Preventing spam, even when you have honeypot and CAPTCHA enabled


We have several forms in active use and we get a lot of spam through them.

We have the anti-spam honeypot enabled and also have a CAPTCHA on the form but we still get spam.

Usually the spammers include HTML code in their email. e.g. they might try to insert HTML code into the paragraph text box. Is there some way we can stop this?

This has been a huge problem for all types of forms this year. Spammers have been more active lately and in general seem to be a bit more sophisticated than in the past. Additionally, they are likely looping in human intervention to beat things like reCAPTCHAs that were only really intended to stop automated spam. Here are a few other measures you can take, ranging from less extreme to more extreme. In combination with a reCAPTCHA, adding one or a couple should stop most spam:

  • Enable the anti-spam honeypot on the individual form settings pages if you have not done so already.
  • Install Akismet and enable the Akismet integration on the Forms > Settings page when Akismet is active. This will pass all entered data through Akismet’s spam filter.
  • You could use the following third-party perk from Gravity Wiz to set up a list of blacklisted keywords using WordPress’ commenting blacklist if the spam has any sort of common keywords:
  • If the spam is coming from a foreign country most of the time, you could use Cloudflare to set up more nuanced firewall rules at a server level to stop the spammers from reaching the site entirely.
  • Require your users to log in before they can submit any forms.

Hi Chris,

The forms are public and need to remain public. As such, user login is not an option.

The Gravity Wiz option seems to be a premium plugin? I’d like to avoid shelling over money for every website to avoid spam.

Most of the spam includes HTML links in the form of
<a href=""

If there is a way to block HTML from being submitted in text fields that would be great and solve 90% of the problem.

1 Like

You can use the gform_field_validation filter to check a field for HTML:

Coming up with the regular expression to parse an input for HTML tags or content is the real issue. I could not find a quick solution when searching (checking a string for HTML content.)

Maybe you could use the WordPress function wp_filter_nohtml_kses to strip out all the HTML, then compare the filtered value to the original value, and if they don’t match, then HTML was stripped out, and the submission was likely spam.

Discussion of the functions available to do this in WordPress:

I use Conditional Logic to Hide the Submit button (Form Settings page) if the Comments field contains ‘http’.

1 Like
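The strip-and-compare check suggested in the reply above (gform_field_validation plus wp_filter_nohtml_kses), written out as an added example; it is not code from the thread or from Gravity Forms. The helper name `example_value_contains_html`, the error message and the restriction to `text` and `textarea` fields are assumptions.

```php
<?php
// Added example: reject text-field submissions that contain HTML markup.
// Assumes it is loaded from a site plugin or the theme's functions.php.

/**
 * Hypothetical helper: returns true when stripping HTML changes the value.
 */
function example_value_contains_html( $value ) {
	if ( ! is_string( $value ) || '' === $value ) {
		return false;
	}

	// wp_filter_nohtml_kses() expects slashed data, so slash on the way in and
	// unslash on the way out; otherwise a quote or backslash alone causes a mismatch.
	$stripped = wp_unslash( wp_filter_nohtml_kses( wp_slash( $value ) ) );

	// kses also normalizes entities (a bare "&" comes back as "&amp;").
	// Decode both sides so "Tom & Jerry" is not reported as HTML.
	$flags = ENT_QUOTES | ENT_HTML5;

	return html_entity_decode( $stripped, $flags, 'UTF-8' )
		!== html_entity_decode( $value, $flags, 'UTF-8' );
}

add_filter( 'gform_field_validation', function ( $result, $value, $form, $field ) {
	// Only single line text and paragraph text fields; other field types
	// can submit arrays and are left to their own validation.
	if ( ! in_array( $field->type, array( 'text', 'textarea' ), true ) ) {
		return $result;
	}

	// Keep any earlier validation failure; only add ours to a valid field.
	if ( $result['is_valid'] && example_value_contains_html( $value ) ) {
		$result['is_valid'] = false;
		$result['message']  = 'HTML is not allowed in this field.';
	}

	return $result;
}, 10, 4 );
```

A submission containing `<a href="">` fails validation and is never saved as an entry, while plain text with quotes or ampersands passes.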
© 2008 - 2019. Gravity Forms is a project by Rocketgenius Inc.