Every WordPress site with a public form (contact, newsletter signup, lead capture) gets hit by spam bots within hours of going live. The market has converged on three good defenses — honeypots, CAPTCHA, and Akismet — each with a different trade-off between friction, accuracy, and cost. Most sites should run at least two of them in combination. Here's how each works, where each fails, and how to think about which to deploy on a given form.
Spam against WordPress forms is so common it counts as ambient noise. The bots are automated, persistent, and uninterested in any specific site. They crawl every contact form on the web and submit because the cost of doing so is essentially zero. Without protection, a typical contact form receives anywhere from 50 to several thousand spam submissions per month. Each one consumes time in the inbox, dilutes legitimate leads, and (if email is configured loosely) can trigger blacklisting.
The defensive options have converged on three patterns. Each works against a different subset of bots, has different visible friction, and fails in different ways. The strongest implementations layer them.
Honeypot: zero friction, catches the lazy bots.
A honeypot is an invisible form field. The field is hidden from human users via CSS (display: none, visibility: hidden, or off-screen positioning). Real humans never see it; their browsers don’t fill it. Automated bots, which parse the form HTML and fill every field they find, fill the honeypot too. Any submission with content in the honeypot field is silently discarded server-side.
Properties:
- Zero user friction. Humans don’t see anything. The form looks normal.
- Zero subscription cost. A few lines of code; no service to pay.
- Catches the lazy majority. Spam tools that just fill every form field get caught. This is most of the volume.
- Misses sophisticated bots. Bots that render JavaScript or inspect computed CSS see the field is hidden and skip it. The smart bots get through.
- The accessibility trap. If the honeypot relies on off-screen CSS positioning rather than display: none, it must include aria-hidden="true" and tabindex="-1". Otherwise, visually impaired users navigating via keyboard and screen reader will inadvertently fill it out and be silently discarded as bots.
Realistic effectiveness: a well-implemented honeypot typically blocks 70-90% of spam volume on a low-profile site, less on a high-profile one where attackers have invested in better tooling. It’s the right baseline for every form.
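The honeypot described above, as an added example in PHP (not code from the article or any plugin). It assumes a custom WordPress form handler; the field name website_url, the nonce action contact_form, the hook contact_form_accepted and the /thanks/ page are constructed for the example.

```php
<?php
// Added example, not code from the article or any plugin. Assumes a custom
// WordPress form handler; the field name "website_url", the nonce action
// "contact_form" and the /thanks/ page are constructed for the example.

// Render the honeypot. Off-screen positioning is used instead of display:none,
// so the field must also leave the accessibility tree and the tab order.
function render_honeypot_field(): void {
    echo '<div style="position:absolute;left:-10000px;width:1px;height:1px;overflow:hidden;"'
       . ' aria-hidden="true">'
       . '<label for="website_url">Leave this field empty</label>'
       . '<input type="text" id="website_url" name="website_url" value=""'
       . ' tabindex="-1" autocomplete="off">'
       . '</div>';
}

// Server side: any content in the honeypot means a bot filled every field it found.
function is_honeypot_hit(array $post): bool {
    $value = isset($post['website_url']) ? wp_unslash($post['website_url']) : '';
    return trim((string) $value) !== '';
}

// A hit is discarded silently but gets the same redirect as a real submission,
// so the bot cannot tell from the response that it was filtered.
function handle_contact_submission(): void {
    $nonce = isset($_POST['contact_nonce']) ? (string) $_POST['contact_nonce'] : '';
    if (!wp_verify_nonce($nonce, 'contact_form')) {
        wp_die('Invalid request', '', ['response' => 403]);
    }
    if (is_honeypot_hit($_POST)) {
        wp_safe_redirect(home_url('/thanks/'));
        exit;
    }
    $message = sanitize_textarea_field(wp_unslash($_POST['message'] ?? ''));
    do_action('contact_form_accepted', $message);   // hypothetical hook: store or email it
    wp_safe_redirect(home_url('/thanks/'));
    exit;
}
```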
CAPTCHA: visible friction, catches more sophisticated bots.
The current standard is Cloudflare Turnstile or Google’s invisible reCAPTCHA v3, which look like a small checkbox or are entirely invisible to most users. They fingerprint the browser, evaluate dozens of behavioral signals, and challenge only when something looks off. Older versions (“pick all the traffic lights”) still exist but have largely been replaced by these invisible variants.
Properties:
- Low friction in most cases. Most users see a checkbox or nothing at all.
- Real friction when challenged. Users behind VPNs, with strict privacy extensions, or on uncommon browsers get image challenges. Some abandon the form.
- High accuracy against bots. The behavioral fingerprinting catches most automated traffic, including the sophisticated kind that defeats honeypots.
- Privacy and consent concerns. Google’s reCAPTCHA shares data with Google (consent banner trigger in EU). Cloudflare Turnstile is meaningfully better on this axis.
- Vendor dependency. The service has to be available for the form to work.
Realistic effectiveness: invisible CAPTCHA catches 95%+ of remaining spam after honeypot. The combination of honeypot + CAPTCHA typically reduces spam volume to near zero.
Akismet: content classification, catches what got past everything else.
Akismet (and its modern, popular agency alternative, CleanTalk) acts as a hosted content-classification service. Submissions are sent to Akismet’s servers, which compare the content against a continuously updated global database of known spam patterns and assign a probability score. Submissions classified as spam are silently marked as such; everything else passes through.
Properties:
- Zero user-facing friction. The check happens entirely server-side after submission.
- Catches content-pattern spam. Submissions that look legitimate technically (filled out by a real human or a sophisticated bot) but contain spam content (link farms, crypto promotion, drug ads) get caught.
- Subscription cost. Akismet starts at $10-20/month for commercial sites. Alternatives like CleanTalk offer similar API-based classification for closer to $12/year, which is why many agencies have migrated to them.
- Privacy implication. Submission content goes to a third-party service. Needs disclosure in the privacy policy.
- Misses non-content spam. Submissions that contain no spammy content (just generic “hello, contact me back” filler) often pass through.
Realistic effectiveness: Akismet catches a specific class of spam that the other two miss: content-pattern attacks rather than form-flood attacks. It’s the right third layer for sites with meaningful submission volume.
How to layer them.
For a typical WordPress site with one or more public forms:
- Always run the honeypot. Zero cost, catches most volume, no downside.
- Add invisible CAPTCHA on forms that get serious traffic. Cloudflare Turnstile by default; Google reCAPTCHA only when there’s a specific compatibility need (and accept the privacy trade-off).
- Add Akismet on contact and comment forms. Especially on sites where legitimate submissions contain meaningful content (vs. just newsletter sign-ups, which Akismet doesn’t add much to).
A high-volume contact form with all three running typically sees fewer than 5 spam submissions per month, where the same form unprotected would receive thousands. The honeypot is doing 70-90% of the work invisibly; CAPTCHA is catching the sophisticated bots that defeat honeypots; Akismet is catching the content-pattern submissions that look human.
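The three layers in the order described above, as an added example in PHP (not code from the article or any plugin). It assumes a custom WordPress handler with TURNSTILE_SECRET and AKISMET_KEY defined in wp-config.php (both constant names are assumptions); the endpoints and request fields follow the public Turnstile siteverify and Akismet comment-check APIs, and the outage handling shows one way to deal with the vendor dependency noted earlier.

```php
// Added example, not code from the article or any plugin. Assumes a custom WordPress
// handler with TURNSTILE_SECRET and AKISMET_KEY defined in wp-config.php (constant names
// are assumptions); endpoints and fields follow the Turnstile siteverify and Akismet APIs.
// true = human, false = bot, null = Cloudflare unreachable (the vendor dependency).
function turnstile_passes(string $token, string $ip): ?bool {
    $res = wp_remote_post('https://challenges.cloudflare.com/turnstile/v0/siteverify', [
        'timeout' => 5,
        'body'    => ['secret' => TURNSTILE_SECRET, 'response' => $token, 'remoteip' => $ip],
    ]);
    if (is_wp_error($res) || wp_remote_retrieve_response_code($res) !== 200) {
        return null;
    }
    $json = json_decode(wp_remote_retrieve_body($res), true);
    return !empty($json['success']);
}

// Akismet answers "true" for spam and "false" for ham in the response body.
function akismet_passes(array $f, string $ip, string $ua): ?bool {
    $res = wp_remote_post('https://rest.akismet.com/1.1/comment-check', [
        'timeout' => 5,
        'body'    => ['api_key' => AKISMET_KEY, 'blog' => home_url('/'), 'user_ip' => $ip,
                      'user_agent' => $ua, 'comment_type' => 'contact-form',
                      'comment_author' => $f['name'], 'comment_author_email' => $f['email'],
                      'comment_content' => $f['message']],
    ]);
    if (is_wp_error($res) || wp_remote_retrieve_response_code($res) !== 200) {
        return null;
    }
    return trim(wp_remote_retrieve_body($res)) === 'false';
}

// Cheapest layer first. A vendor outage quarantines for review instead of rejecting,
// so real leads survive a third-party outage (a policy choice, not the only valid one).
function classify_submission(array $post, string $ip, string $ua): string {
    if (trim((string) ($post['website_url'] ?? '')) !== '') {
        return 'discard';   // honeypot hit: drop silently, same response as success
    }
    $captcha = turnstile_passes((string) ($post['cf-turnstile-response'] ?? ''), $ip);
    if ($captcha === false) {
        return 'discard';   // failed the behavioural check
    }
    $fields = ['name'    => sanitize_text_field(wp_unslash($post['name'] ?? '')),
               'email'   => sanitize_email(wp_unslash($post['email'] ?? '')),
               'message' => sanitize_textarea_field(wp_unslash($post['message'] ?? ''))];
    $content = akismet_passes($fields, $ip, $ua);
    if ($content === false) {
        return 'spam';      // content-pattern spam: keep in a spam folder for review
    }
    return ($captcha === null || $content === null) ? 'review' : 'accept';
}
```

The caller acts on the returned label: 'discard' stores nothing and returns the normal success response, 'spam' and 'review' are kept out of the inbox for a periodic human look, and only 'accept' reaches the team.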
What to avoid.
A few common mistakes:
- Visible reCAPTCHA v2 (“pick all the buses”) on a low-spam form. The friction loses real submissions; the spam volume didn’t warrant it.
- No protection at all on a publicly-listed contact form. The form will be discovered within 24 hours and start receiving spam. There’s no “small enough to ignore” — bots crawl indiscriminately.
- Akismet on every form. It’s the right third layer; running it as the only layer means paying a subscription for the layer that catches the least.
- Heavy bot-protection tools (Cloudflare Bot Fight Mode, Imunify360) on the form itself. Overkill and prone to false positives. Use those at the edge for site-wide DDoS, not for individual form submissions.
The honest accounting.
The right combination is honeypot + invisible CAPTCHA + Akismet on any commercial contact form. Setup is half a day; the per-month cost is modest (CAPTCHA is typically free at low-medium volume; Akismet is a small subscription). The result is a contact form that surfaces only real submissions, which is what matters: the value of the form isn’t measured in spam blocked but in real leads that reach the team without competing with noise.
See security hardening built into the platform for how this fits with the broader security posture.