Skip to content

Fight Contact Form 7 Spam

On this other WordPress-powered site of mine, I’ve been using the following Akismet alternative to effectively fight Contact Form 7 spam: a combination of a honeypot and WordPress’s built-in blocklist.

  • A honeypot is a form field that’s normally hidden and should be left blank. Bots will often fill it out, though. Honeypot for Contact Form 7 is a plugin that’ll add a form tag generator to CF7’s editor and otherwise just works.
  • Contact Form 7 supports the comments blocklist in WordPress’s Discussion settings—something I didn’t know until recently. Using only a few keywords, I’ve been able to drastically reduce manual spam entries, or those by “smarter” bots that are able to bypass the honeypot.

If you’re also using Flamingo to (temporarily) store submissions in the database—you know, in case of email deliverability issues— submissions that match any of the blocklisted terms end up in “Spam.” Emails will not be sent.

Some notes:

  • Akismet is probably more effective, still, and can be used free of charge on personal sites.
  • In WP Admin, the blocklist can be found under Settings > Discussion.
  • I’m kinda waiting for Antispam Bee to start supporting 3rd-party contact form plugins.
  • Ever more bots, I think, like headless Chromium, are able to parse CSS and JavaScript, so I wasn’t too surprised when the honeypot itself turned out insufficient.
  • My next blog post might explain how to automatically delete old Flamingo submissions. Or deal with email deliverability problems.