8 Easy ways to protect your WordPress website from spam

Table of Contents


For website owners, comment and message spam isn’t anything new. If your website ranks good for certain keywords, people who have put lesser effort into their SEO try to take advantage of your website’s ranking by spamming the comment section with backlinks.

Spamming contact forms, on the other hand, is more of an automated procedure performed through spamming bots. Also, backlinking isn’t their primary purpose. Instead, their objective is to find vulnerabilities in your website, which can be exploited to gain access to your digital asset and extract valuable data like email addresses.

Fortunately, WordPress regularly updates its security protocols to fix any existing vulnerabilities with every new release. However, just relying on WordPress’ security protocols to block the spam messages isn’t enough, and some other measures also need to be put in place.

Let’s have a look at following proven methods that can help you combat spam contact form submissions.

Honeypot spam fields

WordPress based websites rely on different plugins for functionality, including the contact form feature. Regrettably, only a few contact form plugins have protection against spam. But they are also quite challenging to set up and in some cases, aren’t even very reliable.

So, when selecting a contact form plugin to add to your website, act smart and look through some of the reviews of the one you chose. Opting for a plugin that comes with honeypot protection is highly recommended.

For those who don’t know, honeypot protection is an inbuilt security feature that adds an invisible input field in a contact form. The field cannot be seen by people who are genuinely trying to contact you through the form. But when a bot tries to send your website a spam message, it will find the honeypot field as part of the contact form and will fill it. The field is detected as carrying data at the time of submission, and the form is rejected and marked spam instead.

If you’re looking for a contact form plugin that provides security, the WPForms, Gravity Forms and Contact form 7 plugins comes with honeypot anti-spam feature enabled. It is also one of the most used contact form plugins for WordPress based websites and is quite easy to setup.

Enable ReCaptcha Checkbox

Another more straightforward and easier way to avoid spam is to enable the ReCaptcha checkbox on your contact form plugin. Almost all known contact form plugins have ReCaptcha which can easily be activated from the settings. To enable it on the WPForms for your website: 

  • You’ll have to go to its settings and access the ReCaptcha tab. 
  • From there you’ll select the ‘Checkbox reCaptcha v2’. You will also be asked to enter a Secret Key and a Site Key which you can find on the admin console of Google’s ReCaptcha setup page. 
  • To get them, you’ll have to register your website with Google by merely following the instruction presented on screen. 
  • After you’ve followed all the steps correctly, the Site Key and Secret Key will be displayed which you can copy and paste on the WPForms settings page.
  • Click save settings option shown at the bottom of the page then go to form builder in WPForms. 
  • As you click on the ReCaptcha field, a pop-up message will appear indicating that the ReCaptcha has been enabled.

Now, any time anyone has to contact you using the form, they’ll have to prove that they are human by clicking on the ReCaptcha checkbox before submission. Spamming bots cannot do that, so this step really eliminates a lot of potential spam from reaching your inbox.

Using The Invisible ReCaptcha

The only problem with ReCaptcha checkbox is that some of your website visitors might feel offended with a checkbox asking them to prove if they are humans. If that’s the type of visitors, you get on your website, adding invisible ReCaptcha would be a better option.

It works in a similar way, only at the time of submission, there’s no checkbox for the visitor to click. Instead, Google’s algorithms analyze the data inserted in the fields to determine if it was submitted by a human or a bot. The visitor is presented with a ReCaptcha verification.

To enable this, you need to choose the ‘Invisible ReCaptcha Badge’ when registering your website. Instead of the ‘I am not a robot’ checkbox. Next, you follow the same steps as before. Access your form builder through the dashboard and click on the Invisible ReCaptcha.

Once it is enabled, you can see the ReCaptcha logo on the bottom right of the contact form page of your website.

The Custom Captcha

Since the previous two options mentioned are powered by Google, there is a very likely chance that it collects data to improve Google’s services (or so they say). If privacy is a concern for you and your visitors or if your website handles loads of critical data of its visitors, the custom captcha option might be more suited for you.

The feature comes as a WPForms add on and is only available to Pro users. So, if you’re using WPForms lite (the free version) on your website, unfortunately, you’re only limited to Google’s ReCaptcha tool.

But if you’re using the pro version of the WPForms, you can use this add on to create custom questions as part of the form submission verification process. To get this option:

  • You need to access the WPForms from the dashboard and go to addons. 
  • From there you can find the custom captcha addon and click the installation button.
  • After it has been installed, you can add it to your contact form through the form builder. 
  • The Captcha field can be found under the Fancy Fields. From there, you can drag it onto your form, and it’ll be enabled.
  • While you can create a list of custom questions and answers for your form, it is recommended to leave it at the default math setting. 

The WPForm will randomly generate math problems that the user will have to answer to successfully submit the form.

Members-only contact forms

Perhaps, the best way you can avoid spam form submission is to make your form invisible to bots, literally.

Now, this solution may not be ideal for all websites, but if your website is membership-based and requires users to register in order to gain access, it will work for you.

You can password protect your contact page to make it visible to your website members only. The simplest way to go about it is to change the visibility settings of your contact page to ‘Password Protected’ through publishing settings. You’ll have to create a password, which will be the exact same for all your members. You can share the password with your users through email or however you see fit. Anytime someone clicks on the ‘Contact Us’ page on your website, they’ll be asked to enter the password to access it.

Another, more secure way of doing this is through one of WPForms addons. Again, this is only accessible to Pro users. Follow the same steps as you did to install Custom Captcha Addon. But this time you have to install Form Locker instead.

Now, edit your contact form and go to its settings to find Form Locker option. You’ll see a checkbox that reads ‘Enable Password Protection’. Click it, enter a password and a custom message. That’s it!

And lastly, you can use one of the many WordPress membership site plugins to hide contact form or other parts of your website and make them only visible to logged-in users.

The Antispam Plugins

WordPress developers know how heavily the platform relies on plugins to provide added functionality to websites, including protection against spam. Some of the top plugins for the purpose include the likes of Akismet, WangGuard, WordPress Zero Spam, Anti-Spam Bee, etc. While they all offer protection against spam, each of them differs somewhat in terms of functionality.

Moreover, these anti-spam plugins work much better toward keeping your website protected against spam comments than spam form submissions. However, do not consider them useless. Instead, you can treat them as an added layer of protection over the methods already mentioned above. Also, before installing any of these plugins on your website, make sure that they support your chosen contact form plugin, else all would be in vain.

The plugins might also not work if your website was designed using Elementor, Divi or any other page builder as they use require addons like elements for such functionality.

Disable Copy-Paste Function

Disabling the copy-paste function (the right-click function to be exact) is also a simple and effective way of keeping your contact form protected against spam submissions. The one drawback of this option is that it only discourages human spammers. Unfortunately, spambots will still be able to fill spam your form.

However, if you do want to pursue this method, there are two ways to go about it. 

  • First one is to add a small piece of code to your website to disable the right-click functionality on all your pages. It can be added to each post individually to disable right-click or in the theme footer to disable it throughout the website.
    <script type=”text/JavaScript”>// <![CDATA[ function killCopy(e){ return false; } function reEnable(){ return true; } document.onselectstart=new Function (“return false”); if (window.sidebar){ document.onmousedown=killCopy; document.onclick=reEnable; } // ]]></script>
  • The second one is, of course, through a plugin. Going the plugin route is easier and doesn’t require any coding know-how or technical expertise. You can use WP Content Copy Protection & No Right Click and Disable Right Click For WP.

Again, this method is not very useful, but the silver lining, if you want to see here, is that disabling right-click can save your website’s content to an extent from being copied.

Blocking IP Addresses

Finally, as a last resort, you can opt for blocking traffic from specific IPs or locations to prevent contact form spam. Before you go for this, however, make sure you screen all your spam form submissions pinpoint most common locations or IPs being used to send you spam submissions.

Once you have listed out these IPs and locations, you can blacklist them or block them using your website’s cPanel, WordPress settings, security plugins or through your web host. Bear in mind though that you will also lose any legitimate traffic from the locations that you blacklist. If you’re getting genuine heavy traffic from any suspected location, we advise that you leave that location stay active, so you don’t lose any leads.

Final Words

All of the methods shared above are foolproof and can drastically lower the number of spam messages your website may be receiving on a monthly basis. However, keep in mind that these methods will not completely eliminate spam from appearing in your inbox. If you have any questions regarding this post, feel free to reach out to us in the comments.

Share this post