Simple WordPress spam protection for Contact Form 7 without reCAPTCHA

With the Contact Form 7 Honeypot plugin, you can retrofit a simple WordPress spam protection for Contact Form 7 and protect your forms from spambots - without annoying captchas or external loading of JavaScript through Google's reCAPTCHA function.

Since the beginning of my time with WordPress, I have been using Contact Form 7 to create forms. The plugin always did a good job and since I only use a single contact form on my theme shop, I never had to switch to Gravity Forms or any other form plugin.

Spam protection for WordPress forms

However, anti-spam measures have changed over the years. At the very beginning Contact Form 7 did not have its own spam protection, but there were several additional add-ons such as Really Simple CAPTCHA to equip the plugin with classic captchas for spam protection.

The original captchas were terrible from a usability and accessibility point of view. Usually the user had to recognize certain strings of letters, which were difficult to read due to distorted texts and background patterns.

Only Google's reCAPTCHA v2 remedied this: in most cases the user only had to tick a simple checkbox, which was still a problem for spambots. Later, with Invisible reCAPTCHA, the captcha faded into the background.

Contact Form 7 integrated reCAPTCHA with version 4.3, so that no additional plugins were required. Due to the convenient implementation and improved usability, I had used the process for many years as a spam defense.

Google reCAPTCHA and data protection

Due to the GDPR, data protection is currently coming back into focus. Since the protection of the personal data of my visitors and customers is very important to me, I try to improve my websites step-by-step, initially regardless of whether it is also legally required for the GDPR.

True to the motto of data economy, I think it makes sense to use alternative solutions if they are available. I recently removed Google Fonts from all of my themes. All fonts are now integrated locally and no longer loaded externally from Google's Font API.

Google's reCAPTCHA is basically the same. Instead of fonts, some JavaScript is loaded from Google's servers, which is responsible for spam protection of the form. Here too, Google receives the IP addresses of website visitors.

It was therefore time to switch to an alternative solution.

Contact Form 7 Honeypot

Contact Form 7 Honeypot is a simple extension for CF7, which retrofits the plugin with anti-spam functionality. The add-on is available for download from the official WordPress plugin directory and is active on over 200,000 websites.


On the one hand, it was important for me to find a solution without complicated captchas, which from a usability point of view would only have been a step backwards from reCAPTCHA. On the other hand, the spam protection must of course also work reliably and ward off all spambots if possible.

How honeypot works

Defense against spam with a honeypot sounded like the ideal solution. The plugin description provides a very nice explanation of how it works, which I would therefore simply like to quote at this point:

The principle of a honeypot is simple - bots are stupid. While some spam is generated by hand, the vast majority of it comes from bots that are written in a special (large-scale) way to send spam through most of the known types of forms. In this way, they fill out fields blindly, regardless of whether they are mandatory or not. This is how a honeypot catches the bot - it introduces an additional field that, once filled out, makes the form invalid.


Configure WordPress spam protection for Contact Form 7

The plugin works very simply.

After the installation, a new button is available in Contact Form 7 to insert a honeypot field. In the front end, the field is hidden with CSS, so human visitors never see it and leave it empty. Spambots fall into the trap and fill in the field anyway, which identifies them as bots, and the request is rejected.


When generating the honeypot field, it is recommended to use a name other than the standard name “honeypot” to make it more difficult for bots to recognize the trap. A typical field name such as email, first name or website is better.

Screenshot: Honeypot field generator

In the plugin's support forum, it is also recommended to simply add two honeypot fields, if necessary, to make life even more difficult for the bots.
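
The check described in this section, sketched as stand-alone PHP. This is an added example, not code from the Contact Form 7 Honeypot plugin; the field names, the function names and the rule that a missing trap field is also rejected are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. The decoy names are hypothetical and
// chosen to look like real inputs instead of the default name "honeypot".
const TRAP_FIELDS = ['website', 'first-name'];

/** Render the decoy inputs; the wrapper is hidden from human visitors with CSS. */
function render_traps(array $names): string
{
    $html = '';
    foreach ($names as $name) {
        $n = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
        $html .= '<span class="extra-field" style="display:none" aria-hidden="true">'
               . "<label for=\"$n\">Please leave this field empty.</label>"
               . "<input type=\"text\" id=\"$n\" name=\"$n\" value=\"\""
               . ' tabindex="-1" autocomplete="off"></span>' . "\n";
    }
    return $html;
}

/**
 * Return the reason a submission is rejected, or null if it passes.
 * A browser sends each hidden input as an empty string, so a filled,
 * array-valued or missing trap field did not come from a person using the form.
 */
function honeypot_verdict(array $post, array $names): ?string
{
    foreach ($names as $name) {
        if (!array_key_exists($name, $post)) {
            return "trap field '$name' missing";   // assumption: treat as bot
        }
        $value = $post[$name];
        // Whitespace-only input counts as empty; anything else trips the trap.
        if (!is_string($value) || trim($value) !== '') {
            return "trap field '$name' was filled in";
        }
    }
    return null;
}

// Constructed sample submissions (not real traffic).
$human   = ['your-name' => 'Ada', 'your-email' => 'ada@example.org',
            'website' => '', 'first-name' => ''];
$bot     = ['your-name' => 'x', 'your-email' => 'x@example.org',
            'website' => 'http://spam.example', 'first-name' => 'x'];
$crafted = ['your-name' => 'x', 'website' => ['a'], 'first-name' => ''];

foreach (['human' => $human, 'bot' => $bot, 'crafted' => $crafted] as $who => $post) {
    printf("%-8s %s\n", $who, honeypot_verdict($post, TRAP_FIELDS) ?? 'accepted');
}
```

Browser autofill can populate a hidden input with a realistic name, so it is worth logging rejected submissions for a while after enabling the trap to spot false positives.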

How reliably does the plugin protect against spam?

In the end, Contact Form 7 Honeypot only works with hidden fields. The plugin therefore doesn't even promise to be able to really prevent all spam. Google's reCAPTCHA procedure will probably offer even better protection against very intelligent spambots.

For my own website, the protection level seems to be sufficient. While the first spam arrives very quickly without spam protection, the switch to honeypot has not led to any increased spam volume. At least not so far 🙂

Spambots are constantly adapting and the plugin may not work forever. Until then, however, it's a very good alternative to captchas.