How to stop Contact Form 7 spam: protection & prevention

You chose Contact Form 7 over other contact form plugins due to its great reputation and simplicity. It’s no wonder that it’s one of the most used contact form plugins around today.

But its popularity also means that its users are often faced with spam issues.

Luckily, there are plenty of ways to stop Contact Form 7 spam, including CAPTCHA, honeypots, spam filtering, and others.

Together, we’ll dive into a number of the most effective ones in this post.

Let’s get started!

Why are spam messages so prevalent in Contact Form 7?

Contact Form 7 forms are some of the most spammed contact forms in WordPress. This might seem like there’s something wrong with the plugin, but it has more to do with its popularity than any bad security practices on the part of the team maintaining it.

Its popularity increases its exposure, meaning that as the plugin is used on more sites, more spam messages are received by its users.

It also doesn’t help that many people using the plugin don’t know how to correctly configure it to prevent spam, which is a must if you don’t want to spend your free time sifting through hundreds of spam form submissions.

In the following section, we’ll show you how to effectively prevent this influx of spam messages.

Reducing Contact Form 7 spam using a CAPTCHA/reCAPTCHA solution

When you want to stop spam submissions, there are a number of tools you have at your disposal. They’re not all built equal though, so it’s important to consider the method(s) you use carefully to ensure they’re effective for your situation.

Contact Form 7 makes it really easy for you to implement a wide range of anti-spam measures, including CAPTCHA.

CAPTCHA remains one of the best methods of stopping spam form submissions.

It works by presenting suspected bots with a challenge that’s easy for humans to complete but hard for bots. By only submitting the form if the challenge is completed successfully, bot submissions are greatly reduced. Since bots send the majority of spam online these days, this will help prevent the majority of spam form submissions you receive.

Since it’s so important, we have an entire post dedicated to explaining why you need CAPTCHA on your WordPress website – check it out!

In Contact Form 7, there are two main ways of adding CAPTCHA to your form. You can use a third-party plugin or Contact Form 7’s own reCAPTCHA integration.

Third-party plugins have the benefit of offering more features and can often be used on other forms or pages on your website, too. On the flip side, however, they also introduce added complexity to your site, so it’s vital that you stick to trusted, secure plugins.

I’ll cover both options below so you can implement the one that’s right for you.

Third-party plugin

Using a third-party plugin is a good option if you require more features for your CAPTCHA integration, like the ability to use hCAPTCHA or integrate with your WooCommerce store.

I’ll be using CAPTCHA 4WP in this post, which comes with Contact Form 7 integration out of the box. It also has the ability to use hCAPTCHA and Cloudflare Turnstile – something you can’t do with Contact Form 7’s built-in CAPTCHA solution.

Lastly, and perhaps most importantly for those planning on using reCAPTCHA, it also comes with a failover for Google reCAPTCHA v3. This handy feature ensures there’s a way to handle false positives. As such, if a real person gets flagged as a bot, they will still be able to submit the contact form.

Step 1: Get and install CAPTCHA 4WP

You’ll first need to choose the plan you want.

Each plan comes with different features and a 30-day money-back guarantee, with prices starting at just $14 per year.

Since we’ll be taking advantage of hCAPTCHA for this example, I’ll be using the business plan.

After signing up for the plan of your choice, you’ll receive an email showing you how to download the plugin files.

After downloading the plugin files, head over to your WordPress dashboard and navigate to Dashboard > Plugins > Add New Plugin.
Then, click on Upload Plugin > Choose File and upload the plugin files.

Once you’ve uploaded the plugin, click on the blue Activate Plugin button to activate it.

This will take you to the setup wizard.

Step 2: Complete the setup wizard

First, you need to enter your license key.

Then click Activate License.

You’ll then be shown the following prompt:

Click Next and choose the type of CAPTCHA you want to use on your website.

I’ll be using the hCAPTCHA option for this example.

You’ll be prompted to insert your hCAPTCHA keys after clicking Next.

First, you’ll need to generate the hCAPTCHA keys, though!

To do this, go to the hCAPTCHA website and click on Sign Up at the top right.

Follow the steps to create an account until you reach this page:

Click on the blue Generate button to get your secret key.

Then, go back to your WordPress dashboard, enter your site key, and click on Proceed to secret key.

Then, enter your secret key and click on Validate & proceed.

You’re now ready to start using CAPTCHA on your forms!

Step 3: Implementing CAPTCHA on your Contact Form 7 forms

Head over to your contact form under Contact > Contact Forms, then click on “Edit” under the form you want to add CAPTCHA to.

In the form section, you should see a button labeled Add CAPTCHA.

You should be shown a form tag to add to your form after clicking it.

Click on Insert Tag and then click on Save underneath the form input.

Your form should now be using hCAPTCHA to protect it from spam.


Contact Form 7 reCAPTCHA

Contact Form 7 also has its own CAPTCHA integration, which is great for small personal/hobby websites. If you just want a very simple solution without the flexibility, added security, and extra features that third-party plugins offer, this option can work well. 

The only thing to keep in mind is that it can only protect Contact Form 7 forms, so your other forms will still be vulnerable to spammers.

It uses Google reCAPTCHA, which does a pretty good job of blocking spam.

First, generate your Google reCAPTCHA keys. The linked article will show you how.

Then head over to Contact > Integration and click on the setup integration button in the section on reCAPTCHA.

Next, copy and paste the keys into the text fields, taking care to paste the correct key in each field.

After clicking Save Changes your form should now be using reCAPTCHA.

Implement a honeypot

A honeypot is an additional hidden form field that’s not visible on the screen but is visible to bots. Since the code for the input field is still there, many bots will fill this form field in automatically, resulting in the form submission being flagged as spam.

You can use a honeypot in combination with CAPTCHA as an additional measure. However, it shouldn’t be used as a replacement. This is because many honeypots are very easy to bypass. Third-party honeypot plugins will implement the same type of honeypot on each site they protect, so it’s enticing for spammers to develop bots tailored specifically to bypass these honeypots.

Nevertheless, it’s still a good idea to implement a honeypot in your form, as it does protect against various less advanced bots.

It’s also very easy to implement by simply downloading the honeypot plugin of your choice and following the installation instructions. A good place to start is Honeypot for Contact Form 7, which is both effective and easy to implement.

Use a spam filter for your contact forms

A spam filter analyzes the content submitted in the form for common indications of spam and filters spam emails out. For example, the analyzer will not submit the form if it includes words related to popular spam topics, like viagra.

Although there are a number of different providers of spam filters, the most used is Akismet. Contact Form 7 has an Akismet integration that allows you to set up spam filtering on your form. You can achieve this in just a few clicks.

The only downside to using a WordPress plugin like Akismet is that it costs money to use. If it’s just for a personal blog, Akismet is free/pay what you want. However, for regular sites, you’ll have to pay.

To implement Akismet, follow this guide.

Spam filtering is a great way of reducing contact form spam and is also a great supplemental spam prevention control to CAPTCHA. Since some very advanced bots can bypass CAPTCHA, an additional spam filter will ensure spam emails never reach your inbox.

However, if you want a free solution that can still help filter out some of your form submissions, you can use Contact Form 7’s disallowed list.

Disallowed list

Contact Form 7 can use the disallowed list feature WordPress offers to block messages containing specific words as well as specific IP addresses. Although it’s far from the level of spam filtering you get with Akismet and other specially designed spam filters, it can be a great way to block obvious spam form submissions.

To use this, simply head over to Settings > Discussion. Fill in the keywords you want to filter for in the Disallowed Comment Keys section and Save Changes.

Be careful not to go overboard. You can accidentally block real form submissions if you include words that your real visitors may use in their messages.
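To see how a keyword list can block real visitors, here is an added example (not code from Contact Form 7 or WordPress) that audits a candidate list against messages you know are legitimate. It assumes each key is matched as a literal, case-insensitive substring, so it also matches inside longer words and longer IP addresses; the keys, messages and IP address are constructed.

```python
import re

# Constructed candidate list, one key per line as typed into the settings box.
DISALLOWED_KEYS = "viagra\npress\n203.0.113.1\ncasino\n"

# Constructed legitimate inputs: none of these should be blocked.
LEGIT_MESSAGES = [
    "Hi, I need help with my WordPress site after the last update.",
    "We run a charity casino night and need a booking form.",
    "Please call me back about the invoice.",
]
LEGIT_IPS = ["203.0.113.15"]  # documentation-range address, constructed

def load_keys(raw):
    """Split the textarea content into keys, skipping blank lines."""
    return [line.strip() for line in raw.splitlines() if line.strip()]

def find_hits(keys, text):
    """Return (key, token, inside_word) for every key found in text.

    Assumption: a key is a literal, case-insensitive substring match,
    so it also fires inside longer words and longer IP addresses.
    """
    hits = []
    for key in keys:
        m = re.search(re.escape(key), text, re.IGNORECASE)
        if m is None:
            continue
        # Widen the match to the whitespace-delimited token around it.
        start = text.rfind(" ", 0, m.start()) + 1
        end = text.find(" ", m.end())
        token = text[start:len(text) if end == -1 else end].strip(".,!?")
        hits.append((key, token, token.lower() != key.lower()))
    return hits

def audit(keys, samples):
    """Map each key to the legitimate samples it would block."""
    report = {}
    for sample in samples:
        for key, token, inside in find_hits(keys, sample):
            report.setdefault(key, []).append((token, inside))
    return report

if __name__ == "__main__":
    for key, blocked in audit(load_keys(DISALLOWED_KEYS), LEGIT_MESSAGES + LEGIT_IPS).items():
        for token, inside in blocked:
            print(f"{key!r} blocks {token!r} ({'inside a longer token' if inside else 'exact word'})")
```

Run it over a sample of genuine past submissions before saving a new list; any key that appears in the report needs to be made more specific or dropped.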

Form validation

Form validation can help reduce spam form submissions, especially when it comes to spam that contains just a few characters. For example, you can add a minimum and maximum number of characters that the content inside of a form field needs to include to prevent these random, short spam messages from being sent to you.

More information about text fields and how to add min/max character lengths can be found here.
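The honeypot and length checks described above can be pictured as two server-side tests applied in order. The following is an added, language-neutral model of that logic, not the code of Contact Form 7 or of any honeypot plugin; the decoy field name, the length bounds and the sample submissions are assumptions made for the illustration.

```python
from urllib.parse import parse_qs

HONEYPOT_FIELD = "website-url"  # hypothetical decoy field, hidden from humans via CSS
MESSAGE_FIELD = "your-message"  # assumed name of the message field
MIN_LEN, MAX_LEN = 20, 2000     # hypothetical bounds for the message field

def triage(raw_body):
    """Classify one urlencoded submission as ('spam'|'invalid'|'accept', reason)."""
    # keep_blank_values=True so an empty decoy still parses as present-but-empty.
    parsed = parse_qs(raw_body, keep_blank_values=True)
    fields = {name: values[0] for name, values in parsed.items()}

    # 1. Honeypot: a human never sees the decoy, so any content in it is automated.
    if fields.get(HONEYPOT_FIELD, "").strip():
        return ("spam", "honeypot field filled")

    # 2. Length validation, measured after trimming so space padding does not count.
    message = fields.get(MESSAGE_FIELD, "").strip()
    if len(message) < MIN_LEN:
        return ("invalid", "message too short")
    if len(message) > MAX_LEN:
        return ("invalid", "message too long")
    return ("accept", "passed honeypot and length checks")

# Constructed sample submissions.
SAMPLES = {
    "human": "your-name=Ana&website-url=&your-message=Could+you+send+me+a+quote+for+hosting%3F",
    "form_filler_bot": "your-name=x&website-url=http%3A%2F%2Fexample.test&your-message=Great+post+check+my+site+now",
    "short_junk": "your-name=a&website-url=&your-message=asdf",
    "bot_skips_decoy": "your-name=b&website-url=&your-message=Cheap+pills+available+today+order+online",
}

def run_samples():
    """Return the verdict for every constructed sample."""
    return {name: triage(body) for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(name, verdict)
```

The last sample passes both checks, which is why these two measures are supplements to CAPTCHA and content filtering rather than replacements.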

Use the Contact Form 7 quiz functionality

You can add a short quiz to your contact form as an alternative to CAPTCHA using the Contact Form 7 quiz feature. This feature makes users answer a question before being able to submit the form, much like CAPTCHA does.

Although this can be reasonably effective at stopping basic bots, it’s far less effective than a real CAPTCHA solution. Therefore, it is not recommended. It also forces all users to answer the question, which creates more friction. It can also result in more false positives. If it’s just for a small website or blog, however, it can be a good fit.

You can use the quiz feature by adding a simple tag to your form.

There’s the capital quiz tag:

[quiz capital-quiz "What’s the capital of England?|London"]

And the math quiz tag:

[quiz math-quiz "1+1=?|2"]

Frequently Asked Questions

How do I stop spam in Contact Form 7?

The best way to stop spam in Contact Form 7 is by implementing a CAPTCHA solution. This can be done using the reCAPTCHA integration built into the plugin or by using a third-party plugin like CAPTCHA 4WP, which often provides more features and customization options.
 
Although CAPTCHA is the most effective way of preventing contact form spam, there are other techniques you can use to reduce the amount of spam you receive. These include implementing a honeypot, using spam filtering on your contact form submissions, and using effective form validation.

Does Akismet protect Contact Form 7?

Not by default, but it’s a highly recommended integration to make use of. Akismet offers a form of spam filtering based on the text that users input. By identifying common words, phrases, emails, and other text inputs used by spammers, it helps to filter out a lot of spam.

Is Contact Form 7 secure?

Although bugs and vulnerabilities can (and often do) creep into all software, including WordPress plugins, the most up-to-date version of Contact Form 7 is considered secure. However, the same cannot be said for older versions. As such, it’s important to keep this (and other) plugin(s) updated.

Why use Contact Form 7 in WordPress?

It is one of the most-used contact form plugins in WordPress. It’s secure and offers many different integrations. It’s also very well documented and there are tonnes of tutorials online showing you how to use the plugin and how to resolve common and not-so-common issues.

How do I use reCAPTCHA in Contact Form 7?

Contact Form 7 has its own reCAPTCHA integration you can use to implement reCAPTCHA into your form. However, if you want something more granular or you want to use other forms of CAPTCHA, like hCAPTCHA or Cloudflare Turnstile, a plugin like CAPTCHA 4WP can be a good option. Not only does it offer more features and functionality, it also allows you to secure other forms/pages on your site.

Why is CAPTCHA not working in Contact Form 7?

There are a number of reasons why CAPTCHA may not be working in Contact Form 7, including incorrect installation/integration or a bug (especially if it was caused by a recent update). If you’re using CAPTCHA 4WP and you’re experiencing issues, please reach out to customer support to let us know.

Do these methods protect against spam comments as well as spam contact form submissions?

Although this post is specifically about preventing Contact Form 7 spam, the methods covered can also help protect against spam sent through other forms on your WordPress websites, including spam comments and email list registrations. For example, the Akismet plug-in automatically checks for the publishing of malicious content, and CAPTCHA 4WP can block bots from submitting this content in the first place.

Bram Vergouwen

Bram is a freelance copywriter and (technical) SEO with experience in various web development technologies, including WordPress. When he’s not writing content or working on websites, you’ll find Bram enjoying time in nature or meeting up with friends. You can reach Bram at bram@melapress.com

