
How do I block spam form submissions on my website?

Spam bots flood contact forms with fake submissions, polluting your inbox and wasting your time. Here is how to stop them without hurting real user conversions.

Why Spam Form Submissions Happen

Automated bots scan the web looking for unprotected HTML forms. Once found, they submit them thousands of times per day — flooding your inbox with fake leads, creating junk CRM entries, and sometimes using your server's email sending capacity to relay spam.

Method 1: Google reCAPTCHA v3 (Recommended)

reCAPTCHA v3 runs invisibly in the background and gives each form submission a score from 0.0 (bot) to 1.0 (human). You can reject anything below 0.5.

**Setup:**

1. Register at [google.com/recaptcha](https://www.google.com/recaptcha)

2. Choose **reCAPTCHA v3** and add your domain

3. Copy your **Site Key** and **Secret Key**

4. Add the reCAPTCHA script to your page:

```html
<script src="https://www.google.com/recaptcha/api.js?render=YOUR_SITE_KEY"></script>
```

5. On form submit, get a token and send it to your server for verification

6. Server calls Google's API to verify the score

v3 is ideal because it never interrupts real users — no checkboxes, no image puzzles.

Method 2: Honeypot Fields

A honeypot is a hidden form field that real users never see or fill in (it is hidden with CSS). Bots, however, fill in every field.

```html
<div style="display:none; position:absolute; left:-9999px;">
  <label>Leave this field empty</label>
  <input type="text" name="website_url" tabindex="-1" autocomplete="off" />
</div>
```

On your server, if `website_url` has any value, reject the submission silently. This stops most simple bots with zero user impact.

Method 3: Time-Based Validation

Bots fill and submit forms instantly. Real users take at least 3–5 seconds. Record when the form page was loaded with a hidden timestamp field, and reject submissions that arrive in under 2 seconds.

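```javascript
// Client: set on page load
document.getElementById('form_loaded_at').value = Date.now();

// Server: check elapsed time when the submission arrives
const loadedAt = Number.parseInt(req.body.form_loaded_at, 10);
const elapsed = Date.now() - loadedAt;
// A missing or non-numeric field gives NaN, which must also be rejected
if (Number.isNaN(elapsed) || elapsed < 2000) {
  // Reject as bot
}
```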

Method 4: Cloudflare Turnstile (Free Alternative to reCAPTCHA)

Cloudflare Turnstile is a privacy-friendly alternative that works similarly to reCAPTCHA v3 but does not track users for advertising. It is free and integrates easily.

Register at [cloudflare.com/products/turnstile](https://www.cloudflare.com/products/turnstile/).

Method 5: WordPress Plugins

If you use WordPress with Contact Form 7, WPForms, or Gravity Forms:

  • **Akismet Anti-Spam** — Free, catches known spam
  • **WPForms + reCAPTCHA** — Built-in integration
  • **Antispam Bee** — Free, GDPR-friendly, no external API calls

Which Method to Use?

| Scenario | Recommendation |
|----------|---------------|
| WordPress website | Akismet + honeypot in your form plugin |
| Custom HTML form | reCAPTCHA v3 + honeypot |
| Privacy-conscious | Cloudflare Turnstile + time check |
| Maximum protection | All methods combined |

Combining honeypot + reCAPTCHA v3 stops over 99% of spam submissions without affecting real users.
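
The server-side half of Methods 1 to 3 combined, for Node.js 18 or later. This is an added example, not code from the original article. The `recaptcha_token` field name, the `action` and `hostname` options, and all function names are assumptions; `website_url` and `form_loaded_at` are the fields used above.

```javascript
const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

// Honeypot and timing checks on the parsed form body. No network call needed.
function localChecks(body, now = Date.now()) {
  // Any non-blank value in the hidden field means a bot filled it in.
  if (String(body.website_url ?? '').trim() !== '') return 'honeypot';
  // Missing, non-numeric, or future timestamps fail here as well.
  // The value comes from the client, so this only stops simple bots.
  const elapsed = now - Number.parseInt(body.form_loaded_at, 10);
  if (Number.isNaN(elapsed) || elapsed < 2000) return 'too_fast';
  return null;
}

// Decide on the JSON that siteverify returns (success, score, action, hostname).
function evaluateScore(result, { minScore = 0.5, action, hostname } = {}) {
  if (!result || result.success !== true) return 'verify_failed';
  // A token issued for another action or another site is not valid for this form.
  if (action && result.action !== action) return 'wrong_action';
  if (hostname && result.hostname !== hostname) return 'wrong_hostname';
  if (typeof result.score !== 'number' || result.score < minScore) return 'low_score';
  return null;
}

// Full check: cheap local tests first, then the call to Google.
// `secret` is the Secret Key from setup step 3. Keep it on the server only.
async function checkSubmission(body, secret, opts = {}, fetchImpl = fetch) {
  const local = localChecks(body);
  if (local) return { ok: false, reason: local };
  const res = await fetchImpl(SITEVERIFY_URL, {
    method: 'POST',
    body: new URLSearchParams({ secret, response: body.recaptcha_token || '' }),
  });
  const reason = evaluateScore(await res.json(), opts);
  return { ok: reason === null, reason };
}
```

Log the `reason` on the server and return the same response to the client in every case, so that rejected submissions stay silent.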
