My recommendations for stopping Contact Form 7 spam on WordPress websites
Spam is a huge issue with contact forms on WordPress websites. That’s not really an issue with WordPress per se, but rather with how easy it is for spam bots to find loopholes in many sites. Mind you, as the most popular free WordPress contact form plugin, Contact Form 7 is highly targeted. Spam contact form submissions can be a huge issue for WordPress websites with high traffic, receiving hundreds of spam emails each day. These are inconvenient and make it difficult to spot the genuine messages amongst a sea of spam.
One my clients recently complained about the amount of spam they were receiving through their Contact Form 7 contact form. I tested a range of methods to find the best solution, which I will share with you now. The best thing is, you don’t need to be a WordPress expert to use them.
Please note that I do NOT recommend you implement all of the methods suggested in this article. A WordPress website should be kept as clean and minimal as possible behind the scenes, and you shouldn’t install unnecessary plugins. Instead, I recommend using trial and error to experiment with these solutions – whether you’re a WordPress expert or a novice. Track how much contact form spam you receive after implementing one or two methods, and make changes until you’re happy.
Use Contact Form 7’s in-built anti-spam measures
You’ll find a lot of articles recommending CAPTCHA and quiz plugins that work with Contact Form 7. Most of these are actually unnecessary as it’s better to use the features already built into the Contact Form 7 plugin itself.
Simple quizzes are becoming a popular way to combat contact form spam. They work by asking the user a simple question such as “Which is bigger, 2 or 8?” (for anyone that struggles with maths, the answer is 8 by the way. I just checked). Bots won’t be able to answer this question, so the contact form can only be submitted by people who enter the correct response.
To add a quiz, edit your contact form and click the Generate Tag dropdown. Paste the shortcode that appears below into your contact form. It will look something like this:
[quiz capital-quiz “Which is bigger, 2 or 8?|8”]
Minimum Character Count
The client’s site I mentioned above received a lot of spam contact forms with 2 digit messages, usually a number. I have no idea what they were trying to achieve, but it’s obviously a popular type of spam at the moment.
If all your spam messages follow an obvious pattern, you can block them by setting up your contact form to block messages that meet this pattern. In this case, I used the Max and Min Length options in Contact Form 7 to require messages to be more than 20 characters long. Genuine enquiries will usually provide more than 20 characters, so this blocks bots without frustrating real users.
The Message/Comments field will look something like this:
[textarea* your-message minlength:20 maxlength:500]
Really Simple CAPTCHA
The Really Simple CAPTCHA WordPress plugin was created by the developer of Contact Form 7 so they work together seamlessly. The plugin allows you to add a CAPTCHA to your contact form to prevent bots from submitting forms on your WordPress website.
Once you have installed and activated Really Simple CAPTCHA, insert a CAPTCHA tag into your Contact Form 7 form (click the Generate Tag dropdown to see the available options and create a customised tag to paste into your form). It will look something like this:
Further instructions at http://contactform7.com/captcha/.
Please note that CAPTCHAs are becoming slightly old fashioned and are not great for user-experience. They also require particular features to be enabled on your server, which may not be in place for your WordPress website.
I would recommend adding a quiz first (see above), and only trying CAPTCHA if this doesn’t work. The two methods basically do the same thing – prevent automated bots from submitting your website contact form – so you shouldn’t need both.
Contact Form 7 Honeypot
Contact Form 7 Honeypot is a WordPress plugin that adds a hidden field to your contact form. Since the field is hidden, real users won’t complete it. However, spam bots won’t know this and will fill it in, allowing the website to recognise them as bots and block their submission.
After you’ve installed and activated the Contact Form 7 Honeypot WordPress plugin, use the Generate Tag option to create a honeypot shortcode to insert into your contact form. It will look something like this (Contact Form 7 recommend changing the ID to something unique, so you’d replace the example ID ‘213’ with something else):
Akismet has a reputation as the best WordPress anti-spam plugin, but not everyone knows that it works with Contact Form 7 as well as blog comments.
Once you have activated the Akismet WordPress plugin and followed the on-screen instructions to add your API key (free for non-profit-making websites, small monthly fee for business sites), you need to do a bit of extra configuration to make it talk to Contact Form 7 – see here.
In my tests, Akismet stopped about 70% of the Contact Form 7 spam but not all of it, but it worked well in conjunction with some of the other solutions mentioned in this article.
The Bad Behavior WordPress plugin uses advanced methods to block spammers from your WordPress site. While it isn’t specific to Contact Form 7, it combats spam more widely to prevent spammers from reaching your contact form. The recommendation is to use this plugin for WordPress websites with a spam problem, in conjunction with some of the other methods described in this article.
If you use this plugin then it’s particularly important to test the website after installing it. Some features, such as social login, may not work if certain elements of the Bad Behaviour plugin are activated. You may need to do some tweaking to get it right. However it can really help with Contact Form 7 spam and even more general spam.
What worked for me?
All WordPress websites receive spam in slightly different ways, so what works for one website may not work for another.
When I had to stop Contact Form 7 spam on a recent site, I immediately achieved a reduction in spam by using Akismet. The spam messages reduced from dozens per day to 2-3 per day.
I fixed the problem completely by combining Akismet with the Contact Form 7 Honeypot plugin, a quiz, and a minimum character count. If this hadn’t fixed the spam problem then I would have continued using trial and error to experiment with the other methods described in this article. You can do this whether you’re a WordPress expert or a beginner, and it can make a real difference to your contact form spam – saving you/your client a lot of headaches!