Have you noticed an increase in the amount of spam being sent through your contact form? I received six phone calls from client on Monday reporting that spam via the contact form was getting out of control. I asked the question on Reddit and it seems a lot of people have noticed an increase in spam recently.

It’s an unfortunate fact that the longer your website has been online, the more spammers are going to know about it. That’s why you might visit a business’s website and you won’t find an email address anywhere – the owners of that business have just gotten sick of the amount of rubbish that was being emailed to them every day. Spammers have been trawling the internet for decades (literally!) looking for new email addresses to add to their lists.

Contact forms are a better way to allow visitors to contact you without needing to display an email address. However, contact forms have also become a target for spammers.

Actually, to clarify, WordPress is the real target. WordPress now makes up more than 30% of the entire internet! That is a rich vein of potential targets. A spammer would only need to create a tool that targets popular form plugins such as GravityForms or Contact Form 7, and they would be able to spam a very large number of people indeed.

And that’s what seems to be happening. Our clients are reporting big spikes increase in the amount of spam they are receiving, which is why I find myself writing this blog post now.

There is an answer to your prayers!

What is a “CAPTCHA”?

CAPTCHA is actually an acronym. (I didn’t know that either!) It stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”. And that’s exactly what it does. It helps determine if someone is a real person or if they are a “bot”.

The old CAPTCHA forms were a little cumbersome. You’ve probably seen something like this before:

Some are easier than others. I mean, if you can decipher this one, you’re a better person than I:

As much as they look messy and garish, they have been a necessary evil in the fight against spam.

Nowadays however, Google have provided us with a new, discreet tool for battling spam.

The latest version of reCAPTCHA doesn’t involve any user input at all – it just watches how the form is being filled in, and determines whether it was filled in by a human, or whether it was filled in by a ‘bot.

Introducing Invisible reCAPTCHA

Invisible reCAPTCHA does not require visitors to fill in a box, or click on anything. Instead, it is invoked directly when the user clicks on the existing submit button of your form. If it determines your actions on the page are suspicious, only then will you be prompted to solve a CAPTCHA.

So what exactly constitutes suspicious behaviour? Well, think about how you fill out a form. First, you have to visit the page and wait for the page to load. You then enter one field at a time, and either tab between fields or click into the next field with your mouse. And of course the more you type, the longer it will takes for you to fill in the form. That looks like a human filling out a form.

A spam bot filling out a form will likely already have loaded the page at a previous time, so it knows what the form looks like. It then pushes what it wants to submit to the form action, without necessarily even needing to load the page at all. Even if it does simulate a page load, it’s much more difficult to simulate a human filling in a form manually than a bot copying-and-pasting its spam message into the form.

Invisible reCAPTCHA does a really good job of weeding out the spam from the real visitors. Best of all, it’s completely free and there’s a WordPress plugin!

How to Set Up Invisible reCAPTCHA in WordPress

1. Install and activate the Invisible reCaptcha for WordPress plugin on your WordPress website. This is a free plugin which can be searched from within the WordPress Dashboard.

2. Now we need an API key to activate the Invisible reCAPTCHA. Go to https://www.google.com/recaptcha/admin and login with your Google account details.

3. Under Register a new site, give it a label (just your domain name), select “Invisible reCAPTCHA” and enter your domain under Domains:

4. Once you submit these details, you will be given a Site key and a Secret key. These are necessary for activating the Invisible reCAPTCHA for WordPress plugin.

5. In your WordPress Dashboard, under Settings, click on Invisible reCaptcha:

6. Under the Settings tab, enter your Site key and Secret key:

7. Finally, click on Contact Forms and activate Invisible reCAPTCHA for the contact form you are using: