How to Stop WordPress Contact Form Spam
Your contact form was getting two or three enquiries a week. Then last Tuesday it started getting thirty messages a day, all signed by people called Anna offering a free SEO audit, and your inbox is now unusable. Welcome to 2026 contact form spam.
This isn’t the spam from five years ago. The bots filling out forms now run on AI, which means the submissions read like real enquiries until you look closely. They use plausible names, plausible companies, plausible reasons for getting in touch. They tick the GDPR consent box. Some write follow-up paragraphs that almost make grammatical sense. And the protection most WordPress sites are still relying on, Google’s reCAPTCHA v2 with its tick-the-box widget, has been getting solved by automated services since 2023.
The other thing that’s changed is the scale of the bot networks behind it. What used to be a handful of obvious offenders is now a long tail of low-volume sources that each look almost legitimate, which is why simple IP blocks and email-domain blacklists have stopped working as a first line of defence. Filtering at the inbox no longer cuts it. The fix has to happen at the form.
The good news is the fix is smaller and cheaper than the marketing on most WordPress security suite plugins would suggest. You don’t need to buy anything heavy. You don’t need to slow your site down. You need a honeypot field, an invisible challenge, and the right form plugin underneath it.
Here’s how we’d work through it.
First, check it’s actually spam
Before you change anything, rule out the obvious. If your form has gone quiet, it might not be spam at all. It might be that the form itself stopped working when a plugin updated, and you’ve been missing real enquiries for a fortnight. We’ve covered this in detail in our piece on the signs your website is costing you sales, where the silent-form problem sits alongside the spam-flood problem as two sides of the same diagnostic question.
The diagnostic takes thirty seconds. Submit a test enquiry from a personal email address you don’t use elsewhere, write something an automated filter wouldn’t flag, and check the message arrives. If it doesn’t, you have a delivery problem, not a spam problem. If it does, move on to the actual fixes below.
It’s worth doing this first because every fix-the-spam guide online assumes the form is working. If it isn’t, you’ll spend an afternoon installing plugins to no effect.
Five fixes, ranked by effort and effect
We’ll go in the order we’d do them. Each fix builds on the last. You don’t need all five, but the first two between them solve the problem on most sites.
1. Add a honeypot field
Free. Ten minutes. Catches 60 to 70 per cent of bot traffic.
A honeypot is a hidden form field that real users can’t see and won’t fill in, but bots filling out every input on the page will. If the honeypot has anything in it, the submission gets binned. It’s invisible to genuine visitors, requires no clicking, and costs nothing.
The setup takes about ten minutes. In Contact Form 7 you’ll need the Honeypot add-on plugin. In Gravity Forms, WPForms and Fluent Forms it’s built in; you just turn it on in the form settings. The trick is to hide the field with CSS rather than with the HTML hidden attribute, because the better bots skip any field the markup itself marks as hidden, but still fill in a visible-looking text input that has merely been pushed off-screen.
On its own, a honeypot blocks somewhere between 60 and 70 per cent of automated form spam in 2026. Worth doing. Not enough by itself.
2. Add Cloudflare Turnstile
Free. Thirty minutes. Catches most of what the honeypot misses, invisibly.
Cloudflare Turnstile is an invisible CAPTCHA replacement. It runs a passive challenge in the background, working out whether the visitor is a human without making them tick a box or pick out traffic lights. If it’s confident the visitor is human, the form submits. If not, it blocks the submission silently.
It’s free for any volume of traffic. You don’t need to be using Cloudflare’s CDN for it to work, and it integrates with the major form plugins. Gravity Forms, WPForms and Fluent Forms have official add-ons. Contact Form 7 needs a third-party plugin, but there are two or three reliable ones to choose from.
Honeypot plus Turnstile blocks roughly 95 per cent of form spam on a typical site, with no impact on user experience and no monthly cost. This is the combination we’d reach for first on any site we’re brought in to fix.
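The official add-ons do the server-side check for you, but it is worth seeing what “Turnstile says the visitor is human” actually involves, because the widget on the page proves nothing until the token it produces is confirmed with Cloudflare from your server. The following is an added example, not code from this post or from any of the plugins it mentions. It assumes a WordPress environment (it uses wp_remote_post and home_url) and a secret key defined in a constant named TURNSTILE_SECRET_KEY, which is an assumed name; the siteverify URL, the cf-turnstile-response field and the success, hostname and error-codes fields are Cloudflare’s documented interface, and wpcf7_spam is Contact Form 7’s real spam filter hook. It fails closed: a network error, an unreadable reply or a token solved on some other hostname all count as a rejection.

```php
<?php
/**
 * Added example: confirm a Cloudflare Turnstile token server-side before a
 * submission is accepted. Not code from the post or from any form plugin.
 * Assumes WordPress (wp_remote_post, home_url) and an assumed constant
 * TURNSTILE_SECRET_KEY holding the site's secret key.
 */

// Cloudflare's documented verification endpoint.
const TURNSTILE_VERIFY_URL = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';

/**
 * Returns true only if Cloudflare confirms the token AND the token was solved
 * on our own hostname. Every other outcome is a failure, so an outage or a
 * misconfiguration blocks submissions rather than letting everything through.
 */
function turnstile_token_is_valid(string $token, string $remote_ip, string $expected_host): bool {
    $secret = defined('TURNSTILE_SECRET_KEY') ? TURNSTILE_SECRET_KEY : '';
    if ($secret === '' || $token === '' || strlen($token) > 2048) {
        return false; // unconfigured secret or an obviously bogus token
    }

    $response = wp_remote_post(TURNSTILE_VERIFY_URL, [
        'timeout' => 5,
        'body'    => [
            'secret'   => $secret,
            'response' => $token,
            'remoteip' => $remote_ip,
        ],
    ]);

    if (is_wp_error($response) || wp_remote_retrieve_response_code($response) !== 200) {
        error_log('turnstile: verification request failed');
        return false;
    }

    $data = json_decode(wp_remote_retrieve_body($response), true);
    if (!is_array($data) || empty($data['success'])) {
        // error-codes is part of Cloudflare's reply; keep it in the log for diagnosis.
        $codes = isset($data['error-codes']) && is_array($data['error-codes']) ? $data['error-codes'] : ['none'];
        error_log('turnstile: rejected, codes=' . implode(',', $codes));
        return false;
    }

    // A token solved on another site must not be accepted here.
    if (!isset($data['hostname']) || strcasecmp((string) $data['hostname'], $expected_host) !== 0) {
        error_log('turnstile: hostname mismatch: ' . (string) $data['hostname']);
        return false;
    }

    return true;
}

// Illustrative wiring for Contact Form 7: mark the submission as spam unless the
// token verifies. An official add-on normally does this for you; the point is
// that the decision happens on the server, not in the browser.
add_filter('wpcf7_spam', function ($spam) {
    if ($spam) {
        return true; // an earlier check (honeypot, Akismet) already flagged it
    }
    $token = isset($_POST['cf-turnstile-response']) ? (string) $_POST['cf-turnstile-response'] : '';
    $ip    = isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '';
    $host  = (string) parse_url(home_url(), PHP_URL_HOST);
    return !turnstile_token_is_valid($token, $ip, $host);
});
```

The hostname comparison is the part people skip: without it, a token harvested from a widget on any other site using the same keys (or a misconfigured widget of your own) would pass. Keep the secret key out of the theme and out of version control.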
3. Use hCaptcha if Cloudflare isn’t your stack
hCaptcha does the same job as Turnstile and works with the same form plugins. It’s a sensible alternative if your site doesn’t already have any Cloudflare presence and you’d rather not add one, or if you have a privacy-focused audience and prefer hCaptcha’s approach to data handling.
We don’t have a strong preference between the two. Pick the one that fits the rest of your stack.
4. Add a time-based submission check
Real humans don’t fill out a contact form in under three seconds. Bots do. A simple JavaScript timer that records when the form loaded and when it was submitted, and rejects anything sent in under three seconds, is a useful third layer. It catches the small minority of bots that get past the honeypot and Turnstile.
Most form plugins don’t have this built in, so it’s a custom snippet rather than a checkbox setting. On a managed site it’s a fifteen-minute job. On a site you’re maintaining yourself, you might decide the first two layers are enough.
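To make both of the cheap layers concrete, here is an added example covering the honeypot from fix 1 and the time-based check from fix 4 together; it is not code from the post or from any form plugin. It goes a little beyond a plain JavaScript timer: instead of trusting a “loaded at” value the browser sends (which a bot can set to anything), the server stamps the form with a signed timestamp when the page is rendered and checks the signature and the elapsed time on submit. The field names website_url and form_ts, the secret, and the six-hour expiry are all assumptions; the three-second threshold is the post’s. The demonstration data at the bottom is constructed, not real traffic.

```php
<?php
/**
 * Added example (not from the post): server-side honeypot plus a minimum-time
 * check built on an HMAC-signed timestamp. Plain PHP, no WordPress required,
 * so it can be run from the command line to see each case decided.
 */

const HP_FIELD    = 'website_url'; // honeypot name; assumed, chosen to look like a real field
const TS_FIELD    = 'form_ts';     // signed timestamp field; assumed
const MIN_SECONDS = 3;             // the post's threshold: humans never submit faster than this
const MAX_SECONDS = 6 * 3600;      // assumed upper bound so stale tokens cannot be reused forever

/** Hidden fields to render inside the form. The honeypot is hidden with CSS, not type=hidden. */
function render_antispam_fields(string $secret, int $now): string {
    $issued = (string) $now;
    $token  = $issued . '.' . hash_hmac('sha256', $issued, $secret);
    // Off-screen wrapper; aria-hidden and tabindex keep it out of screen readers and tab order.
    return '<div style="position:absolute;left:-9999px" aria-hidden="true">'
         . '<label>Website <input type="text" name="' . HP_FIELD . '" tabindex="-1" autocomplete="off"></label>'
         . '</div>'
         . '<input type="hidden" name="' . TS_FIELD . '" value="' . htmlspecialchars($token, ENT_QUOTES) . '">';
}

/**
 * Returns null when the submission passes, otherwise a short reason for the log.
 * The reason is never shown to the submitter, so bots learn nothing from a rejection.
 */
function antispam_reject_reason(array $post, string $secret, int $now): ?string {
    // 1. Honeypot: a real visitor never sees the field, so any content means automation.
    if (isset($post[HP_FIELD]) && trim((string) $post[HP_FIELD]) !== '') {
        return 'honeypot filled';
    }

    // 2. Signed timestamp: must be present, well-formed and unmodified.
    $token = isset($post[TS_FIELD]) ? (string) $post[TS_FIELD] : '';
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'timestamp missing or malformed';
    }
    [$issued, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $issued, $secret), $mac)) {
        return 'timestamp signature invalid';
    }

    // 3. Too fast is a bot; too old is a replayed token.
    $elapsed = $now - (int) $issued;
    if ($elapsed < MIN_SECONDS) {
        return 'submitted too fast (' . $elapsed . 's)';
    }
    if ($elapsed > MAX_SECONDS) {
        return 'form token expired';
    }
    return null;
}

// --- Constructed demonstration data, not real submissions ---
$secret = 'replace-with-a-random-secret'; // assumed; use random_bytes() and store it outside the web root
$loaded = 1700000000;                      // pretend the page was rendered at this Unix time
$fields = render_antispam_fields($secret, $loaded);
preg_match('/name="' . TS_FIELD . '" value="([^"]+)"/', $fields, $m);
$token  = $m[1];

$cases = [
    'human, 45s, honeypot empty' => [[TS_FIELD => $token, HP_FIELD => ''],                        $loaded + 45],
    'bot, honeypot filled'       => [[TS_FIELD => $token, HP_FIELD => 'http://example.invalid'],  $loaded + 45],
    'bot, submitted after 1s'    => [[TS_FIELD => $token, HP_FIELD => ''],                        $loaded + 1],
    'bot, forged timestamp'      => [[TS_FIELD => ($loaded - 60) . '.deadbeef', HP_FIELD => ''],  $loaded + 45],
    'bot, timestamp omitted'     => [[HP_FIELD => ''],                                            $loaded + 45],
];
foreach ($cases as $label => [$post, $submitted]) {
    $reason = antispam_reject_reason($post, $secret, $submitted);
    printf("%-28s -> %s\n", $label, $reason ?? 'accepted');
}
```

Only the first case is accepted; the other four are rejected with a different logged reason each. When wiring this into a real plugin, hook the check into the plugin’s spam or validation filter and run it before the CAPTCHA verification, since it costs nothing and saves a round trip to Cloudflare for the obvious bots. The honeypot wrapper should carry a class defined in your stylesheet rather than an inline style in production; the inline style here only keeps the example self-contained.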
5. Verify the email at the receiving end
This is a different problem worth mentioning. When a real-looking enquiry arrives, you want to know quickly whether the email address is real and whether the message is worth chasing. A receiving-end check, either through a tool like ZeroBounce or by integrating with a CRM that does this automatically, separates the genuine leads from the surviving spam without you having to look at every message.
It’s not a substitute for blocking spam at the form. It’s a sensible addition once the form-level protection is in place.
What we don’t recommend, and why
Three things we’d specifically steer you away from.
reCAPTCHA v2
The tick-the-box version of Google’s reCAPTCHA was the default for years. It stopped working as a spam filter around 2023, when commercial CAPTCHA-solving services worked out how to defeat it reliably. If your form still has the “I’m not a robot” tick box, it’s adding friction for your real visitors and almost no friction for the bots. Switch to Turnstile or hCaptcha and you’ll see the spam volume drop overnight.
reCAPTCHA v3, the score-based invisible version, is better than v2. But Turnstile is easier to integrate, faster, and free at any scale. We don’t see a reason to pick reCAPTCHA v3 in 2026.
Akismet on its own
Akismet is good. It’s run by the WordPress people, it’s well-maintained, and it catches a lot. The problem on a busy form is that it analyses the content of the message after the bot has already submitted it, which means the spam still lands in your inbox briefly before being flagged. If the volume is high, you’ll still feel it. We’d use Akismet alongside the honeypot and Turnstile, not instead of them.
Heavy WordPress security suite plugins
Plugins like Wordfence and iThemes Security do useful things, but stopping form spam isn’t really what they’re built for. They’ll catch some of it as a side effect of their general bot-blocking, but they also load a lot of code on every page, slow the site down, and introduce false positives that can keep real customers out. Most decent UK hosts already cover the firewall and brute-force-protection job those plugins were originally designed for. For form spam specifically, a honeypot and Turnstile do the same job better, with no performance cost.
Which form plugin handles spam best?
Most form plugins in common use can be made spam-resistant. The difference is how much you have to add to get there.
WordPress sits behind a large share of UK business sites, and the breadth of its form plugin ecosystem is one of the reasons. You can pick the tool that matches your budget and complexity, then bolt on the spam protection that suits.
Contact Form 7
The most-installed form plugin on WordPress. Free, lightweight, but ships with no spam protection at all. You’ll need at least the Honeypot add-on and a Turnstile or hCaptcha add-on to get to a workable state. Once those are in, it holds up fine. The downside is that the configuration is fiddly compared with the alternatives.
Gravity Forms
Paid (annual licence). Honeypot is built in, Turnstile and hCaptcha integrations are official. Out of the box with the right settings turned on, it’s the lowest-effort way to a well-protected form. We default to Gravity Forms on most client builds for this reason.
WPForms
Paid in any useful tier (the free version is too limited for most business uses). Honeypot built in, modern CAPTCHA integrations official. Easier setup than Contact Form 7, similar end result to Gravity Forms.
Fluent Forms
Paid, with a usable free version. Honeypot built in, modern CAPTCHAs supported. Faster than Gravity Forms in our testing, with a smaller plugin footprint. Worth a look if performance matters and you don’t need the deep ecosystem of Gravity add-ons.
For most clients, our shortlist is Gravity Forms or Fluent Forms. We use Contact Form 7 only on existing sites where it’s already installed and ripping it out would create more work than it saves.
Already drowning? Here’s the order
Skip ahead if your inbox is on fire right now. Four steps, in order, will give you most of your day back.
- If the spam is truly unmanageable, switch the form off temporarily. Replace it with a short message: “we’re updating our contact form, please email us at [your address]”. This buys you the next hour.
- Install a honeypot field. Ten minutes. This alone takes most of the heat out.
- Add Turnstile or hCaptcha. Half an hour. This stops most of what gets through the honeypot.
- Turn the form back on and watch what comes in for the next few hours.
If your spam is happening across multiple forms, or if you’re not sure where the form is configured, or if previous attempts to fix it have made things worse, this is the kind of thing we look after for clients on the managed partnership plan. Honeypot, Turnstile and form-plugin choice are part of how the site is set up from day one, and we maintain the protection through plugin updates so it doesn’t quietly break.
When to call us
If your form’s drowning in spam, or you’ve gone quiet and you’re not sure which, tell us about your site and we’ll have a look. We’ll tell you what’s happening and what it would take to fix.