How To Stop Contact Form Spam (CAPTCHA and Alternatives)

Editorial Note: We may earn a commission when you visit links on our website.
How To Stop contact Form Spam

Do you want to stop contact form spam once and for all?

Contact forms are a user-friendly and convenient way for your users to get in touch with you. But while these forms can protect your email address from being skimmed by spammers, online forms attract spam problems of their own.

Why Stop Contact Form Spam?

Contact form spam is a common problem for many website owners when spammers use the form for malicious purposes.

Rather than using the form for genuine contact, the spammer will use it to send unsolicited sales messages, phishing emails, or links to malicious websites.

Phishing Email

In most cases, these spam messages are sent only to the email address you’ve set up to receive messages from your contact form. However, this doesn’t mean that you can safely ignore them, even if they seem harmless.

The Dangers of Contact Form Spam

Spam from your contact form is not only annoying, but it can pose a security risk to your business, potentially damage your domain reputation, and cause financial harm.

Drain on Resources

Spam emails can be a significant drain on time and staff resources if you can’t automatically filter genuine contact messages from the spam.

If spambots are targeting your web forms with hundreds or thousands of messages in a short time frame, this will also put strain on your website’s resources, potentially slowing down your site or putting it at risk of going down entirely.

If you’re using an SMTP or transactional email provider with monthly sending limits, these spam emails will eat into your allowance. If you hit your sending limits prematurely, your site could stop sending emails or you might be automatically upgraded to a more expensive plan.

Security Risks

While spam is often more annoying than truly harmful, some spam messages are sent with malicious intent. 

Cybercriminals can use your contact forms to send you malware or execute phishing attacks. In some cases, forms can be hijacked to also send these malicious emails to other users.

Damage to Domain Reputation

Spambots may use lists of purchased or scraped email addresses and submit these via your contact form. If you have automated form submission notifications set up on your form, this will then trigger an email to a real user.

Sender Reputation

When these users receive unsolicited emails from your site, they may mark them as spam, which can damage your domain reputation. Additionally, emails that are no longer in use can cause your form notifications to bounce back. Both of these factors can affect your email deliverability and could even result in your domain being blacklisted.

How To Stop Contact Form Spam 

Now you understand why it’s so important to stop contact form spam (or preferably, prevent it from the start) you’ll be relieved to hear that there are plenty of easy options for protecting your forms from spam.


Adding a CAPTCHA to your form is a quick and easy way to protect it from attacks from spambots.

A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a test designed to be very easy for humans to complete but very difficult for bots.

CAPTCHAs come in various formats, including text-based puzzles and text and image recognition tasks.

Integrating CAPTCHA services into your website forms is a straightforward process, often involving just a few lines of code. Many of these services are integrated into various plugins and web platforms, making it easy for you to enhance your form security. 

Two of the most popular free CAPTCHA services are:


Google’s reCAPTCHA is one of the most widely used CAPTCHA services due to its effectiveness and ease of integration.

reCAPTCHA is currently available in various forms. reCAPTCHA v3 automatically detects bots without any human interaction. reCAPTCHA v2 (commonly known as the “I’m not a robot” checkbox) displays a checkbox for humans to tick.

In some cases, just clicking the checkbox is enough to verify but users may be asked to complete an image verification task. These tasks usually display an image in a grid to users and ask them to select the grid squares that contain items such as vehicles or street signs.


hCAPTCHA is a popular alternative to Google’s reCAPTCHA, focusing on user privacy and data protection. It functions similarly by presenting challenges that are easy for humans but difficult for automated systems to solve. 


Some anti-spam services and form plugins, such as WPForms, also provide a custom CAPTCHA option. This allows you to set up your own challenges such as math problems for visitors to solve or specific questions to answer before they can submit a form.

WPForms Custom Captcha

2. Use CloudFlare Turnstile

Turnstile by Cloudfare is an anti-spam alternative to using a CAPTCHA. Like hCAPTCHA, it has a focus on privacy but is designed to be more unobtrusive for the user.

Turnstile automatically checks for bot behavior without any input needed from the user in most cases. Because it doesn’t use visual puzzles, it eliminates some of the usability issues associated with traditional CAPTCHAs, which can be problematic for users with visual impairments.

3. Add a Honeypot Field

A honeypot is a hidden field in your form that spambots will fill out but genuine users won’t. If you receive any form submissions with a completed honeypot field, you’ll know they were submitted by an automated bot rather than a human user.

However, most modern spambots are sophisticated enough to recognize honeypot fields these days, so we don’t recommend relying on this form of spam protection.

4. Filter Spam Keywords and Email Addresses

If you’re receiving a lot of form spam with certain keywords such as pharmaceuticals, you can set up a filter on your form to block any submissions that contain these keywords.

You could also set up a filter to block email addresses from a certain domain. You should be careful with this approach as you can end up blocking genuine users, however, you can easily block repeat offenders if you’re receiving a lot of spam from overseas domains, for example.

5. Stop WordPress Form Spam With a Plugin

WordPress site owners suffer from form spam as much as any other type of website

One of the most effective and user-friendly solutions is to use a form plugin like WPForms, which offers a powerful form builder with built-in options to prevent spam submissions.

Stop contact form spam with WPForms anti-spam form builder

WPForms offers a set of spam-protection tools including:

  • Form tokens (default)
  • Akismet
  • reCAPTCHA (v2 and v3)
  • Captcha
  • Cloudflare Turnstile
  • Custom Captcha
  • Country filter
  • Keyword filter

All the anti-spam features are quick and easy to activate and configure from within the plugin settings.

Accessing WPForms spam settings

For more advice on configuring the anti-spam settings in WPForms and preventing form spam in WordPress, take a look at this guide to preventing WordPress form spam.

You can also check out our guide to protecting your site from Spam for some other WordPress and non-WordPress anti-spam plugin suggestions.


Why is my contact form getting spammed?

Your contact form is getting spammed because it’s accessible to both humans and automated bots that scour the internet looking for forms to submit. These bots are programmed to send spam for various reasons, including advertising, phishing attempts, or spreading malware. However, you can prevent this with a CAPTCHA, honeypot fields, or other spam prevention measures

How do I prevent contact form spam without CAPTCHA?

To prevent contact form spam without relying on CAPTCHA, you can use an alternative method such as a honeypot field, Cloudflare Turnstile, email and keyword filtering, or an anti-spam form plugin such as WPForms.

How can I prevent registration form spam?

To prevent registration form spam, it’s best to use multiple form protection methods such as a CAPTCHA or invisible reCAPTCHA to differentiate between human users and bots and form validation to ensure only legitimate and correctly formatted data is submitted.

What is the WordPress plugin for contact form spam?

Several WordPress plugins are specifically designed to help combat contact form spam. One of the most popular plugins is WPForms, which as well as being a comprehensive form builder, includes various anti-spam protection features including Google’s reCAPTCHA and hCAPTCHA, keyword and country filters, and form tokens. Akismet is another popular option, which offers protection for contact forms by automatically checking form submissions against its global database of spam.

What is the difference between reCAPTCHA and hCaptcha?

reCAPTCHA, developed by Google, and hCaptcha both serve as CAPTCHA systems to differentiate between humans and bots. hCaptcha has more of a focus on privacy, while Google uses data collection from its CAPTCHAs to build its AI models.

That’s it! Now you know how to stop contact form spam

Next, would you like to learn about managing your suppression list? Adding email addresses to your suppression list can prevent SendLayer from sending emails to addresses that could damage your sender reputation. See our tutorial on suppression lists for more information.

  • 200 Free Emails
  • Easy Setup
  • 5 Star Support

Ready to send your emails in the fastest and most reliable way? Get started today with the most user-friendly and powerful SMTP email delivery service. SendLayer Business includes 5,000 emails a month with unlimited mailing lists and premium support.

Add a Comment

We're glad you have chosen to leave a comment. Please keep in mind that all comments are moderated according to our privacy policy, and all links are nofollow. Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.

This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

0 comment on "How To Stop Contact Form Spam (CAPTCHA and Alternatives)"