Overview
The article details official add-ons, how spam protection integrates with Save and Continue and Partial Entries, certified partner add-ons, and third-party plugins organized by category: blocklists, CAPTCHAs, field validators, OTP systems, and spam detection services.
Gravity Forms Add-Ons
Akismet Add-On
The Akismet Add-On sends form submissions to the Akismet service for analysis. As of version 1.1, the Akismet plugin by Automattic no longer needs to be active. Submissions identified as spam are saved, with the entry marked as spam.
Cloudflare Turnstile Add-On
The Cloudflare Turnstile Add-On offers a CAPTCHA with a focus on privacy and user experience. It automatically chooses from a rotating suite of non-intrusive browser challenges based on telemetry and client behavior exhibited during a session, without the use of cookies. Submissions are blocked or fail validation.
reCAPTCHA Add-On
The reCAPTCHA Add-On adds support for the score-based Google reCAPTCHA v3 or Enterprise keys, and challenge-based (checkbox) Enterprise keys. When using a score-based key, if the reCAPTCHA script doesn’t run or the response is invalid, the form will fail validation without any field-specific errors. When using a challenge-based key with the reCAPTCHA Checkbox field, the field fails validation if the challenge is not completed or the response is invalid. Entries are marked as spam when their reCAPTCHA score is equal to or less than the configured threshold.
Captcha Field (legacy)
The built-in Captcha field can reduce spam from bots, but it’s no longer recommended because it can introduce accessibility issues. It integrates with Google’s legacy reCAPTCHA version 2 (checkbox or invisible) or the third-party Really Simple CAPTCHA plugin, which is image-based. Submissions are blocked or fail validation.
Feature Integrations
Save and Continue
When enabling Save and Continue for a form, we also recommend enabling the Honeypot in the Form Settings. The draft submission will not be saved when the honeypot fails validation. Instead of the configured Save and Continue Confirmation, the custom Spam Confirmation is displayed if it is enabled; otherwise, the default text used by new forms is displayed.
Captchas (e.g. reCAPTCHA (all versions) and Turnstile) are not validated.
Zero Spam by GravityKit does support protecting Save and Continue.
The email field in the Save and Continue Confirmation will be validated by WordPress, which does include a filter for the result, so plugins that offer enhanced email validation are supported.
Partial Entries Add-On
When using the Partial Entries Add-On, enabling the Honeypot will prevent the saving or updating of the partial entry if it fails validation.
Captchas (e.g. reCAPTCHA (all versions) and Turnstile) cannot be used to prevent the saving or updating of partial entries.
The gform_email_field_rejectable_values filter is supported, so if a rejectable value is found in an email field value, that will prevent the saving or updating of the partial entry.
For other field types, the gform_field_validation filter can be used to prevent saving or updating of the partial entry by including the following line to set the is_value_spam context property on the field object.
$field->set_context_property( 'is_value_spam', true );
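A fuller version of that callback, as an added example rather than code from the Gravity Forms documentation: it rejects Text and Paragraph values that contain a link and sets is_value_spam so the partial entry is not saved or updated. The function name, the URL pattern, and the error message are assumptions made for this example.

```php
// Added example: the function name, URL pattern, and message are hypothetical.
add_filter( 'gform_field_validation', 'example_reject_links_in_text_fields', 10, 4 );

function example_reject_links_in_text_fields( $result, $value, $form, $field ) {
	// Leave fields that already failed another validation check untouched.
	if ( ! $result['is_valid'] ) {
		return $result;
	}

	// Only Text ('text') and Paragraph ('textarea') inputs, which submit one string.
	$is_text_input = in_array( $field->get_input_type(), array( 'text', 'textarea' ), true );
	if ( ! $is_text_input || ! is_string( $value ) || $value === '' ) {
		return $result;
	}

	// Assumed pattern: anything starting with http://, https://, or www.
	if ( ! preg_match( '~(?:https?://|www\.)\S+~i', $value ) ) {
		return $result;
	}

	// Fail the field so a normal submission is re-displayed with an error.
	$result['is_valid'] = false;
	$result['message']  = 'Links are not allowed in this field.';

	// The line shown above: flags the value as spam, which is what stops
	// the Partial Entries Add-On from saving or updating the partial entry.
	$field->set_context_property( 'is_value_spam', true );

	return $result;
}
```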
The gform_partialentries_abort_save filter can be used to prevent saving or updating the partial entry based on the results of custom spam checks.
Certified Developer Add-Ons
The following add-ons are from certified developers:
| Add-On | Developer | What it does |
|---|---|---|
| Advanced Phone Field | Gravity Wiz | Enhances the Phone field with automatic phone number validation. |
| Blocklist | Gravity Wiz | Validates submissions against the WordPress Disallowed Comment Keys (formerly Comment Blocklist / Comment Blacklist). |
| Email Validator | Gravity Wiz | Enhances the Email field with automatic email and email domain validation. |
| GC OpenAI | Gravity Wiz | Checks if content from the form submission complies with OpenAI’s usage policies. See How to Use AI to Boost Gravity Forms Moderation (with GC OpenAI) for more details. |
| Limit Submissions | Gravity Wiz | Limits submissions by user, role, IP, URL, or field value for specified time periods. |
| One-Time Password | CosmicGiant | Protects forms by adding a simple verification field. Before a user can submit the form, they’ll click a button to send a verification code via email or SMS. Once verified, the form can be submitted. |
| Zero Spam | GravityKit | Uses JavaScript to inject a time-limited token into the form submission or save progress (Save and Continue) request. If the token is missing, or it doesn’t match the expected token, the entry is marked as spam, or the progress is not saved. Also extends Email fields with global and field-specific email rejection rules, allowing you to block submission or mark the entry as spam when matching addresses, domains, or patterns are found. |
Third-party Plugins
The following solutions are from third-party developers:
Blocklist
| Plugin | What it does |
|---|---|
| Blacklist Manager | Blocks submissions that match your blocklists (IP addresses, email addresses, phone numbers or domains). |
| Block IPs for Gravity Forms | Blocks submissions from specified IP addresses. |
| BSK Forms Blacklist | Blocks submissions that match your blocklists (emails, IPs, or other values). |
| Disposable Email Blocker | Enhances email field validation to reject disposable or temporary email addresses. |
Captchas
| Plugin | What it does |
|---|---|
| ALTCHA | Includes the ALTCHA field, which uses ALTCHA’s real-time spam-protection (heuristic and behavioural signals) to block bots, repeat offenders, and low-quality submissions. |
| Captcha.eu | Protects forms from bots using advanced, invisible behavioral analysis – no puzzles, no image selection, no user friction. |
| Captcha 4WP | Includes the Captcha 4WP field, which supports multiple CAPTCHA service providers, including reCAPTCHA, hCaptcha, and Cloudflare Turnstile. |
| CaptchaFox | Includes the CaptchaFox field, which utilizes various data signals and challenges to verify the authenticity of the user without the use of cookies or trackers. |
| Friendly Captcha for WordPress | Includes the FriendlyCaptcha field, a proof-of-work based solution in which the user’s device solves a unique crypto puzzle. |
| hCaptcha for WP | Includes the hCaptcha field, a privacy-focused alternative to reCAPTCHA. |
| MultiForm Anti-Spam Image CAPTCHA Pro | Includes a fully customizable image-based CAPTCHA field. |
| SilentShield | Adds invisible CAPTCHA and anti-spam protection using challenge checks and bot-detection heuristics to block automated submissions and reduce spam without impacting legitimate users. |
| TrustCaptcha | Includes the Trustcaptcha field, a multi-layered security concept with proof-of-work and intelligent bot score for reliable bot detection. |
| WordPress Captcha Plugin Pro | Includes the BWS Captcha field, which works without external services. No API keys, no tracking, and full privacy control — everything is processed locally on your site. |
| WP Image CAPTCHA Pro | Includes the Image CAPTCHA field, which requires users to identify or interact with images to prove they are human. |
Field Validation
| Plugin | What it does |
|---|---|
| Byteplant Email Validator | Enhances email field validation using Byteplant’s validation service — detecting invalid, mistyped, disposable, or non-existent addresses. |
| Byteplant Phone Validator | Enhances phone field validation using Byteplant’s phone-validation service to check format, existence, and carrier/region data, helping block invalid, mistyped, or potentially fraudulent numbers. |
| Clearout Email Validator | Enhances email field validation using Clearout’s service, performing 20+ refined real-time validation checks to determine the current status of the email address. |
| DeBounce Email Validator | Enhances email field validation using DeBounce’s validation service to detect invalid, disposable, role-based, or non-existent addresses. |
| Dilli Email Validator | Enhances email field validation using Dilli’s validation service to detect invalid, disposable, or non-existent addresses. |
| GF No Duplicates | Uses a unique token to prevent identical POST requests from creating duplicate entries — for example, requests some browsers resend when users click back/refresh or when mobile tabs are restored. |
| Regex Textfield | Includes a new field type, allowing form editors to specify a regex string to be used when validating the submitted value. |
Opt-In/OTP
| Plugin | What it does |
|---|---|
| Double Opt In for Gravity Forms | Adds a double opt-in step by sending an email with a verification link after form submission and only accepting the entry once the user clicks to confirm, reducing fake sign-ups, spam, and unverified or low-quality leads. |
| Gravity Forms – OTP Verification (SMS/EMAIL) | Adds one-time password (OTP) verification via SMS or email, requiring users to enter a time-limited code before the form is accepted to block fake submissions, automated bots and unauthorised or fraudulent entries. |
| miniorange OTP Verification Addon | Adds OTP (one-time password) verification via SMS or email, requiring users to enter a time-limited code before the form is accepted to block automated bots, fake submissions and unauthorised or fraudulent entries. |
Spam Detection
| Plugin | What it does |
|---|---|
| CleanTalk | Uses the CleanTalk anti-spam service to check submissions against a cloud-based spam database and behavioural heuristics, blocking spambots, automated scripts and known spammers in real time to keep form entries clean and reduce unwanted or malicious submissions. |
| Fullworks | Detects and blocks spam submissions using server-side checks, heuristics and configurable rules, preventing automated bots, spammy entries and abusive submissions from being accepted. |
| HighPots Spam Protection | Adds honeypot-style fields and other hidden-field checks to trap and block automated bots — submissions that fill the hidden fields are rejected, reducing spam and abusive automated entries. |
| Maspik | Adds honeypot and other anti-spam techniques to silently trap and block automated bots; submissions that trigger the hidden-field checks are rejected, reducing spam and abusive automated entries. |
| No Spam AI | Uses AI-powered analysis to evaluate submissions for spammy content and patterns, marking the entry as spam. |
| OOPSpam | Uses the OOPSpam service to validate submissions against a cloud-based spam detection API, blocking or flagging entries that match known spam patterns, abusive content, or bot behaviour. |
| Shield Security Pro | Adds Shield’s anti-spam and security checks, using behaviour analysis, blacklists and blocking rules to detect and stop automated bots, suspicious submissions and known malicious actors. |
| WP Armour | Adds honeypot fields and optional time-based submission checks to silently trap automated bots—submissions that fill hidden fields or submit too quickly are blocked, reducing spam and abusive automated entries. |
Code Snippets
Code snippets can be used in the theme functions.php file or custom functionality plugins.
Field Validation
Since version 2.9.15, the Email field has a dedicated filter, gform_email_field_rejectable_values, which can be used to reject partial (e.g. domains) or complete email addresses. When a rejectable value is found, the field fails validation and the form is re-displayed with a validation error.
The gform_field_validation and/or gform_validation filters can be used to perform custom validation of field values.
- Integrate with QuickEmailVerification API
- Prevent submission based on a word list
- Prevent submission if a URL is entered into Text or Paragraph fields
- Prevent submission of Cyrillic characters
Spam Filter
The gform_entry_is_spam filter can be used to mark submissions as spam.
- Integrate with the ZeroBounce Email Validation API
- Check field values for URLs
- Rate limit submissions based on the IP address
- Check that first and last name inputs contain different values
- Use ipapi.co to check country code for IP address
- Gravity Forms and Disallowed Keys by Ipstenu (Mika Epstein)
- Stopping Jerks in Gravity Forms by Ipstenu (Mika Epstein)
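A sketch of the IP rate-limiting idea from the list above, using gform_entry_is_spam. This is an added example, not one of the linked snippets. The function name, the limit of 3 submissions, and the 10-minute window are assumptions.

```php
// Added example: the function name, limit, and window are hypothetical values.
add_filter( 'gform_entry_is_spam', 'example_rate_limit_by_ip', 11, 3 );

function example_rate_limit_by_ip( $is_spam, $form, $entry ) {
	// Respect a spam verdict already reached by another check.
	if ( $is_spam ) {
		return $is_spam;
	}

	$ip = rgar( $entry, 'ip' );
	if ( ! filter_var( $ip, FILTER_VALIDATE_IP ) ) {
		return $is_spam; // No usable address to count against.
	}

	$limit  = 3;                      // Assumed: accepted submissions per window.
	$window = 10 * MINUTE_IN_SECONDS; // Assumed: length of the window.

	// One counter per form and address; hashing keeps the transient key short.
	$key   = 'example_gf_rl_' . md5( rgar( $form, 'id' ) . '|' . $ip );
	$count = (int) get_transient( $key );

	if ( $count >= $limit ) {
		// Record which check flagged the entry, where this helper is available.
		if ( method_exists( 'GFCommon', 'set_spam_filter' ) ) {
			GFCommon::set_spam_filter( rgar( $form, 'id' ), 'Example IP rate limit', 'Too many submissions from this IP address.' );
		}
		return true;
	}

	// Each accepted submission restarts the expiry, so this is a sliding window.
	// The read-then-write is not atomic, so treat the limit as approximate.
	set_transient( $key, $count + 1, $window );

	return $is_spam;
}
```

When the site sits behind a reverse proxy or CDN, the IP stored on the entry can be the proxy's address, so confirm what is recorded before relying on a per-IP limit.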
Disclaimer: Third-party services, plugins, or code snippets that are referenced by our Support documentation or in Support Team communications are provided as suggestions only. We do not evaluate, test or officially support third-party solutions. You are wholly responsible for determining if any suggestion given is sufficient to meet the functional, security, legal, ongoing cost and support needs of your project.
Feedback, feature, and integration requests, and other functionality ideas can be submitted at http://forms.roadmap.gravity.com/.