Spam Protection

WordPress form spam protection is an arms race, which is why Core Forms ships five built-in methods plus Akismet integration instead of betting everything on one. Honeypot fields catch dumb bots for free, Math CAPTCHA stops them without third-party scripts, and reCAPTCHA v3, hCaptcha, and Cloudflare Turnstile cover the sophisticated end. You can run several at once.

On my own site, honeypot plus Turnstile catches effectively everything: the Forms dashboard counter shows 56 submissions caught as spam, and manual cleanup is a thing of the past.

Core Forms spam protection screen with honeypot, Math CAPTCHA, reCAPTCHA v3, hCaptcha, Turnstile and Akismet options

Honeypot Field

Every form automatically includes a hidden honeypot field. This is an invisible text input that legitimate users never see or fill in (it is hidden with display: none and aria-hidden="true"). Bots that fill in every field will populate the honeypot, causing the submission to be silently ignored.

The honeypot is always active. There is no setting to disable it. It provides a baseline level of spam protection with zero friction for real users.

Math CAPTCHA

Math CAPTCHA adds a simple arithmetic problem to the form (e.g., “12 + 8 = ?”). Users must solve it correctly to submit the form. This is a lightweight alternative to external CAPTCHA services.

Enabling Math CAPTCHA

  1. Edit your form.
  2. Go to the Settings tab.
  3. Check Enable Math CAPTCHA.
  4. Save the form.

How It Works

The plugin generates a random math problem using addition, subtraction, or multiplication with small numbers. The correct answer is hashed and stored in a hidden field. When the form is submitted, the user’s answer is hashed and compared.

The math problem is rendered directly in the form markup. No external scripts or API calls are needed.
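The page does not say how the hidden-field hash is computed. The answer space is a handful of small integers, so the hash needs to be keyed with a server-side secret and tied to a form and an expiry time. The following is an added example, not Core Forms code; the function names, token layout, TTL and form IDs are assumptions.

```php
<?php
// Added example, not Core Forms code. Function names, token layout and TTL are assumptions.
const CF_EXAMPLE_TTL = 600; // seconds a challenge stays valid

/** Build a question plus the hidden-field token binding answer, form and expiry. */
function cf_example_issue_challenge(string $secret, string $form_id, int $now): array
{
    $a  = random_int(1, 12);
    $b  = random_int(1, 12);
    $op = ['+', '-', '*'][random_int(0, 2)];
    $answer  = ['+' => $a + $b, '-' => $a - $b, '*' => $a * $b][$op];
    $expires = $now + CF_EXAMPLE_TTL;
    // Keyed hash: without $secret, hashing every small integer does not reveal the answer.
    $mac = hash_hmac('sha256', "$form_id|$expires|$answer", $secret);
    // 'answer' is returned only so the demo below can run; never send it to the browser.
    return ['question' => "$a $op $b = ?", 'token' => "$expires.$mac", 'answer' => $answer];
}

/** Check the submitted answer against the token from the hidden field. */
function cf_example_verify_answer(string $secret, string $form_id, string $token, string $input, int $now): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0]) || (int) $parts[0] < $now) {
        return false; // malformed or expired token
    }
    $input = trim($input);
    if (!preg_match('/^-?\d{1,4}$/', $input)) {
        return false; // only a short signed integer is ever hashed
    }
    $expected = hash_hmac('sha256', "$form_id|{$parts[0]}|" . (int) $input, $secret);
    return hash_equals($expected, $parts[1]); // constant-time comparison
}

// Constructed demo values.
$secret = 'constructed-demo-secret';
$now    = 1700000000;
$c      = cf_example_issue_challenge($secret, 'form-7', $now);
$good   = (string) $c['answer'];
$cases  = [
    'correct answer'  => ['form-7', $good, $now + 30],
    'wrong answer'    => ['form-7', (string) ($c['answer'] + 1), $now + 30],
    'other form'      => ['form-9', $good, $now + 30],
    'expired token'   => ['form-7', $good, $now + CF_EXAMPLE_TTL + 1],
    'non-numeric'     => ['form-7', $good . 'abc', $now + 30],
];
foreach ($cases as $label => [$form, $input, $at]) {
    $ok = cf_example_verify_answer($secret, $form, $c['token'], $input, $at);
    printf("%-15s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

A token and its answer stay valid together until the expiry time, so making a challenge single-use additionally requires server-side state that records which tokens have been spent.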

Custom Error Message

The default error message is “Incorrect answer to the math problem. Please try again.” You can customize this in the Messages tab under the math_captcha_failed message.

Google reCAPTCHA v3

reCAPTCHA v3 runs in the background without any user interaction. It assigns a score to each submission based on how likely it is to be from a human. Suspicious submissions are blocked.

Setup

  1. Get a reCAPTCHA v3 site key and secret key from Google’s reCAPTCHA admin.
  2. Go to Core Forms > Settings.
  3. Enter the Site Key and Secret Key in the reCAPTCHA section.
  4. Save settings.

Per-Form Configuration

After configuring the global keys, enable reCAPTCHA on individual forms:

  1. Edit the form.
  2. Go to the Settings tab.
  3. Check Enable reCAPTCHA.
  4. Save the form.

Score Threshold

reCAPTCHA v3 returns a score between 0.0 (likely bot) and 1.0 (likely human). The default threshold is 0.5. Submissions with a score below the threshold are rejected.

Error Messages

Two reCAPTCHA-specific messages can be customized in the Messages tab:

  • recaptcha_failed – Shown when the reCAPTCHA verification request fails entirely.
  • recaptcha_low_score – Shown when the submission scores below the threshold.
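The score threshold and the two message keys above can be expressed as one server-side decision over the decoded siteverify response. This is an added example, not Core Forms code; the function name, the expected action and hostname checks, and the choice to report those mismatches as recaptcha_failed are assumptions.

```php
<?php
// Added example, not Core Forms code. The function name and the action/hostname
// checks are assumptions; the response fields are those of Google's siteverify API.

/** Map a decoded siteverify response to a message key, or null to accept. */
function cf_example_recaptcha_verdict($resp, string $action, string $host, float $threshold = 0.5): ?string
{
    // Transport error, invalid JSON or success=false: verification itself failed.
    if (!is_array($resp) || empty($resp['success'])) {
        return 'recaptcha_failed';
    }
    // A valid token minted for another action or site must not count for this form.
    if (($resp['action'] ?? '') !== $action || ($resp['hostname'] ?? '') !== $host) {
        return 'recaptcha_failed';
    }
    // A missing or non-numeric score is a failure, never a pass.
    if (!isset($resp['score']) || !is_numeric($resp['score'])) {
        return 'recaptcha_failed';
    }
    // The page's rule: below the threshold is rejected, equal to it passes.
    return ((float) $resp['score'] < $threshold) ? 'recaptcha_low_score' : null;
}

// Constructed responses in the shape of siteverify JSON.
$samples = [
    'likely human' => '{"success":true,"score":0.9,"action":"contact","hostname":"example.com"}',
    'likely bot'   => '{"success":true,"score":0.1,"action":"contact","hostname":"example.com"}',
    'at threshold' => '{"success":true,"score":0.5,"action":"contact","hostname":"example.com"}',
    'wrong action' => '{"success":true,"score":0.9,"action":"login","hostname":"example.com"}',
    'no score'     => '{"success":true,"action":"contact","hostname":"example.com"}',
    'bad token'    => '{"success":false,"error-codes":["invalid-input-response"]}',
    'not JSON'     => '<html>502 Bad Gateway</html>',
];
foreach ($samples as $label => $body) {
    $verdict = cf_example_recaptcha_verdict(json_decode($body, true), 'contact', 'example.com');
    printf("%-13s %s\n", $label, $verdict ?? 'accept');
}
```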

Badge Visibility

The reCAPTCHA badge is automatically hidden on mobile screens to avoid layout issues.

Cloudflare Turnstile

Turnstile is a privacy-focused CAPTCHA alternative from Cloudflare. It does not track users and often completes verification without any user interaction.

Setup

  1. Get a Turnstile site key and secret key from the Cloudflare dashboard.
  2. Go to Core Forms > Settings.
  3. Enter the Site Key and Secret Key in the Turnstile section.
  4. Save settings.

Per-Form Configuration

After configuring the global keys, enable Turnstile on individual forms:

  1. Edit the form.
  2. Go to the Settings tab.
  3. Check Enable Turnstile.
  4. Save the form.

Theme and Size

Turnstile supports light and dark themes, and normal or compact sizes. These can be configured in the global settings.

hCaptcha

If the hCaptcha WordPress plugin is installed and active, Core Forms integrates with it automatically. The integration works similarly to Turnstile with per-form enable/disable controls.

Akismet Integration

If the Akismet plugin is installed, active, and has a valid API key, Core Forms automatically checks submissions against Akismet’s spam database.

How It Works

  1. When a form is submitted and passes initial validation, the submission data is sent to Akismet for analysis.
  2. Akismet checks the content, IP address, user agent, and other signals against its spam database.
  3. If Akismet flags the submission as spam, it is saved with is_spam = 1 but the user sees a success message (to avoid tipping off bots).

Who Gets Checked

Akismet skips the spam check for logged-in users who have the edit_posts capability. This prevents administrators and editors from having their test submissions flagged.

No Configuration Needed

As long as Akismet is active with a valid API key, the integration works automatically. There is no per-form toggle for Akismet.

Spam Submission Handling

When a submission is flagged as spam by any method:

  1. The submission is saved to the database with is_spam = 1 (if save_submissions is enabled).
  2. The user sees the normal success message. This is intentional. Returning an error tells bots to try again with different content. A success response makes them move on.
  3. No form actions (email, webhooks, etc.) are executed.
  4. Spam submissions can be viewed and managed from Core Forms > Spam.

Combining Methods

You can enable multiple spam protection methods on the same form. They are evaluated in this order:

  1. Honeypot (always active, checked first)
  2. Math CAPTCHA (priority 15)
  3. reCAPTCHA / Turnstile / hCaptcha (during validation)
  4. Akismet (priority 20, runs after other validation)

If any method flags the submission, subsequent checks may still run depending on the method. The first definitive rejection stops form action processing.
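The silent-handling flow from Spam Submission Handling and the check ordering above, sketched for the two methods the page describes as silent (honeypot and Akismet). This is an added example, not Core Forms code; the function names, the website_url honeypot field, the honeypot priority of 0, the keyword stand-in for Akismet's verdict and stopping at the first flag are all assumptions.

```php
<?php
// Added example, not Core Forms code. Names, the "website_url" honeypot field, the
// keyword stand-in for Akismet and stopping at the first flag are assumptions.

/** Return the name of the first check (lowest priority number) that flags the post. */
function cf_example_first_flag(array $checks, array $post): ?string
{
    usort($checks, fn($x, $y) => $x['priority'] <=> $y['priority']);
    foreach ($checks as $check) {
        if ($check['is_spam']($post)) {
            return $check['name'];
        }
    }
    return null;
}

/** Process one submission; the visitor gets the same response either way. */
function cf_example_handle(array $post, array $checks, bool $save, array &$rows, array &$actions): array
{
    $flag = cf_example_first_flag($checks, $post);
    if ($save) { // mirrors the save_submissions setting
        $rows[] = ['email' => $post['email'] ?? '', 'is_spam' => $flag === null ? 0 : 1, 'flagged_by' => $flag];
    }
    if ($flag === null) {
        $actions[] = 'notify:' . ($post['email'] ?? ''); // stand-in for email/webhook actions
    }
    return ['success' => true, 'message' => 'Thanks, your message was sent.'];
}

$checks = [
    ['name' => 'akismet',  'priority' => 20, 'is_spam' => fn($p) => stripos($p['message'] ?? '', 'casino') !== false],
    ['name' => 'honeypot', 'priority' => 0,  'is_spam' => fn($p) => trim($p['website_url'] ?? '') !== ''],
];
// Constructed submissions.
$posts = [
    ['email' => 'ana@example.com',  'message' => 'Quote for 20 seats?', 'website_url' => ''],
    ['email' => 'bot1@example.net', 'message' => 'hello',               'website_url' => 'http://example.org'],
    ['email' => 'bot2@example.net', 'message' => 'Best CASINO bonus',   'website_url' => ''],
];
$rows = $actions = [];
foreach ($posts as $post) {
    $reply = cf_example_handle($post, $checks, true, $rows, $actions);
    echo json_encode($reply), "\n";
}
echo json_encode(['rows' => $rows, 'actions' => $actions], JSON_PRETTY_PRINT), "\n";
```

The three replies are byte-identical, while the stored rows and the actions list differ; that difference is what a reviewer should check when auditing a form handler for verdict leakage.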

Spam that still gets through lands in a quarantine view covered in the submissions lesson, so a false positive never costs you a real lead.