RIP CAPTCHA? Why You Might Not Need It (And What to Do Instead)

If you have a form, you’ll get spam. That’s the inevitable truth.

So you need a way to block spammers from flooding your form submissions.

Up until a few years ago, the accepted anti-spam device was CAPTCHA — a program designed to protect against spambots by generating tests that only humans could pass.

The idea was to create a system that made it nearly impossible for bots to fill in your form. It wasn’t a perfect system by any means, but for years it was all we had to add any level of security to our devices.

Recently, however, Google declared the death of CAPTCHA.

Bots were getting too smart for it to work as intended, and humans were getting too annoyed with the process to keep it around.

But its passing leaves a big gap in form security. So what's left to replace it?


Why CAPTCHA Never Really Worked for Form Security

The theory behind CAPTCHA went something like this: humans are smarter than computers, so only a human could bypass complicated form security questions.

So CAPTCHA was developed as an anti-spam tool that you could add to your forms to ask complicated questions.

You probably recognize it:

One thing that this theory failed to account for is the fact that bots would start learning.

Advancements in AI have all but guaranteed that bots would eventually find ways around CAPTCHA, leaving users with the same spam problem they would have without it.

It also failed to account for human annoyance.

People didn’t like having to answer complicated questions when they were filling out a simple form. It was an extra step in the process that felt totally unnecessary, and it hurt form conversions.

In one A/B usability test, only 62% of participants were able to successfully complete a CAPTCHA question on their first try, and 23% struggled through multiple attempts before finally succeeding.

On top of that, many people in the disabled community began voicing concerns that CAPTCHA was difficult to use, especially for those with hearing impairments, limited sight or other challenges.

At the end of the day, everyone was struggling with CAPTCHA. Well, everyone except bots.

But without CAPTCHA, how can users protect their forms? Surely something is better than nothing, right?

The good news is that there are alternative solutions to CAPTCHA that provide some protection and a better user experience. Here are a few options you can use:

 

Solution #1: ReCAPTCHA

In an effort to save a dying program, Google introduced another anti-bot alternative called reCAPTCHA.

Instead of a bulky questionnaire, users had only to click a button to identify themselves as human.

In terms of user experience, reCAPTCHA is a major leap in the right direction.

When it comes to security, it does have a better level of anti-bot protection compared to traditional CAPTCHA (bots can crack reCAPTCHA with 23% accuracy), but it’s not perfect.

Google recently announced a newer version of reCAPTCHA, called No CAPTCHA, that eliminates the “I’m not a robot” checkbox altogether, unless a user is flagged as “suspicious.”

If someone fails to input the correct password one too many times, for example, the box would appear, or users would have to undergo more rigorous security checks.

A “suspicious” user might see a reCAPTCHA that looks like this instead:

In defense of reCAPTCHA, Google assures users that they are applying “the human bandwidth to benefit people everywhere” and that it does provide protection against “most bots.”

If you’re using Gravity Forms, setting up reCAPTCHA is fairly straightforward.

Using the field requires signing up for a free reCAPTCHA API account and entering the Private and Public API keys in the Gravity Forms Settings Page.

You can then add the reCAPTCHA field to any form using the form builder.

You also have the option to use the plugin Really Simple CAPTCHA alongside Gravity Forms to simplify the process further.

Solution #2: Honeypot Method

If you want to skip CAPTCHA/reCAPTCHA altogether, you can also use the honeypot method.

Honeypots are extra bits of code used to catch bots without users knowing that they exist. The most common example of this is the hidden form field.

With this method, an extra field is added and then hidden from human users with JavaScript or CSS.

Bots, however, will still recognize the field as legitimate and fill it out. If the field is filled out, the form is automatically rejected.

The benefit of the hidden form field is that it doesn’t impact the user experience.

For the most part, legitimate users never even know it’s being implemented, and your forms are still protected from spambots.

However, there is a downside for users who have any sort of auto-fill feature or screen reader that populates fields for them. These tools might see the invisible fields and auto-fill them the way a spambot would, causing the form to be rejected.

So it’s not a perfect solution by any means. But it is a good one if you know a little code and you don’t want to mess around with reCAPTCHA.
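A minimal server-side version of the hidden-field honeypot described above, added here as an illustration (it is not Gravity Forms' own code). The field name `website_url`, the markup attributes and the sample submissions are assumptions made for the example; the attributes are there to reduce the autofill and screen-reader false positives mentioned above.

```javascript
// Added example: server-side check for a hidden-field honeypot.
// The field name and the sample submissions are constructed for illustration.
const HONEYPOT_FIELD = "website_url"; // hypothetical decoy; the real form has no such input

// Decoy markup: hidden with CSS, skipped by keyboard focus and screen readers,
// and autocomplete="off" asks browsers not to autofill it.
function honeypotMarkup(name = HONEYPOT_FIELD) {
  return [
    '<div style="position:absolute;left:-9999px" aria-hidden="true">',
    `  <label for="${name}">Leave this field empty</label>`,
    `  <input type="text" id="${name}" name="${name}" value=""`,
    '         tabindex="-1" autocomplete="off">',
    "</div>",
  ].join("\n");
}

// Classify one parsed form body (object of field name -> submitted value).
function checkSubmission(body, name = HONEYPOT_FIELD) {
  if (!Object.prototype.hasOwnProperty.call(body, name)) {
    // Browsers submit named text inputs even when empty, so a missing decoy
    // suggests the POST was not built from the rendered form.
    return { accept: false, reason: "honeypot-missing" };
  }
  const value = body[name];
  if (typeof value !== "string") {
    // e.g. a repeated parameter that the body parser turned into an array
    return { accept: false, reason: "honeypot-malformed" };
  }
  if (value.trim() !== "") {
    return { accept: false, reason: "honeypot-filled" };
  }
  // Strip the decoy so it never reaches storage or notification e-mails.
  const { [name]: _decoy, ...fields } = body;
  return { accept: true, reason: "ok", fields };
}

// Constructed sample submissions
const samples = {
  human: { name: "Ana", email: "ana@example.com", website_url: "" },
  bot: { name: "x", email: "x@example.com", website_url: "http://spam.example" },
  replay: { name: "x", email: "x@example.com" },
};
for (const [label, body] of Object.entries(samples)) {
  console.log(label, checkSubmission(body).reason);
}
```

Rejecting a submission whose decoy field is missing is a stricter choice than the filled-field rule alone. Logging the `reason` for each rejection makes it possible to spot legitimate users caught by autofill.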

To enable honeypot spam fields in Gravity Forms, do the following:

  1. Go to the WordPress admin menu > Forms
  2. Hover over the form you want to edit, then hover over Settings, and click Form Settings
  3. At the bottom, check the box for Enable Anti-Spam Honeypot
  4. Click Update Form Settings

Here’s what the anti-spam honeypot option looks like:

Be sure to track your form submissions after enabling the honeypot method.

If you’re still receiving too much spam, you may need additional help via a plugin like Akismet to help fight spam site-wide.

Solution #3: Akismet Plugin Integration

Another option that can be used alongside either of the above solutions is to use an anti-spam plugin like Akismet.

The nice thing about using a plugin is that a lot of the work is done for you. Akismet, for example, has its own testing system for monitoring comments, trackbacks, and pingbacks on your website.

Unlike the other options on this list, Akismet might cost you some coin.

They do have a free option which will fight against spam, though their higher level features (like stats) are only available under their “Plus” plan or above.

But if your site suffers from a lot of spam, it might be worth the investment, especially if you have reCAPTCHA (or you loathe reCAPTCHA) and it’s just not working for you.

Akismet is totally compatible with Gravity Forms.

To install it, simply search for it under Plugins > Add New on your WordPress Dashboard.

For the most part, Akismet is an out-of-the-box solution for protecting your site against spam.

But it won’t protect against everything. If you’re still seeing a lot of spam, consider using more than one approach from this list to ensure maximum protection.

Don’t like any of the above solutions? Here are 7 more options you can try

Final Thoughts

There is no perfect solution when it comes to stopping spambots… yet, anyway.

As technology and AI (and Google’s algorithms) continue to evolve, we might see another more successful option appear later on down the road.

Or Google could release a newer version of reCAPTCHA that does the job better than previous iterations.

But until then, your best bet is to work with the solutions that are available.

Install security plugins, work with the latest form of reCAPTCHA, and watch your form submissions closely.

 

26 Responses to "RIP CAPTCHA? Why You Might Not Need It (And What to Do Instead)"
  1. kpry says:

    Does Gravity Forms support "Invisible Recaptcha?"

  2. redelis says:

    Nice post, kudos for this.
    I'm a honeypot lover.
    I recently noticed (for the last 3 or 4 months) that the GF built-in honeypot does not prevent spam any more.

    Is there a workaround (while still using the honeypot) or any update in GF to harden it?

    Cheers!

  3. Just like @kpry I am also wondering if Gravity Forms supports Invisible Recaptcha. I am not finding anything in regards to this.

  4. Chris Hajer says:

    Invisible CAPTCHA is not yet supported, but we have that on our list of requested enhancements. I'll add your vote to the open request. Thank you.

    • Josh says:

      Awesome! Please hurry. Also, please ensure code is minified to prevent poor website page loading times. Thank you!

  5. I've noticed Honeypot failing more frequently. I'd also rather have the invisible reCAPTCHA option or some other more friendly UX available.

    Your post above and [docs](https://docs.gravityforms.com/spam/) suggest there should be a checkbox to enable Akismet integration if the plugin is active but I don't see it. Is it automatic now?

  6. TeeGraffix says:

    Check out "Invisible reCaptcha for WordPress" in the WordPress plugin repository. https://wordpress.org/plugins/invisible-recaptcha/

    • Josh says:

      Great plugin. Best alternative out there. Unfortunately, it slows down web page loading times (not sure if caused by the plugin itself and/or Google reCAPTCHA). Cheers.

  7. William Nichols says:

    This article sounds good but the recaptchas suck too. After about thirty attempts to clear the boxes with street signs, the window disappears to uncover red writing saying the recaptcha was incorrect. This happens over and over again. I hate that google does not have anyone intelligent enough to come up with a solution because this is costing me annual income wasting time answering these recaptchas. I am beyond frustrated with the lack of concern by google, the lack of any recourse, the lack of anyone to contact about the issue, so I am sick of google.

  8. ArunK says:

    Love the post.
    I was also a Google re-Captcha user for our application.
    Recently realized that re-captcha cannot be used in China.
    I am not a big fan of honey pot, as I feel it can be easily broken.
    Any other suggestions from the team which are acceptable in China as well?

  9. Danny D says:

    +1 for Invisible Recaptcha Support

  10. Christopher says:

    +1 for Invisible Recaptcha or better reCaptcha v3 support

  11. Manny R. says:

    May one use both, honeypot and recaptcha, without any negative issues?

  12. J Beim says:

    Doesn't Akismet just look for SPAM in post comments? I need something that can check form submissions for SPAM from people that are entering it, not bots. Any suggestions for that?

  13. It seems that the honeypot doesn't work anymore.
    +10 for invisible Recaptcha v3 Support 🙂

  14. H Hdez says:

    Invisible reCAPTCHA Army represent!

    The plugin mentioned above, "Invisible reCaptcha for WordPress", broke form submissions on my website and started marking everything as spam, even when trying on different machines and phones.
    Had to figure out they were going to spam via the GForms logs because they get deleted from the dashboard.
    It could have had something to do with my form being 5 pages long + said plugin active + AJAX.

    I've decided to use honeypot for the time being, but a proper implementation of Invisible reCAPTCHA would be neat.

    Thanks in advance and merry almost christmas!

  15. G J P says:

    +1 for reCAPTCHAv3!

  16. Peter says:

    Recaptcha v3 support please!!

  17. Jason Meaden says:

    Captcha is completely unnecessary because JavaScript already provides a mechanism for determining if an event was user initiated via the "isTrusted" boolean property. Usage is as follows...

    Logon

    Any javascript attempt to click this button such as logon.click(); would fail this test.

    • Richard Wawrzyniak says:

      Thanks for the feedback. I have passed this along to the product team for consideration.

  18. Mohhammad says:

    Thank you

  19. Eric Dunn says:

    Have you considered adding Human Presence to this list? HP uses AI and billions of data points to detect whether it is a human or a bot on the website within seconds. All of this is happening in the background with nothing on the front end to disturb the user experience like recaptcha. I've found that it eliminates around 99% of all my form spam compared to about 50% with recaptcha.

  20. Seo sayfa says:

    I've created an image captcha and I'll see if it will protect my site from spams. I hope it'll be enough for my website. Thank you for your great article.
