When it comes to running a WordPress website, few things are more frustrating than spam.
Unsolicited spam emails sent through contact forms not only eat into your time they also pose a security threat and waste precious resources.
Unfortunately, when it comes to the internet, spam is pretty much unavoidable.
If there’s a way to contact you, there’s a spammer who can, and likely will, take advantage. Luckily, there are many tools and strategies to shield yourself from the constant barrage of contact form spam.
In this guide, I’ll walk you through a number of actionable steps you can take to reduce or even completely stop contact form spam on your WordPress site.
Table of contents
- Step 1: CAPTCHA – The easiest way to stop contact form spam in WordPress
- Step 2: Using a honeypot
- Step 3: Awareness and training
- Step 4: Use a firewall plugin
- Step 5: Update plugins regularly
- Step 6: Block the spammer directly
- Step 7: Password protecting the form
- Step 8: Block copy/paste on the page/site
- Frequently Asked Questions
Step 1: CAPTCHA – The easiest way to stop contact form spam in WordPress
When it comes to spam, the first and often best line of defense is implementing a WordPress CAPTCHA solution.
CAPTCHA stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart. Not exactly the most catchy name for a spam prevention solution, but that’s exactly what it does – it tells humans and computers apart. It does this using challenges that humans can complete easily but bots can’t.
By forcing users to verify they are indeed real visitors and not automated bots, bots can no longer submit the form, and the amount of spam you receive is greatly reduced.
Some of the main benefits of CAPTCHA include:
- Blocking most automated bots, including many advanced bots, from submitting your form
- It’s very easy to implement across all your contact forms in WordPress using CAPTCHA 4WP
- It provides a fantastic user experience, as only a small group of users will have to complete the challenges, and the challenges are familiar to most users
Still not convinced? Check out our post on why you need CAPTCHA on your WordPress website!
How to implement CAPTCHA on your WordPress contact forms
Considering all of the benefits that a CAPTCHA solution offers, you might expect it to be hard to implement on your contact forms. However, you’d be wrong.
It’s actually surprisingly easy to add CAPTCHA to your contact forms in WordPress. I’ll be using CAPTCHA 4 WP in this example.
It offers access to multiple CAPTCHA service providers, including reCAPTCHA, hCAPTCHA, and Cloudflare Turnstile, allowing you to choose the right provider/version for your website. It also integrates with native WordPress forms and several third-party themes and plugins out of the box, allowing you to implement CATPCHA across different forms on your WordPress site.
Best of all, it offers many customization options and can be added to your WordPress forms in just a few clicks!
Preventing spam contact form submissions with CAPTCHA 4WP
First, you need to choose the CAPTCHA 4WP license you want.
So, for the same price as a few cups of coffee, you can save yourself hours of time sifting through spam emails. The free version gives you access to everything you need to implement CAPTCHA on native WordPress forms.
However, if you need more features, like support for 3rd party form plugins, the ability to disable CAPTCHA for certain IP addresses, or the ability to add hCAPTCHA or Cloudflare Turnsite, the premium edition might be a better fit.
All packages come with a 30-day money-back guarantee, so if, for whatever reason, you don’t like the plugin, you can get your money back.
Downloading and installing CAPTCHA 4WP
Once you’ve chosen a package, you’ll get an email with instructions on how to download the plugin.
After you’ve downloaded the plugin files, open your site’s WordPress dashboard and navigate to Plugins > Add New Plugin. Then, click on the Upload Plugin button on the top-left of your screen and select Choose File.
Once you’ve uploaded, installed, and activated the plugin, you should automatically be taken to the setup wizard after clicking on the CAPTCHA 4WP tab.
The setup wizard is pretty self-explanatory, but I’ll walk you through the steps below, just in case. First, select the type of CAPTCHA you want to use. I’ll go with Google reCAPTCHA v2 for this example.
After clicking Next, you’ll be prompted to add your Site Key.
We’ve written a separate post on our blog that shows you how to generate a Google reCAPTCHA key you can follow.
After following the steps laid out in that post, paste your site key into the site key field and click on Proceed to secret key. Then, enter your secret key in the secret key field.
After clicking Validate & proceed, you will be redirected to the main CAPTCHA 4WP dashboard.
Adding CAPTCHA to contact forms
Now that you’ve configured CAPTCHA 4WP, you can add CAPTCHA to your contact form. How exactly you go about this will depend on the form plugin you’re using. Our knowledge base covers each one in detail:
After following the steps detailed above, you should now be protected against most contact form submission bots.
Step 2: Using a honeypot
A honeypot is a hidden field added to a form. This ensures that real users don’t see the field and therefore can’t fill it in. Many bots, especially less sophisticated bots, will automatically fill in every field regardless of whether it’s visible on the page. This means that the honeypot field is also filled in, which is a clear indication that the form was filled in by a bot and not a real user.
How effective a honeypot is varies greatly depending on how it is implemented. It tends to be very effective at stopping basic bots, but more advanced bots can be programmed to spot and avoid filling in certain types of honeypots.
So, although it’s a great addition to CAPTCHA to add an extra layer of control, it’s generally considered less effective as a standalone solution.
Many form plugins have this feature built-in, including Gravity Forms and WP Forms. If not, there are many third-party honeypot plugins you can use, both paid and free.
Simply activate the honeypot functionality, and you’ve added another layer of protection against contact form spam.
Step 3: Awareness and training
When it comes to cyber security, awareness and training are vital.
Email is one of the most common attack vectors that bad actors use to infect computers with malware. It’s also the most common channel used for phishing.
Although not all spam consists of phishing emails or contains malicious links, many spam emails do. This means it’s vital that everyone who could be exposed to these messages knows how to spot spam and deal with it accordingly.
Identifying spam emails
Even if you manage to stop the bulk of the spam emails that spammers submit through your WordPress contact forms, the occasional spam email will slip through. This means that distinguishing between real messages and spam messages is important.
Some of the most common forms of spam include:
- Unsolicited marketing emails
- Phishing emails
- Malicious link spam
- Random characters/empty form submissions
Although not all spam is easy to detect, there are a few common signs to look out for:
- The email is in a different language than you normally communicate in
- The email is an unsolicited marketing email you did not subscribe to
- The email address doesn’t match what you would expect based on the email content (for example, the email content claims the email is from PayPal, but the email address is “paypal@gmail.com”
- The email includes links or attachments that seem odd or out of place
- The email content mentions porn, hacking, viagra, guest posts, or other terms commonly used by spammers
- The email uses urgent or threatening language
- Personal information or other sensitive information is requested in the email
Examples of spam emails
Examples are a great way of building your understanding of spam and what it might look like. So, to help you identify spam form submissions, here are some examples I recently received on my WordPress sites.
Quick tips for handling spam contact form submissions
This post covers spam prevention in-depth. However, there are a few important tips worth mentioning when it comes to handling those spam contact form submissions that do make it through.
Never reply to spam contact form submissions
By replying, you tell spammers that the contact form is live and you are receiving/reading their spam messages. You also give them your direct email address. Attackers can then use this to spam you further, bypassing the security measures you implement on your contact form.
Tip: This post is about contact form spam specifically and not email spam more generally. However, one thing worth mentioning is that some spammers use email tracking when sending bulk email spam. This means that they get notified if an email is opened, which is pretty much the same as you responding to it.
They can only do this when sending emails directly, so not when submitting a contact form. However, it’s important to block email tracking to ensure spammers aren’t notified if they do get hold of a direct email address.
Create a separate email folder/email address for form submissions
By keeping form submissions out of your “normal” direct email folder, you ensure users are more alert to spam. This also protects your regular inbox from being flooded with spam caused by issues with your technical controls.
Educate your team
Education is the most cost-effective cyber security measure, and this is also the case when it comes to spam. Training your team to be able to identify spam helps prevent many of the unwanted side effects that come with spam form submissions.
Step 4: Use a firewall plugin
Firewalls filter website traffic and block bots, which helps to reduce spam. A good firewall can also help protect your website from other malicious traffic. The added benefit makes it a good security control to implement regardless of whether you’re experiencing spam issues.
A WordPress firewall works at the website level instead of the form level, meaning it can help stop bots from accessing/crawling your site altogether if they behave suspiciously. This makes it a fantastic additional security measure against contact form spam since it operates on a different level from CAPTCHA and honeypots.
There are many WordPress firewall plugins available on the market today, so I won’t go into all of them in this post.
What I’ll do instead is refer you to our post on WordPress firewalls, which dives deeper into how they work and how they can help enhance your site’s security.
Step 5: Update plugins regularly
Although regularly updating your plugins might not seem like a very proactive step you can take to prevent spam, it is an important one.
Whether you’re dealing with your contact form plugin or your anti-spam plugin, it’s crucial to keep updating them to ensure they can handle the latest bots.
Updates often come in the form of bug fixes, security enhancements, or patches, which can help to improve the plugin’s security. If there’s a vulnerability that allows spammers to surpass your security plugins’ security controls, you could see an increase in spam.
Cyber security is a constant tug-of-war between bad actors and the companies and individuals trying to reduce their impact. As spammers and bad actors learn new ways of sending contact form spam, plugins need to adapt to stop them and keep their users secure. If you don’t update your plugins, the updates won’t reach you, and spam could slowly become more prevalent until you update them.
Regularly checking for updates and updating your plugins/themes can help you keep your site secure and your contact forms spam-free.
Step 6: Block the spammer directly
Blocking the culprit directly can be highly effective, but only if you have some information about the source of the spam you want to block. There are a number of ways to achieve this, including:
Restricting submissions by country
You can restrict contact form submissions from specific countries. Doing so prevents anyone accessing your website from that country from submitting your contact form. This is very beneficial if your website targets a specific region, but it’s not suitable for sites that target a broader region.
Block specific email addresses
You can choose to block specific email addresses from submitting your contact form if you observe a lot of spam originating from the same email address. While this can seem very impractical, it can actually be very useful.
For example, restriction submissions from certain well-known free email providers or emails containing certain character combinations.
Many spammers send contact form spam using fake emails, often with just a few letters or even an incomplete email address. By blocking these kinds of submissions, you can prevent them from reaching your inbox.
Block traffic by IP
If you’re encountering spam issues from specific IP addresses, then you can block this traffic on your website. This isn’t a practical solution in 99% of cases since spammers can simply use a proxy to circumvent the block. However, if you’re seeing a large quantity of spam from the same IP address(es), blocking those IPs can be very effective.
Blocking specific languages
Blocking specific languages allows you to block contact form submissions in languages commonly used for spam, like Russian and Chinese. This only works if your website doesn’t target these countries specifically, of course.
Language blocking can be a good secondary measure, especially when combined with the blocking of specific regions.
Step 7: Password protecting the form
Although it’s generally not the best option, you can password-protect contact forms. This prevents bots or spammers from having access to them. This can work well on websites with login functionality, forcing users to create an account before submitting the contact form.
Obviously, this is only an option in very specific situations. However, when it is an option, it’s generally a highly effective one.
Step 8: Block copy/paste on the page/site
Just like the last one, this isn’t the most user-friendly option for reducing contact form spam.
That said, several WordPress plugins enable you to block copy/paste on a page or across a website. This can prevent manual spammers from surpassing your bot detection/prevention measures and spamming you with copied/pasted messages.
Frequently Asked Questions
There are a number of ways to stop WordPress contact form spam, with CAPTCHA being the most effective and most commonly used.
A good reCAPTCHA/hCAPTCHA solution can prevent most bots from submitting your contact forms. This will dramatically reduce the amount of spam you receive through it.
Other ways to block contact form spam include adding a honeypot field, using an anti-spam plugin, password protecting your contact form, and blocking certain user actions on the page the contact form is on and/or across the entire website.
Contact form spam can take many forms, from unsolicited marketing emails to scams and malware. Oftentimes, spam is very easy to detect, like in the examples provided in the section “What is contact form spam?” in this post.
However, this isn’t always the case.
Sophisticated contact form spam can actually look like a real email. This can make it hard to know you’re dealing with spam. By preventing spam form submissions as much as possible, you can prevent these spam emails from ever reaching you. Thus, you reduce the risk to your website/business.
Spammers will target any communication channel they can. Therefore, live WordPress websites get spam submissions at some point, whether it’s in the form of spam comments or unwanted messages.
But don’t worry; you can avoid spam altogether. By following the steps laid out in this post, you can combat contact form spam and drastically reduce the amount of spam you receive through your contact form.
You can disable your WordPress contact form by going to the contact form plugin you use (Dashboard > Plugins > Installed plugins) and clicking on “Deactivate.”
However, you don’t have to take such drastic measures if it’s your goal to reduce spam. Implementing a CAPTCHA solution on your contact form actively prevents most spam submissions from bots. These bots typically generate the bulk of spam sent through contact forms.
WordPress doesn’t have a built-in spam blocker, but it does offer a range of plugins with various spam-prevention features. I used the Melapress CAPTCHA 4WP plugin in this blog post. It is highly effective at blocking many different types of spam.
With Contact Form 7 being one of the most used contact form plugins, it’s no surprise there are so many people looking to reduce spam specifically for this plugin. That’s why we recently wrote an article specifically focused on blocking contact form 7 spam in WordPress. Check it out!
