How to Reduce Contact Form Spam in WordPress (Gravity Forms)

Do you get spam through your website contact form? Depending on how high-profile your company is, you can receive anywhere from a daily barrage to a slow trickle of spam. Though it’s nearly impossible to completely stop spam, we can take steps to reduce it. Here’s what we suggest.

Note: This page contains affiliate links. Please see Affiliate Disclosure.

Install a Contact Form

We recommend using a contact form instead of an email address. When you put your email address anywhere on your website, regardless of whether it’s a link or plain text, spambots will harvest it. You can obfuscate your email address to make it harder for spambots to find by using a plugin such as Email Address Encoder. However, it's not likely to fool all spambots forever. Therefore, a contact form is a more effective option.

Our favorite contact form plugin for WordPress is Gravity Forms. It's a premium plugin, meaning that it costs money, but it's well worth it.

Video Instructions

Anti-Spam Plugin

The simplest way to reduce the amount of spam coming through a Gravity Forms form is installing the Gravity Forms Zero Spam plugin. Just install and activate it; it doesn't require any configuration!

Another option is to use Akismet, a service from Automattic (the company behind WordPress). It integrates with many free and paid plugins, including Gravity Forms. Akismet is free for personal sites. There are paid plans for commercial sites.

Anti-Spam Honeypot

You should enable Gravity Forms' anti-spam honeypot. According to Gravity Forms, the honeypot field is "a hidden field that tricks a spam bot into filling it out when it should really be left blank."

  1. WordPress admin menu > Forms.
  2. Hover over the form you want to edit, then hover over Settings, and click Form Settings.
  3. At the bottom, check the box for Enable Anti-Spam Honeypot.
  4. Click Update Form Settings.

Sometimes that's enough to significantly reduce the amount of spam you receive. Wait a few days after enabling it. Then, if you're still receiving too much spam, try the next step.


reCAPTCHA is an improvement over standard CAPTCHA (where you need to figure out the letters and numbers in an image). That’s because reCAPTCHA is simpler for humans. According to Google (its developer), reCAPTCHA "uses an advanced risk analysis engine and adaptive CAPTCHAs … while letting your valid users pass through with ease."

It's a bit more work to add reCAPTCHA to a form than to add a CAPTCHA. However, your site visitors will appreciate the comparative ease of reCAPTCHA.

Generate reCAPTCHA Keys

First, you need to generate your reCAPTCHA keys.

  1. Log into reCAPTCHA admin, using your Google account. We recommend using the same account that's linked to your domain, which is probably your work email.
  2. Under Register a new site, set the Label to the URL (web address) of your website, or something else descriptive.
  3. Choose reCAPTCHA V2.
  4. Under Domains, enter the domain of your website.
  5. Complete the rest of the form, then click Register.

Add reCAPTCHA Keys to Website

Next, you need to add the reCAPTCHA keys to your website. Here’s how.

  1. You'll see the Adding reCAPTCHA to your site section.
  2. Copy the Site key.
  3. Back in your website, go to WordPress admin menu > Forms > Settings. Scroll down to reCAPTCHA Settings.
  4. Paste the Site key you copied into the Site Key field.
  5. In reCAPTCHA, copy the Secret Key.
  6. Paste it into WordPress in the Secret Key field.
  7. Click Save Settings.

Add reCAPTCHA Field to Contact Form

Next, you need to add the reCAPTCHA field to your contact form. Follow these step-by-step instructions.

  1. WordPress admin menu > Forms.
  2. Click the form you want to edit.
  3. Expand Advanced Fields, and drag CAPTCHA to the bottom of your form.
  4. Click the field to edit it.
  5. Change the Field Label to something like "Please confirm your humanity."
  6. Click Update.

That's usually enough to significantly reduce the amount of spam you receive. Wait a few days after enabling it. Then, if you're still receiving too much spam, try the next step.

Increase reCAPTCHA security

By default, reCAPTCHA strikes a balance between security and user-friendliness. If you get too much spam, then increase the security. Here’s how you do it.

  1. Log into reCAPTCHA admin using the same Google account you used earlier.
  2. In the top left, select your website from the list.
  3. In the top right, click the gear icon (Settings).
  4. Under Security Preference, drag the slider to the far right (Most secure).
  5. Click Save.

Wait a few days after increasing to Most secure. Then, if you’re still receiving too much spam, try the next step.

Question Field

Frustratingly, for some sites, even reCAPTCHA set to Most secure lets too much spam through. Another option that works quite well is to add a question to your form, and only show the form’s submit button when the question is answered correctly.

Make sure the question has only one correct answer, and is easy to think of.

This reduces the amount of automated/bot spam, but, unfortunately, human spammers will still be able to get through (though this should reduce the number that do).

I don’t recommend making users complete reCAPTCHA and answer a question, so if you add a question, I recommend you delete the CAPTCHA field from your form.

  1. WordPress admin menu > Forms.
  2. Click the form you want to edit.
  3. Drag the Single Line Text field to the bottom of your form.
  4. Click the field to edit it.
  5. Change the Field Label to your question; something like “What is the opposite of up?”
  6. Check the box to make the field Required.
  7. Delete the CAPTCHA field, if there’s one in the form.
  8. Click Update.
  9. Above the form, hover over Settings, then click Form Settings.
  10. In the Form Button section, check the box for Enable Conditional Logic.
  11. Set the logic to Show this form button if All of the following match: [the question you created] is[the answer to your question].
  12. Click Update Form Settings.
Gravity Forms question
Gravity Forms button conditional logic

Spam Shields Up!

As a businessperson, you have better things to do than fight spam coming through your website. Let OptimWise handle it for you. We provide comprehensive website maintenance. Sign up for your WordPress Maintenance Plan today.

Filed Under: 

Want tips to rocket-boost your website?

Simply sign up.

4 comments on “How to Reduce Contact Form Spam in WordPress (Gravity Forms)”

  1. Another way is to outsource contact forms. I use Beep.IM as a point of contact for my clients. They create a custom url which I can give to my clients and have them contact me initially. This way, if I no longer wish to be contacted, I simply remove the link from my website.

  2. I use a contact form builder called Ivertech Spam Free Contact ( It also has reCaptcha but it doesn't require me to create a site key and secret key at Google. I simply clicked on the checkbox to enable the reCaptcha feature. The cool thing about it is that it has AI (Artificial Intelligence) built-in to detect spams. You can “train” their AI algorithm to recognize spams according to your preferences. I have been using it for a few weeks and I haven't gotten any spams so far.

    The only downside is that it’s not built as a WordPress plugin. You will need to copy their html code and paste it to your site manually.

Leave a Reply

Your email address will not be published.

Ready to Blast Off?

Let's talk.

Contact OptimWise