Onar Alili
Engineer
5 effective ways to protect your Formidable Forms from spam
- OOPSpam WordPress plugin
- Honeypot
- Token-based spam protection
- Using WordPress’s Comment Moderation
- reCAPTCHA
- Final thoughts
Formidable Forms is one of the most popular contact form builders out there, with over 13M downloads. It has everything you need to build a complex form, from payment gateway integration (Stripe etc.) to conditional logic and more. Formidable Forms Lite is available in the WordPress plugin directory and comes with basic fields and built-in spam filtering options. The Pro version adds advanced fields and many more features. Check out the official comparison between Lite & Pro.
Now that we have covered what Formidable Forms is, let’s focus on what you can do about the spam you get through your Formidable Forms.
OOPSpam WordPress plugin
The OOPSpam WordPress plugin (that’s us 👋) is one way to stop spam in Formidable Forms and WordPress comments. The plugin works with the OOPSpam API, which protects over 3.5M websites daily. While the other spam filtering methods listed below are free, OOPSpam is a premium service and comes with 40 spam checks/month to test and see the difference.
It’s likely you have already tried the options below, and they didn’t work for you. It could be a website slowed down by reCAPTCHA, or overwhelming spam you are still getting despite implementing the alternatives below. These are the benefits OOPSpam has over the other alternatives:
- Doesn’t slow down your website
- Keeps your site accessible to all users
- Stops both human spammers and bots
On the plugin’s settings page, you can also adjust how sensitive you want your spam filter to be. Even keeping the default (recommended) Sensitivity level setting will help you cut down spam to zero.
In addition, the plugin allows you to set up a filter to accept submissions only from certain countries and languages.
✨ Since then, we have also added the Block messages from these countries feature.
Here are a few steps to activate spam protection for Formidable Forms:
- Subscribe to get an API key, then copy and paste the API key into the plugin’s appropriate field under Settings -> OOPSpam Anti-Spam on your WordPress Admin Dashboard.
  ℹ️ Make sure to select OOPSpam Dashboard on the settings page.
- If you have Formidable Forms installed, a special section will appear on the OOPSpam Anti-Spam plugin’s settings page.
- On this page, you need to activate the spam filtering for Formidable Forms by checking the Activate Spam Protection checkbox. You don’t have to do anything on your form. Once you activate spam protection on the OOPSpam plugin settings, you are good to go.
- Don’t forget to enter a short message to display when a spam form entry is submitted. Your message will appear at the bottom of the message field.
Honeypot
We wrote extensively about the honeypot technique and how it works. While it’s not as effective as it used to be, it still prevents some bots from spamming your contact forms. Here is a short description of what the honeypot method is:
📌 A honeypot field is a hidden field that is meant to be filled only by bots. Bots scan a website and fill all the fields, including the hidden field in your form. Formidable Forms will automatically dismiss every submission with an entry in a honeypot field.
Formidable Forms comes with the honeypot feature, and it’s enabled by default. If you are getting spammed, first make sure this honeypot is still enabled.
Unlike other contact form solutions like Fluent Forms, Formidable Forms allows you to configure honeypot in three different modes: Off, Basic, and Strict. This is a great way to harden spam protection.
- Off: This is the obvious one. We don’t recommend turning the honeypot technique off.
- Basic: The default value and enabled for all the forms. Adds a hidden text field to your contact form.
- Strict: An improvement over Basic mode. Adds a hidden email field that tricks bots into filling it, but you may see more false positives.
Always make sure the honeypot is enabled for all your forms. Switch from Basic to Strict mode if you start getting spammed. This method is the least expensive and simplest way to stop spam. Once you start getting spam despite having a honeypot, look into other options.
Token-based spam protection
Formidable Forms also provides JavaScript-based (aka token-based) spam filtering. As this method relies on JavaScript, JavaScript needs to be enabled in the visitor’s browser for this to work. This technique prevents automated spam bots from submitting multiple entries.
This anti-spam measure comes built-in and isn’t enabled by default. Here is how it works: each time a form loads, a unique token is created, stored on the page, and passed along with the form submission. On the backend, Formidable validates this token to make sure it is not being reused. If the token has expired, is invalid, or doesn’t exist, the submission will be halted.
Token-based spam prevention is effective against basic bots. Unfortunately, it is ineffective against targeted spam, manual spam, and headless browser-based bots. Give this option a shot if you are getting spammed despite the honeypot.
It’s worth mentioning that in some cases caching (if you are using it) could be a problem with this technique, as the token is stored in the page’s DOM. Formidable Forms points out this issue in their official docs. You can avoid this by increasing the token expiration time. Formidable Forms recommends using either the frm_form_token_check_after_today or the frm_form_token_check_before_today hook to do so.
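The token lifecycle and the caching problem described above, as an added Python sketch; this is a generic model and not Formidable Forms' code. The token format, `SECRET`, `TOKEN_TTL` and both function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)  # per-site signing key (assumed)
TOKEN_TTL = 3600                  # token lifetime in seconds (assumed value)
_used_nonces = set()              # a real site needs a shared store that expires entries


def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(now):
    """Build the token that is embedded in the form when the page is rendered."""
    payload = f"{secrets.token_hex(16)}.{int(now)}"
    return f"{payload}.{_sign(payload)}"


def check_token(token, now, ttl=TOKEN_TTL):
    """Return (accepted, reason) for the token posted with a submission."""
    if not token:
        return False, "missing"
    parts = token.split(".")
    if len(parts) != 3:
        return False, "invalid"
    nonce, issued, sig = parts
    if not hmac.compare_digest(sig.encode(), _sign(f"{nonce}.{issued}").encode()):
        return False, "invalid"
    if now - int(issued) > ttl:
        return False, "expired"
    if nonce in _used_nonces:
        return False, "reused"
    _used_nonces.add(nonce)  # single use: a replayed token is refused
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed timestamp
    fresh = issue_token(t0)
    print(check_token(fresh, t0 + 30))     # normal submission
    print(check_token(fresh, t0 + 60))     # bot replaying the same token
    cached = issue_token(t0)               # token baked into a cached page
    print(check_token(cached, t0 + 7200))  # page served from cache two hours later
    print(check_token(cached, t0 + 7200, ttl=86400))  # same token, longer lifetime
```

In this model the token on a cached page keeps ageing, so a legitimate visitor is rejected as "expired" until the lifetime is raised.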
Using WordPress’s Comment Moderation
Formidable Forms did a great job by incorporating the already available comment moderation into their forms. I’m talking about a feature that comes with every WordPress install and is accessible under WordPress Settings -> Discussion page -> Disallowed Comment Keys. This is a quick way to block a surge of spam by adding URLs, IPs or any spam words (one per line) into this field. Formidable Forms will then check every submission against this list and block it if it matches.
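An added Python example (not WordPress or Formidable Forms code) of how a one-entry-per-line list behaves when entries are matched the way WordPress matches them for comments: case-insensitively and anywhere inside a value. The function names, field names and sample data are constructed; it is an assumption here that form submissions are matched the same way.

```python
import re


def parse_disallowed(raw):
    """One entry per line; blank lines are ignored."""
    return [line.strip() for line in raw.splitlines() if line.strip()]


def first_match(entries, submission):
    """Return (entry, field) for the first disallowed entry found, else None."""
    for entry in entries:
        pattern = re.compile(re.escape(entry), re.IGNORECASE)
        for field, value in submission.items():
            if pattern.search(value):
                return entry, field
    return None


if __name__ == "__main__":
    # Constructed list: a spam word, a documentation-range IP, and a too-short word.
    entries = parse_disallowed("casino\n\n203.0.113.7\npress\n")
    samples = [
        {"message": "Best CASINO bonus", "ip": "198.51.100.4"},   # intended hit
        {"message": "I love WordPress", "ip": "198.51.100.4"},    # "press" hits inside a word
        {"message": "Hello", "ip": "203.0.113.70"},               # IP entry hits a longer IP
        {"message": "Hello", "ip": "198.51.100.4"},               # clean
    ]
    for s in samples:
        print(s["message"], s["ip"], "->", first_match(entries, s))
```

Short words and bare IP prefixes in the list are the usual source of blocked legitimate submissions, so keep entries as specific as possible.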
reCAPTCHA
Up to this point, we have seen techniques that don’t require third-party solutions. reCAPTCHA is a popular CAPTCHA solution that many websites use. Formidable Forms has built-in integration with reCAPTCHA. Unfortunately, unlike other similar contact form builders, Formidable Forms doesn’t have hCAPTCHA integration.
Formidable Forms supports both reCAPTCHA v2 and v3 (Invisible reCAPTCHA). reCAPTCHA is available in both free and paid versions. Enabling reCAPTCHA is pretty straightforward through the plugin’s settings. It involves creating a Google Account, then grabbing the Site Key and Secret Key and pasting them into the appropriate fields under Global Settings -> reCAPTCHA in Formidable Forms. They provide a step-by-step tutorial on how to set up reCAPTCHA in Formidable Forms.
Should I use reCAPTCHA v2 or v3?
v3 came after many people complained about accessibility and usability issues with v2. v2 asks visitors to solve a challenge before submitting a form. To address this issue, Google removed the “challenge” part of reCAPTCHA. As a result, with v3, users don’t solve any challenges. Instead, it tracks the user’s behavior on your website and scores the user from 0 (bot) to 1 (human). It is up to the website owner to determine the threshold. In Formidable Forms, you don’t have control over this threshold.
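What a score threshold means on the server side, as an added Python example that is not Formidable Forms code. It evaluates constructed response bodies shaped like the JSON returned by Google's siteverify endpoint; the function name, the 0.5 threshold, the action name and the hostname are assumptions.

```python
import json


def evaluate_recaptcha_v3(body, expected_action, expected_hostname, threshold=0.5):
    """Return (decision, reason) for a siteverify JSON response body."""
    data = json.loads(body)
    if data.get("success") is not True:
        return "reject", "verification failed: " + ",".join(data.get("error-codes", []))
    # A token minted for another site or another form action says nothing about this one.
    if data.get("hostname") != expected_hostname:
        return "reject", "hostname mismatch"
    if data.get("action") != expected_action:
        return "reject", "action mismatch"
    score = data.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return "reject", "no score in response"
    if score < threshold:
        return "reject", f"score {score} below threshold {threshold}"
    return "accept", f"score {score}"


# Constructed sample responses (not captured traffic).
LIKELY_HUMAN = json.dumps({"success": True, "score": 0.9, "action": "contact",
                           "hostname": "example.com"})
LIKELY_BOT = json.dumps({"success": True, "score": 0.1, "action": "contact",
                         "hostname": "example.com"})
WRONG_ACTION = json.dumps({"success": True, "score": 0.9, "action": "login",
                           "hostname": "example.com"})
BAD_TOKEN = json.dumps({"success": False, "error-codes": ["invalid-input-response"]})

if __name__ == "__main__":
    for body in (LIKELY_HUMAN, LIKELY_BOT, WRONG_ACTION, BAD_TOKEN):
        print(evaluate_recaptcha_v3(body, "contact", "example.com"))
    # A stricter site owner raises the bar: the same 0.9 score still passes at 0.7.
    print(evaluate_recaptcha_v3(LIKELY_HUMAN, "contact", "example.com", threshold=0.7))
```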
Many people are happy with reCAPTCHA. It is effective against simple bots; however, advanced bots can bypass reCAPTCHA. There are also “captcha farms” where people get paid to solve reCAPTCHA. It will also slow down your website, as it loads extra JavaScript files into your website.
If you are looking for a free solution, reCAPTCHA is a good option.
Final thoughts
All websites eventually get hit by spammers. As a website grows and gets more traffic it attracts more serious spammers with advanced bots. The CAPTCHA solutions will protect your website to a certain degree but they are not enough for targeted spam attacks, manual spam, and sophisticated bots. I hope this article helps you find a solution to your spam problem.
That is all! Go on and create your forms.
Happy spam-free day!