Spam in contact forms can quickly render your inbox unusable. Here are the most effective solutions to block these unwanted messages, from the simplest to the most advanced.
Prerequisites
Access to the .htaccess file via cPanel or FTP
Access to your site's WordPress dashboard
Basic file editing knowledge
Task completion: depends on expertise
Expertise: intermediate
How to do it?
Method 1: Add a Honeypot (no plugin)
A honeypot is a form field hidden from visitors: humans never see it and leave it empty, while bots that fill in every field they find give themselves away.
Instructions:
Go to Appearance > Theme Editor (use a child theme if possible)
Open the functions.php file
Add this code at the end (for Contact Form 7):
// Inject a hidden honeypot field into every Contact Form 7 form.
// The field has to sit inside the form element to be submitted with it,
// which is why the CF7 filter is used rather than wp_footer.
add_filter('wpcf7_form_elements', 'ajout_champ_honeypot');
function ajout_champ_honeypot($elements) {
    $honeypot = '<input type="text" name="email_confirm" class="hp-email-field" value="" '
              . 'style="display:none" tabindex="-1" autocomplete="off" aria-hidden="true">';
    return $elements . $honeypot;
}

// Reject the submission when the honeypot field has been filled in.
add_filter('wpcf7_validate', 'verification_honeypot', 10, 2);
function verification_honeypot($result, $tags) {
    if (!empty($_POST['email_confirm'])) {
        // invalidate() needs the name of a form tag that exists in your form,
        // otherwise it silently does nothing. 'your-email' is the default CF7
        // email tag; change it to match a field of your own form.
        $result->invalidate('your-email', 'Robot détecté.');
    }
    return $result;
}
Method 2: Protect Your Form via .htaccess
This method specifically protects your form against code injections and malicious POST requests.
Instructions:
Log in to your cPanel > File Manager
Navigate to the /public_html/ folder
Locate the .htaccess file (if it doesn't exist, create it)
Add these protection rules before the line # BEGIN WordPress:
<IfModule mod_rewrite.c>
RewriteEngine On

## Blocks direct POSTs to the contact pages that do not come from your own site.
## Replace example.com with your domain. Visitors whose browser sends no Referer
## header (strict referrer policy, some privacy extensions) are blocked as well.
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /contact|/formulaire|/wp-contact-form|/contact-form [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
RewriteRule ^(.*)$ - [F,L]

## Blocks requests whose URL query string contains PHP, JavaScript or SQL markers.
## mod_rewrite cannot read the POST body, so the form fields themselves are not
## inspected here. The parentheses and the '?' must be escaped, otherwise the
## pattern is invalid and Apache answers every request with a 500 error.
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /contact [NC]
RewriteCond %{QUERY_STRING} (eval\(|base64_|<\?php|javascript:) [NC,OR]
RewriteCond %{QUERY_STRING} (INSERT\s+INTO|SELECT.+FROM|UNION.+SELECT) [NC]
RewriteRule ^(.*)$ - [F,L]

## Blocks form submissions from known spam user agents. Limited to POST on purpose:
## the generic words bot, crawler and spider also match Googlebot and Bingbot, and
## applying this to every request would lock search engines out of the whole site.
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_USER_AGENT} (ahrefs|mj12bot|rogerbot|semrush|spbot|dotbot|mail\.ru|bot|crawler|spider|scanner) [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>

## Protects the .htaccess file itself (Apache 2.4 syntax, with the 2.2 fallback)
<Files .htaccess>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</Files>
Important:
If the site becomes inaccessible after modifying the .htaccess, rename the .htaccess file to .htaccess_old. The site should become accessible again. Check the syntax of your rules and try again.
The .htaccess rules only see the request method, URL, query string and headers; mod_rewrite cannot inspect the POST body, so the content of the form fields themselves is not filtered by them.
The honeypot does not block all spam because it is only effective against basic bots.
Combine it with the .htaccess method for better protection.
If you cannot find the .htaccess file, make sure to enable showing hidden files in the File Manager.
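Because the .htaccess rules above never see the body of a POST request, the same content check can be done at the application layer, where the submitted fields are available. The following is an added example, not part of the original article and not Contact Form 7's own code: it hooks the wpcf7_spam filter (Contact Form 7 5.x assumed) and goes into the child theme's functions.php; the function name and the link threshold are choices of this example.

```php
<?php
// Added example: application-level spam check for Contact Form 7.
// Runs after PHP has parsed the POST body, so every submitted field is visible.
add_filter('wpcf7_spam', 'exemple_filtre_contenu_spam', 10, 2);

function exemple_filtre_contenu_spam($spam, $submission) {
    if ($spam) {
        return $spam; // already flagged by another filter (e.g. Akismet)
    }

    // Same markers the .htaccess rules try to catch, applied to the form fields.
    // Keep the list narrow: "select ... from" also occurs in ordinary prose.
    $patterns = array(
        '/eval\(|base64_|<\?php|javascript:/i',
        '/INSERT\s+INTO|SELECT\s.+\sFROM|UNION\s+SELECT/i',
    );

    foreach ($submission->get_posted_data() as $name => $value) {
        // Checkbox fields arrive as arrays; flatten them to one string.
        $text = is_array($value) ? implode(' ', $value) : (string) $value;

        foreach ($patterns as $pattern) {
            if (preg_match($pattern, $text)) {
                $submission->add_spam_log(array(
                    'agent'  => 'exemple_filtre_contenu_spam',
                    'reason' => "Injection marker found in field '{$name}'",
                ));
                return true; // CF7 marks the submission as spam and sends no mail
            }
        }

        // Typical comment spam: many links in a single field (threshold is arbitrary).
        if (preg_match_all('#https?://#i', $text) > 3) {
            $submission->add_spam_log(array(
                'agent'  => 'exemple_filtre_contenu_spam',
                'reason' => "Too many links in field '{$name}'",
            ));
            return true;
        }
    }

    return false;
}
```

Flagged submissions are kept as spam by Contact Form 7 rather than being mailed, and the reason appears in the submission's spam log, which makes false positives easy to review.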
Method 3: Add a Captcha
If previous methods aren't enough, add a Captcha to your form.
Instructions:
For Contact Form 7:
Install the Contact Form 7 reCAPTCHA plugin (or use the native integration)
Get your free site and secret keys from the Google reCAPTCHA admin console (https://www.google.com/recaptcha/admin)
Go to Contact > Integration and enter your keys
For WPForms / Elementor:
The Captcha option is available directly in the plugin settings.
