesses from around the world create and execute successful content marketing strategies for their brands since 2018.