Trusted WordPress tutorials, when you need them most.
Beginner’s Guide to WordPress
25 Million+
Websites using our plugins
Years of WordPress experience
WordPress tutorials
by experts

How to Block Contact Form Spam in WordPress (9 Proven Ways)

Editorial Note: We earn a commission from partner links on WPBeginner. Commissions do not affect our editors' opinions or evaluations. Learn more about Editorial Process.

Are you getting a lot of spam messages through your website contact form? This can be really frustrating and time-consuming to deal with.

The good news is that there are easy and automated ways to stop contact form spam in WordPress.

In this article, we will share the best ways to reduce and block contact form spam in WordPress.

How to block contact form spam in WordPress

Why You Need to Block Contact Form Spam in WordPress

Contact form spam is usually automated by bots. This means even smaller WordPress blogs and websites are often targets.

These spambots crawl websites and look for non-secure forms so that they can email you spammy links. These links often send you to revenue-generating ad websites or phishing sites.

They may also try to break into your website’s login form using brute force attacks. If a bot does manage to log in to your WordPress account, then they could take control of your website. This is one reason why WordPress security is so important.

Sometimes, they can even look for vulnerabilities in your site’s forms and hijack them to send malware or spam to other people. Spammers can install malware, leaving your visitors and website at risk. They can even steal personal information, which is very dangerous for online stores with sensitive customer data.

On top of that, if spammers use your contact forms to send spam messages via email, they could also send spam to your email list. They often look like an email you sent.

Unaware that it could be spam, users can open these emails and click on the links inside. This would increase traffic and engagement on that site and reward the spammer in the process. Plus, it could hurt your relationship with your readers.

This means that spam isn’t just a nuisance. Those spambots can be dangerous to your website, your visitors, and your reputation.

That being said, let’s take a look at some proven methods for preventing contact form spam on your WordPress site. Simply use the quick links below to jump straight to the method you want to learn about first:

1. Choosing the Right WordPress Form Plugin to Combat Spam

Many WordPress contact form plugins don’t come with built-in spam protection. Even if a plugin has basic spam protection features, these often aren’t very reliable or easy to use.

The most effective way to block contact form spam is by choosing the best WordPress contact form plugin.

We recommend using WPForms because it comes with a built-in spam protection token that protects your forms without affecting the visitor experience.


WPForms also has built-in reCAPTCHA and custom CAPTCHA features that help you fight contact form spam. We will be going through the different options you can use.

You can read our complete WPForms review for more details.

First, you need to install and activate the WPForms plugin. If you are not sure how to do that, then take a look at our step-by-step guide on how to install a WordPress plugin.

Note: Some of these tips in this article also work on the free WPForms lite version as well.

Once the WPForms plugin is activated, you’ll need to create a contact form.

To get started, simply head to WPForms » Add New, where you’ll be taken to the drag-and-drop editor. Then type a name for your contact form into the ‘Form Name’ field.

no spam contact form

WPForms comes with 1300+ ready-made templates that you can use to create all kinds of forms. You can use these form templates to collect registrations, create an email newsletter, and even accept credit card payments on your WordPress website.

Since we are creating a contact form, you can go ahead and select ‘Use Template’ under the pre-made ‘Simple Contact Form’ template.

simple contact form

WPForms will now automatically create a basic contact form for your WordPress website.

This form template already has fields where the visitor can type in their name, email address, and message.

no spam contact form fields

By default, WPForms will automatically protect your forms with a secret anti-spam token. This token is unique to each form submission and invisible to both spambots and visitors.

In the past, WPForms used to use the honeypot technology, but this new anti-spam token is far superior and is one of the reasons that WPForms is the market leader.

Since spambots can’t see this secret token, they get stuck and can’t submit the form.

Some anti-spam features can hurt the visitor experience, particularly if they ask the visitor to perform some task before submitting the form. As a result, fewer people may complete your contact form.

Since the WPForms token is created and submitted automatically, it does not impact the visitor experience, which is great for your form conversion rates.

The WPForms anti-spam token is automatically enabled on each new form that you create.

Want to check that this setting is enabled on your form?

Simply head over to Settings » Spam Protection and Security. The ‘Enable anti-spam protection’ slider should already be enabled.

On top of that, you can choose to enable the Akismet anti-spam protection. It can automatically detect and block suspicious form submissions to stop fake entries.

Enable anti spam protection

Note: You’ll need the Akismet anti-spam plugin in order to enable this feature in WPForms. To learn more, check out our blog post on what is Akismet and why you should start using it right away.

Now, some spammers are persistent, which can lead to a few spam submissions still coming through your contact form.

If this is the case, then you can use any of the methods below to stop spammers from using your contact form.

2. Use reCAPTCHA Checkbox to Block Contact Form Spam

One straightforward way to stop the spambots from getting through is to use reCAPTCHA. This method also works with the lite version of WPForms.

reCAPTCHA is a free tool available from Google, and we use it in combination with WPForm’s built-in anti-spam token system.

To add a reCAPTCHA checkbox to your contact form, head over to WPForms » Settings in your WordPress dashboard.

Then, go ahead and click on the ‘CAPTCHA’ tab. Next, you need to select ‘reCAPTCHA’ by clicking on it.

Captcha tab

Once you’ve done that, scroll to the ‘Type’ section.

Then click to select the ‘Checkbox reCAPTCHA v2’ radio button.

checkbox recaptcha

WPForms will now ask you for a Site Key and Secret Key. To get this information, simply head over to Google’s reCAPTCHA setup page.

On the Google reCAPTCHA page, click on ‘v3 Admin console.’

v3 admin console

If you’re not already logged into your Google account, then you’ll need to type in your username and password or create a new Google account.

Next, you’ll see a screen where you can register your WordPress website. To start, type in a label for your website. This is for your own reference and will not be visible to visitors.

After that, you can go ahead and give your reCAPTCHA for this site a name. Then select ‘Challenge (v2)’ and the ‘I’m not a robot’ radio button.

recaptcha v2

Next, type your website’s domain name into the ‘Domain’ field.

Once you’ve done that, click the ‘Submit’ button at the bottom of the page.

add domain

Next, you’ll see a page containing the site key and secret key for your website.

To start using reCAPTCHA, you simply need to copy this information into your WPForms’ settings page.

copy site key and secret key in google console

Simply copy each key separately and then paste it into the ‘Site Key’ and ‘Secret Key’ fields in your WordPress dashboard.

Once you’ve done that, click on the ‘Save Settings’ button at the bottom of the screen.

save settings

After that, you are ready to add the reCAPTCHA checkbox to your contact form.

To start, head over to WPForms » All Forms and click on the ‘Edit’ link for the form that you want to protect with reCAPTCHA.

Edit contact form

This will open your form in the drag-and-drop form builder. In the left-hand menu, find the ‘reCAPTCHA’ field and give it a click.

You’ll now see a message that reCAPTCHA has been enabled for the form. To continue, simply click the ‘OK’ button.

google checkbox recaptcha v2

Now, you’ll see the reCAPTCHA logo at the top of your form.

This means that you’ve successfully added reCAPTCHA protection to your contact form.

reCaptcha enabled

Note: If you decide to remove reCAPTCHA from the form at any point, then you simply need to click on the ‘reCAPTCHA’ field in WPForms’ left-hand menu. You’ll then see a message asking you to confirm that you want to remove reCAPTCHA.

When you are done, remember to save your changes by clicking on the orange ‘Save’ button.

Adding Your Contact Form to Your Website

After all that, you are ready to add the contact form to your WordPress website. To do this, simply open the page or post where you want to show your form and click the ‘+’ button to add a new block.

You can then type ‘WPForms’ to find the right block. Once you click on the WPForms block, it will add the block to your page.

add wpforms widget

Next, open the ‘Select a Form’ dropdown.

You can now choose the contact form that you just created.

select a form

WPForms will show a preview of how this form will look directly inside the WordPress block editor.

You can also preview this page as normal by clicking on the ‘Preview’ button at the top of the page. No matter how you choose to preview the form, you’ll see a reCAPTCHA field.

Im not a robot

This field will block all automated spam submissions, drastically reducing the amount of contact form spam you get on your website.

3. Using Google Invisible reCAPTCHA to Block Contact Form Spam

Some website owners don’t want their users to have to check a box to submit the contact form. This is where invisible reCAPTCHA comes in.

Invisible reCAPTCHA works like the regular reCAPTCHA, except there’s no checkbox.

Instead, when the form is submitted, Google will determine whether it might be a bot submitting it. If so, Google will pop up the extra reCAPTCHA verification. If you want to see how it works, Google has a demo here.

You can use invisible reCAPTCHA on your WPForms contact forms. In fact, the process is very similar to adding a reCAPTCHA checkbox, as described above.

The first difference is that you need to select a different option when setting up reCAPTCHA on the Google website.

Rather than pick the ‘I’m not a robot’ checkbox, you must select ‘Invisible reCAPTCHA badge’ instead.

invisible recaptcha

You can then create the site key and secret key following the same process above.

Once you’ve done that, head over to WPForms » Settings in your WordPress dashboard and click the ‘CAPTCHA’ tab. However, this time, you’ll need to select ‘Invisible reCAPTCHA v2.’

invisible recaptcha wpforms

Make sure to hit the ‘Save Settings’ button at the bottom of the page.

You can then go ahead and add a reCAPTCHA field to your contact form, following the same process described above.

Every time someone submits a contact form, your WordPress site will use the invisible reCAPTCHA automatically.

Visitors will see the reCAPTCHA logo in the bottom corner of your form, as you can see in the following image. This lets them know that your contact form is protected from spambots.

Inivisible recaptcha example

If the user wants to learn more about reCAPTCHA, then they simply need to click that logo. The logo will then expand to show links to Google’s privacy policy and terms of service.

It’s also a good idea to update your own site’s privacy policy with some information about how you use reCAPTCHA.

4. Using Custom CAPTCHA to Block Contact Form Spam

Some website owners don’t want to use Google’s reCAPTCHA on their sites due to privacy concerns or simply want something not branded.

The good news is that WPForms Pro comes with a custom CAPTCHA addon. This lets you create your own question-based CAPTCHA to block contact form spam without relying on Google.

To activate this addon, simply go to WPForms » Addons in your WordPress dashboard. Then, find the Custom Captcha Addon, and click its ‘Install Addon’ button.

Custom captcha addon wpforms

Once it’s installed, go to WPForms » All Forms. You can then find your contact form and click on its ‘Edit’ link to open it in the WPForms editor.

In the left-hand menu, scroll to ‘Fancy fields’ and drag the ‘Custom Captcha’ field onto your form.

We recommend placing this field just above the ‘Submit’ button. This means that visitors will have already completed the rest of the form before they realize they must complete a CAPTCHA field.

Custom captcha field

By default, this field shows a random math question. Another option is to type in a few different questions and then challenge visitors to enter the correct answers.

If you want to switch to a question-and-answer CAPTCHA, then click on the ‘CAPTCHA’ field to select it.

In the left-hand menu, simply open the ‘Type’ dropdown and select ‘Question and Answer.’

question and answer captcha

If you choose ‘Question and Answer,’ then we recommend creating a few different questions. WPForms will then rotate these questions randomly so they are harder for spambots to predict.

If you choose the ‘Math’ option, then WPForms will generate random math questions, so it’s much less predictable.

5. Prevent Spam Bots From Seeing Your Form

Don’t want to use reCAPTCHA or a custom CAPTCHA field on your form?

Another way to block contact form spam in WordPress is by stopping bots from even seeing your form. You could do this by password-protecting your contact form or by only showing it to people who have registered with your WordPress membership site.

These methods might be overkill for a standard contact form, but they could work well in other situations.

For example, if you run a monthly Q&A for your email subscribers, then you might create a private form where they can send you questions.

Password Protecting Your Form Using WordPress’ Visibility Options

You can password-protect your entire Contact Us page using WordPress’ built-in tools.

To get started, simply open your Contact Us page in the WordPress editor. Then, in the left-hand menu, next to ‘Visibility,’ click on ‘Public.’

In the popup that appears, click on ‘Password protected.’

You can now type your password into the field that shows ‘Use a secure password’ by default. All visitors will use the same password to access your Contact Us page.

Password protected

Once you’ve done that, you can either update or publish your page as normal.

Now, whenever someone visits your Contact Us page, they’ll be asked to type in the password.

Protected contact us page

Once they’ve entered the password, the visitor can click on the ‘Submit’ button and use your contact form as normal.

There are a couple of drawbacks to this method.

First, your contact page will show a default message that isn’t easy to customize.

Second, this method will password-protect your entire Contact Us page and not just your form. This could be a problem if this page has some content that should be visible to all users, such as FAQs, your business phone number, or postal address.

Password Protecting Your Form Using a WPForms Addon

If you are using the Pro version of WPForms, then the Form Locker addon lets you password-protect the form itself and not your entire Contact Us page.

To install Form Locker, simply go to WPForms » Addons. You can then find the Form Locker Addon and click its ‘Install Addon’ button.

WPForms should install and activate this addon automatically.

form locker addon

Next, head over to WPForms » All Forms. You can then find the form you want password-protected, and click on its ‘Edit’ link.

In the left-hand menu, select Settings » Form Locker. You can then turn on the ‘Enable verification’ toggle.

WPForms will now show some fields where you can type in the password you want to use and the message you’ll show visitors.

enable password protection in WPForms

Your Contact Us page will now be visible to all users, with just the contact form hidden.

In the following image, you can see an example of how your form will look before the visitor enters the password.

contact form password

Showing Your Contact Page Only to Registered Users

You can also only let users access your contact form if they’ve registered on your site.

In the Form Locker tab of WPForms, you can enable the ‘Logged in users only’ toggle under Form Restrictions. That way, the form can only be viewed by logged-in members.

logged in users only in wpforms

This is a great option if you want to offer a specific service to members only. There are several great membership site plugins that you could use to do this.

6. Block Spam IP Addresses

If you notice malicious behavior from specific IP addresses, blocking them could be a necessary security measure to prevent potential spam or attacks. It’s a great way to block spammers who may have bypassed your CAPTCHA.

Every user who comments on your site automatically leaves behind an IP address. So, you may see a pattern where you are repeatedly finding similar IP addresses spamming your site. In that case, you can easily blacklist these IP addresses.

All you have to do is go to Settings » Discussion in your WordPress dashboard.

From there, in the ‘Disallowed Comment Keys’ field, you’ll need to type all of the IP addresses that you want to block in the text field. Make sure to only include one IP address per line. ‘

disallowed comment keys

For more details, you can see our guide on how to block IP addresses in WordPress.

7. Restrict Entries By Country

If you are consistently experiencing spam submissions from specific countries, then you can also block entries from those countries. Also, if your website operates in a specific region, then restricting access from other countries will ensure you only receive relevant inquiries.

The good news is that WPForms has a country filtering feature in its advanced spam-blocking methods. Under Settings » Spam Protection and Security you can toggle on the ‘Enable country filter.’ From there, you can choose to allow or deny specific countries.

Once you are done adding those countries to the deny list, you can also customize the message those users will receive.

Country filter in WPForms

8. Block Specific Email Addresses on Your Form

Blocking spam from human visitors can be tricky since you’ll need to deploy multiple strategies to stop them in their tracks.

If you notice a common theme of specific email addresses that continually visit your contact forms, then you can manually block them.

Just head over to your contact form and click on the ‘Email’ field. Under ‘Advanced Options’ when editing the field, you can add a list of denied email addresses.

In the text box, just type in the email addresses that you’d like to stop submissions from. You can type in the complete email or use an asterisk * to allow for a partial match.

advanced email filtering in wpforms

The feature is incredibly powerful since you can create partial matches in many different formats. For example, here are several examples you can experiment with:

  • – This is where you block the exact match of the specified email address.
  • spammer* – Using this filter will prevent submissions from emails that start with that name.
  • * – This blocks all email addresses from that domain.
  • a* – You can block email addresses that begin with a specific letter for that given domain.
  •, – If you know all of the names for that email address, you can add them with a comma between each or add a new line for each email.

If you are also looking to block temporary and spammy email addresses, then see our guide on how to block disposable email addresses in WordPress.

9. Filter Out Spammy Keywords and Profanity in Your Contact Form Submissions

Human visitors may enter all kinds of keywords or phrases to promote their products or links when submitting spam through your contact form.

To deal with this, you can block spammy keywords in your contact form. All you have to do is toggle on the ‘Enable keyword filter’ setting, which is located on the Settings » Spam Protection and Security page.

Then go ahead and click on ‘Edit keyword list.’

edit keyword list

Go ahead and enter the list of keywords that you want to be blocked from contact form entries.

You may want to consider keywords related to financial scams, adult content, or health-related scams.

Once you’ve entered your banned keywords, just click ‘Save Changes.’

banned keywords

We hope this article has helped you learn how to block contact form spam in WordPress. You may also want to see our complete WordPress security guide or our expert pick of the best business phone services for small businesses.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us. Here's our editorial process.

Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi with over 16 years of experience in WordPress, Web Hosting, eCommerce, SEO, and Marketing. Started in 2009, WPBeginner is now the largest free WordPress resource site in the industry and is often referred to as the Wikipedia for WordPress.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit - a collection of WordPress related products and resources that every professional should have!

Reader Interactions

20 CommentsLeave a Reply

  1. Syed Balkhi says

    Hey WPBeginner readers,
    Did you know you can win exciting prizes by commenting on WPBeginner?
    Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
    You can get more details about the contest from here.
    Start sharing your thoughts below to stand a chance to win!

  2. Jiří Vaněk says

    Thank you for a very informative article. I have been using the WP Armour plugin on my website to block spam. Unfortunately, after the latest update, it began letting spam through onto the discussion forum. Therefore, I started looking for a better solution. I would like to ask about implementing Google reCAPTCHA. I have read on various forums that it may not be the best anti-spam solution. What is your opinion on reCAPTCHA from the perspective of WordPress professionals?

    Does it make sense to use multiple spam solutions simultaneously, such as WP Armour along with reCAPTCHA? Or is that not advisable?

    • WPBeginner Support says

      You would want to check with WP Armor for if there is any issue with using reCAPTCHA with their plugin. For reCAPCHA in general it will not catch everything but if you’re having trouble with spam at the moment then it is a good option to have available to you to try and see what your users think.


  3. Hajjalah says

    I really found this guide very useful because it enabled me stop all bad bots from using my contact forms. I just used the Google reCAPTCHA method and this fixed the entire problem. Your guides are really very useful for addressing different WordPress issues. Thanks Indeed.

  4. Mrteesurez says

    By implementing all these, atleast couples of it, It will really helpful in combating spams but I have a question on that password protected page. Can those password protected pages show on search engines ?

    • WPBeginner Comments says

      The content of the form itself is not visible to search engines if the page is password-protected.

  5. Lizzie W says

    Thanks!! Hopefully this will stop the bots which started targeting my new site! Step by step instructions were a god send – much appreciated!!

  6. Laurence Marks says

    The tip on the honeypot for contact forms was helpful. We were getting one or two spams per day.

    I’ve created websites in raw HTML since 1995 but jumping into current WordPress has been quite an experience for me.

  7. Steve Biese says

    Can your form block messages by not allowing certain content. I simply want a form that will NOT go through if let’s say they enter “Joe Miller”. I’m going nuts trying to find a simple contact form that can do that.

    • WPBeginner Support says

      There are tools for blocking certain submissions. If you reach out to the support for the plugin directly they can help set up certain blocking.


  8. Amanda says

    I am using WPForms lite. I do not see honeypot anywhere. What am I missing. Do I need to upgrade?

    Last question, if we select, GDPR, do we still receive the form data, or is it deleted after a specific time? Or are we obligated to delete it? Would we include on our website’s privacy page how long the data will exist in our hands before it is deleted?

  9. Raj R Agrawal says

    Excellent tutorial, really helping me a lot. Special thanks to you all from the bottom of the heart . Thanks.

Leave A Reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.