How to Block Contact Form Spam in WordPress (9 Proven Ways)

Spam messages through contact forms can be a constant frustration for website owners. They clog up your inbox and can be a major headache as they waste your valuable time and resources.

At WPBeginner, we’ve dealt with our fair share of comment spam over the years, so we know how quickly it can spiral out of control. When left unchecked, spam can interfere with website management and even impact user experience.

The good news is that WordPress has easy and automated ways to stop contact form spam. We’ve used these methods to cut down on contact form spam so we can focus on real messages from our readers. For instance, we use WPForms, which comes with built-in anti-spam features.

In this article, we’ll share the best ways to reduce and block contact form spam in WordPress.

Why You Need to Block Contact Form Spam in WordPress

Contact form spam is usually automated by bots. This means even smaller WordPress blogs and websites are often targets.

These spambots crawl websites and look for non-secure forms so that they can email you spammy links. These links often send you to revenue-generating ad websites or phishing sites.

They may also try to break into your website’s login form using brute force attacks. If a bot does manage to log in to your WordPress account, then they could take control of your website. This is one reason why WordPress security is so important.

Sometimes, they can even look for vulnerabilities in your site’s forms and hijack them to send malware or spam to other people. Spammers can install malware, leaving your visitors and website at risk. They can even steal personal information, which is very dangerous for online stores with sensitive customer data.

On top of that, if spammers use your contact forms to send spam messages via email, they could also send spam to your email list. They often look like an email you sent.

Unaware that it could be spam, users can open these emails and click on the links inside. This would increase traffic and engagement on that site and reward the spammer in the process. Plus, it could hurt your relationship with your readers.

This means that spam isn’t just a nuisance. Those spambots can be dangerous to your website, your visitors, and your reputation.

With that in mind, let’s take a look at some proven methods for preventing contact form spam on your WordPress site. Simply use the quick links below to jump straight to the method you want to learn about first:

Ready? Here are 9 proven ways to reduce and block contact form spam in WordPress.

1. Choosing the Right WordPress Form Plugin to Combat Spam

Many WordPress contact form plugins don’t come with built-in spam protection. Even if a plugin has basic spam protection features, these often aren’t very reliable or easy to use.

The most effective way to block contact form spam is by choosing the best WordPress contact form plugin.

We recommend using WPForms because it comes with a built-in spam protection token that protects your forms without affecting the visitor experience.

WPForms also has built-in reCAPTCHA and custom CAPTCHA features that help you fight contact form spam. We will be going through the different options you can use.

You can read our complete WPForms review for more details.

First, you need to install and activate the WPForms plugin. If you are not sure how to do that, then take a look at our step-by-step guide on how to install a WordPress plugin.

Once the WPForms plugin is activated, you’ll need to create a contact form.

To get started, simply head to WPForms » Add New, where you’ll be taken to the drag-and-drop editor. Then, you can type a name for your contact form into the ‘Form Name’ field.

WPForms comes with 2000+ ready-made templates that you can use to create all kinds of forms. You can use these form templates to collect registrations, create an email newsletter, and even accept credit card payments on your WordPress website.

Since we are creating a contact form, you can go ahead and select ‘Use Template’ under the pre-made ‘Simple Contact Form’ template.

WPForms will now automatically create a basic contact form for your WordPress website.

This form template already has fields where visitors can type in their name, email address, and message.

By default, WPForms will automatically protect your forms with a secret anti-spam token. This token is unique to each form submission and invisible to both spambots and visitors.

In the past, WPForms used to use the honeypot technology, but this new anti-spam token is far superior and is one of the reasons that WPForms is the market leader.

Since spambots can’t see this secret token, they get stuck and can’t submit the form.

Some anti-spam features can hurt the visitor experience, particularly if they ask the visitor to perform some task before submitting the form. As a result, fewer people may complete your contact form.

Since the WPForms token is created and submitted automatically, it does not impact the visitor experience, which can help prevent form abandonment.

The WPForms anti-spam token is automatically enabled on each new form that you create.

Want to check that this setting is enabled on your form?

Simply head over to Settings » Spam Protection and Security. The ‘Enable anti-spam protection’ slider should already be enabled.

On top of that, you can choose to enable the Akismet anti-spam protection. It can automatically detect and block suspicious form submissions to stop fake entries.

Now, some spammers are persistent, which can lead to a few spam submissions still coming through your contact form.

If this is the case, then you can use any of the methods below to stop spammers from using your contact form.

2. Use reCAPTCHA Checkbox to Block Contact Form Spam

One straightforward way to stop the spambots from getting through is to use reCAPTCHA. This method also works with the lite version of WPForms.

reCAPTCHA is a free tool available from Google, and we use it in combination with WPForm’s built-in anti-spam token system.

To add a reCAPTCHA checkbox to your contact form, you can head over to WPForms » Settings in your WordPress dashboard.

Then, go ahead and click on the ‘CAPTCHA’ tab. Next, you need to select ‘reCAPTCHA’ by clicking on it.

Once you’ve done that, let’s scroll down to the ‘Type’ section.

Then, you can click to select the ‘Checkbox reCAPTCHA v2’ radio button.

WPForms will now ask you for a Site Key and Secret Key. To get this information, simply head over to Google’s reCAPTCHA setup page.

On the Google reCAPTCHA page, you’ll want to click on ‘v3 Admin console.’

If you’re not already logged into your Google account, then you’ll need to type in your username and password or create a new Google account.

Next, you’ll see a screen where you can register your WordPress website. To start, type in a label for your website. This is for your own reference and will not be visible to visitors.

After that, you can go ahead and give your reCAPTCHA for this site a name. Then select ‘Challenge (v2)’ and the ‘I’m not a robot’ radio button.

Next, let’s type your website’s domain name into the ‘Domain’ field.

Once you’ve done that, just click the ‘Submit’ button at the bottom of the page.

Next, you’ll see a page containing your website’s site key and secret key.

To start using reCAPTCHA, you simply need to copy this information into your WPForms’ settings page.

So, let’s copy each key separately and then paste it into the ‘Site Key’ and ‘Secret Key’ fields in your WordPress dashboard.

Once you’ve done that, don’t forget to click on the ‘Save Settings’ button at the bottom of the screen.

After that, you are ready to add the reCAPTCHA checkbox to your contact form.

To start, you can head over to WPForms » All Forms and click on the ‘Edit’ link for the form that you want to protect with reCAPTCHA.

This will open your form in the drag-and-drop form builder. In the left-hand menu, find the ‘reCAPTCHA’ field and give it a click.

You’ll now see a message that reCAPTCHA has been enabled for the form. To continue, simply click the ‘OK’ button.

Now, you’ll see the reCAPTCHA logo at the top of your form.

This means that you’ve successfully added reCAPTCHA protection to your contact form.

When you are done, remember to save your changes by clicking on the orange ‘Save’ button.

Adding Your Contact Form to Your Website

After all that, you are ready to add the contact form to your WordPress website. To do this, simply open the page or post where you want to show your form and click the ‘+’ button to add a new block.

You can then type ‘WPForms’ to find the right block. Once you click on the WPForms block, the block will be added to your page.

From here, you can click the ‘Select a Form’ dropdown to open it.

You can now choose the contact form that you just created.

WPForms will show a preview of how this form will look directly inside the WordPress block editor.

You can also preview this page by clicking on the ‘Preview’ button at the top of the page. No matter how you choose to preview the form, you’ll see a reCAPTCHA field.

This field will block all automated spam submissions, drastically reducing the amount of contact form spam you get on your website.

3. Using Google Invisible reCAPTCHA to Block Contact Form Spam

Some website owners don’t want their users to have to check a box to submit the contact form. This is where invisible reCAPTCHA comes in.

Invisible reCAPTCHA works like the regular reCAPTCHA, except there’s no checkbox.

Instead, when the form is submitted, Google will determine whether it might be a bot submitting it. If so, Google will pop up the extra reCAPTCHA verification. If you want to see how it works, Google has a demo here.

You can use invisible reCAPTCHA on your WPForms contact forms. In fact, the process is very similar to adding a reCAPTCHA checkbox, as described above.

The first difference is that you need to select a different option when setting up reCAPTCHA on the Google website.

Rather than pick the ‘I’m not a robot’ checkbox, you must select ‘Invisible reCAPTCHA badge’ instead.

You can then create the site and secret keys following the same process above.

Once you’ve done that, you can head over to WPForms » Settings in your WordPress dashboard and click the ‘CAPTCHA’ tab. However, this time, you’ll need to select ‘Invisible reCAPTCHA v2.’

Make sure to hit the ‘Save Settings’ button at the bottom of the page.

You can then add a reCAPTCHA field to your contact form, following the same process described above.

Every time someone submits a contact form, your WordPress site will use the invisible reCAPTCHA automatically.

Visitors will see the reCAPTCHA logo in the bottom corner of your form, as shown in the following image. This logo lets them know that your contact form is protected from spambots.

If the user wants to learn more about reCAPTCHA, then they simply need to click that logo. The logo will then expand to show links to Google’s privacy policy and terms of service.

It’s also a good idea to update your own site’s privacy policy with some information about how you use reCAPTCHA.

4. Using Custom CAPTCHA to Block Contact Form Spam

Some website owners don’t want to use Google’s reCAPTCHA on their sites due to privacy concerns or simply want something not branded.

The good news is that WPForms Pro comes with a custom CAPTCHA addon. This lets you create your own question-based CAPTCHA to block contact form spam without relying on Google.

To activate this addon, simply go to WPForms » Addons in your WordPress dashboard. Then, you’ll want to find the ‘Custom Captcha Addon’ box and click its ‘Install Addon’ button.

Once it’s installed, you can go to WPForms » All Forms then find your contact form and click on its ‘Edit’ link to open it in the WPForms editor.

In the left-hand menu, let’s scroll to ‘Fancy fields’ and drag the ‘Custom Captcha’ field onto your form.

We recommend placing this field just above the ‘Submit’ button. This means that visitors will have already completed the rest of the form before they realize they must complete a CAPTCHA field.

By default, this field shows a random math question. Another option is to type in a few different questions and then challenge visitors to enter the correct answers.

If you want to switch to a question-and-answer CAPTCHA, then click on the ‘CAPTCHA’ field to select it.

In the left-hand menu, simply open the ‘Type’ dropdown and select ‘Question and Answer.’

If you choose ‘Question and Answer,’ then we recommend creating a few different questions. WPForms will then rotate these questions randomly so they are harder for spambots to predict.

If you choose the ‘Math’ option, then WPForms will generate random math questions, so it’s much less predictable.

5. Prevent Spam Bots From Seeing Your Form

Don’t want to use reCAPTCHA or a custom CAPTCHA field on your form?

Another way to block contact form spam in WordPress is by stopping bots from even seeing your form. You could do this by password-protecting your contact form or by only showing it to people who have registered with your WordPress membership site.

These methods might be overkill for a standard contact form, but they could work well in other situations.

For example, if you run a monthly Q&A for your email subscribers, then you might create a private form where they can send you questions.

Password Protecting Your Form Using WordPress’ Visibility Options

You can password-protect your entire ‘Contact Us’ page using WordPress’ built-in tools.

To get started, simply open your ‘Contact Us’ page in the WordPress editor. Then, in the left-hand menu, next to ‘Visibility,’ you can click on ‘Public.’

In the popup that appears, let’s click on ‘Password protected.’

You can now type your password into the field that shows ‘Use a secure password’ by default. All visitors will use the same password to access your Contact Us page.

Once you’ve done that, you can either update or publish your page as normal.

Now, whenever someone visits your ‘Contact Us’ page, they’ll be asked to type in the password.

Once they’ve entered the password, the visitor can click on the ‘Submit’ button and use your contact form as normal.

There are a couple of drawbacks to this method.

First, your contact page will show a default message that isn’t easy to customize.

Second, this method will password-protect your entire Contact Us page and not just your form. This could be a problem if this page has some content that should be visible to all users, such as FAQs, your postal address, or your business phone number.

Password Protecting Your Form Using a WPForms Addon

If you are using the Pro version of WPForms, the Form Locker add-on lets you password-protect the form itself, not your entire ‘Contact Us’ page.

To install Form Locker, simply go to WPForms » Addons. You can then find the Form Locker Addon and click its ‘Install Addon’ button.

WPForms should install and activate this addon automatically.

Next, you can head over to WPForms » All Forms and find the form you want password-protected, and click on its ‘Edit’ link.

In the left-hand menu, you’ll want to select Settings » Form Locker. You can then turn on the ‘Enable verification’ toggle.

WPForms will now show some fields where you can type in the password you want to use and the message you’ll show visitors.

Your ‘Contact Us’ page will now be visible to all users, with just the contact form hidden.

In the following image, you can see an example of how your form will look before the visitor enters the password.

Showing Your Contact Page Only to Registered Users

You can also only let users access your contact form if they’ve registered on your site.

In the ‘Form Locker’ tab of WPForms, you can enable the ‘Logged in users only’ toggle under Form Restrictions. That way, the form can only be viewed by logged-in members.

This is a great option if you want to offer a specific service to members only. There are several great membership site plugins that you could use to do this.

6. Block Spam IP Addresses

If you notice malicious behavior from specific IP addresses, blocking them could be a necessary security measure to prevent potential spam or attacks. It’s a great way to block spammers who may have bypassed your CAPTCHA.

Every user who comments on your site automatically leaves behind an IP address. So, you may see a pattern where you repeatedly find similar IP addresses spamming your site. In that case, you can easily blacklist these IP addresses.

All you have to do is go to Settings » Discussion in your WordPress dashboard.

From there, in the ‘Disallowed Comment Keys’ field, you’ll need to type all of the IP addresses that you want to block in the text field. Make sure to include only one IP address per line. ‘

For more details, you can see our guide on how to block IP addresses in WordPress.

7. Restrict Entries By Country

If you consistently receive spam submissions from specific countries, then you can block entries from those countries. If your website operates in a specific region, restricting access from other countries will ensure you only receive relevant inquiries.

The good news is that WPForms has a country filtering feature in its advanced spam-blocking methods. Under Settings » Spam Protection and Security, you can toggle on the ‘Enable country filter.’ From there, you can choose to allow or deny specific countries.

Once you have added those countries to the deny list, you can customize the message those users will receive.

8. Block Specific Email Addresses on Your Form

Blocking spam from human visitors can be tricky since you’ll need to deploy multiple strategies to stop them in their tracks.

If you notice a common theme of specific email addresses that continually visit your contact forms, then you can manually block them.

Just head over to your contact form and click on the ‘Email’ field. Under ‘Advanced Options’ when editing the field, you can add a list of denied email addresses.

In the text box, just type in the email addresses from which you’d like to stop submissions. You can type in the complete email or use an asterisk (*) to allow for a partial match.

The feature is incredibly powerful since you can create partial matches in various formats. For example, here are several examples you can experiment with:

• spammer@spamcompany.com – This is where you block the exact match of the specified email address.
• spammer* – Using this filter will prevent submissions from emails that start with that name.
• *@spamcompany.com – This blocks all email addresses from that domain.
• a*spamcompany.com – You can block email addresses that begin with a specific letter for that given domain.
• spammer@spamcompany.com, spammer2@spamcompany.com – If you know all of the names for that email address, you can add them with a comma between each or add a new line for each email.

If you are also looking to block temporary and spammy email addresses, then see our guide on how to block disposable email addresses in WordPress.

9. Filter Out Spammy Keywords and Profanity in Your Contact Form Submissions

Human visitors may enter all kinds of keywords or phrases to promote their products or links when submitting spam through your contact form.

To deal with this, you can block spammy keywords in your contact form. All you have to do is toggle on the ‘Enable keyword filter’ setting, which is located on the Settings » Spam Protection and Security page.

Then go ahead and click on ‘Edit keyword list.’

Go ahead and enter the list of keywords that you want to be blocked from contact form entries.

You may want to consider keywords related to financial scams, adult content, or health-related scams.

Once you’ve entered your banned keywords, just click ‘Save Changes.’

We hope this article has helped you learn how to block contact form spam in WordPress. You may also want to see our complete WordPress security guide or our expert picks of the best online form builders for WordPress.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.