Stop WordPress Contact Form Submission Spam

Contact form spam is a problem almost as old as the existence of contact forms online. It’s super easy for spammers to write a script that looks for your website’s contact form, automatically fills in the required fields, and triggers the submit button without a human ever visiting your website.

Laptop screen with the reCAPTCHA I'm not a robot verification.

The popularity of WordPress as a website hosting solution magnifies this problem, because it allows spammers to identify the pattern of where WordPress stores contact forms and how those contact forms are structured. A little trial and error and a spammer quickly has a recipe for searching for millions of contact forms that all look the same.

I’ve implemented a number of solutions designed to prevent this type of spam over the years. The most familiar one is likely some version of the “I am not a robot” test where you check a box or need to pick from a selection of images where it is virtually impossible to find the thing you are prompted to look for. I dislike these solutions because they penalize the real people who are trying to contact me.

There is a better contact form spam prevention tool that works 99% of the time.

The recent rise of Artificial Intelligence tools for generative content brought with it a massive increase in contact form spam promising lots of automatically generated content. Some days I was getting dozens of these messages via my contact forms. It turns out the solution was hiding in plain sight.

I use the CoBlocks plugin as part of my WordPress install, which includes a Gutenberg block for creating forms. You don’t need to use this plugin to take advantage of this solution, but if you do, it’s a quick way to implement this contact spam blocking solution.

In the right-hand Block configuration menu of any form you create with CoBlocks, there is a section for Google reCAPTCHA. It looks like the screenshot below.

Screen shot of the Google reCAPTCHA settings in a form from the CoBlocks WordPress plugin

To use Google reCAPTCHA, you need to set up your WordPress domain with this Google service. At the time of this writing, the link to “Generate keys” doesn’t go to the correct location. You need to go to this Google webpage.

If you don’t already have a Gmail account, you will need to create one and then sign in to the page. After that you can set up your domain to get protected from contact form spam. On the main screen, you click the ‘+’ button to add a domain to your account.

screen shot highlighting the button used to add a domain to the Google reCAPTCHA service

From there you can add your domain. Google is currently pushing Enterprise Google Cloud integration, but you don’t actually need this in most cases. Switch to creating a classic key to set up your domain.

Now you are ready to create your Google reCAPTCHA by completing all the items on the form. I recommend using reCAPTCHA v3 because it doesn’t require your real website visitors to do anything in terms of verifying that they are a real human.

Screenshot of the form required to setup a domain for using Google reCAPTCHA

After clicking the submit button, Google will provide you with the site key and secret key values required to make reCAPTCHA work with your form. Paste those two values into the correct box in the CoBlocks Form configuration, save them, and your form is now automatically protected.

If your specific contact form solution doesn’t include this automatically, there is a way to add JavaScript to your website that allows you to include reCAPTCHA on the page.
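As an added example (not code from this post or from CoBlocks), here is what a manual reCAPTCHA v3 integration involves: the browser requests a token with the site key, and the server checks that token with the secret key before accepting the message. The key placeholder, action name, hostname, score threshold and hidden field are assumptions, and the server half is written in JavaScript for illustration; on a WordPress site the same check would run in PHP.

```javascript
// Added example. SITE_KEY, ACTION, HOSTNAME and MIN_SCORE are assumptions.
const SITE_KEY = "YOUR_SITE_KEY"; // placeholder: public key, safe to ship to browsers
const ACTION = "contact_form";    // assumed action name, checked again on the server
const HOSTNAME = "example.com";   // placeholder for the domain registered with reCAPTCHA
const MIN_SCORE = 0.5;            // assumed threshold; tune it against your own traffic

// Browser: fetch a fresh v3 token at submit time and send it with the form.
// The page must load https://www.google.com/recaptcha/api.js?render=YOUR_SITE_KEY
// and the form needs a hidden input named "g-recaptcha-response".
function protectForm(form, grecaptcha) {
  form.addEventListener("submit", (event) => {
    event.preventDefault();
    grecaptcha.ready(() => {
      grecaptcha.execute(SITE_KEY, { action: ACTION }).then((token) => {
        form.elements["g-recaptcha-response"].value = token;
        form.submit(); // programmatic submit does not re-fire this handler
      });
    });
  });
}

// Server: ask Google to score the token. The secret key never leaves the server.
async function fetchVerdict(secretKey, token) {
  const res = await fetch("https://www.google.com/recaptcha/api/siteverify", {
    method: "POST",
    body: new URLSearchParams({ secret: secretKey, response: token }),
  });
  return res.json();
}

// Server: accept or reject the submission, with a reason that can be logged.
function evaluateVerdict(verdict) {
  if (!verdict || verdict.success !== true) return { ok: false, reason: "token invalid or expired" };
  if (verdict.hostname !== HOSTNAME) return { ok: false, reason: "token issued for another site" };
  if (verdict.action !== ACTION) return { ok: false, reason: "token issued for another action" };
  if (typeof verdict.score !== "number" || verdict.score < MIN_SCORE)
    return { ok: false, reason: "score below threshold" };
  return { ok: true, reason: "accepted" };
}

// Constructed sample responses in the shape siteverify returns for v3.
const SAMPLE_HUMAN = { success: true, score: 0.9, action: "contact_form", hostname: "example.com" };
const SAMPLE_BOT = { success: true, score: 0.1, action: "contact_form", hostname: "example.com" };
const SAMPLE_REPLAY = { success: false, "error-codes": ["timeout-or-duplicate"] };
```

A form handler that skips the server-side check gains nothing from v3, because a script can post straight to the form endpoint without ever loading the page's JavaScript.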

Earlier in this article, I mentioned this blocks 99% of spam. This is because I do still get a spam message from my contact form every couple of weeks, but it is extremely rare at this point.