Multi-layer anti-spam approach combining client-side and server-side techniques. First three layers are Free; reCAPTCHA v3 requires PRO.
Layer 1: Honeypot (Free)
Hidden field that bots auto-fill. CSS-hidden (not display:none):
<div style="position:absolute;left:-9999px;opacity:0;height:0;overflow:hidden;" aria-hidden="true">
<input type="text" name="formforge_website_url" value="" tabindex="-1" autocomplete="off">
</div>

Layer 2: Time Check (Free)
Submissions arriving in less than 2 seconds are rejected.
Layer 3: Token Validation (Free)
A hashed token generated at render time prevents direct POST requests that bypass the form page.
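
One way the three free layers could be checked together on the server, as an added example rather than FormForge's own code. The secret, the `demo_token` field, the token layout (render timestamp plus HMAC-SHA256), the one-hour expiry and the function names are assumptions; only the honeypot field name and the 2-second minimum come from this page.

```php
<?php
// Added illustration, not FormForge source. Secret, token layout, expiry and
// function names are assumptions; field name and 2 s minimum are from the page.
const DEMO_SECRET = 'constructed-demo-secret'; // assumption: per-site server-side secret
const MIN_SECONDS = 2;    // from the page: faster submissions are rejected
const MAX_AGE     = 3600; // assumption: tokens expire after one hour

// Render time: bind the form ID and render timestamp under an HMAC.
function demo_issue_token(string $form_id, int $now): string {
    return $now . '.' . hash_hmac('sha256', $form_id . '|' . $now, DEMO_SECRET);
}

// Submit time: returns null when accepted, otherwise the rejection reason.
function demo_check_submission(array $post, string $form_id, int $now): ?string {
    // Layer 1: the honeypot must come back as an empty string.
    if (($post['formforge_website_url'] ?? '') !== '') {
        return 'honeypot';
    }
    // Layer 3: token must be a well-formed string with a valid MAC.
    $raw   = $post['demo_token'] ?? '';
    $parts = explode('.', is_string($raw) ? $raw : '', 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'token';
    }
    [$issued, $mac] = $parts;
    $expected = hash_hmac('sha256', $form_id . '|' . $issued, DEMO_SECRET);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return 'token';
    }
    // Layer 2: the authenticated timestamp gives the fill time.
    $age = $now - (int) $issued;
    if ($age < MIN_SECONDS) {
        return 'too_fast';
    }
    return $age > MAX_AGE ? 'expired' : null;
}

// Constructed sample submissions.
$t0    = 1700000000;
$ok    = ['formforge_website_url' => '', 'demo_token' => demo_issue_token('contact', $t0)];
$cases = [
    'human after 8s'   => [$ok, $t0 + 8],
    'bot fills field'  => [['formforge_website_url' => 'http://spam.example'] + $ok, $t0 + 8],
    'instant post'     => [$ok, $t0 + 1],
    'forged timestamp' => [['demo_token' => ($t0 - 60) . strstr($ok['demo_token'], '.')] + $ok, $t0 + 1],
    'no token'         => [['formforge_website_url' => ''], $t0 + 8],
];
foreach ($cases as $name => [$post, $now]) {
    echo str_pad($name, 18), demo_check_submission($post, 'contact', $now) ?? 'accepted', "\n";
}
```

Because the render timestamp sits inside the MAC, a client cannot backdate it to get past the time check. The expiry only bounds how long a captured token can be reused; it does not make tokens single-use.
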
Layer 4: reCAPTCHA v3 (PRO)
Google reCAPTCHA v3 runs invisibly, scoring visitors from 0.0 (bot) to 1.0 (human):
update_option( 'formforge_settings', [
    'recaptcha_site_key' => '6Lc...',
    'recaptcha_secret_key' => '6Lc...',
    'recaptcha_threshold' => 0.5,
] );

The server rejects a submission when Google verification fails or when the returned score is below the configured threshold. Higher thresholds are stricter. A threshold of 0 disables score-based rejection, which is useful for emergency compatibility checks. On local/dev hosts (localhost, 127.0.0.1, .local, .test) threshold 0 also allows a failed Google verification response so domain-mismatched test keys do not block local QA; production hosts still require a successful Google verification response. Stripe payment forms call the same reCAPTCHA flow before the validation preflight and again before the final submission after a successful PaymentIntent.
Layer Summary
| Layer | Plan | Technique | Catches |
|---|---|---|---|
| Honeypot | Free | Hidden field bots fill | Simple bots, scrapers |
| Time Check | Free | Minimum 2s submission time | Automated POST scripts |
| Token | Free | Server-generated hash | Direct API spammers |
| reCAPTCHA v3 | PRO | Google ML scoring | Sophisticated bots |