Securing your WordPress forms
Contact Form 7 is a free and very popular WordPress plugin that lets you create contact forms for a WordPress site without writing any code, in line with the philosophy of the Gutenberg editor. Unfortunately, because of its popularity, sites that use it are often targeted by spam. To protect myself effectively without relying on third-party services (Google reCAPTCHA, Akismet Anti-Spam), I use Honeypot for Contact Form 7, which I find lighter and more suitable for most cases.
Presentation and configuration of the plugin…
Anti-spam problems with Contact Form 7
Contact Form 7 offers two anti-spam solutions by default:
- Akismet Anti-Spam, developed by Automattic: A filtering system that analyzes submitted form entries by comparing the data with its database of known spam.
- reCAPTCHA, developed by Google: A “CAPTCHA” (Completely Automated Public Turing test to tell Computers and Humans Apart). It’s a test designed to distinguish between humans and bots.
These two services are very effective at limiting spam, but they raise two issues:
- Privacy: Data submitted in forms is sent to a third-party provider, over which you have little or no visibility. If you’re subject to the GDPR, this creates a problem, as it involves collecting and processing personal data without clear control over how that data is used.
- Performance: Akismet and Google reCAPTCHA can slow down your site. These services make external requests and, in the case of Google reCAPTCHA, add extra JavaScript files to every page load. These elements can increase page load times and consume more bandwidth for your users.
To fix these issues, I prefer an anti-spam solution that works locally on the site and does not affect the user experience.
The honeypot, a lightweight and effective anti-spam tool 🍯
We’re looking for an effective, lightweight anti-spam solution. It must provide strong protection while keeping the site fast. It should filter spam without slowing performance or complicating the user experience. The ideal solution balances security and ease of use without compromising page load speed. Finally, the plugin must be maintainable and updated regularly.
I chose Honeypot for Contact Form 7 to meet these requirements. This plugin protects your form with a honeypot 🍯. A honeypot in a form works like a trap for spambots. It adds a field that is hidden from human visitors but still present in the page's HTML, so only bots that read the markup and fill in every field will complete it. If this hidden field is filled out when the form is submitted, the server knows it’s likely a bot and blocks the submission to prevent spam.
How to configure Honeypot for Contact Form 7
Check that Honeypot for Contact Form 7 is installed and activated. If it is, you will see a new “Honeypot” option in the Contact Form 7 sub-menus in the sidebar.
If you haven’t already, I also recommend installing the Flamingo plugin, which lets you save your site’s form entries directly in the WordPress admin dashboard.

General settings
The plugin’s general configuration page is straightforward. By default, no options are enabled.
At the bottom of the page, you will find statistics showing the number of spam messages blocked.

After extensive testing on sites of all sizes, the most effective configuration, without sacrificing form accessibility, is the following:
✅ Store Honeypot Value (if you’ve installed Flamingo).
📋 Default guide text (leave blank).
📋 Accessibility Message: “Please leave this field blank”.
✅ Use Standard Autocomplete Value.
✅ Move Inline CSS.
✅ Enable Time Check.

Integrating a Honeypot into a form
Once the global configuration is set, you need to add a honeypot to the form you want to protect. As explained earlier, this means adding an extra hidden field to your Contact Form 7 form.
To add a honeypot to your form, go to the Contact forms section under the Contact menu.

Select the form you want to configure.

A new Honeypot field is available. Click on it to configure and insert it into your form.

This opens a configuration window for your field. I recommend the following settings, which work best for me.
Note: The word “field” is deliberately misspelled.
📋 Name (leave as is)
📋 ID attribute: fieeeld
📋 Class attribute: fieeeld
📋 Wrapper ID: fieeeld-container
📋 Placeholder: fieeeld
✅ Use Standard Autocomplete Value
✅ Move inline CSS
✅ Enable Time Check

To better confuse spambots, I recommend placing the tag between two form fields. Don’t worry—this field will remain invisible to human users.

If you prefer not to go through the configuration, you can copy this small piece of code directly into your form. Make sure to insert it between the real form fields, not at the end!
<label>[honeypot adresse id:adresss class:adresss wrapper-id:adresss-container validautocomplete:true move-inline-css:true nomessage:true timecheck_enabled:true "important field"]</label>
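To show what the server decides once such a field and the Time Check option are in place, here is an added example in plain PHP; it is not the plugin's code. The field names, the secret, the 4-second threshold, the function names and the signed render timestamp are assumptions made for the illustration; the page does not describe how the plugin implements its time check.

```php
<?php
// Added illustration, not the plugin's source. Field names, the secret and
// the 4-second threshold are assumptions chosen for this example.
const HONEYPOT_FIELD = 'fieeeld';     // decoy input hidden from humans by CSS
const TOKEN_FIELD    = 'form_token';  // hypothetical signed render timestamp
const MIN_SECONDS    = 4;             // assumed minimum human fill-in time

// Issued when the form is rendered: "<unix time>.<HMAC of that time>".
function issue_token(string $secret, int $now): string {
    return $now . '.' . hash_hmac('sha256', (string) $now, $secret);
}

// Returns null for an acceptable submission, otherwise the reason it is spam.
function spam_reason(array $post, string $secret, int $now): ?string {
    // 1. Honeypot: a human never sees the field, so any value means a bot.
    if (trim((string) ($post[HONEYPOT_FIELD] ?? '')) !== '') {
        return 'honeypot field filled';
    }
    // 2. Time check: the timestamp must be ours (valid HMAC) and old enough.
    $parts = explode('.', (string) ($post[TOKEN_FIELD] ?? ''), 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'missing or malformed token';
    }
    [$issued, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $issued, $secret), $mac)) {
        return 'token signature mismatch';
    }
    if ($now - (int) $issued < MIN_SECONDS) {
        return 'submitted too quickly';
    }
    return null;
}

// Constructed sample submissions (not real traffic).
$secret   = 'example-secret-change-me';
$rendered = 1700000000;
$token    = issue_token($secret, $rendered);
$samples  = [
    'human'     => ['email' => 'a@example.org', 'fieeeld' => '', 'form_token' => $token],
    'bot fills' => ['email' => 'b@example.org', 'fieeeld' => 'http://spam.example', 'form_token' => $token],
    'forged ts' => ['email' => 'c@example.org', 'fieeeld' => '', 'form_token' => '1.deadbeef'],
];
foreach ($samples as $label => $post) {
    printf("%-10s +30s: %s\n", $label, spam_reason($post, $secret, $rendered + 30) ?? 'accepted');
}
printf("%-10s +1s : %s\n", 'human', spam_reason($samples['human'], $secret, $rendered + 1));
```

Signing the render time matters because a timestamp sent as a plain hidden value can simply be rewritten by the client, which would defeat the minimum-delay check.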
Monitor spam
Your form is now protected! If you check your site, you’ll see that the field you added is completely invisible.

However, if you use the Flamingo plugin mentioned earlier, you’ll soon notice that the honeypot is successfully capturing spam.

In the incoming messages interface, a new Spam category appears. Here, you’ll find all the spam messages you’ve received, which are automatically recycled regularly.


My review of the Honeypot for Contact Form 7 plugin
Securing WordPress forms is essential to prevent spam and simplify contact management. The default solutions offered with Contact Form 7—Akismet Anti-Spam and Google reCAPTCHA—raise privacy concerns and can slow down your site’s performance.
With this in mind, Honeypot for Contact Form 7 is an effective, lightweight alternative. This plugin protects against spam by adding a trap for spambots without affecting the user experience or page load speed. Its simple configuration, reliability, and popularity make it a highly relevant solution for maintaining the integrity of your forms while ensuring a smooth experience for your WordPress users.