WordPress Contact Form 7 Without Captcha

When this blog moved to wordpress, we added a contact form into the footer, which was available on every page. This seems awesome until you see the sheer volume of spam I got from it in the first day or two. I hate captchas, not least because I usually fail them at least once myself, so I was in search of alternatives and found two: akismet and the honeypot plugin.

Akismet is the first plugin I install on any wordpress site (in fact, doesn’t it come enabled by default these days?) – it does a great job of catching comment spam without me having to moderate every message. It was pretty clear however that it wasn’t checking the forms from the Contact Form 7 plugin by default. On closer inspection it turns out that:

  • there is good documentation on akismet and contact form 7
  • when you mark any field to be checked by akismet, then you get the additional feature that all the fields in your form are concatenated together and checked as “content” by akismet as well
  • the ordering of the directives in the contact form tags does matter, I needed mine before the watermark

At this point, things improved and akismet caught quite a lot of the spam – but not all. The things it couldn’t catch were one-word clear nonsense entries – so I kept on looking and found the contact form 7 honeypot plugin.

The honeypot is a field which is designed to catch bots – they will typically fill in any field they see, regardless of whether they should do so or not! When you generate a honeypot field for your form, you get a field which is hidden and has the instruction “leave this field blank” in it. Humans can either not see it, or can read the instructions – but a spamming machine will fill it in. For better results, rename the field something other than “honeypot”; if you view the source on the contact form on the bottom of this page, you can see mine is called “country” – and that seems to work pretty well.

Given the ugliness and sheer unusability of the captcha, I am all in favour of other solutions and these worked well on my own site so I thought I’d share!

5 thoughts on “WordPress Contact Form 7 Without Captcha

  1. Hi Lorna,

    Great article, thanks for sharing. I feel the same about captcha’s. With other contact forms (home-brew), I found that simply checking for a valid session was enough to filter out the bots. The only downside is that people that do not allow cookies (and so not the session cookie) will be treated as bots just the same, especially because I used to redirect them to the ‘Thank you’ page while destroying the message.

    • I used to have a comment form that needed a session, the problem was that people clicking through from their feed readers to comment on a post would get an error and then go away :(

  2. Hi Lorna.

    Well isn’t that a CAPTCHA also? Just one without an image. What i really like though, is that it’s one the user needs not to interact with. The ones I’ve seen so far all had a field where you had to type in the answer to a simple question (Like what is 2+2). Thanks for sharing.

  3. I also like the numeric ones, we have them on joind.in for example, and they are MUCH easier for a normal person than the image ones, but they are still quite a good human test. I think my favourite was one I saw which said something like “Please type the name of my youngest daughter Laura into the box below” – now that is a good human test :)

  4. Thanks for this recommendation. A lot more straightforward than going down the GD / FreeType PHP libraries route….

Leave a Reply

Please use [code] and [/code] around any source code you wish to share.

This site uses Akismet to reduce spam. Learn how your comment data is processed.