Stop WordPress Contact Form Spam [6 Easy Methods + Cloudways Solution]

Updated on March 11, 2026

WordPress Contact Form Spam

Key Takeaways

  • Invisible tools like honeypot fields and Cloudflare Turnstile block automated scripts without frustrating your real visitors.
  • Dedicated anti-spam plugins and keyword filters automatically reject known malicious IPs and disposable email domains.
  • Deploying a Web Application Firewall stops aggressive botnets at the network edge before they consume your server resources.

Setting up a basic contact page is an easy task. Keeping it secure is an entirely different challenge. Within hours of going live, automated scripts start targeting your input fields with fake URLs and promotional text.

This automated activity creates real problems for website owners. Your server wastes resources processing the junk data. Your email provider flags the incoming garbage. Eventually, sorting out genuine client messages from the fake ones becomes a daily chore.

The solution is building a filter that blocks scripts without annoying your actual visitors. You need tools that confirm a user is a real person in the background.

In this guide, we will explain how to reduce contact form spam in WordPress. We will look at multiple methods to protect your site, ranging from hidden form fields to the security solutions Cloudways offers.

Let’s get started…

What is Contact Form Spam?

Contact form spam is fake submissions through your website’s input fields. Bots send most of it; occasionally it’s a person. The content is usually promotional links, phishing URLs, or gibberish: whatever the script was set up to dump in.

The bots aren’t after you specifically. They scan the web for unprotected fields and hit everything they find, which means your contact page, comment section, and registration forms are all fair game. It’s the same automated noise hitting millions of sites.

For you, that means junk in your database, fake inquiries buried in your inbox, and comment sections that need babysitting. Manageable at low volume, genuinely tedious once it picks up.

Why You Need Form Spam Protection

An unprotected input field causes more trouble than a cluttered inbox.

The obvious risk is security. Bots probe your forms for vulnerabilities, looking for ways to inject malicious code or push phishing links through. It’s rarely sophisticated, but it doesn’t need to be. Volume is the strategy, which is exactly why strong form protection matters early on.

Email deliverability is the quieter problem. When your server forwards hundreds of junk submissions to your inbox, Gmail and Outlook start forming opinions about your sending reputation. Eventually your legitimate emails (replies to clients, order confirmations) start landing in spam. That’s a hard hole to dig out of.

Then there’s the operational drag. Your database fills with garbage entries that skew your analytics. Someone on your team ends up manually clearing fake leads instead of following up with real ones. None of it is dramatic, but it compounds.

Good spam filtering stops all three. It’s less about the inbox and more about keeping the rest of your site from quietly degrading around it.

How to Stop Contact Form Spam in WordPress (Tested Methods)

The methods below range from simple hidden fields to plugins that filter bad traffic automatically. None of them require making your form harder for real people to use.

Method 1: Honeypot Fields

First up is the honeypot method, which adds a hidden field to your form. Visitors never see it, so they leave it blank. Bots fill out every field they find in the page code, so when one touches the hidden field, the submission gets blocked automatically.

No puzzles, no image clicks, no friction for your users.

To show you how this method works, we’ll use WPForms:

WPForms All Forms menu in WordPress

  • Find the form you want to protect, hover over it, and click Edit

Edit option for a specific form in WPForms

  • Once inside the builder, go to Settings and look for the Spam Protection and Security tab

WPForms Spam Protection and Security settings tab

  • Switch on Enable modern anti-spam protection

Toggle to enable modern anti-spam protection in WPForms

  • Save your changes

If you’re using Gravity Forms or Contact Form 7, both have honeypot options built in. Check the form settings panel under security or spam prevention. It should be there, either native or as a free addon.

Method 2: Minimum Submission Time

Bots fill out forms in milliseconds. A real person, on the other hand, takes a few seconds to read the fields, type a message, and hit send.

Setting a minimum time threshold uses that difference to filter out automated scripts. Anything submitted too fast gets blocked before it reaches your database.

While we’re in WPForms, here’s how to set a time limit:

  • Open your form and go to Settings, then Spam Protection and Security
  • Toggle on Enable minimum time to submit
  • Set the threshold to 3 or 4 seconds
  • Save

Enable minimum time to submit setting in WPForms

Any submission sent before that time limit is reached gets flagged and rejected automatically.
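The server-side logic behind Methods 1 and 2, as an added example that is not WPForms code or part of the original article. It is a standalone Python sketch; the field names, the secret and the upper age limit are assumptions, and the render time is HMAC-signed so a script cannot simply claim it waited.

```python
import hashlib
import hmac
import time

# Assumptions for this sketch (none of these names come from WPForms):
SECRET = b"constructed-demo-key"   # per-site secret, kept server-side
HONEYPOT_FIELD = "website_url"     # hypothetical decoy field, hidden via CSS
TOKEN_FIELD = "form_token"         # hypothetical hidden field set at render
MIN_SECONDS = 3                    # the article suggests 3 or 4 seconds
MAX_SECONDS = 3600                 # reject stale tokens to limit replay


def _sign(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None):
    """Value for the hidden token field, created when the form is rendered."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_sign(ts)}"


def check_submission(fields, now=None):
    """Return (accepted, reason) for a submitted form given as a dict."""
    now = time.time() if now is None else now

    # 1. Honeypot: visitors never see the decoy, so any value means a script.
    if fields.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot_filled"

    # 2. The render time must be signed by the server; otherwise a script
    #    could claim the form was opened a minute ago.
    ts, _, sig = fields.get(TOKEN_FIELD, "").partition(".")
    if not (ts.isascii() and ts.isdigit()):
        return False, "bad_token"
    if not hmac.compare_digest(sig.encode(), _sign(ts).encode()):
        return False, "bad_token"

    # 3. Minimum time to submit, with an upper bound on token age.
    elapsed = now - int(ts)
    if elapsed < MIN_SECONDS:
        return False, "too_fast"
    if elapsed > MAX_SECONDS:
        return False, "token_expired"
    return True, "ok"


if __name__ == "__main__":
    token = issue_token(now=1_700_000_000)  # constructed render time
    bot = {TOKEN_FIELD: token, HONEYPOT_FIELD: "http://spam.example"}
    human = {TOKEN_FIELD: token, "message": "Hello"}
    print(check_submission(bot, now=1_700_000_001))
    print(check_submission(human, now=1_700_000_012))
```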

Method 3: Add CAPTCHA Verification

Visual CAPTCHAs that force visitors to identify crosswalks or decipher distorted letters actively hurt conversion rates. The most effective contact form spam prevention relies on verification processes that run entirely in the background.

If your goal is to stop spam submissions from a WordPress contact form, invisible challenges are the industry standard.

Cloudflare Turnstile

Cloudflare Turnstile is a privacy-focused alternative to traditional verification services. It runs a series of lightweight, non-interactive challenges in the browser to confirm a visitor is human.

This process happens automatically as the user interacts with your page, eliminating friction while strictly blocking automated scripts.

To integrate Turnstile into your existing forms:

  • Log in to your Cloudflare dashboard and generate a new Turnstile Site Key and Secret Key for your domain. If you don’t know how to do this, go ahead and check out our how to add Cloudflare Turnstile to WordPress guide.

Cloudflare Turnstile Site Key and Secret Key generation

  • Open your WordPress admin panel and navigate to your form builder’s global settings. We’re using WPForms as an example.

WPForms Settings menu in WordPress

  • Locate the CAPTCHA integration menu, select the Turnstile option, and paste your keys.

Select Turnstile in WPForms CAPTCHA settings

Paste Turnstile Site Key and Secret Key in WPForms

  • Open the specific form you want to protect, insert the Turnstile field block, and save your layout.

Turnstile enabled indicator in WPForms form builder

Google reCAPTCHA v3

While older versions relied on manual checkbox clicks, Google invisible reCAPTCHA for WordPress (version 3) operates without any user interaction. It assigns a risk score to every visitor based on their background behavior across your site.

Submissions from users with a high bot probability score are automatically blocked or flagged for review.

To set up version 3:

  • Register your website in the Google reCAPTCHA admin console and select the v3 option.

Register website for Google reCAPTCHA v3

  • Copy the generated Site Key and Secret Key.

Copy Site Key and Secret Key from Google reCAPTCHA

  • Go to the CAPTCHA settings of your WordPress form plugin and paste the keys into the v3 fields.

Paste Google reCAPTCHA v3 keys in WPForms settings

  • Apply the reCAPTCHA setting to your individual forms and save the changes.

Apply reCAPTCHA settings in WPForms form builder
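What the form plugin does with the Secret Key happens on the server: the token from the browser is sent to the provider's siteverify endpoint, and the JSON that comes back decides the outcome. The sketch below is an added example (not WPForms code or part of the original article) that evaluates such a response for both Turnstile, which returns pass/fail, and reCAPTCHA v3, which adds a score from 0.0 to 1.0 where higher means more likely human. The thresholds, host name and sample responses are constructed assumptions.

```python
def decide(resp, expected_host, expected_action=None,
           block_below=0.3, allow_from=0.7):
    """Map a parsed siteverify JSON response to (decision, reason).

    Thresholds are assumptions for this sketch; tune them on real traffic.
    """
    # A failed verification covers bad, expired and already-used tokens.
    if resp.get("success") is not True:
        codes = ",".join(resp.get("error-codes", [])) or "unspecified"
        return "block", f"verification_failed:{codes}"

    # A token solved on another site must not be accepted here.
    if resp.get("hostname") != expected_host:
        return "block", "hostname_mismatch"

    # Optional: bind the token to the form it was issued for.
    if expected_action is not None and resp.get("action") != expected_action:
        return "block", "action_mismatch"

    score = resp.get("score")
    if not isinstance(score, (int, float)):
        return "allow", "challenge_passed"   # Turnstile: no score field
    if score < block_below:
        return "block", "low_score"
    if score < allow_from:
        return "review", "borderline_score"  # e.g. hold for moderation
    return "allow", "high_score"


# Constructed sample responses (not captured from a real site).
SAMPLES = [
    {"success": True, "hostname": "example.com", "action": "contact",
     "score": 0.9, "challenge_ts": "2026-03-11T10:00:00Z"},
    {"success": True, "hostname": "example.com", "action": "contact",
     "score": 0.5, "challenge_ts": "2026-03-11T10:00:05Z"},
    {"success": True, "hostname": "example.com", "action": "contact",
     "score": 0.1, "challenge_ts": "2026-03-11T10:00:06Z"},
    {"success": False, "error-codes": ["timeout-or-duplicate"]},
    {"success": True, "hostname": "other.example", "action": "contact",
     "score": 0.9, "challenge_ts": "2026-03-11T10:00:07Z"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(decide(sample, "example.com", "contact"))
```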

Method 4: Install a Dedicated Anti-Spam Plugin

Hidden fields and time limits will only get you so far. Scripts adapt, and when they do, your comment sections and registration pages are just as exposed as your contact form. Configuring individual rules for every input field on your site isn’t a sustainable fix either.

A dedicated plugin takes a different approach altogether. It connects your site to external databases that track malicious activity across millions of websites, routing all incoming submissions through one central filter instead of scattered form-by-form settings.

1. Akismet Anti-Spam

Akismet Anti-Spam plugin banner

  • Active Installations: 5+ Million
  • Rating: 4.7/5

Akismet Anti-Spam plugin statistics

Chances are Akismet is already sitting in your plugins folder. It cross-references every submission against a global record of known spam, then either bins the match or parks it somewhere you can look through later. Simple to set up, and it covers a lot of ground out of the box.

  • Activate Akismet from your WordPress dashboard

Set up Akismet account button in WordPress

  • Register an account when prompted and copy the API key

Copy Akismet API key from account dashboard

  • Paste the key into the plugin settings

Paste Akismet API key in WordPress settings

Akismet settings saved confirmation

  • Switch on the Akismet integration inside your form builder (we’re using WPForms)

Enable Akismet anti-spam protection in WPForms

2. Anti-Spam by CleanTalk

Anti-Spam by CleanTalk plugin banner

  • Active Installations: 200,000+
  • Rating: 4.8/5

Anti-Spam by CleanTalk plugin statistics

When bots are hitting your site in volume, your server takes the hit processing requests that go nowhere. CleanTalk sidesteps that by screening submissions remotely before they reach your database. Your server stays out of it entirely.

  • Install and activate Anti-Spam by CleanTalk

CleanTalk setup menu in WordPress

  • Check the box to accept the license agreement, then click the blue GET ACCESS KEY button. The plugin automatically generates and applies the key using your admin email.

Click GET ACCESS KEY in CleanTalk settings

  • Once the key populates, verify that the green checkmarks appear indicating protection is active across your forms, and click Save Changes.

Save changes in CleanTalk settings after verifying access key

3. Antispam Bee

Antispam Bee plugin banner

  • Active Installations: 700,000+
  • Rating: 4.8/5

Antispam Bee plugin statistics

Most spam tools send user data to outside servers to run their checks, which gets complicated fast if you’re operating under GDPR. Antispam Bee keeps everything local, using submission timing and IP validation to catch bots without passing anything externally.

  • Install and activate Antispam Bee

Activate Antispam Bee plugin

  • Go to Settings and open the plugin

Navigate to Antispam Bee settings

  • Under the Antispam filter section, check Trust approved commenters and Look in the local spam database.

Configure Antispam filter settings in Antispam Bee

  • Under the Advanced section, select the option to Delete existing spam after [X] days (e.g., set it to 15 or 30 days to keep your database clean).

Configure Advanced settings to delete existing spam

  • Click Save Changes.

Method 5: Filter Spam Keywords

Spam submissions tend to follow predictable patterns: promotional phrases, explicit language, and URLs dropped into message fields. Rather than analyzing visitor behavior, you can just block entries that contain specific words or links outright.

Most form plugins tie into WordPress’s built-in moderation system to handle this automatically.

For WordPress’s native filter:

  • Go to Settings, then Discussion in your dashboard

Navigate to Settings then Discussion in WordPress

  • Scroll down to the Disallowed Comment Keys box
  • Add the words, URLs, or IP addresses you want blocked, one per line. Common ones include things like “cryptocurrency” or “SEO services”

Add blocked words to Disallowed Comment Keys box

  • Save changes

If you use a builder like WPForms, this functionality is applied per form rather than globally:

  • Open your form and go to Settings, then Spam Protection and Security
  • Switch on the Keyword Filter toggle (you will need to upgrade to Pro version)

Enable Keyword Filter toggle in WPForms settings

  • Type in the words you want blocked, separated by commas
  • Click Save to apply the rule

Method 6: Block Disposable Email Addresses

Bots regularly get around standard email validation by using disposable domains like @mail.ru or @yopmail.com. These are throwaway addresses that exist purely to pass the “valid email” check without leaving a real trail.

Blocking them at the field level stops those submissions before they go anywhere.

Here’s how to set it up in WPForms:

  • Click on the Email field inside your form builder

Select Email field in WPForms builder

  • Open the Advanced tab in the left panel
  • Find the Allowlist / Denylist dropdown and select Denylist
  • Add the domains you want blocked, one per line, using an asterisk as a wildcard (for example, *@mail.ru or *@yopmail.com)
  • Save

Add disposable email domains to WPForms Denylist

Any submission using a blocked domain will hit a validation error and won’t go through.

Use Cloudways Bot Mitigation to Protect Your Contact Forms

Relying only on plugins means your server still does the heavy lifting for every fake request. If a botnet hits your site hard, processing all that junk traffic eats up your resources and slows things down for actual customers.

A better approach moves that defense off your WordPress installation entirely. Cloudways includes built-in tools that block malicious scripts at the server level, long before they even reach your contact form.

Server-Level Firewall and Fail2Ban

Every server on Cloudways comes with an Imunify360 firewall. Instead of waiting for a bot to load a specific page, it inspects traffic as it hits the server and automatically drops connections from known bad IPs.

Fail2Ban runs right alongside it. It watches your server logs for anything suspicious.

  • How it works: If an IP address tries to force its way in with rapid, repeated connections, Fail2Ban steps in and blocks it immediately.
  • The result: Automated scripts lose their ability to scrape your site or blast your endpoints with spam.

Cloudways Server-level bot protection features including Fail2Ban

Cloudways Cloudflare Enterprise Add-on

For maximum protection, we have integrated Cloudflare Enterprise directly in the Cloudways dashboard. This add-on functions as a Web Application Firewall (WAF) sitting between your server and the rest of the internet. It catches traffic at the network edge so bots never consume your bandwidth.

Going directly to Cloudflare for their Enterprise tier usually means signing a custom contract starting at thousands of dollars a month. Cloudways users get access to that exact same network starting at just $4.99 per month per domain.

Once activated, you gain access to a dedicated settings tab inside your Cloudways dashboard to control specific security thresholds. The Enterprise integration relies on several key features to stop spam:

  • Web Application Firewall: The WAF uses threat intelligence and machine learning to block emerging threats and zero-day vulnerabilities before they hit your forms.
  • Browser Integrity Check: It looks for missing or suspicious HTTP headers. This allows the system to easily block complex headless browser scripts built to bypass normal CAPTCHAs.
  • Rate Limiting: Proper rate limiting stops bots from overwhelming your endpoints. Cloudflare monitors IP requests continuously, giving you detailed control over WAF and rate limiting. If an IP exceeds 200 requests in 60 seconds, the system automatically applies challenges to stop aggressive form scraping.
  • ScrapeShield: This feature obfuscates email addresses on your website, preventing bots from harvesting them for future spam campaigns.

This setup neutralizes aggressive scrapers completely without annoying your real customers.
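The idea behind both Fail2Ban's log watching and the 200-requests-in-60-seconds rule can be reproduced offline against your own access log. The following is an added example, not Fail2Ban's or Cloudflare's implementation and not part of the original article: a sliding-window counter over combined-format log lines. The `/contact/` path, the IP addresses and the sample lines are constructed, and the log is assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: client IP, [timestamp], "METHOD path ..."
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')


def flag_noisy_ips(lines, limit=200, window=60,
                   method="POST", path_prefix="/contact/"):
    """Return {ip: time it first exceeded `limit` hits within `window` s}.

    Only requests with the given method and path prefix are counted; the
    default prefix is a hypothetical form endpoint.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing mid-log
        ip, stamp, verb, path = m.groups()
        if verb != method or not path.startswith(path_prefix):
            continue
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(ts)
        # Drop hits that have aged out of the window.
        while (ts - q[0]).total_seconds() >= window:
            q.popleft()
        if len(q) > limit and ip not in flagged:
            flagged[ip] = ts
    return flagged


def sample_log():
    """Constructed log lines: one scripted client and one human visitor."""
    fmt = ('{ip} - - [11/Mar/2026:10:00:{s:02d} +0000] '
           '"POST /contact/ HTTP/1.1" 200 512')
    bot = [fmt.format(ip="203.0.113.7", s=s) for s in range(10)]
    human = [fmt.format(ip="198.51.100.20", s=s) for s in (5, 45)]
    return sorted(bot + human, key=lambda line: line.split("[")[1])


if __name__ == "__main__":
    # A low limit so the small constructed sample triggers the rule.
    for ip, when in flag_noisy_ips(sample_log(), limit=5).items():
        print(ip, "exceeded the limit at", when.isoformat())
```

An IP that shows up here but was never challenged or banned is a sign that the edge or server-level rule is not matching the form endpoint.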

Cloudflare Enterprise Web Application Firewall and Rate Limiting settings in Cloudways

Vulnerability Scanning With Patchstack

Sometimes bots completely ignore your form fields and just exploit poorly written code instead. Outdated plugins are massive targets for script injection. Older versions of Contact Form 7 are famous for this.

To close these backdoors, Cloudways includes a WordPress vulnerability scanner powered by Patchstack.

  • Active Monitoring: This tool constantly checks your WordPress core, themes, and plugins against a live database of security flaws.
  • Instant Alerts: If a vulnerability pops up in your form builder, the scanner pings you right away inside your dashboard.

This gives you a critical head start to patch the software before an automated attack exploits it.

Cloudways Vulnerability Scanner powered by Patchstack

Wrapping Up!

Stopping contact form spam requires more than just hiding a field. While local plugin settings catch the most basic bots, automated scripts constantly evolve to bypass simple barriers.

The most effective approach combines form-level validation with robust server-side defenses.

By configuring honeypots and invisible CAPTCHAs alongside a Web Application Firewall on Cloudways, you block malicious traffic at the network edge before it ever impacts your database or clutters your inbox.

Q. How do I stop contact form spam in WordPress?

A. The most reliable approach is layering your defenses. Honeypot fields and invisible CAPTCHA handle most automated scripts, while a dedicated anti-spam plugin covers what slips through. If attacks are more serious, a Web Application Firewall blocks bots before they ever reach your site.

Q. How do I stop spam emails from my contact form?

A. Setting up a deny list in your form settings to block disposable email domains cuts out a large chunk of fake submissions. Pairing that with a keyword filter takes care of the promotional text that still manages to get through.

Q. Why is spam getting through my WordPress site?

A. Bots continuously scan the web for unprotected input fields. The moment they find one, they start submitting pre-loaded messages automatically. It has nothing to do with your site specifically; it is just automated scripts casting a wide net.

Q. Why do people spam contact forms?

A. The goal is usually to spread phishing links, plant malicious code, or drop backlinks to manipulate search rankings. The whole process is automated, with scripts hitting millions of sites at once to get results through volume alone.

Abdul Rehman

Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.
