Core Forms includes multiple layers of spam protection. You can use any combination of these methods.
Honeypot Field
Every form automatically includes a hidden honeypot field. This is an invisible text input that legitimate users never see or fill in (it is hidden with display: none and aria-hidden="true"). Bots that fill in every field will populate the honeypot, causing the submission to be silently ignored.
The honeypot is always active. There is no setting to disable it. It provides a baseline level of spam protection with zero friction for real users.
Math CAPTCHA
Math CAPTCHA adds a simple arithmetic problem to the form (e.g., “12 + 8 = ?”). Users must solve it correctly to submit the form. This is a lightweight alternative to external CAPTCHA services.
Enabling Math CAPTCHA
- Edit your form.
- Go to the Settings tab.
- Check Enable Math CAPTCHA.
- Save the form.
How It Works
The plugin generates a random math problem using addition, subtraction, or multiplication with small numbers. The correct answer is hashed and stored in a hidden field. When the form is submitted, the user’s answer is hashed and compared.
The math problem is rendered directly in the form markup. No external scripts or API calls are needed.
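One way to build and check such a hashed-answer field, as an added example that is not Core Forms' own code: the page does not say how the plugin hashes the answer, so the function names, the token layout, the server-side secret and the 10-minute lifetime are all assumptions.

```php
<?php
// Added example, PHP 8+. Function names, token layout and TTL are assumptions.
const CAPTCHA_TTL = 600; // seconds a rendered problem stays valid

// Token for the hidden field: issue time plus a keyed hash of answer and time.
// An unkeyed hash of a small integer can be matched by hashing every small
// integer, so the server-side secret is what keeps the answer opaque.
function captcha_token(int $answer, int $issued, string $secret): string
{
    return $issued . ':' . hash_hmac('sha256', $answer . '|' . $issued, $secret);
}

// Random problem with small operands, as rendered into the form markup.
function captcha_issue(string $secret, int $now): array
{
    $a = random_int(1, 12);
    $b = random_int(1, 12);
    $op = ['+', '-', '*'][random_int(0, 2)];
    $answer = match ($op) { '+' => $a + $b, '-' => $a - $b, '*' => $a * $b };
    return ['question' => "$a $op $b = ?", 'token' => captcha_token($answer, $now, $secret)];
}

// Re-hash the submitted answer with the token's timestamp and compare.
function captcha_verify(string $secret, string $token, string $submitted, int $now): bool
{
    if (!preg_match('/^(\d{1,12}):([0-9a-f]{64})$/', $token, $m)) {
        return false; // malformed or tampered hidden field
    }
    $submitted = trim($submitted);
    if (!preg_match('/^-?\d{1,4}$/', $submitted)) {
        return false; // not a small integer
    }
    $issued = (int) $m[1];
    if ($issued > $now || $now - $issued > CAPTCHA_TTL) {
        return false; // future-dated or expired problem
    }
    // hash_equals compares in constant time.
    return hash_equals(captcha_token((int) $submitted, $issued, $secret), $token);
}

// Constructed demo: secret, timestamps and the "12 + 8" problem are sample values.
$secret = 'constructed-demo-secret';
$token  = captcha_token(20, 1700000000, $secret);
var_dump([
    'correct' => captcha_verify($secret, $token, '20', 1700000060),
    'wrong'   => captcha_verify($secret, $token, '21', 1700000060),
    'expired' => captcha_verify($secret, $token, '20', 1700000601),
]);
```

The timestamp only bounds how long a solved problem and its token stay valid; rejecting reuse inside that window needs server-side state such as a used-token list.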
Custom Error Message
The default error message is “Incorrect answer to the math problem. Please try again.” You can customize this in the Messages tab under the math_captcha_failed message.
Google reCAPTCHA v3
reCAPTCHA v3 runs in the background without any user interaction. It assigns a score to each submission based on how likely it is to be from a human. Suspicious submissions are blocked.
Setup
- Get a reCAPTCHA v3 site key and secret key from Google’s reCAPTCHA admin.
- Go to Core Forms > Settings.
- Enter the Site Key and Secret Key in the reCAPTCHA section.
- Save settings.
Per-Form Configuration
After configuring the global keys, enable reCAPTCHA on individual forms:
- Edit the form.
- Go to the Settings tab.
- Check Enable reCAPTCHA.
- Save the form.
Score Threshold
reCAPTCHA v3 returns a score between 0.0 (likely bot) and 1.0 (likely human). The default threshold is 0.5. Submissions with a score below the threshold are rejected.
Error Messages
Two reCAPTCHA-specific messages can be customized in the Messages tab:
- recaptcha_failed – Shown when the reCAPTCHA verification request fails entirely.
- recaptcha_low_score – Shown when the submission scores below the threshold.
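How the threshold and the two message keys can map onto a verification reply, as an added example that is not Core Forms' own code. The function name, the fail-closed handling and the mapping of a `success: false` reply to recaptcha_failed are assumptions; the `success`, `score` and `error-codes` keys are fields of Google's siteverify response.

```php
<?php
// Added example. Function name and the mapping to message keys are assumptions.
const RECAPTCHA_THRESHOLD = 0.5; // default threshold stated on this page

// $body is the raw HTTP body returned by siteverify, or null when the request
// itself failed. Returns null to accept, or the key of the message to show.
function recaptcha_decide(?string $body, float $threshold = RECAPTCHA_THRESHOLD): ?string
{
    if ($body === null) {
        return 'recaptcha_failed'; // transport error: fail closed
    }
    $reply = json_decode($body, true);
    if (!is_array($reply) || ($reply['success'] ?? false) !== true) {
        return 'recaptcha_failed'; // unparseable reply or token not accepted
    }
    if (!isset($reply['score']) || !is_numeric($reply['score'])) {
        return 'recaptcha_failed'; // no usable score: do not treat as human
    }
    // Only scores strictly below the threshold are rejected.
    return (float) $reply['score'] < $threshold ? 'recaptcha_low_score' : null;
}

// Constructed sample replies (not captured traffic).
$samples = [
    'high score'     => '{"success":true,"score":0.9,"action":"submit","hostname":"example.com"}',
    'at threshold'   => '{"success":true,"score":0.5}',
    'low score'      => '{"success":true,"score":0.3}',
    'token rejected' => '{"success":false,"error-codes":["timeout-or-duplicate"]}',
    'missing score'  => '{"success":true}',
    'not JSON'       => '<html>502 Bad Gateway</html>',
    'request failed' => null,
];
foreach ($samples as $label => $body) {
    printf("%-15s %s\n", $label, recaptcha_decide($body) ?? 'accepted');
}
```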
Badge Visibility
The reCAPTCHA badge is automatically hidden on mobile screens to avoid layout issues.
Cloudflare Turnstile
Turnstile is a privacy-focused CAPTCHA alternative from Cloudflare. It does not track users and often completes verification without any user interaction.
Setup
- Get a Turnstile site key and secret key from the Cloudflare dashboard.
- Go to Core Forms > Settings.
- Enter the Site Key and Secret Key in the Turnstile section.
- Save settings.
Per-Form Configuration
After configuring the global keys, enable Turnstile on individual forms:
- Edit the form.
- Go to the Settings tab.
- Check Enable Turnstile.
- Save the form.
Theme and Size
Turnstile supports light and dark themes, and normal or compact sizes. These can be configured in the global settings.
hCaptcha
If the hCaptcha WordPress plugin is installed and active, Core Forms integrates with it automatically. The integration works similarly to Turnstile with per-form enable/disable controls.
Akismet Integration
If the Akismet plugin is installed, active, and has a valid API key, Core Forms automatically checks submissions against Akismet’s spam database.
How It Works
- When a form is submitted and passes initial validation, the submission data is sent to Akismet for analysis.
- Akismet checks the content, IP address, user agent, and other signals against its spam database.
- If Akismet flags the submission as spam, it is saved with is_spam = 1 but the user sees a success message (to avoid tipping off bots).
Who Gets Checked
Akismet skips the spam check for logged-in users who have the edit_posts capability. This prevents administrators and editors from having their test submissions flagged.
No Configuration Needed
As long as Akismet is active with a valid API key, the integration works automatically. There is no per-form toggle for Akismet.
Spam Submission Handling
When a submission is flagged as spam by any method:
- The submission is saved to the database with is_spam = 1 (if save_submissions is enabled).
- The user sees the normal success message. This is intentional. Returning an error tells bots to try again with different content. A success response makes them move on.
- No form actions (email, webhooks, etc.) are executed.
- Spam submissions can be viewed and managed from Core Forms > Spam.
Combining Methods
You can enable multiple spam protection methods on the same form. They are evaluated in this order:
- Honeypot (always active, checked first)
- Math CAPTCHA (priority 15)
- reCAPTCHA / Turnstile / hCaptcha (during validation)
- Akismet (priority 20, runs after other validation)
If any method flags the submission, subsequent checks may still run depending on the method. The first definitive rejection stops form action processing.