1. Using Contact Form 7’s in-built anti-spam measures
You’ll find a lot of articles recommending CAPTCHA and quiz plugins that work with Contact Form 7. Most of these are unnecessary as it’s better to use the features already built into the Contact Form 7 WordPress plugin.
Simple quizzes are becoming a popular way to combat contact form spam. They work by asking the user a simple question such as “Which is bigger, 2 or 8?” Bots can’t answer this question. As a result, only people who enter the correct response can submit the contact form.
To add a quiz, edit your contact form and click the Generate Tag dropdown. Paste the shortcode that appears below into your contact form. It will look something like this:
[quiz capital-quiz "Which is bigger, 2 or 8?|8"]
3. Minimum character count
The WordPress website featured in this article received a lot of spam contact forms with 2-digit messages – usually a number. I have no idea what they were trying to achieve, but it’s obviously a popular type of spam at the moment.
If all your spam messages follow an obvious pattern, you can block them by setting up your contact form to block messages that meet this pattern. In this case, I used the Max and Min Length options in Contact Form 7 to require messages to be more than 20 characters long. Genuine enquiries will usually provide more than 20 characters, so this blocks bots without frustrating real users.
The Message/Comments field will look something like this:
[textarea* your-message minlength:20 maxlength:500]
Akismet has a reputation as the best WordPress anti-spam plugin. Not everyone knows that it works with Contact Form 7 as well as blog comments.
Once you have activated the Akismet WordPress plugin and followed the on-screen instructions to add your API key (free for non-profit-making website, small monthly fee for business sites), you need to do a bit of extra config to make it talk to Contact Form 7 – see https://contactform7.com/spam-filtering-with-akismet/.
In my tests, Akismet stopped about 70% of the Contact Form 7 spam but not all of it. It worked well in conjunction with some of the other solutions mentioned in this article.
5. Contact Form 7 Honeypot
Contact Form 7 Honeypot is a WordPress plugin that adds a hidden field to your contact form. Real users won’t complete it because the field is invisible. However bots won’t know this and will fill it in. This allows the plugin to recognise them as bots and block their submission.
After you have installed and activated the Contact Form 7 Honeypot WordPress plugin, use the Generate Tag option to create a honeypot shortcode to insert into your contact form. It will look something like this (Contact Form 7 recommend changing the ID to something unique, so replace 827 with something else):
6. Really Simple CAPTCHA
The Really Simple CAPTCHA WordPress plugin was created by the developer of Contact Form 7 so they work together seamlessly. The plugin allows you to add a CAPTCHA to your contact form. It’s designed to prevent bots from submitting forms on your WordPress website.
Once you have installed and activated Really Simple CAPTCHA, insert a CAPTCHA tag into your Contact Form 7 form. (Click the Generate Tag dropdown to see the available options and create a customized tag to paste into your form.) It will look something like this:
Further instructions at https://contactform7.com/captcha/.
Please note that CAPTCHAs are becoming slightly old fashioned and are not great for user-experience. They also require particular features to be enabled on your server, which may not be in place for your WordPress website.
I would recommend adding a quiz first (see above), and only trying CAPTCHA if this doesn’t work. The two methods basically do the same thing. They prevent automated bots from submitting your website contact form – so you shouldn’t need both.