Spam Hell: How to stop spam on WordPress contact forms

The problem faced by many WordPress websites using contact forms is spam messages. It is frustrating and time-consuming to deal with. Spamming happens when malicious entities enter unwanted data into your site through online forms without you knowing.

Why the need to block Contact Form Spam

Form spamming is hazardous because messages can land in your customer’s or visitor’s email inboxes. Spammers look for loopholes in a website’s form to hijack the email service and plague it with spam messages that can look like genuine messages coming from your website, which your visitors supposedly trust. In turn, people unknowingly open and click on links contained in the email, which redirects them to something other than your website. To achieve this, they use spambots which are malicious computer programs designed to collect email addresses and users’ personal information from different websites to send unsolicited emails.

Spamming isn’t just a nuisance to your users; it is also dangerous to your website and your website’s reputation.

Let’s take a closer look at how to combat contact form spam with the following proven methods.

For this example we have chosen to work with WPForms.

Choosing the right contact form plugin

It is obvious to start here, the first step to solving this problem is to choose wisely. Many Contact Form plugins do not come with spam protection. 

We recommend WPForms; because it is anti-spam ready, giving you the option to use Honeypot, Google reCAPTCHA, or a custom captcha to prevent spam.


Honeypot Antispam is an invisible way to protect your contact form from spam. Honeypot hides form fields from the human eye and are only visible to spambots. These bots are then tricked into filling out the hidden fields and when they do Honeypot kicks in and rejects the submission automatically, preventing your website from receiving unwanted messages.


reCAPTCHA, by Google, is used to prove that the user is a real human and not a spambot when submitting a form. Spam submissions are automatically rejected if the reCAPTCHA is not verified.

reCAPTCHA may present itself to a user as a single confirmation tickbox or a popup window that asks the user to click on images that match a certain object or word before allowing the user to hit the submit button.

With Google reCAPTCHA V3, website owners can also select an invisible mode. Invisible reCaptcha analyses activity on a form (e.g. mouse movements and typing patterns) to determine if a user is a robot. With invisible reCAPTCHA V3, a logo will appear at the bottom right corner of your browser that tells users that the form is protected by Google reCAPTCHA.

Custom Captcha

Custom CAPTCHA is used as a word-based question or a mathematical question chosen randomly. The visitor must copy a particular text or solve a simple mathematical question and input the answer. With WPForms, you can use several custom word questions that are cycled randomly each time the page loads.

Although we have only recommended using WPForms, other great WordPress contact forms such as Contact Form 7 and Gravity Forms also have the option for you to easily integrate Google reCAPTCHA to prevent contact form spam.

WordPress Maintenance from £25.99/month

Experience unparalleled WordPress support and maintenance with our exceptional service plans. Entrust us with all your WordPress needs, guaranteeing the seamless operation and upkeep of your website.

Get Started