Simple WordPress spam protection for Contact Form 7 without reCAPTCHA
With the Contact Form 7 Honeypot plugin, you can retrofit a simple WordPress spam protection for Contact Form 7 and protect your forms from spambots - without annoying captchas or external loading of JavaScript through Google's reCAPTCHA function.
Since the beginning of my time with WordPress, I have been using Contact Form 7 to create forms. The plugin always did a good job and since I only use a single contact form on my theme shop, I never had to switch to Gravity Forms or any other form plugin.
Spam protection for WordPress forms
However, anti-spam measures have changed over the years. At the very beginning Contact Form 7 did not have its own spam protection, but there were several additional add-ons such as Really Simple CAPTCHA to equip the plugin with classic captchas for spam protection.
The original captchas were terrible from a usability and accessibility point of view. Usually the user had to recognize certain strings of letters, which were difficult to read due to distorted texts and background patterns.
Only Google's reCAPTCHA v2 remedied this: in most cases the user only had to tick a simple checkbox, which was still a problem for spambots. Later, with Invisible reCAPTCHA, the captcha receded into the background.
Contact Form 7 integrated reCAPTCHA with version 4.3, so that no additional plugins were required. Because of the convenient implementation and improved usability, I used this method for many years as spam protection.
Google reCAPTCHA and data protection
Due to the GDPR, data protection is currently coming back into focus. Since the protection of the personal data of my visitors and customers is very important to me, I try to improve my websites step by step, initially regardless of whether a given change is also legally required by the GDPR.
True to the motto of data economy, I think it makes sense to use alternative solutions if they are available. I recently removed Google Fonts from all of my themes. All fonts are now integrated locally and no longer loaded externally from Google's Font API.
Google's reCAPTCHA is basically the same. Instead of fonts, some JavaScript is loaded from Google's servers, which is responsible for spam protection of the form. Here too, Google receives the IP addresses of website visitors.
It was therefore time to switch to an alternative solution.
Contact Form 7 Honeypot
Contact Form 7 Honeypot is a simple extension for CF7, which retrofits the plugin with anti-spam functionality. The add-on is available for download from the official WordPress plugin directory and is active on over 200,000 websites.
On the one hand, it was important for me to find a solution without complicated captchas, which from a usability point of view would only have been a step backwards from reCAPTCHA. On the other hand, the spam protection must of course also work reliably and ward off all spambots if possible.
How honeypot works
Defense against spam with a honeypot sounded like the ideal solution. The plugin description on WordPress.org provides a very nice explanation of how it works, so I will simply quote it here:
The principle of a honeypot is simple - bots are stupid. While some spam is generated by hand, the vast majority of bots come from bots that are written in a special (large-scale) way to send spam through most of the known types of forms. In this way, they fill out fields blindly, regardless of whether they are mandatory or not. This is how a honeypot catches the bot - it introduces an additional field that, once filled out, makes the form invalid.
Source: WordPress.org
Configure WordPress spam protection for Contact Form 7
The plugin works very simply.
After the installation, a new button is available in Contact Form 7 to insert a honeypot field. In the front end, the field is hidden with CSS, so human visitors leave it empty. Spambots fall into the trap and fill in the field, which identifies the submission as coming from a bot, and the request is rejected.
When generating the honeypot field, it is recommended to use a name other than the standard name “honeypot” to make it more difficult for bots to recognize the trap. A typical field name such as email, first name or website is better.
In the plugin's support forum, it is also recommended, if necessary, to simply insert two honeypot fields to make life even more difficult for the bots.
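The check described above, written as stand-alone PHP; this is an added example, not the Contact Form 7 Honeypot plugin's own code. The decoy field names, the `.form-extra` stylesheet class and the rule that a submission with a missing decoy field is also rejected are assumptions of the example.

```php
<?php
// Assumed decoy names for this example: two ordinary-looking fields.
const TRAP_FIELDS = ['website', 'first-name'];

// Markup for the decoys. The .form-extra class is an assumed rule in the
// site's stylesheet that hides the wrapper; tabindex and autocomplete keep
// keyboard users and browser autofill from filling the trap by accident.
function render_traps(): string
{
    $html = '';
    foreach (TRAP_FIELDS as $name) {
        $html .= sprintf(
            '<span class="form-extra" aria-hidden="true">'
            . '<input type="text" name="%s" value="" tabindex="-1" autocomplete="off">'
            . "</span>\n",
            htmlspecialchars($name, ENT_QUOTES)
        );
    }
    return $html;
}

// Returns null for a clean submission, otherwise the reason for rejecting it.
function honeypot_verdict(array $post): ?string
{
    foreach (TRAP_FIELDS as $name) {
        if (!array_key_exists($name, $post)) {
            // Browsers submit empty text inputs, so a missing decoy means
            // the request was not produced from the rendered form.
            return "missing:$name";
        }
        // Arrays (name[]=x) and any non-blank text count as filled.
        if (!is_string($post[$name]) || trim($post[$name]) !== '') {
            return "filled:$name";
        }
    }
    return null;
}

// Constructed sample submissions (not real traffic).
$samples = [
    'visitor'     => ['your-email' => 'a@example.org', 'website' => '', 'first-name' => ''],
    'blind bot'   => ['your-email' => 'b@example.org', 'website' => 'http://spam.example', 'first-name' => 'x'],
    'partial bot' => ['your-email' => 'c@example.org', 'website' => '', 'first-name' => 'Ann'],
    'raw POST'    => ['your-email' => 'd@example.org'],
];
echo render_traps();
foreach ($samples as $label => $post) {
    printf("%-12s %s\n", $label, honeypot_verdict($post) ?? 'accept');
}
```

The "partial bot" sample shows what the second field buys: a bot that leaves one decoy empty is still caught by the other.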
How reliably does the plugin protect against spam?
In the end, Contact Form 7 Honeypot only works with hidden fields. The plugin therefore doesn't even promise to be able to really prevent all spam. Google's reCAPTCHA procedure will probably offer even better protection against very intelligent spambots.
For my own website, the protection level seems to be sufficient. While the first spam arrives very quickly without spam protection, the switch to honeypot has not led to any increased spam volume. At least not so far 🙂
Spambots are constantly adapting and the plugin may not work forever. Until then, however, it's a very good alternative to captchas.
Hello, with which plugin did you display the privacy policy? Would like to have such a fade-in. Many greetings
Hello AxL,
I have displayed the Cookie Notice with the now outdated Simple Cookie Notification Bar plugin: https://wordpress.org/plugins/simple-cookie-notification-bar/
So there are probably newer / better solutions for this.
In principle, the plugin only indicated that cookies were being used. But just a few hours ago I switched to a new plugin that enables tracking to be opt-in and is therefore better for the GDPR.
It is a premium plugin and available at https://soulsites.de/facebook-pixel-plugin-wordpress-opt-out-dsgvo/ . At the moment I'm not entirely satisfied with it, but it has been the best solution so far.
Many Greetings,
Brian
Very helpful, thank you! 🙂
Very happy 🙂
Hello Brian,
Thank you for your contribution. But what do you think of the Stop Spammers plugin
https://de.wordpress.org/plugins/stop-spammer-registrations-plugin
and the project behind it, stopforumspam.com?
Hello Christian,
Unfortunately, I don't know the plugin, so I can't comment on it. With the description on WordPress.org, it is also not clear whether it also offers spam protection for Contact Form 7.
I generally prefer to use plugins that are specialized for one purpose. For comment spam, for example, Antispam Bee is still used here in the blog: https://de.wordpress.org/plugins/antispam-bee/
Many Greetings,
Brian
Many thanks for your response. So there is almost nowhere more comprehensive information on the functionality and effectiveness of StopSpammers at stopforumspam.com.
Doesn't the DSGVO problem arise at Antispam Bee and has been classified as rather problematic from the start?
https://simon.blog/2018/euer-datenschutz-kotzt-mich-an/
Okay, start over before we mix things up here.
stopforumspam.com is a public spam database that reports and collects known spam. Plugins can then use this database to detect spam and compare comments or form entries, for example.
In terms of data protection, the use of an external spam database is problematic. Usually the IP addresses (personal data) of the comments / forms are sent there for review. The well-known Akismet plug-in has the same problem; the data is also passed on to external servers in the USA.
Antispam Bee had a setting to enable IP matching with the public spam database. In the background, stopforumspam.com was actually used for this. With the option, however, data protection has always been pointed out and it was deactivated by default.
With the new version 2.8 of Antispam Bee, the setting has been completely removed, so that an incorrect configuration, with the option activated by mistake, is no longer possible. See the changelog at https://wordpress.org/plugins/antispam-bee/#developers
All other functions in Antispam Bee were never a problem under data protection law, as Simon explains in the linked post from you.
With the removal of the public spam database, Antispam Bee 2.8 is now fully compliant with the GDPR.
If the Stop Spammers plugin continues to use the public database, it is likely not 100% compliant with the GDPR. A change to a different plugin should therefore be made here.
Many Greetings,
Brian
Hello Brian,
Super thank you. That is a very good indication. 😉
Send you many greetings,
Very happy 🙂
I tried it weeks ago because I received several emails from Russian spammers every day via CF7. But honeypot did nothing, there were just as many spam emails as before. Too bad. I then replaced CF7 with a simple statement of my e-mail and now I no longer receive spam.
Hello Adrian,
Thank you for your feedback.
The anti-spam fields are certainly recognized by some spambots. However, a second honeypot field and renaming the fields with common names may really help.
Otherwise, only stronger measures such as captchas or possibly not using a contact form help.
Many Greetings,
Brian
Thank you for the very informative article.
I now have two honeypot fields and I'm excited to see how it works.
Very happy 🙂
Recognizing the honeypot fields is relatively easy. The bot only has to read the CSS style and recognizes that it does not have to enter anything for "visibility: hidden". It would be a shame if I really had to spend $60 a month on Akismet. But there doesn't seem to be an alternative that works with CF7.