Stopping spam submissions in Contact Form 7


If you’re running a WordPress blog, I’m sure you’ve seen a recent uptick in the number of spam submissions that have been coming through. Most of it seems to be Russian spam and the classic variants of “Hot singles in your area”.

The easiest way to take care of this is with a combination of two plugins. This is going to be specific to Contact Form 7 (CF7) but works with many of the different WordPress form builders.

Akismet

Akismet Anti-Spam is a great tool that you should already be using. After you install the plugin, go to their website and sign up for a free account; then you’ll be ready to activate Akismet on your blog.

The issue with Akismet is that it only protects two fields that are used on most forms: the name field (where the user puts their name), which is done with the akismet:author attribute [text* your-name akismet:author], and the email address field, with the akismet:author_email attribute [email* your-email akismet:author_email]. The downside of this is that it doesn’t protect the comment field, which is where most of the spam is going to come through. Most bots are going to enter some kind of randomly generated name and email address, which will get by.

WordPress Zero Spam

WordPress Zero Spam has been the silver bullet for me. This is a zero-config way to stop spam; I’ve seen blogs go from 20+ spam submissions a day to only legitimate submissions.

After installing the plugin, make sure that the checkbox for “Contact Form 7 Support” is checked, which it is by default, and you’re good to go!

This plugin was built on an idea from David Walsh, which adds a query string field to the form submission via JavaScript and then checks for the value on the server side. The idea here is that most of these “bots” aren’t really loading the page and submitting the form. They’re just crawling all of the pages trying to find common WordPress form signatures in the markup, filling out all of the fields and hitting the form endpoint. If the bots aren’t loading the JavaScript, their submission will always be rejected.
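The check described above, sketched as an added example for Node.js (this is not WordPress Zero Spam's code). It goes one step beyond the paragraph by signing and expiring the key so a scraped value cannot be reused indefinitely; the field name js_key, the secret, the one-hour lifetime and all function names are assumptions.

```javascript
// Added example: hypothetical names throughout, not the plugin's own code.
const { createHmac, timingSafeEqual } = require("node:crypto");

const SECRET = "constructed-demo-secret"; // assumption: per-site secret kept server-side
const MAX_AGE_MS = 60 * 60 * 1000;        // assumption: key valid for one hour

// Server: key = "<issuedAt>.<HMAC-SHA256(secret, issuedAt)>"
function issueKey(now) {
  const mac = createHmac("sha256", SECRET).update(String(now)).digest("hex");
  return `${now}.${mac}`;
}

// Server: script shipped with the page. Only a client that runs JavaScript
// ends up with the extra field; the static form markup never contains it.
function pageScript(key) {
  return `document.querySelectorAll("form.wpcf7-form").forEach(function (f) {
  var i = document.createElement("input");
  i.type = "hidden"; i.name = "js_key"; i.value = ${JSON.stringify(key)};
  f.appendChild(i);
});`;
}

// Server: decide whether a submitted field set may reach the mail handler.
function checkSubmission(fields, now) {
  const [issuedAt, mac] = String(fields.js_key || "").split(".");
  if (!issuedAt || !mac) return "reject: no js_key";
  const expected = createHmac("sha256", SECRET).update(issuedAt).digest("hex");
  const a = Buffer.from(mac), b = Buffer.from(expected);
  if (a.length !== b.length || !timingSafeEqual(a, b)) return "reject: bad js_key";
  const age = now - Number(issuedAt);
  if (!(age >= 0 && age <= MAX_AGE_MS)) return "reject: expired js_key";
  return "accept";
}

// Constructed submissions: same visible fields, different handling of js_key.
const t0 = 1700000000000;
const key = issueKey(t0);
const message = { "your-name": "a", "your-email": "a@example.com", "your-message": "hi" };
const results = {
  scraper: checkSubmission(message, t0 + 5000),                      // never ran the script
  browser: checkSubmission({ ...message, js_key: key }, t0 + 5000),  // ran the script
  forged: checkSubmission({ ...message, js_key: `${t0}.${"0".repeat(64)}` }, t0 + 5000),
  replayed: checkSubmission({ ...message, js_key: key }, t0 + 2 * MAX_AGE_MS),
};
console.log(results);
```

A client that executes the page's JavaScript passes this check, so it filters only the scrape-and-post bots the paragraph describes.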

Methods I don’t like

Any solution that’s going to negatively impact the form’s conversion rate. This includes but isn’t limited to…

Contact Form 7 Quiz

Most of the time, adding fields to your form that the user isn’t expecting is going to turn users away. I especially despise the example quizzes that Contact Form 7 uses. “What is the capital of Japan?” – Really? Come on, I can guarantee you there is a good percentage of the population that doesn’t know the answer to that or will at least misspell it.

reCAPTCHA

Contact Form 7 has built-in integration for reCAPTCHA v3. Although Google has been steadily improving this service and there’s no longer the “I’m not a robot” checkbox with a possible series of images, I think it requires too much configuration to get it working properly. Also, it’s configured on a per-site basis, so if you’re running multiple sites it’s going to take longer to get it up and running as opposed to something like WordPress Zero Spam.

Contact Form 7 Honeypot

The Contact Form 7 Honeypot plugin was one of the primary bot defence tools, but over time it seems like the technique it’s using to catch bots has stopped working.


Hopefully, this was helpful for you. I’ve seen sites go from getting dozens of spam submissions a day to getting zero. I’m sure at some time in the future these methods will stop working and we’ll have to find a new way to combat this crap. If so, I’ll make sure to update this post to reflect the new tools/methods to use.

If you have a question or comment drop it below.

Travis Williamson

I'm Travis Williamson, a developer, creator, blogger, designer, accessibility specialist and owner of Williamson Design.
