Introduction
Publicly accessible forms are vulnerable to spam, and combating it is difficult due to the ever-evolving tactics of spammers and bots. However, there are various solutions available to minimize the submission of spam or to mark entries as spam. It’s important to note that no single method can catch 100% of spam, and as a result, there are numerous anti-spam techniques and services. For optimal results, it’s recommended to use multiple solutions simultaneously.
See also: Moderating Entries
First Steps
Form Status
If a form is no longer needed or not currently in use, switch its Status toggle on the Forms List page to “Inactive”, or move it to the “Trash”. Inactive and trashed forms will not accept or process submissions.
Honeypot
Gravity Forms includes a built-in honeypot feature available in the Spam Detection section of each form’s Form Settings.
When enabled, the honeypot detects spam using multiple techniques:
- A hidden honeypot field. The submission is spam if the field contains a value.
- A JavaScript-inserted site-specific version hash. The submission is spam if the value is missing or fails validation. Since version 2.7.
- An optional Submission Speed Check that measures the time between page load and user actions such as clicking submit, next, or previous. The submission is considered spam if the timing data is missing, invalid, or below the configured threshold. Since version 2.9.21.
Depending on your form settings, detected spam will either be blocked (not saved, no entry is created) or saved as an entry marked as spam.
If logging is enabled, the result of the honeypot checks will be recorded in the Gravity Forms core log. The possible logging statements are listed below; not all of them will be recorded for every submission.
[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::validate_honeypot(): Is honeypot input (name: [input name]) empty? [Yes or No].
[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::validate_honeypot(): Submission initiated by GFAPI. version_hash validation and speed check bypassed.
[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::validate_honeypot(): Is submission valid? No; version_hash input is empty.
[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::validate_honeypot(): Is version_hash input valid? [Yes or No].
[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::is_valid_submission_speed(): Submission speed check is disabled.
[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::is_valid_submission_speed(): Is speed check valid? No; gform_submission_speeds input is empty or invalid.
[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::is_valid_submission_speed(): Is speed check valid? [Yes or No]; [count] of [total] submissions met the threshold ([threshold] ms). Min required: [number]. All speeds: [JSON containing all the recorded timings]
[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::validate_honeypot(): Is submission valid? [Yes or No].
[date and time] - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::handle_abort_submission(): Result from Honeypot: [true or false]
[date and time] - DEBUG --> GFFormDisplay::process_form(): Aborting early via gform_abort_submission_with_confirmation filter.
[date and time] - DEBUG --> GFCommon::is_spam_entry(): Result from gform_entry_is_spam filter: [true or false]
[date and time] - DEBUG --> GFCommon::is_spam_entry(): Spam checks completed in [number] seconds. Is submission considered spam? [Yes or No].
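To see which honeypot check is flagging submissions (useful when tuning the speed threshold or investigating false positives), the statements above can be tallied by failure reason. This is an added example, not Gravity Forms code; the sample lines, their timestamp layout and values, and the `triage` helper are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample following the statement templates listed above. The
# timestamp layout, input name, threshold and timing values are assumptions.
SAMPLE_LOG = r"""
2025-01-10 09:14:02 - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::validate_honeypot(): Is honeypot input (name: input_7) empty? No.
2025-01-10 09:15:40 - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::validate_honeypot(): Is honeypot input (name: input_7) empty? Yes.
2025-01-10 09:15:40 - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::validate_honeypot(): Is submission valid? No; version_hash input is empty.
2025-01-10 09:17:11 - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::validate_honeypot(): Is version_hash input valid? Yes.
2025-01-10 09:17:11 - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::is_valid_submission_speed(): Is speed check valid? No; 0 of 1 submissions met the threshold (2000 ms). Min required: 1. All speeds: [412]
2025-01-10 09:17:11 - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::validate_honeypot(): Is submission valid? No.
2025-01-10 09:20:05 - DEBUG --> Gravity_Forms\Gravity_Forms\Honeypot\GF_Honeypot_Handler::is_valid_submission_speed(): Is speed check valid? Yes; 1 of 1 submissions met the threshold (2000 ms). Min required: 1. All speeds: [8450]
2025-01-10 09:20:05 - DEBUG --> GFCommon::is_spam_entry(): Spam checks completed in 0.01 seconds. Is submission considered spam? No.
"""

# "<timestamp> - DEBUG --> <Class::method()>: <message>"
LINE = re.compile(r"^(?P<ts>.+?) - DEBUG --> (?P<src>\S+\(\)): (?P<msg>.*)$")

# One rule per failing check; the wording is taken from the statements above.
RULES = [
    ("honeypot_field_filled", re.compile(r"Is honeypot input \(name: [^)]*\) empty\? No")),
    ("version_hash_missing", re.compile(r"Is submission valid\? No; version_hash input is empty")),
    ("version_hash_invalid", re.compile(r"Is version_hash input valid\? No")),
    ("speed_data_missing", re.compile(r"Is speed check valid\? No; gform_submission_speeds input")),
    ("speed_below_threshold", re.compile(
        r"Is speed check valid\? No; (\d+) of (\d+) submissions met the threshold \((\d+) ms\)")),
    ("gfapi_bypass", re.compile(r"Submission initiated by GFAPI")),
]

def triage(log_text):
    """Return (Counter of reasons, details of each too-fast submission)."""
    reasons, too_fast = Counter(), []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        # Only the honeypot handler's own statements are classified.
        if not m or "GF_Honeypot_Handler" not in m["src"]:
            continue
        for name, rx in RULES:
            hit = rx.search(m["msg"])
            if not hit:
                continue
            reasons[name] += 1
            if name == "speed_below_threshold":
                met, total, threshold = map(int, hit.groups())
                too_fast.append({"time": m["ts"], "met": met,
                                 "total": total, "threshold_ms": threshold})
            break
    return reasons, too_fast

if __name__ == "__main__":
    counts, fast = triage(SAMPLE_LOG)
    print(dict(counts), fast)
```

A high `speed_below_threshold` count alongside complaints from real users suggests the configured threshold is too strict, while `version_hash_missing` usually points to submissions made without running the form's JavaScript.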
The gform_honeypot_labels_pre_render filter can be used to change the labels used by the honeypot field.
If you think a bot has discovered the name attribute of your form’s hidden honeypot field, the gform_honeypot_input_name filter can be used to customize it.
Form Design
Fields
Out of the box, Gravity Forms automatically blocks spam submissions that send random or unexpected values to supported form fields as part of its built-in form validation feature. Refer to the State Validation article for more details.
Multi-Page Forms
The Page field can be used to split a long form into multiple pages (a multipage or paginated form). While its main purpose is improving usability, it also has the benefit of making it harder for bots to submit spam.
Configuring Next Button Conditional Logic on Page fields can prevent some bots reaching later pages of the form. If the submission is forced while the button is hidden or disabled, the form will fail validation.
Payment Forms
If you will be accepting payments using a card or payment add-on field, make your form multi-page (see above), and position the card/payment field on the last page of the form.
Using conditional logic on next buttons and enabling the required setting on fields on earlier pages will limit the use of the card/payment field to those who have successfully completed the earlier pages, reducing the risk of fraudulent carding activity.
Submit Button Conditional Logic
Add a single-line text, number, or multiple choice field to your form which asks a simple question. A real person should be able to answer the question correctly, whereas most bots won’t.
Here are some examples:
- A panda is black and _____
- 4 + 7 = _____
- What goes up, must come _____
- A cow has how many legs? _____
- The sky is typically what colour? _____
- What sound does a cat make? _____
- What do you call water when it is frozen? _____
- What is 10 minus 4? _____
In the settings panel of the Submit Button field, in the Form Editor, you would enable button conditional logic based on this question field. If the submitter doesn’t input the correct answer, the form can’t submit. If the submission is forced while the button is hidden or disabled, the form will fail validation.
Additional Solutions
Block Search Indexing
Preventing search engines from indexing the page containing the form can help prevent your form being targeted by bots and spammers.
Google recommends using the noindex directive, but if the page is already indexed, you’ll also need to remove it via webmaster tools.
Cloudflare
Cloudflare provides various services, including IP Access Rules, DDoS Protection, WAF, Bot Management, Rate Limiting, SSL/TLS, and DNSSEC, that can safeguard your site and forms. With IP Access Rules, you can easily block entire countries.
Our Cloudflare Turnstile Add-On enables integration with the Cloudflare Turnstile service.
Note: If you decide to use Cloudflare services, please make sure to keep Rocket Loader disabled, and exclude pages that include forms from Cloudflare’s caching to prevent potential issues.
Integrations & Plugins
Akismet Add-On
The Akismet Add-On sends form submissions to the Akismet service for analysis. As of version 1.1, the Akismet plugin by Automattic no longer needs to be active. Submissions identified as spam are saved, with the entry marked as spam.
Cloudflare Turnstile Add-On
The Cloudflare Turnstile Add-On offers a captcha with a focus on privacy and user experience. It automatically chooses from a rotating suite of non-intrusive browser challenges based on telemetry and client behavior exhibited during a session, without the use of cookies. Submissions are blocked or fail validation.
reCAPTCHA Add-On
The reCAPTCHA Add-On adds support for the score-based Google reCAPTCHA v3 or Enterprise functionality, without using a form field. If the reCAPTCHA script doesn’t run or the response is invalid, the form will fail validation without any field-specific errors. Entries are marked as spam when their score from the reCAPTCHA response is less than or equal to the configured threshold.
Captcha Field (legacy)
The built-in Captcha field can reduce spam from bots, but it’s no longer recommended because it can introduce accessibility issues. It integrates with Google’s legacy reCAPTCHA version 2 (checkbox or invisible) or the third party Really Simple CAPTCHA plugin, which is image-based. Submissions are blocked or fail validation.
Certified Developer Add-Ons
The following add-ons are from certified developers:
| Add-On | Developer | What it does |
|---|---|---|
| Advanced Phone Field | Gravity Wiz | Enhances the Phone field with automatic phone number validation. |
| Block Email Domains | GravityKit (previously Road Warrior Creative) | Allows you to define a comma separated list of email domains to block on each email field. |
| Blocklist | Gravity Wiz | Validates submissions against the WordPress Disallowed Comment Keys (formerly Comment Blocklist / Comment Blacklist). |
| Email Validator | Gravity Wiz | Enhances the Email field with automatic email and email domain validation. |
| GC OpenAI | Gravity Wiz | Checks if content from the form submission complies with OpenAI’s usage policies. See How to Use AI to Boost Gravity Forms Moderation (with GC OpenAI) for more details. |
| Limit Submissions | Gravity Wiz | Limits submissions by user, role, IP, URL, or field value for specified time periods. |
| One-Time Password | CosmicGiant | Protects forms by adding a simple verification field. Before a user can submit the form, they’ll click a button to send a verification code via email or SMS. Once verified, the form can be submitted. |
| Zero Spam | GravityKit | Uses JavaScript to inject an input containing a key into the form submission. If that input is missing or its value doesn’t match the expected key, the entry is marked as spam. Deactivating and then reactivating the plugin will generate a new key. |
Third-party Plugins
The following solutions are from third-party developers:
Blocklist
| Plugin | What it does |
|---|---|
| Blacklist Manager | Blocks submissions that match your blocklists (IP addresses, email addresses, phone numbers or domains). |
| Block IPs for Gravity Forms | Blocks submissions from specified IP addresses. |
| BSK Forms Blacklist | Blocks submissions that match your blocklists (emails, IPs, or other values). |
| Disposable Email Blocker | Enhances email field validation to reject disposable or temporary email addresses. |
| Gravity Forms Email Blacklist | Enhances email field validation to reject specified email addresses and/or domains. |
Captchas
| Plugin | What it does |
|---|---|
| ALTCHA | Includes the ALTCHA field, which uses ALTCHA’s real-time spam-protection (heuristic and behavioural signals) to block bots, repeat offenders, and low-quality submissions. |
| Captcha.eu | Protects forms from bots using advanced, invisible behavioral analysis – no puzzles, no image selection, no user friction. |
| Captcha 4WP | Includes the Captcha 4WP field, which supports multiple CAPTCHA service providers, including reCAPTCHA, hCaptcha, and Cloudflare Turnstile. |
| CaptchaFox | Includes the CaptchaFox field, which utilizes various data signals and challenges to verify the authenticity of the user without the use of cookies or trackers. |
| Friendly Captcha for WordPress | Includes the FriendlyCaptcha field, a proof-of-work based solution in which the user’s device solves a unique crypto puzzle. |
| hCaptcha for WP | Includes the hCaptcha field, a privacy-focused alternative to reCAPTCHA. |
| MultiForm Anti-Spam Image CAPTCHA Pro | Includes a fully customizable image-based CAPTCHA field. |
| SilentShield | Adds invisible CAPTCHA and anti-spam protection using challenge checks and bot-detection heuristics to block automated submissions and reduce spam without impacting legitimate users. |
| TrustCaptcha | Includes the Trustcaptcha field, a multi-layered security concept with proof-of-work and intelligent bot score for reliable bot detection. |
| WordPress Captcha Plugin Pro | Includes the BWS Captcha field, which works without external services. No API keys, no tracking, and full privacy control — everything is processed locally on your site. |
| WP Image CAPTCHA Pro | Includes the Image CAPTCHA field, which requires users to identify or interact with images to prove they are human. |
Field Validation
| Plugin | What it does |
|---|---|
| Byteplant Email Validator | Enhances email field validation using Byteplant’s validation service — detecting invalid, mistyped, disposable, or non-existent addresses. |
| Byteplant Phone Validator | Enhances phone field validation using Byteplant’s phone-validation service to check format, existence, and carrier/region data, helping block invalid, mistyped, or potentially fraudulent numbers. |
| Clearout Email Validator | Enhances email field validation using Clearout’s service, performing 20+ refined real-time validation checks to determine the current status of the email address. |
| DeBounce Email Validator | Enhances email field validation using DeBounce’s validation service to detect invalid, disposable, role-based, or non-existent addresses. |
| Dilli Email Validator | Enhances email field validation using Dilli’s validation service to detect invalid, disposable, or non-existent addresses. |
| GF No Duplicates | Uses a unique token to prevent identical POST requests from creating duplicate entries — for example, requests some browsers resend when users click back/refresh or when mobile tabs are restored. |
| Regex Textfield | Includes a new field type, allowing form editors to specify a regex string to be used when validating the submitted value. |
Opt-In/OTP
| Plugin | What it does |
|---|---|
| Double Opt In for Gravity Forms | Adds a double opt-in step by sending an email with a verification link after form submission and only accepting the entry once the user clicks to confirm, reducing fake sign-ups, spam, and unverified or low-quality leads. |
| Gravity Forms – OTP Verification (SMS/EMAIL) | Adds one-time password (OTP) verification via SMS or email, requiring users to enter a time-limited code before the form is accepted to block fake submissions, automated bots and unauthorised or fraudulent entries. |
| miniorange OTP Verification Addon | Adds OTP (one-time password) verification via SMS or email, requiring users to enter a time-limited code before the form is accepted to block automated bots, fake submissions and unauthorised or fraudulent entries. |
Spam Detection
| Plugin | What it does |
|---|---|
| CleanTalk | Uses the CleanTalk anti-spam service to check submissions against a cloud-based spam database and behavioural heuristics, blocking spam bots, automated scripts and known spammers in real time to keep form entries clean and reduce unwanted or malicious submissions. |
| Fullworks | Detects and blocks spam submissions using server-side checks, heuristics and configurable rules—preventing automated bots, spammy entries and abusive submissions from being accepted. |
| HighPots Spam Protection | Adds honeypot-style fields and other hidden-field checks to trap and block automated bots — submissions that fill the hidden fields are rejected, reducing spam and abusive automated entries. |
| Maspik | Adds honeypot and other anti-spam techniques to silently trap and block automated bots; submissions that trigger the hidden-field checks are rejected, reducing spam and abusive automated entries. |
| No Spam AI | Uses AI-powered analysis to evaluate submissions for spammy content and patterns, marking the entry as spam. |
| OOPSpam | Uses the OOPSpam service to validate submissions against a cloud-based spam detection API, blocking or flagging entries that match known spam patterns, abusive content, or bot behaviour. |
| Shield Security Pro | Adds Shield’s anti-spam and security checks, using behaviour analysis, blacklists and blocking rules to detect and stop automated bots, suspicious submissions and known malicious actors. |
| WP Armour | Adds honeypot fields and optional time-based submission checks to silently trap automated bots—submissions that fill hidden fields or submit too quickly are blocked, reducing spam and abusive automated entries. |
Code Snippets
Code snippets can be used in the theme functions.php file or custom functionality plugins.
Field Validation
Since version 2.9.15, the Email field has a dedicated filter, gform_email_field_rejectable_values, which can be used to reject partial (e.g. domains) or complete email addresses. When a rejectable value is found, the field fails validation and the form is re-displayed with a validation error. See Automatically Block Unwanted Emails Using Code for a complete code snippet.
The gform_field_validation and/or gform_validation filters can be used to perform custom validation of field values.
- Integrate with QuickEmailVerification API
- Prevent submission based on a word list
- Prevent submission if a URL is entered into Text or Paragraph fields
- Prevent submission of Cyrillic characters
Spam Filter
The gform_entry_is_spam filter can be used to mark submissions as spam.
- Integrate with the ZeroBounce Email Validation API
- Check field values for URLs
- Rate limit submissions based on the IP address
- Check that first and last name inputs contain different values
- Use ipapi.co to check country code for IP address
- Gravity Forms and Disallowed Keys by Ipstenu (Mika Epstein)
- Stopping Jerks in Gravity Forms by Ipstenu (Mika Epstein)
What Happens When a Submission Is Marked as Spam
Submissions that pass validation but are flagged and saved as spam appear in the form’s Entries section under the spam filter.
Configured notifications and add-on feeds are not processed. For the confirmation, the default text used by new forms will be displayed instead of the configured confirmations. This can be customized using the gform_confirmation filter.
When viewing an entry through the spam filter, a note will often indicate which system or rule flagged it as spam.
For more information, refer to Reviewing Spam Submissions.
Related Tutorials From The Video Library
- Using the Akismet Add-On
- How to Invisibly Block Spam on Your Site with Google reCAPTCHA v3
- Fighting Spam with Honeypot
- Five Tools to Fight Spam
Disclaimer: Third-party services, plugins, or code snippets that are referenced by our Support documentation or in Support Team communications are provided as suggestions only. We do not evaluate, test or officially support third-party solutions. You are wholly responsible for determining if any suggestion given is sufficient to meet the functional, security, legal, ongoing cost and support needs of your project.