How to stop Contact Form 7 spam: protection & prevention

You chose Contact Form 7 over other contact form plugins due to its great reputation and simplicity. It’s no wonder that it’s one of the most used contact form plugins around today.

But its popularity also means that its users are often faced with spam issues.

Luckily, there are plenty of ways to stop Contact Form 7 Spam, including CAPTCHA, honeypots, spam filtering, and others.

Together, we’ll dive into a number of the most effective ones in this post.

Let’s get started!

Why are spam messages so prevalent in Contact Form 7?

Contact Form 7 forms are some of the most spammed contact forms in WordPress. This might seem like there’s something wrong with the plugin, but it has more to do with its popularity than any bad security practices on the part of the team maintaining it.

Its popularity increases its exposure, meaning that as the plugin is used on more sites, more spam messages are received by its users.

It also doesn’t help that many people using the plugin don’t know how to correctly configure it to prevent spam, which is a must if you don’t want to spend your free time sifting through hundreds of spam form submissions.

In the following section, we’ll show you how to effectively prevent this influx of spam messages.

Reducing Contact Form 7 spam using a CAPTCHA/reCAPTCHA solution

When you want to stop spam submissions, there are a number of tools you have at your disposal. They’re not all built equal though, so it’s important to consider the method(s) you use carefully to ensure they’re effective for your situation.

Contact Form 7 makes it really easy for you to implement a wide range of anti-spam measures, including CAPTCHA.

CAPTCHA remains one of the best methods of stopping spam form submissions.

It works by presenting suspected bots with a challenge that’s easy for humans to complete but hard for bots. By only submitting the form if the challenge is completed successfully, bot submissions are greatly reduced. Since bots send the majority of spam online these days, this will help prevent the majority of spam form submissions you receive.

Since it’s so important, we have an entire post dedicated to explaining why you need CAPTCHA on your WordPress website – check it out!

In Contact Form 7, there are two main ways of adding CAPTCHA to your form. You can use a third-party plugin or Contact Form 7’s own reCAPTCHA integration.

Third-party plugins have the benefit of offering more features and can often be used on other forms or pages on your website, too. On the flip side, however, they also introduce added complexity to your site, so it’s vital that you stick to trusted, secure plugins.

I’ll cover both options below so you can implement the one that’s right for you.

Third-party plugin

Using a third-party plugin is a good option if you require more features for your CAPTCHA integration, like the ability to use hCAPTCHA or integrate with your WooCommerce store.

I’ll be using CAPTCHA 4WP in this post, which comes with Contact Form 7 integration out of the box. It also supports hCAPTCHA and Cloudflare Turnstile, which you can’t use with Contact Form 7’s built-in CAPTCHA solution.

Lastly, and perhaps most importantly for those planning on using reCAPTCHA, it also comes with a failover for Google reCAPTCHA v3. This handy feature ensures there’s a way to handle false positives. As such, if a real person gets flagged as a bot, they will still be able to submit the contact form.

Step 1: Get and install CAPTCHA 4WP

You’ll first need to choose the plan you want.

Each plan comes with different features and a 30-day money-back guarantee, with prices starting at just $14 per year.

Since we’ll be taking advantage of hCAPTCHA for this example, I’ll be using the business plan.

After signing up for the plan of your choice, you’ll receive an email showing you how to download the plugin files.


After downloading the plugin files, head over to your WordPress dashboard and navigate to Dashboard > Plugins > Add New Plugin.
Then, click on Upload Plugin > Choose File and upload the plugin files.


Once you’ve uploaded the plugin, click on the blue Activate Plugin button to activate it.


This will take you to the setup wizard.

Step 2: Complete the setup wizard

First, you need to enter your license key.


Then click Activate License.

You’ll then be shown the following prompt:


Click Next and choose the type of CAPTCHA you want to use on your website.

I’ll be using the hCAPTCHA option for this example.


You’ll be prompted to insert your hCAPTCHA keys after clicking Next.

First, you’ll need to generate the hCAPTCHA keys, though!

To do this, go to the hCAPTCHA website and click on Sign Up at the top right.

Follow the steps to create an account until you reach this page:


Click on the blue Generate button to get your site key and secret key.

Then, go back to your WordPress dashboard, enter your site key, and click on Proceed to secret key.


Then, enter your secret key and click on Validate & proceed.


You’re now ready to start using CAPTCHA on your forms!

Step 3: Implementing CAPTCHA on your Contact Form 7 forms

Head over to your contact form under Contact > Contact Forms, then click on “Edit” under the form you want to add CAPTCHA to.

In the form section, you should see a button labeled Add CAPTCHA.


After clicking it, you should be shown a form tag to add to your form.

Click on the Insert tab and then click on Save underneath the form input.

Your form should now be using hCAPTCHA to protect it from spam.


Contact Form 7 reCAPTCHA

Contact Form 7 also has its own CAPTCHA integration, which is great for small personal/hobby websites. If you just want a very simple solution without the flexibility, added security, and extra features that third-party plugins offer, this option can work well.

The only thing to keep in mind is that it can only protect Contact Form 7 forms, so your other forms will still be vulnerable to spammers.

It uses Google reCAPTCHA, which does a pretty good job of blocking spam.

First, generate your Google reCAPTCHA keys. The linked article will show you how.

Then head over to Contact > Integration and click on the setup integration button in the section on reCAPTCHA.


Next, copy and paste the keys into the text fields, taking care to paste the site key and the secret key into the correct fields.

After clicking Save Changes your form should now be using reCAPTCHA.

Implement a honeypot

A honeypot is an additional form field that is hidden from human visitors but still present in the page’s HTML, where bots can see it. Since the code for the input field is still there, many bots will fill this form field in automatically, and a submission with a filled-in honeypot field is flagged as spam.

You can use a honeypot in combination with CAPTCHA as an additional measure. However, it shouldn’t be used as a replacement. This is because many honeypots are very easy to bypass. Third-party honeypot plugins will implement the same type of honeypot on each site they protect, so it’s enticing for spammers to develop bots tailored specifically to bypass these honeypots.

Nevertheless, it’s still a good idea to implement a honeypot in your form, as it does protect against various less advanced bots.

It’s also very easy to implement: simply download the honeypot plugin of your choice and follow the installation instructions. A good place to start is Honeypot for Contact Form 7, which is both effective and easy to implement.
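To show what a honeypot plugin is doing under the hood, here is an added example (not code from Contact Form 7 or from the Honeypot for Contact Form 7 plugin) that wires a honeypot into Contact Form 7’s own form-tag and spam-check hooks. The tag name cf7_hp and the function names are hypothetical; the hooks and methods used are Contact Form 7’s public ones.

```php
<?php
/**
 * Added illustration of a Contact Form 7 honeypot. Place it in a small
 * site-specific plugin (or functions.php), then put [cf7_hp website-url]
 * in a form template. The tag type "cf7_hp" is a made-up name for this example.
 */

// 1. Register the form tag so [cf7_hp <field-name>] is recognised in templates.
add_action( 'wpcf7_init', function () {
    wpcf7_add_form_tag( 'cf7_hp', 'cf7_hp_render_tag', array( 'name-attr' => true ) );
} );

// 2. Render the trap: a real text input that humans never see (moved off-screen,
//    removed from the tab order, excluded from autofill) but that a bot parsing
//    the HTML will treat like any other field. Do NOT use type="hidden": bots
//    commonly skip hidden inputs, which is exactly what a trap must not do.
function cf7_hp_render_tag( $tag ) {
    if ( empty( $tag->name ) ) {
        return '';
    }
    return sprintf(
        '<span style="position:absolute;left:-9999px;" aria-hidden="true">'
        . '<input type="text" name="%s" value="" tabindex="-1" autocomplete="off"></span>',
        esc_attr( $tag->name )
    );
}

// 3. On submission, a non-empty trap field marks the submission as spam.
//    Contact Form 7 then withholds the mail and shows its generic spam message.
add_filter( 'wpcf7_spam', function ( $spam, $submission ) {
    if ( $spam ) {
        return $spam; // already flagged by another check (Akismet, disallowed list, ...)
    }
    $form = $submission->get_contact_form();
    foreach ( $form->scan_form_tags( array( 'type' => 'cf7_hp' ) ) as $tag ) {
        $value = $submission->get_posted_data( $tag->name );
        if ( is_string( $value ) && '' !== trim( $value ) ) {
            // Recorded alongside the submission for later review (e.g. in Flamingo).
            $submission->add_spam_log( array(
                'agent'  => 'cf7_hp',
                'reason' => sprintf( 'Honeypot field "%s" was filled in.', $tag->name ),
            ) );
            return true;
        }
    }
    return false;
}, 10, 2 );
```

Because the field name is chosen per site, this avoids the weakness described above where every site protected by the same plugin exposes an identical trap; it still won’t stop bots that only fill visible fields, which is why it belongs alongside CAPTCHA rather than in place of it.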

Use a spam filter for your contact forms

A spam filter analyzes the content submitted in the form for common indications of spam and filters spam emails out. For example, the filter will reject the submission if it includes words related to popular spam topics, like viagra.

Although there are a number of different providers of spam filters, the most used is Akismet. Contact Form 7 has an Akismet integration that allows you to set up spam filtering on your form. You can achieve this in just a few clicks.

The only downside to using a spam filtering service like Akismet is that it costs money to use. If it’s just for a personal blog, Akismet is free/pay what you want. However, for commercial sites, you’ll have to pay.

To implement Akismet, follow this guide.

Spam filtering is a great way of reducing contact form spam and is also a great supplemental spam prevention control to CAPTCHA. Since some very advanced bots can bypass CAPTCHA, an additional spam filter catches what slips through so that spam emails don’t reach your inbox.

However, if you want a free solution that can still help filter out some of your form submissions, you can use Contact Form 7’s disallowed list.

Disallowed list

Contact Form 7 can use the disallowed list feature WordPress offers to block messages containing specific words as well as specific IP addresses. Although it’s far from the level of spam filtering you get with Akismet and other specially designed spam filters, it can be a great way to block obvious spam form submissions.

To use this, simply head over to Settings > Discussion. Fill in the keywords you want to filter for in the Disallowed Comment Keys section and Save Changes.


Be careful not to go overboard. Each entry matches anywhere inside the submitted text, so you can accidentally block real form submissions if you include words that your real visitors may use in their messages.

Form validation

Form validation can help reduce spam form submissions, especially when it comes to spam that contains just a few characters. For example, you can add a minimum and maximum number of characters that the content inside of a form field needs to include to prevent these random, short spam messages from being sent to you.

More information about text fields and how to add min/max character lengths can be found here.

Use the Contact Form 7 quiz functionality

You can add a short quiz to your contact form as an alternative to CAPTCHA using the Contact Form 7 quiz feature. This feature makes users answer a question before being able to submit the form, much like CAPTCHA does.

Although this can be reasonably effective at stopping basic bots, it’s far less effective than a real CAPTCHA solution, so it is not recommended as a replacement for one. It also forces all users to answer the question, which creates more friction, and it can result in more false positives. If it’s just for a small website or blog, however, it can be a good fit.

You can use the quiz feature by adding a simple tag to your form.

For example, a capital-city quiz tag:

[quiz capital-quiz "What’s the capital of England?|London"]

And the math quiz tag:

[quiz math-quiz "1+1=?|2"]

Frequently Asked Questions

How do I stop spam in Contact Form 7?

The best way to stop spam in Contact Form 7 is by implementing a CAPTCHA solution. This can be done using the reCAPTCHA integration built into the plugin or by using a third-party plugin like CAPTCHA 4WP, which often provides more features and customization options.
Although CAPTCHA is the most effective way of preventing contact form spam, there are other techniques you can use to reduce the amount of spam you receive. These include implementing a honeypot, using spam filtering on your contact form submissions, and using effective form validation.

Does Akismet protect Contact Form 7?

Not by default, but it’s a highly recommended integration to make use of. Akismet offers a form of spam filtering based on the text that users input. By identifying common words, phrases, emails, and other text inputs used by spammers, it helps to filter out a lot of spam.

Is Contact Form 7 secure?

Although bugs and vulnerabilities can (and often do) creep into all software, including WordPress plugins, the most up-to-date version of Contact Form 7 is considered secure. However, the same cannot be said for older versions. As such, it’s important to keep this (and other) plugin(s) updated.

Why use Contact Form 7 in WordPress?

It is one of the most-used contact form plugins in WordPress. It’s secure and offers many different integrations. It’s also very well documented, and there are tons of tutorials online showing you how to use the plugin and how to resolve common and not-so-common issues.

How do I use reCAPTCHA in Contact Form 7?

Contact Form 7 has its own reCAPTCHA integration you can use to implement reCAPTCHA in your form. However, if you want something more granular or you want to use other forms of CAPTCHA, like hCAPTCHA or Cloudflare Turnstile, a plugin like CAPTCHA 4WP can be a good option. Not only does it offer more features and functionality, it also allows you to secure other forms/pages on your site.

Why is CAPTCHA not working in Contact Form 7?

There are a number of reasons why CAPTCHA may not be working in Contact Form 7, including incorrect installation/integration or a bug (especially if it was caused by a recent update). If you’re using CAPTCHA 4WP and you’re experiencing issues, please reach out to customer support to let us know.

Do these methods protect against spam comments as well as spam contact form submissions?

Although this post is specifically about preventing Contact Form 7 spam, the methods covered can also help protect against spam sent through other forms on your WordPress websites, including spam comments and email list registrations. For example, the Akismet plug-in automatically checks for the publishing of malicious content, and CAPTCHA 4WP can block bots from submitting this content in the first place.

Posted in WordPress Management
Bram Vergouwen

Bram is a freelance copywriter and (technical) SEO with experience in various web development technologies, including WordPress. When he’s not writing content or working on websites, you’ll find Bram enjoying time in nature or meeting up with friends. You can reach Bram at bram@melapress.com
