Form spam is a reality of publishing forms on the internet. Bots crawl websites looking for forms to submit with junk data, fake leads, and even malicious content. Without protection, a public form can receive hundreds of spam submissions per day, drowning out real responses and wasting your time. Form Forge includes multiple layers of protection to keep your submissions clean without annoying real visitors with puzzles or challenges.
The best spam protection is invisible. Your real visitors should never know it is there. Form Forge’s approach is to layer silent detection methods so bots are caught automatically while humans breeze through without interruption.
Built-in Protection (Free)
These three methods work silently in the background with zero configuration:
| Method | How it works | What it catches |
|---|---|---|
| Honeypot | Adds an invisible field to every form. Real humans never see it, but bots fill it in automatically. Any submission with this field filled is flagged as spam. | Basic automated bots that fill every field they find |
| Time Check | If a form is submitted in under 2 seconds, it is almost certainly a bot. No human can read and fill a form that fast. These submissions are automatically rejected. | High-speed automated scripts |
| Token Validation | Each form generates a unique security token when loaded. This prevents cross-site request forgery and blocks external scripts that try to POST data directly to your form endpoint. | Direct POST attacks from external scripts |
Together, these three methods catch the vast majority of spam on most websites. Many Form Forge users never need anything beyond these built-in protections.
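
The three built-in checks described above can be sketched server-side as follows. This is an added illustration, not Form Forge's own code: the secret, the hidden field name `website_url`, the `_token` field and the one-hour token lifetime are assumptions; only the 2-second minimum comes from this page.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = b"constructed-demo-key"  # assumption: per-site secret kept server-side
MIN_FILL_SECONDS = 2                   # from the page: faster than this is treated as a bot
MAX_TOKEN_AGE = 3600                   # assumption: a token is valid for one hour
HONEYPOT_FIELD = "website_url"         # hypothetical name of the invisible field


def _sign(form_id, nonce, issued_at):
    msg = f"{form_id}|{nonce}|{issued_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(form_id, now=None):
    """Called when the form is rendered; binds the token to the form and load time."""
    issued_at = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    return f"{nonce}.{issued_at}.{_sign(form_id, nonce, issued_at)}"


def check_submission(form_id, fields, now=None):
    """Return 'ok' or the name of the check that rejected the submission."""
    now = time.time() if now is None else now
    parts = str(fields.get("_token", "")).split(".")
    if len(parts) != 3 or not (parts[1].isascii() and parts[1].isdigit()):
        return "token"                      # missing or malformed token
    nonce, issued_raw, sig = parts
    issued_at = int(issued_raw)
    expected = _sign(form_id, nonce, issued_at)
    # Constant-time compare; the signature covers the load time, so a
    # script cannot back-date the timestamp to slip past the time check.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return "token"
    if now - issued_at > MAX_TOKEN_AGE:
        return "token"                      # stale token
    if str(fields.get(HONEYPOT_FIELD, "")).strip():
        return "honeypot"                   # hidden field was filled in
    if now - issued_at < MIN_FILL_SECONDS:
        return "time_check"                 # submitted too fast after load
    return "ok"
```

Because this sketch is stateless, a valid token can be reused until it expires; making tokens single-use requires storing the nonces the server has already seen.
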
Advanced Protection (PRO)
For sites that get heavy, persistent bot traffic, PRO adds stronger defenses:
Google reCAPTCHA v3 runs in the background and scores each visitor on how “human” they appear based on their behavior on your site. There is no checkbox, no image puzzle — it is completely invisible to real visitors. Submissions from likely bots are automatically blocked.
IP Rate Limiting prevents the same IP address from submitting a form more than a set number of times in a given period. This stops automated scripts that hammer your form repeatedly.
Setting Up reCAPTCHA v3
- Go to the Google reCAPTCHA admin console at google.com/recaptcha/admin.
- Click the + button to create a new site.
- Give it a label (for example, “My Website Forms”).
- Choose reCAPTCHA v3 as the type.
- Add your domain (for example, “yourcompany.com”).
- Click Submit and copy both the Site Key and Secret Key.
- In WordPress, go to Form Forge > Settings > Anti-Spam.
- Paste the Site Key into the Site Key field.
- Paste the Secret Key into the Secret Key field.
- Set the score threshold. The default is 0.5 on a scale of 0.0 (definitely a bot) to 1.0 (definitely human). Higher values are stricter; lower values allow more visitors through. Set the threshold to 0 only when you want Form Forge to require a valid reCAPTCHA token but skip score-based blocking.
- Click Save Settings.
Choosing the Right Protection Level
| Your situation | Recommended protection |
|---|---|
| Small site, low traffic | Built-in honeypot + time check (free, no setup needed) |
| Medium site, occasional spam | Add reCAPTCHA v3 (PRO) |
| High-traffic site with persistent spam | reCAPTCHA v3 + IP rate limiting (PRO) |
| Under active spam attack | All of the above + raise the reCAPTCHA threshold above 0.5 |
What to Do If Spam Still Gets Through
- First, confirm that reCAPTCHA is active by checking Form Forge > Settings > Anti-Spam for a green status.
- Verify your reCAPTCHA keys are correct by visiting the Google reCAPTCHA admin console.
- Try raising the score threshold (for example, from 0.5 to 0.7). This blocks more borderline visitors.
- Enable IP rate limiting and set it to 3-5 submissions per IP per hour.
- Consider adding a simple custom question field (like “What is the name of our company?”) as an extra barrier that bots cannot answer.
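
How the score threshold (including the special value 0) and a per-IP hourly limit combine into one decision is sketched below as an added example; it is not Form Forge's code. It assumes the reCAPTCHA verification response has already been fetched and parsed into a dict, that a score equal to the threshold passes, and that only accepted submissions count toward the limit; the sample responses and IP addresses are constructed.

```python
from collections import defaultdict, deque


def recaptcha_allows(verify_response, threshold):
    """Apply the page's threshold rules to a parsed verification response."""
    if not verify_response.get("success"):
        return False          # missing, expired or invalid token: always rejected
    if threshold == 0:
        return True           # valid token required, score-based blocking skipped
    # Assumption: a score exactly at the threshold is allowed through.
    return float(verify_response.get("score", 0.0)) >= threshold


class IpRateLimiter:
    """Sliding window: at most `limit` accepted submissions per IP per window."""

    def __init__(self, limit=3, window_seconds=3600):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)   # ip -> timestamps of accepted submissions

    def allow(self, ip, now):
        hits = self._hits[ip]
        while hits and now - hits[0] >= self.window:
            hits.popleft()                # forget submissions older than the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def gate(ip, verify_response, threshold, limiter, now):
    """Return 'ok', 'recaptcha' or 'rate_limit' for one submission."""
    if not recaptcha_allows(verify_response, threshold):
        return "recaptcha"
    if not limiter.allow(ip, now):
        return "rate_limit"
    return "ok"
```

With a threshold of 0, `recaptcha_allows({"success": True, "score": 0.0}, 0)` returns `True`, which is the accidental-zero case listed under Common Mistakes to Avoid.
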
> Tip: Check your Spam submissions occasionally. Very rarely, a legitimate submission gets flagged as spam — especially from visitors using VPNs, corporate networks, or older browsers. A quick weekly scan of the Spam filter takes one minute and ensures no real customer is lost.
> Good to know: Without PRO, the honeypot, time check, and token validation provide solid protection for most sites. reCAPTCHA v3 and rate limiting are there for sites that face heavy, persistent attacks. The free protections handle casual spam effectively.
Common Mistakes to Avoid
- Mixing up reCAPTCHA v2 and v3 keys. Form Forge uses v3, which is invisible. If you accidentally paste v2 keys (the checkbox version), it will not work.
- Setting the reCAPTCHA threshold too high (like 0.9). This blocks many real humans who browse in ways Google scores lower. Start at 0.5 and adjust.
- Setting the threshold to 0 by accident. A zero threshold disables score-based rejection, so any visitor with a valid Google token can submit even if Google returns score 0.
- Disabling honeypot protection. There is no reason to turn it off — it catches bots with zero impact on real visitors.
[Screenshot: The Anti-Spam settings page showing the Honeypot toggle (on), reCAPTCHA v3 fields for Site Key and Secret Key, and the score threshold slider]