reCAPTCHA v2 adds a visible checkbox that some users fail repeatedly. reCAPTCHA v3 is invisible but sends visitor behaviour data to Google. For sites with privacy constraints or where form UX matters, stopping Contact Form 7 spam without Google’s involvement is worth doing.
Method 1: CF7 Honeypot
Install the “Contact Form 7 Honeypot” plugin (free, by Nocean). Add the honeypot tag to your CF7 form:
[honeypot honeypot-field]Add to your form template and style it hidden. The plugin handles the CSS and the server-side check. Bots that process all form fields will fill this in and CF7 Honeypot rejects the submission silently. This catches the majority of automated spam with zero user friction.
Method 2: Timing Validation
Bots submit forms in milliseconds. Add a time check using a hidden timestamp field and server-side validation:
// Add to your CF7 form:
// [hidden form_loaded_at ""]
// Then in functions.php:
add_action('wp_footer', 'cf7_inject_load_time');
function cf7_inject_load_time() {{
echo '';
}}
add_filter('wpcf7_validate_hidden', 'cf7_validate_submission_time', 10, 2);
function cf7_validate_submission_time($result, $tag) {{
if ($tag->name !== 'form_loaded_at') return $result;
$loaded_at = intval($_POST['form_loaded_at'] ?? 0);
$elapsed = time() - $loaded_at;
// Reject if submitted in under 3 seconds or over 1 hour
if ($elapsed < 3 || $elapsed > 3600) {{
$result->invalidate($tag, 'Form submission failed. Please try again.');
}}
return $result;
}}Need this built properly? Describe the project and get a free estimate.
Method 3: Akismet Integration
CF7 has a built-in Akismet module that is disabled by default. If you already use Akismet, enable CF7’s integration in the form editor under the “Akismet” tab. Map your form fields to the Akismet parameters (author name, email, URL, content). Akismet then checks each CF7 submission against its spam database and rejects flagged submissions.
This adds cloud-based classification to your forms without any user-visible challenge. The trade-off is that submission data goes to Akismet’s servers – the same privacy consideration as using Akismet for comments.
Method 4: Server-Side IP and Email Checks
Add validation that checks the submitter’s email and IP against public blocklists without a third-party plugin:
add_filter('wpcf7_validate_email', 'cf7_check_disposable_email', 10, 2);
add_filter('wpcf7_validate_email*', 'cf7_check_disposable_email', 10, 2);
function cf7_check_disposable_email($result, $tag) {{
if ($tag->name !== 'your-email') return $result;
$email = isset($_POST[$tag->name]) ? $_POST[$tag->name] : '';
$domain = strtolower(substr(strrchr($email, '@'), 1));
// Maintain a local list of known disposable domains
$blocked = array('mailnull.com', 'guerrillamail.com', 'tempmail.com', 'throwam.com');
if (in_array($domain, $blocked)) {{
$result->invalidate($tag, 'Please use a permanent email address.');
}}
return $result;
}}Combining Methods
Layering these techniques catches different attack types. A practical stack that handles the vast majority of CF7 spam without reCAPTCHA or cloud services:
- CF7 Honeypot – catches automated bots that process all form fields
- Timing validation – catches fast-submitting bots that skip invisible fields
- Disposable email blocking – catches semi-automated spam using throwaway addresses
Human-operated spam gets through all three because a person fills the form manually. For that, Akismet or CleanTalk is the practical solution – they classify submission content rather than behaviour.