
How to Block Contact Form Spam in WordPress (5 Proven Ways)

Are you getting a lot of spam messages through your website contact form? This can be really frustrating and time-consuming to deal with.

The good news is that there are automated ways to stop contact form spam in WordPress.

In this article, we will share 5 ways to reduce and block contact form spam in WordPress.


Why You Need to Block Contact Form Spam in WordPress

Contact form spam is usually automated by bots. This means even smaller WordPress blogs and websites are often targets of contact form spam.

These spambots crawl websites and look for non-secure forms, so they can email you spammy links.

They may also try to break into your website’s login form by using brute force attacks. If a bot does manage to log into your WordPress account, then they could take control over your website, which is one reason why WordPress security is so important.

Sometimes, they can even look for vulnerabilities in your site’s forms, so they can hijack them to send malware or spam to other people.

This means that spam isn’t just a nuisance. Those spambots can be dangerous to your website, your visitors, and your reputation.

That being said, let’s take a look at some proven methods for preventing contact form spam on your WordPress site.

1. Choosing the Right WordPress Form Plugin to Combat Spam

Many WordPress contact form plugins don’t come with built-in spam protection. Even if a plugin has basic spam protection features, these often aren’t very reliable or easy to use.

The most effective way to block contact form spam is by choosing the best WordPress contact form plugin.

We recommend using WPForms, because it comes with a built-in spam protection token that protects your forms without affecting the visitor experience.

WPForms also has built-in reCAPTCHA and custom CAPTCHA features that help you fight contact form spam. We’ll be going through the different options you can use.

First, you need to install and activate the WPForms plugin. If you’re not sure how to do that, then take a look at our step-by-step guide on how to install a WordPress plugin.

Note: 3 out of the other 4 tips in this article also work on the free WPForms lite version.

Once the WPForms plugin is activated, you’ll need to create a contact form.

To get started, simply head to WPForms » Add New and type in a name for your contact form in the ‘Form Name’ field.

WPForms comes with lots of ready-made templates that you can use to create all kinds of forms. You can use these form templates to collect registrations, create an email newsletter, and even accept credit card payments on your WordPress website.

Since we’re creating a contact form, you can go ahead and select the pre-made ‘Simple Contact Form’ template.

A WPForms contact template

WPForms will now automatically create a basic contact form for your WordPress website.

This form template already has fields where the visitor can type in their name, email address, and message.

The default Simple Contact Form

By default, WPForms will automatically protect your forms with a secret anti-spam token. This token is unique to each form submission, and invisible to both spambots and visitors.

In the past, WPForms used honeypot technology, but this new anti-spam token is far superior and is one of the reasons that make WPForms the market leader.

Since spambots can’t see this secret token, they get stuck and can’t submit the form.

Some anti-spam features can hurt the visitor experience, particularly if they ask the visitor to perform some task before submitting the form. As a result, fewer people may complete your contact form.

Since WPForms’ token is created and submitted automatically, it has no impact on the visitor experience, which is great for your form conversion rates.
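One way a per-submission anti-spam token like the one described above can work, shown as an added example and not WPForms' own code: the server signs a timestamp and a random nonce with a secret, then rejects any post whose token is missing, altered, too old or reused. `SECRET`, `MAX_AGE` and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SECRET = b"constructed-demo-secret"  # assumption: kept server-side, never sent to the browser
MAX_AGE = 3600                       # assumption: token lifetime in seconds
_used_nonces = set()                 # demo replay cache; a real site needs shared storage with expiry


def _mac(form_id: int, issued: int, nonce: str) -> str:
    msg = f"{form_id}:{issued}:{nonce}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(form_id: int, now: int) -> str:
    """Created when the form page is rendered; a script copies it into the POST."""
    nonce = secrets.token_hex(8)
    return f"{now}.{nonce}.{_mac(form_id, now, nonce)}"


def verify_token(form_id: int, token: Optional[str], now: int) -> str:
    """Return 'ok' or the reason the submission is rejected."""
    if not token:
        return "missing"          # client posted to the endpoint without the hidden value
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    try:
        issued = int(parts[0])
    except ValueError:
        return "malformed"
    nonce, mac = parts[1], parts[2]
    expected = _mac(form_id, issued, nonce)
    # Constant-time comparison so the check does not leak how many characters matched.
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return "bad-signature"    # edited token, or one issued for a different form
    if not 0 <= now - issued <= MAX_AGE:
        return "expired"
    if nonce in _used_nonces:
        return "replayed"         # same token submitted a second time
    _used_nonces.add(nonce)
    return "ok"


if __name__ == "__main__":
    # Constructed walk-through: one genuine submission, then a replay of it.
    tok = issue_token(form_id=7, now=1_000_000)
    print(verify_token(7, tok, now=1_000_030))   # first use
    print(verify_token(7, tok, now=1_000_040))   # same token again
    print(verify_token(7, None, now=1_000_040))  # no token at all
```
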

The WPForms anti-spam token is automatically enabled on each new form that you create.

Want to check that this setting is enabled on your form?

Simply head over to Settings » General. The ‘Enable anti-spam protection’ slider should already be enabled.

The WPForms anti-spam token

If you created this form using an earlier version of WPForms, then the anti-spam setting may not be enabled by default. If this is the case, then you can simply enable it with a click. Your contact form is now protected by a powerful anti-spam token.

Some spammers are persistent, however, which can lead to a few spam submissions still coming through your contact form.

If this is the case, then you can use any of the methods below to stop spammers from using your contact form.

2. Use reCAPTCHA Checkbox to Block Contact Form Spam

One straightforward way to stop the spambots getting through is to use reCAPTCHA. This method also works with the lite version of WPForms.

reCAPTCHA is a free tool available from Google, and we use it in combination with WPForms’ built-in anti-spam token system.

To add a reCAPTCHA checkbox to your contact form, head over to WPForms » Settings in your WordPress dashboard.

Then, go ahead and click on the ‘CAPTCHA’ tab.

The WPForms CAPTCHA tab

Next, you need to select ‘reCAPTCHA’ by clicking on it.

Once you’ve done that, scroll to the ‘Type’ section and click to select the ‘Checkbox reCAPTCHA v2’ radio button.

WPForms' anti-spam features

WPForms will now ask you for a Site Key and Secret Key. To get this information, simply head over to Google’s reCAPTCHA setup page.

On the Google reCAPTCHA page, click on ‘v3 Admin console.’

The Google reCAPTCHA admin console

If you’re not already logged into your Google account, then you’ll need to type in your username and password, or create a new Google account.

Next, you’ll see a screen where you can register your WordPress website. To start, type in a label for your website. This is for your own reference and will not be visible to visitors.

After that, you can go ahead and select ‘reCAPTCHA v2’, and the ‘I’m not a robot’ radio button.

Selecting the 'reCAPTCHA v2' and 'I'm not a robot' checkbox

Next, type your website’s domain name into the ‘Domain’ field.

Since you’re already logged into your Google account, your email address will be filled in automatically. However, you can enter additional email addresses if you want by typing into the field that shows ‘Enter email addresses’ by default.

Adding emails in the Google admin console

After that, make sure you read the terms of service carefully. If you’re happy with these terms, then check the ‘Accept the reCAPTCHA Terms of Service’ box.

Once you’ve done that, click the ‘Submit’ button at the bottom of the page.

Filling in your site's details for Google reCAPTCHA

Next, you’ll see a page containing the site key and secret key for your website.

To start using reCAPTCHA, you simply need to copy this information into your WPForms’ settings page.

Your site key and secret key from Google reCAPTCHA

Simply copy each key separately and then paste it into the ‘Site Key’ and ‘Secret Key’ fields in your WordPress dashboard.

Once you’ve done that, click on the ‘Save Settings’ button at the bottom of the screen.

Entering your site key and secret key into WPForms
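What the Secret Key is for, as an added example that is not WPForms' code: on each submission the server sends the visitor's reCAPTCHA response to Google's `siteverify` endpoint together with the secret key, then checks the reply before accepting the message. `EXPECTED_HOST`, `MAX_AGE` and the function names are assumptions, and the sample replies in the demo are constructed.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
EXPECTED_HOST = "example.com"    # assumption: the domain registered with Google
MAX_AGE = timedelta(minutes=2)   # assumption: local freshness policy


def ask_google(secret_key: str, client_token: str) -> dict:
    """POST the form's g-recaptcha-response value plus the secret key (needs network)."""
    body = urllib.parse.urlencode(
        {"secret": secret_key, "response": client_token}
    ).encode()
    with urllib.request.urlopen(VERIFY_URL, data=body, timeout=5) as resp:
        return json.load(resp)


def evaluate(result: dict, now: datetime) -> tuple:
    """Return (accepted, reason) for a parsed siteverify reply; `now` must be timezone-aware."""
    if result.get("success") is not True:
        return False, ",".join(result.get("error-codes", ["unknown"]))
    if result.get("hostname") != EXPECTED_HOST:
        return False, "hostname-mismatch"   # challenge was solved on another site
    try:
        raw = str(result["challenge_ts"]).replace("Z", "+00:00")
        solved = datetime.fromisoformat(raw)
    except (KeyError, ValueError):
        return False, "bad-timestamp"
    if solved.tzinfo is None:
        solved = solved.replace(tzinfo=timezone.utc)
    if now - solved > MAX_AGE:
        return False, "stale-challenge"
    return True, "ok"


if __name__ == "__main__":
    # Constructed replies in the shape siteverify returns; no request is sent.
    now = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)
    good = {"success": True, "challenge_ts": "2024-01-01T12:00:00Z",
            "hostname": "example.com"}
    samples = [
        good,
        {"success": False, "error-codes": ["timeout-or-duplicate"]},
        dict(good, hostname="other-site.example"),
        dict(good, challenge_ts="2024-01-01T11:50:00Z"),
    ]
    for reply in samples:
        print(evaluate(reply, now))
```

The secret key appears only in `ask_google`, which runs on the server; the site key is the only one of the two that belongs in the page the visitor loads.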

After that, you’re ready to add the reCAPTCHA checkbox to your contact form.

To start, head over to WPForms » All Forms and click on the ‘Edit’ link for the form that you want to protect with reCAPTCHA.

Editing a WPForms form

This will open your form in the drag and drop form builder. In the left-hand menu, find the ‘reCAPTCHA’ field and give it a click.

You’ll now see a message telling you that reCAPTCHA has been enabled for the form. To continue, simply click the ‘OK’ button.

The message saying that reCAPTCHA has been enabled

Now, you’ll see the reCAPTCHA logo at the top of your form.

This means that you’ve successfully added reCAPTCHA protection to your contact form.

The contact form with reCAPTCHA logo

Note: If you decide to remove reCAPTCHA from the form at any point, you simply need to click on the ‘reCAPTCHA’ field in WPForms’ left-hand menu. You’ll then see a message asking you to confirm that you want to remove reCAPTCHA.

When you’re done, remember to save your changes by clicking on the orange ‘Save’ button.

Adding Your Contact Form to Your Website

After all that, you’re ready to add the contact form to your WordPress website. To do this, simply open the page or post where you want to show your form and click the + button to add a new block.

You can then type ‘WPForms’ to find the right block. Once you click on the WPForms block, it will add the block to your page.

Adding your form to your contact page

Next, open the ‘Select a Form’ dropdown.

You can now choose the contact form that you just created, to add it to your page.

Selecting the correct form from the dropdown list

WPForms will show a preview of how this form will look, directly inside the WordPress block editor.

You can also preview this page as normal, by clicking on the ‘Preview’ button at the top of the page. No matter how you choose to preview the form, you’ll see a reCAPTCHA field.

Contact form with reCAPTCHA box

This field will block all automated spam submissions, which will drastically reduce the amount of contact form spam you get on your website.

3. Using Google Invisible reCAPTCHA to Block Contact Form Spam

Some website owners don’t want their users to have to check a box in order to submit the contact form. This is where invisible reCAPTCHA comes in.

Invisible reCAPTCHA works just like the regular reCAPTCHA, except there’s no checkbox.

Instead, when the form is submitted, Google will determine whether it might be a bot submitting it. If so, Google will pop up the extra reCAPTCHA verification. If you want to see how it works, Google has a demo here.

You can use invisible reCAPTCHA on your WPForms contact forms. In fact, the process is very similar to adding a reCAPTCHA checkbox, as described above.

The first difference is that you need to select a different option when setting up reCAPTCHA on the Google website.

Rather than pick the ‘I’m not a robot’ checkbox, you need to select ‘Invisible reCAPTCHA badge’ instead.

Selecting the invisible reCAPTCHA option in the Google admin panel

You can then create the site key and secret key following the same process above.

Once you’ve done that, head over to WPForms » Settings in your WordPress dashboard and click the ‘CAPTCHA’ tab. However, this time you’ll need to select ‘Invisible reCAPTCHA v2.’

WPForms' invisible reCAPTCHA settings

You can then go ahead and add a reCAPTCHA field to your contact form, following the same process described above.

Now every time someone submits a contact form, your WordPress site will use the invisible reCAPTCHA automatically.

Visitors will see the reCAPTCHA logo in your form’s bottom corner, as you can see in the following image. This lets them know that your contact form is protected from spambots.

Contact form with the invisible reCAPTCHA active

If the user wants to learn more about reCAPTCHA, then they simply need to click that logo. The logo will then expand to show links to Google’s privacy policy and terms of service.

It’s also a good idea to update your own site’s privacy policy with some information about how you use reCAPTCHA.

Note: In the screenshot, you’ll see the option for reCAPTCHA v3, but we’re specifically not covering that since it has a lot of false positives and can block real users. We use and recommend the reCAPTCHA v2 Checkbox option that we showed in step 2 of this article.

4. Using Custom CAPTCHA to Block Contact Form Spam

Some website owners don’t want to use Google’s reCAPTCHA on their site due to privacy concerns, or they simply want something not branded.

The good news is that WPForms Pro comes with a custom CAPTCHA addon. This lets you create your own question-based CAPTCHA that you can use to block contact form spam, without having to rely on Google.

To activate this addon, simply go to WPForms » Addons in your WordPress dashboard. Then, find the Custom Captcha Addon, and click its ‘Install Addon’ button.

Installing the Custom Captcha addon

Once it’s installed, go to WPForms » All Forms. You can then find your contact form and click on its ‘Edit’ link to open it in the WPForms editor.

In the left-hand menu, scroll to ‘Fancy fields’ and drag the ‘Captcha’ field onto your form.

We recommend placing this field just above the ‘Submit’ button. This means that visitors will have already filled out the rest of the form before they realize they need to complete a CAPTCHA field.

Adding a custom captcha field to your form

By default, this field shows a random math question. Another option is to type in a few different questions, and then challenge visitors to enter the correct answers.

If you want to switch to a question and answer CAPTCHA, then click on the CAPTCHA field to select it.

In the left-hand menu, simply open the ‘Type’ dropdown and select ‘Question and Answer.’

Changing the custom captcha question in WPForms

If you choose ‘Question and Answer,’ then we recommend creating a few different questions. WPForms will then rotate these questions randomly, so it’s harder for spambots to predict.

If you choose the ‘Math’ option, then WPForms will generate random math questions, so it’s much less predictable.

When you’re happy with your form, don’t forget to save your changes. You can then add this contact form to your WordPress website by creating a ‘WPForms’ block, as shown in the reCAPTCHA checkbox method.

5. Prevent Spam Bots From Seeing Your Form

Don’t want to use reCAPTCHA or a custom CAPTCHA field on your form?

Another way to block contact form spam in WordPress is by stopping bots from seeing your form. You could do this by password protecting your contact form, or by only showing it to people who have registered with your WordPress membership site.

These methods might be overkill for a standard contact form, but they could work well in other situations.

For example, if you run a monthly Q&A for your email subscribers, then you might create a private form where they can send you questions.

Password Protecting Your Form Using WordPress’ Visibility Options

You can password protect your entire Contact Us page using WordPress’ built-in tools.

To get started, simply open your Contact Us page in the WordPress editor. Then, in the left-hand menu, click to expand the ‘Status & Visibility’ settings.

Once you’ve done that, click on the ‘Public’ link that appears next to ‘Visibility.’

Password protecting the Contact Us page

In the popup that appears, click on Password Protected.

You can now type your password into the field that shows ‘Use a secure password’ by default. All visitors will use the same password to access your Contact Us page.

Password protecting a WordPress page

Once you’ve done that, you can either update or publish your page as normal.

Now, whenever someone visits your Contact Us page, they’ll be asked to type in the password.

The contact page now shows 'Protected: Contact Us' as the title and requires a password

Once they’ve entered the password, the visitor can click on the ‘Submit’ button and use your contact form as normal.

There are a couple of drawbacks to this method.

First, your contact page will show a default message that isn’t easy to customize.

Second, this method will password protect your entire Contact Us page, and not just your form. This could be a problem if this page has some content that should be visible to all users, such as FAQs, your business phone number, or postal address.

Password Protecting Your Form Using a WPForms Addon

If you’re using the Pro version of WPForms, then the Form Locker addon lets you password protect the form itself, and not your entire Contact Us page.

To install Form Locker, simply go to WPForms » Addons. You can then find the Form Locker Addon and click its ‘Install Addon’ button.

WPForms should install and activate this addon automatically.

Installing the Form Locker addon for WPForms

Next, head over to WPForms » All Forms. You can then find the form that you want to password protect, and click on its ‘Edit’ link.

In the left-hand menu, select Settings » Form Locker. You can then check the ‘Enable Password Protection’ box.

WPForms will now show some fields where you can type in the password that you want to use, and the message that you’ll show to visitors.

Enabling password protecting using Form Locker

Your Contact Us page will now be visible to all users, with just the contact form hidden.

In the following image, you can see an example of how your form will look before the visitor enters the password.

How your contact form looks to users before they enter the password

Showing Your Contact Page Only to Registered Users

A final method is to only let users access your contact form if they’ve registered on your site. You could use a membership site plugin and protect your contact page so it can only be viewed by logged-in members.

This is a great option if you want to offer a specific service to members only. There are several great membership site plugins that you could use to do this.

We hope this article has helped you learn how to block contact form spam in WordPress.


Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us. Here's our editorial process.


Reader Interactions

14 Comments

  1. Thanks!! Hopefully this will stop the bots which started targeting my new site! Step by step instructions were a godsend – much appreciated!!

  2. The tip on the honeypot for contact forms was helpful. We were getting one or two spams per day.

    I’ve created websites in raw HTML since 1995 but jumping into current WordPress has been quite an experience for me.

  3. Can your form block messages by not allowing certain content? I simply want a form that will NOT go through if let’s say they enter “Joe Miller”. I’m going nuts trying to find a simple contact form that can do that.

    • There are tools for blocking certain submissions. If you reach out to the support for the plugin directly they can help set up certain blocking.


  4. I am using WPForms lite. I do not see honeypot anywhere. What am I missing? Do I need to upgrade?

    Last question, if we select, GDPR, do we still receive the form data, or is it deleted after a specific time? Or are we obligated to delete it? Would we include on our website’s privacy page how long the data will exist in our hands before it is deleted?

  5. Excellent tutorial, really helping me a lot. Special thanks to you all from the bottom of the heart. Thanks.
