The complete guide to form spam protection in 2026
If your website has a contact form, you will get spam. It is not a question of if, but when. Scrapers crawl the web looking for <form> tags, and automated bots fill them out thousands of times a day. The result: a flooded inbox, polluted analytics, and wasted time sorting real messages from junk.
This guide covers every major spam protection technique, when to use each one, and how to combine them into a layered defense. We will walk through what FormBlade offers on each plan so you can pick the right approach for your situation.
If you just want the quick argument for why most forms do not need a CAPTCHA, read how to stop form spam without annoying your users instead.
Understanding the threat landscape
Not all spam bots are the same. Understanding the different types helps you choose the right defense:
- Dumb scrapers — parse raw HTML, find <form> tags, POST to the action URL. Do not execute JavaScript. Represent the vast majority of spam. Defeated by honeypots and JS verification.
- Script kiddies — use basic tools like cURL or Python scripts to submit forms. May follow redirects but do not render pages. Defeated by honeypots, JS verification, and basic CAPTCHAs.
- Headless browsers — use Puppeteer, Playwright, or Selenium to render pages fully, including JavaScript. Can solve simple challenges. Defeated by behavioral CAPTCHAs (hCaptcha, reCAPTCHA, GeeTest).
- Human spam farms — real people paid to fill out forms manually. No automated defense stops these entirely. Rate limiting and content analysis help.
Layer 1: Honeypot fields (all plans)
The simplest and most effective first line of defense. A honeypot is a hidden form field that is invisible to real users but visible to bots that parse HTML. If a bot fills in the hidden field, you know it is not human.
```html
<!-- Hidden from users, visible to bots -->
<input type="text" name="_fb_hp" style="display:none" tabindex="-1">
```
FormBlade adds a honeypot field automatically to every hosted form. For self-hosted forms, the code snippet includes it. You can customize the field name in form settings to make it harder for sophisticated bots to detect.
Effectiveness: Catches 60-70% of spam bots. Zero impact on user experience. No setup required.
Layer 2: JavaScript verification (all plans)
Most spam bots do not execute JavaScript. FormBlade includes a hidden field that JavaScript sets to a value after a short delay. If the field is empty when the form is submitted, the submitter did not run JavaScript — almost certainly a bot.
```html
<!-- Automatically set by JavaScript after 1.5 seconds -->
<input type="hidden" name="_fb_js" id="_fb_js">
<script>
  setTimeout(function () {
    document.getElementById("_fb_js").value = Date.now();
  }, 1500);
</script>
```
This is enabled by default on all forms. Combined with honeypots, it blocks the vast majority of automated spam without any user interaction.
Effectiveness: Catches 80-90% of bots when combined with honeypots. Zero impact on UX.
Layer 3: Math challenge (all plans)
A simple math question like "What is 3 + 7?" that the user must answer. The answer is verified server-side with a signed token, so bots cannot cheat by inspecting the HTML.
FormBlade generates a random math question for each page load. The question changes every time and the token expires after 10 minutes. No external service needed — it works completely within FormBlade.
Best for: Forms where you want visible proof that a human is submitting, but do not want to use a third-party CAPTCHA. Works everywhere, including China and regions where Google services are blocked.
Effectiveness: Stops all automated bots. Some advanced bots can parse and solve simple math, but combined with layers 1 and 2, the chances are minimal.
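One way to build the signed, expiring token described above, as an added example (not FormBlade's code). The token layout, the function names and the use of HMAC-SHA256 are assumptions; only the 10-minute lifetime comes from this page.

```javascript
// Added example: stateless math challenge with an HMAC-signed, expiring token.
const crypto = require("node:crypto");

const TOKEN_TTL_MS = 10 * 60 * 1000; // the page states tokens expire after 10 minutes

// Hypothetical helper: HMAC-SHA256 over "<answer>.<expiry>" with a server-only key.
function sign(secret, answer, expiresAt) {
  return crypto
    .createHmac("sha256", secret)
    .update(`${answer}.${expiresAt}`)
    .digest("hex");
}

// Called on each page load. Only `question` and `token` reach the browser;
// the answer is never in the HTML, it is only bound into the MAC.
function issueChallenge(secret, now = Date.now()) {
  const a = crypto.randomInt(1, 10);
  const b = crypto.randomInt(1, 10);
  const expiresAt = now + TOKEN_TTL_MS;
  return {
    question: `What is ${a} + ${b}?`,
    token: `${expiresAt}.${sign(secret, a + b, expiresAt)}`,
  };
}

// Called on submit. Returns "ok", "expired", "malformed" or "wrong".
function verifyChallenge(secret, token, submittedAnswer, now = Date.now()) {
  const match = /^(\d{1,16})\.([0-9a-f]{64})$/.exec(String(token));
  if (!match) return "malformed";
  const expiresAt = Number(match[1]);
  const answer = String(submittedAnswer).trim();
  if (!/^\d{1,3}$/.test(answer)) return "wrong";
  // Recompute the MAC from the submitted answer and the claimed expiry.
  const expected = Buffer.from(sign(secret, Number(answer), expiresAt), "hex");
  const given = Buffer.from(match[2], "hex");
  // Constant-time comparison; a tampered expiry or a wrong answer changes the MAC.
  if (!crypto.timingSafeEqual(expected, given)) return "wrong";
  return now > expiresAt ? "expired" : "ok";
}
```

A stateless token like this stays valid until it expires, so a server that needs single-use challenges also has to record the tokens it has already accepted and limit attempts per token.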
Layer 4: hCaptcha (all plans)
hCaptcha is a privacy-friendly CAPTCHA service that shows an interactive challenge. Unlike reCAPTCHA, it does not use Google tracking cookies and is GDPR-friendly out of the box.
hCaptcha is free to use (up to 1 million verifications per month) and available on all FormBlade plans, including Personal. You need a free hCaptcha account to get your site key and secret key.
Best for: High-traffic forms, forms receiving targeted spam, privacy-conscious websites.
Layer 5: Advanced CAPTCHAs (Pro)
Pro plans unlock additional CAPTCHA providers for specific use cases:
| Provider | Type | Best for |
|---|---|---|
| reCAPTCHA v2 | Checkbox + image puzzle | Broad compatibility, well-known to users |
| reCAPTCHA v3 | Invisible (score-based) | Zero-friction, risk scoring (0.0 = bot, 1.0 = human) |
| Cloudflare Turnstile | Invisible | Privacy-first, no puzzles, free unlimited usage |
| GeeTest v4 | Behavioral (slide/click) | Asia/China markets where Google is blocked |
reCAPTCHA v3 is particularly powerful because it runs invisibly and assigns a score to each visitor. You set a threshold (0.5 is recommended) and submissions below it are flagged. No user interaction at all.
GeeTest v4 is the go-to for websites with Chinese or Asian audiences. It uses behavioral analysis (slide puzzle, click challenge) and works without Google services.
FormBlade's soft-fail approach
Most form services reject submissions that fail CAPTCHA verification. FormBlade takes a different approach: failed submissions are accepted but flagged as spam. This means:
- You never lose a real submission due to a CAPTCHA glitch or misconfigured keys
- Spam submissions are stored but hidden from your inbox by default
- You can review flagged submissions and unflag false positives with one click
- No notification emails are sent for spam-flagged submissions
The dashboard shows exactly which check triggered the spam flag (honeypot, JS verification, or CAPTCHA) so you can diagnose issues.
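The honeypot, JS verification and CAPTCHA score checks feeding a soft-fail decision, as an added example (not FormBlade's code). The field names come from the snippets on this page; the result shape, the one-hour age limit and the clock-skew tolerance are assumptions.

```javascript
// Added example: soft-fail spam classification for one parsed form submission.
const HONEYPOT_FIELD = "_fb_hp";   // field names from the snippets on this page
const JS_FIELD = "_fb_js";
const SCORE_THRESHOLD = 0.5;       // reCAPTCHA v3 threshold recommended on this page
const MAX_AGE_MS = 60 * 60 * 1000; // assumption: a stamp older than 1 hour is stale
const SKEW_MS = 5 * 60 * 1000;     // assumption: tolerated client clock skew

// Returns { accepted, spam, reasons, notify }. `accepted` is always true:
// a failed check flags the submission instead of rejecting it.
function classifySubmission(fields, { now = Date.now(), captchaScore = null } = {}) {
  const reasons = [];

  // Honeypot: real users never see the field, so any content is a bot signal.
  const hp = fields[HONEYPOT_FIELD];
  if (typeof hp === "string" && hp.trim() !== "") reasons.push("honeypot");

  // JS verification: the page's script writes Date.now() into the field.
  // Empty or non-numeric means no script ran; the age window (an assumption
  // added here) also flags stale or far-future stamps.
  const raw = String(fields[JS_FIELD] ?? "");
  const stamp = /^\d{13}$/.test(raw) ? Number(raw) : NaN;
  if (Number.isNaN(stamp) || stamp - now > SKEW_MS || now - stamp > MAX_AGE_MS) {
    reasons.push("js_verification");
  }

  // Score-based CAPTCHA, only when the caller passes a provider score.
  // A missing or non-numeric score counts as a failure.
  if (captchaScore !== null && !(captchaScore >= SCORE_THRESHOLD)) {
    reasons.push("captcha");
  }

  const spam = reasons.length > 0;
  // Spam is stored with its reasons for review; no notification is sent for it.
  return { accepted: true, spam, reasons, notify: !spam };
}
```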
Recommended setup by plan
Personal (free) — strong default protection
- Honeypot + JS verification are enabled by default. No setup needed. This alone blocks 80-90% of spam.
- Add hCaptcha if you are getting targeted spam that bypasses honeypots. Free hCaptcha account required.
- Use math challenge as an alternative if you prefer no third-party dependencies.
Pro — layered defense for business forms
- Keep honeypot + JS verification as your base layer.
- Add reCAPTCHA v3 (invisible) for zero-friction scoring. Set threshold to 0.5. Users never see a challenge unless they score low.
- Use domain restrictions (Business) to only accept submissions from your own domains, blocking submissions from scraped form actions.
- Enable auto-responder (Pro+) to confirm receipt — legitimate users get a confirmation, spam does not.
International / Asia-focused sites
- Avoid reCAPTCHA — Google is blocked in China and unreliable in some Asian networks.
- Use GeeTest v4 (Pro) for behavioral verification that works globally.
- Use Turnstile (Pro) as a fallback — Cloudflare has strong Asian presence.
- Math challenge (free) works everywhere with zero external dependencies.
General tips beyond CAPTCHAs
- Use HTTPS — encrypted submissions prevent man-in-the-middle tampering and are required for most CAPTCHA providers.
- Validate on the server — never rely on client-side validation alone. Bots bypass JavaScript entirely.
- Require specific fields — making email and message fields required filters out many low-effort bots that submit empty forms.
- Monitor your spam folder — check the Spam tab in FormBlade regularly to catch false positives and understand what kind of spam you are receiving.
- Rotate honeypot field names — if you notice bots adapting to your honeypot, change the field name in form settings. Pro users can also customize the JS verification field name.
- Use consent checkboxes — requiring a checkbox adds another field bots must interact with, and it helps with GDPR compliance.
- Set data retention — configure auto-deletion so spam submissions do not accumulate indefinitely and consume storage.
- Review submission patterns — if you see bursts of spam from the same IP range, that information is visible in the submission detail view.
What FormBlade includes by plan
| Feature | Personal (free) | Pro |
|---|---|---|
| Honeypot field | Yes (auto) | Yes (customizable name) |
| JS verification | Yes (auto) | Yes (customizable name) |
| Math challenge | Yes | Yes |
| hCaptcha | Yes | Yes |
| reCAPTCHA v2/v3 | No | Yes |
| Cloudflare Turnstile | No | Yes |
| GeeTest v4 | No | Yes |
| Spam inbox + filtering | Yes | Yes |
| Spam flag details | Yes | Yes |
| Soft-fail (no rejections) | Yes | Yes |
Every FormBlade form comes with honeypot and JS bot protection enabled by default. No setup, no cost.