You chose Contact Form 7 over other contact form plugins due to its great reputation and simplicity. It’s no wonder that it’s one of the most used contact form plugins around today.
But its popularity also means that its users are often faced with spam issues.
Luckily, there are plenty of ways to stop Contact Form 7 Spam, including CAPTCHA, honeypots, spam filtering, and others.
Together, we’ll dive into a number of the most effective ones in this post.
Let’s get started!
Why are spam messages so prevalent in Contact Form 7?
Contact Form 7 forms are some of the most spammed contact forms in WordPress. This might seem like there’s something wrong with the plugin, but it has more to do with its popularity than any bad security practices on the part of the team maintaining it.
Its popularity increases its exposure, meaning that as the plugin is used on more sites, more spam messages are received by its users.
It also doesn’t help that many people using the plugin don’t know how to correctly configure it to prevent spam, which is a must if you don’t want to spend your free time sifting through hundreds of spam form submissions.
In the following section, we’ll show you how to effectively prevent this influx of spam messages.
Reducing Contact Form 7 spam using a CAPTCHA/reCAPTCHA solution
When you want to stop spam submissions, there are a number of tools you have at your disposal. They’re not all built equal though, so it’s important to consider the method(s) you use carefully to ensure they’re effective for your situation.
Contact Form 7 makes it really easy for you to implement a wide range of anti-spam measures, including CAPTCHA.
CAPTCHA remains one of the best methods of stopping spam form submissions.
It works by presenting suspected bots with a challenge that’s easy for humans to complete but hard for bots. By only submitting the form if the challenge is completed successfully, bot submissions are greatly reduced. Since bots send the majority of spam online these days, this will help prevent the majority of spam form submissions you receive.
Since it’s so important, we have an entire post dedicated to explaining why you need CAPTCHA on your WordPress website – check it out!
In Contact Form 7, there are two main ways of adding CAPTCHA to your form. You can use a third-party plugin or Contact Form 7’s own reCAPTCHA integration.
Third-party plugins have the benefit of offering more features and can often be used on other forms or pages on your website, too. On the flip side, however, they also introduce added complexity to your site, so it’s vital that you stick to trusted, secure plugins.
I’ll cover both options below so you can implement the one that’s right for you.
Third-party plugin
Using a third-party plugin is a good option if you require more features for your CAPTCHA integration, like the ability to use hCAPTCHA or integrate with your WooCommerce store.
I’ll be using CAPTCHA 4WP in this post, which comes with Contact Form 7 integration out of the box. It also has the ability to use hCAPTCHA and Cloudflare Turnstile – something you can’t do with Contact Form 7’s built-in CAPTCHA solution.
Lastly, and perhaps most importantly for those planning on using reCAPTCHA, it also comes with a failover for Google reCAPTCHA v3. This handy feature ensures there’s a way to handle false positives. As such, if a real person gets flagged as a bot, they will still be able to submit the contact form.
Step 1: Get and install CAPTCHA 4WP
You’ll first need to choose the plan you want.
Each plan comes with different features and a 30-day money-back guarantee, with prices starting at just $14 per year.
Since we’ll be taking advantage of hCAPTCHA for this example, I’ll be using the business plan.
After signing up for the plan of your choice, you’ll receive an email showing you how to download the plugin files.
After downloading the plugin files, head over to your WordPress dashboard and navigate to Dashboard > Plugins > Add New Plugin.
Then, click on Upload Plugin > Choose File and upload the plugin files.
Once you’ve uploaded the plugin, click on the blue Activate Plugin button to activate it.
This will take you to the setup wizard.
Step 2: Complete the setup wizard
First, you need to enter your license key.
Then click Activate License.
You’ll then be shown the following prompt:
Click Next and choose the type of CAPTCHA you want to use on your website.
I’ll be using the hCAPTCHA option for this example.
You’ll be prompted to insert your hCAPTCHA keys after clicking Next.
First, you’ll need to generate the hCAPTCHA keys, though!
To do this, go to the hCAPTCHA website and click on Sign Up at the top right.
Follow the steps to create an account until you reach this page:
Click on the blue Generate button to get your secret key.
Then, go back to your WordPress dashboard, enter your site key, and click on Proceed to secret key.
Then, enter your secret key and click on Validate & proceed.
You’re now ready to start using CAPTCHA on your forms!
Step 3: Implementing CAPTCHA on your Contact Form 7 forms
Head over to your contact form under Contact > Contact Forms, then click on “Edit” under the form you want to add CAPTCHA to.
In the form section, you should see a button labeled Add CAPTCHA.
You should be shown a form tag to add to your form after clicking it.
Click on Insert Tag and then click on Save underneath the form input.
Your form should now be using hCAPTCHA to protect it from spam.
Contact Form 7 reCAPTCHA
Contact Form 7 also has its own CAPTCHA integration, which is great for small personal/hobby websites. If you just want a very simple solution without the flexibility, added security, and extra features that third-party plugins offer, this option can work well.
The only thing to keep in mind is that it can only protect Contact Form 7 forms, so your other forms will still be vulnerable to spammers.
It uses Google reCAPTCHA, which does a pretty good job of blocking spam.
First, generate your Google reCAPTCHA keys. The linked article will show you how.
Then head over to Contact > Integration and click on the setup integration button in the section on reCAPTCHA.
Next, copy and paste the keys into the text fields, taking care to paste the correct key in each field.
After clicking Save Changes your form should now be using reCAPTCHA.
Implement a honeypot
A honeypot is an additional hidden form field that’s not visible on the screen but is visible to bots. Since the code for the input field is still there, many bots will fill this form field in automatically, resulting in the form submission being flagged as spam.
You can use a honeypot in combination with CAPTCHA as an additional measure. However, it shouldn’t be used as a replacement. This is because many honeypots are very easy to bypass. Third-party honeypot plugins will implement the same type of honeypot on each site they protect, so it’s enticing for spammers to develop bots tailored specifically to bypass these honeypots.
Nevertheless, it’s still a good idea to implement a honeypot in your form, as it does protect against various less advanced bots.
It’s also very easy to implement by simply downloading the honeypot plugin of your choice and following the installation instructions. A good place to start is Honeypot for Contact Form 7, which is both effective and easy to implement.
Use a spam filter for your contact forms
A spam filter analyzes the content submitted in the form for common indications of spam and filters spam emails out. For example, the analyzer will not submit the form if it includes words related to popular spam topics, like viagra.
Although there are a number of different providers of spam filters, the most used is Akismet. Contact Form 7 has an Akismet integration that allows you to set up spam filtering on your form. You can achieve this in just a few clicks.
The only downside to using a WordPress plugin like Akismet is that it costs money to use. If it’s just for a personal blog, Akismet is free/pay what you want. However, for regular sites, you’ll have to pay.
To implement Akismet, follow this guide.
Spam filtering is a great way of reducing contact form spam and is also a great supplemental spam prevention control to CAPTCHA. Since some very advanced bots can bypass CAPTCHA, an additional spam filter will ensure spam emails never reach your inbox.
However, if you want a free solution that can still help filter out some of your form submissions, you can use Contact Form 7’s disallowed list.
Disallowed list
Contact Form 7 can use the disallowed list feature WordPress offers to block messages containing specific words as well as specific IP addresses. Although it’s far from the level of spam filtering you get with Akismet and other specially designed spam filters, it can be a great way to block obvious spam form submissions.
To use this, simply head over to Settings > Discussion. Fill in the keywords you want to filter for in the Disallowed Comment Keys section and Save Changes.
Be careful not to go overboard. You can accidentally block real form submissions if you include words that your real visitors may use in their messages.
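To see how easily a disallowed list blocks real visitors, here is an added example (not part of Contact Form 7 or WordPress) that dry-runs a candidate list against known-good messages. It assumes entries are matched as case-insensitive substrings, so they also match inside longer words and longer IP addresses; the sample list, messages and the `ip` key are constructed for illustration.

```python
"""Dry-run a candidate disallowed list against known-good submissions."""
import re

def parse_disallowed(raw):
    # One entry per line; blank lines are ignored.
    return [line.strip() for line in raw.splitlines() if line.strip()]

def matching_entries(entries, submission):
    # Assumed matching rule: each entry is a case-insensitive substring
    # test over every submitted value (including the sender IP), so
    # "press" also matches inside "WordPress".
    haystack = "\n".join(str(v) for v in submission.values())
    return [e for e in entries
            if re.search(re.escape(e), haystack, re.IGNORECASE)]

def false_positives(raw_list, legit_submissions):
    # Map each entry to the legitimate senders it would have blocked.
    entries = parse_disallowed(raw_list)
    report = {}
    for sub in legit_submissions:
        for entry in matching_entries(entries, sub):
            report.setdefault(entry, []).append(sub["your-name"])
    return report

# Constructed candidate list, as it would be typed into the settings box.
CANDIDATE_LIST = """viagra
press
casino

203.0.113.1
"""

# Constructed legitimate submissions ("ip" is a hypothetical key name).
LEGIT = [
    {"your-name": "Ana", "ip": "198.51.100.7",
     "your-message": "Do you support WordPress multisite?"},
    {"your-name": "Ben", "ip": "203.0.113.9",
     "your-message": "We run the Casino Royale fan club site."},
    {"your-name": "Cy", "ip": "203.0.113.15",
     "your-message": "Invoice question, thanks."},
    {"your-name": "Di", "ip": "198.51.100.20",
     "your-message": "Please call me back tomorrow."},
]

if __name__ == "__main__":
    for entry, names in false_positives(CANDIDATE_LIST, LEGIT).items():
        print(f"{entry!r} would block legitimate senders: {names}")
```

Entries that show up in the report are candidates for removal or for a longer, more specific phrase before the list is saved.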
Form validation
Form validation can help reduce spam form submissions, especially when it comes to spam that contains just a few characters. For example, you can add a minimum and maximum number of characters that the content inside of a form field needs to include to prevent these random, short spam messages from being sent to you.
More information about text fields and how to add min/max character lengths can be found here.
Use the Contact Form 7 quiz functionality
You can add a short quiz to your contact form as an alternative to CAPTCHA using the Contact Form 7 quiz feature. This feature makes users answer a question before being able to submit the form, much like CAPTCHA does.
Although this can be reasonably effective at stopping basic bots, it’s far less effective than a real CAPTCHA solution. Therefore, it is not recommended. It also forces all users to answer the question, which creates more friction. It can also result in more false positives. If it’s just for a small website or blog, however, it can be a good fit.
You can use the quiz feature by adding a simple tag to your form.
There’s the capital quiz tag:
[quiz capital-quiz "What’s the capital of England?|London"]
And the math quiz tag:
[quiz math-quiz "1+1=?|2"]
Frequently Asked Questions
The best way to stop spam in Contact Form 7 is by implementing a CAPTCHA solution. This can be done using the reCAPTCHA integration built into the plugin or by using a third-party plugin like CAPTCHA 4WP, which often provides more features and customization options.
Although CAPTCHA is the most effective way of preventing contact form spam, there are other techniques you can use to reduce the amount of spam you receive. These include implementing a honeypot, using spam filtering on your contact form submissions, and using effective form validation.
Not by default, but it’s a highly recommended integration to make use of. Akismet offers a form of spam filtering based on the text that users input. By identifying common words, phrases, emails, and other text inputs used by spammers, it helps to filter out a lot of spam.
Although bugs and vulnerabilities can (and often do) creep into all software, including WordPress plugins, the most up-to-date version of Contact Form 7 is considered secure. However, the same cannot be said for older versions. As such, it’s important to keep this (and other) plugin(s) updated.
It is one of the most-used contact form plugins in WordPress. It’s secure and offers many different integrations. It’s also very well documented and there are tonnes of tutorials online showing you how to use the plugin and how to resolve common and not-so-common issues.
Contact Form 7 has its own reCAPTCHA integration you can use to implement reCAPTCHA into your form. However, if you want something more granular or you want to use other forms of CAPTCHA, like hCAPTCHA or Cloudflare Turnstile, a plugin like CAPTCHA 4WP can be a good option. Not only does it offer more features and functionality, it also allows you to secure other forms/pages on your site.
There are a number of reasons why CAPTCHA may not be working in Contact Form 7, including incorrect installation/integration or a bug (especially if it was caused by a recent update). If you’re using CAPTCHA 4WP and you’re experiencing issues, please reach out to customer support to let us know.
Although this post is specifically about preventing Contact Form 7 spam, the methods covered can also help protect against spam sent through other forms on your WordPress websites, including spam comments and email list registrations. For example, the Akismet plug-in automatically checks for the publishing of malicious content, and CAPTCHA 4WP can block bots from submitting this content in the first place.