preloader

WP Armour plugin review and common issues

WP Armour is used for blocking spam in forms, comments, and registration screens. In most cases, it fits business sites better than a custom build done too early. A common issue is that real users sometimes get flagged by strict filters. This usually happens when spam patterns change, so settings need review over time. It can save time, but it still needs testing on a staging site before major changes go live. From experience, WP Armour works best when you keep the setup focused and avoid overlapping plugins.

Official Plugin Page ↗ Get Help With This Plugin

What is WP Armour plugin?

WP Armour is a honeypot anti-spam plugin for WordPress that stops form spam without CAPTCHAs, cloud APIs, or external data processing. The honeypot technique works by adding invisible fields to forms — fields that are visible in the HTML source code but hidden from human visitors via CSS. Spam bots, which programmatically parse and fill all form fields, fill these invisible fields. WP Armour detects filled honeypot fields and silently rejects the submission before it reaches your inbox or database.

WP Armour is compatible with Contact Form 7, WPForms, Elementor Form, Gravity Forms, Ninja Forms, Formidable Forms, WooCommerce, BuddyPress, and WordPress native comment and registration forms — covering virtually all common form types on a WordPress site. The free version handles all core honeypot functionality. WP Armour Extended Pro ($19.99/year) adds IP-based blocking, spam log with submission recording, enhanced WooCommerce protection, and additional spam detection layers beyond the basic honeypot.

The honeypot approach has a fundamental advantage over cloud-based services: no data leaves your server, making WP Armour completely GDPR-compliant without disclosure requirements. However, honeypots are effective primarily against automated bots — sophisticated human spam farms can learn to avoid honeypot fields. For sites receiving human-operated spam, pairing WP Armour with Akismet or CleanTalk provides layered protection. For sites primarily combating automated bot spam (which is the majority of WordPress form spam), WP Armour alone is often sufficient.

Need Help With WP Armour Setup, Troubleshooting, or Customization?

Need help with WP Armour? Whether you are dealing with errors, broken functionality, styling problems, plugin conflicts, or advanced customization, we can help you fix the issue and get the plugin working properly on your WordPress site.

Get WP Armour Expert Help

Key Features

  • Invisible honeypot fields added to forms — bots fill them, humans do not
  • Compatible with CF7, WPForms, Elementor, Gravity Forms, Ninja Forms, Formidable, WooCommerce, BuddyPress, WordPress comments and registration
  • No CAPTCHA friction — completely invisible to legitimate visitors
  • No external API or cloud service — fully server-side
  • GDPR-compliant by design

Pros & Cons

Pros

  • Zero friction for legitimate visitors — completely invisible spam protection
  • GDPR-compliant with no external data processing
  • Free for core honeypot functionality covering all major form plugins

Cons

  • Honeypot technique vulnerable to sophisticated bots that detect and skip hidden fields
  • No cloud database — cannot catch known spam IPs or email addresses without Pro

Free vs Premium

Free: honeypot protection for all major form plugins. WP Armour Extended Pro ($19.99/year): IP blocking, spam log, enhanced WooCommerce protection, additional detection layers.

Common Problems & Fixes

WP Armour is installed but spam is still coming through Contact Form 7 forms. How do I verify honeypot integration is active?

Check if WP Armour’s honeypot is correctly integrated with Contact Form 7: right-click your form on the frontend and inspect the HTML source. Look for hidden input fields added by WP Armour (they have an opacity:0 or display:none style). If no hidden fields are visible, the integration may not be active. Go to WP Armour → Settings and ensure Contact Form 7 integration is enabled. If integration is enabled and fields exist but spam still comes through, the spam source is likely human-operated or an advanced bot that detects hidden fields — add Akismet or CleanTalk as an additional layer.

WP Armour is blocking legitimate form submissions — real users cannot submit the contact form. How do I troubleshoot false positives?

Honeypot false positives are rare but can occur if: (1) a browser auto-fill extension fills all form fields including the hidden honeypot field — some aggressive autofill tools do this. Ask the affected user to disable autofill extensions and try again; (2) a JavaScript error prevents WP Armour’s CSS from loading, making the honeypot visible and accidentally filled by users; (3) a screen reader or accessibility tool reads and populates all form fields. For accessibility-related issues, WP Armour has an option to use a different honeypot hiding method — check Settings for alternative display options.

WP Armour does not appear to protect WooCommerce checkout from spam orders. How do I enable WooCommerce protection?

WooCommerce protection in WP Armour requires the Extended Pro version. In WP Armour Pro → Settings, enable WooCommerce protection. This adds honeypot validation to the WooCommerce checkout and registration forms. For the free version, WooCommerce checkout protection is not included — use CleanTalk ($8/year) for comprehensive WooCommerce spam protection without upgrading WP Armour, or combine WP Armour free with WooCommerce’s built-in checkout limitations (email verification, address validation).

Customization & Developer Notes

How do I add WP Armour honeypot protection to a custom HTML form not using a supported plugin?

For custom forms, manually add the WP Armour honeypot field using its PHP function. In your form’s PHP template, add the honeypot field: This renders the hidden field. Add honeypot validation in your form processing function using: if(wp_armour_honeypot_check()) { // reject submission }. This approach extends WP Armour’s protection to any PHP-rendered form, including custom-coded forms and plugin-generated forms that are not natively supported.

Can I use WP Armour alongside Akismet for comment spam protection?

Yes — using WP Armour and Akismet together is a recommended combination. WP Armour’s honeypot catches automated bots before they reach Akismet’s API, reducing Akismet’s API call volume and providing an additional filtration layer. Submissions that pass the honeypot check (likely from more sophisticated sources) are then evaluated by Akismet’s cloud database. This two-layer approach improves overall spam detection while reducing false positive risk from either tool operating alone.

Frequently Asked Questions

Is WP Armour better than using CAPTCHA for spam protection?

WP Armour’s honeypot is invisible — no user interaction required, no UX friction, no accessibility concerns. CAPTCHAs add a frustrating user interaction step that increases form abandonment. For automated bot spam (the vast majority of WordPress spam), WP Armour is equally or more effective than CAPTCHA. CAPTCHAs have an advantage against human spam farms, as they cannot be automatically bypassed. For sites facing human-operated spam, combining WP Armour with Akismet or CleanTalk provides better coverage than either alone.

Does WP Armour affect site performance?

WP Armour’s performance impact is minimal. Adding hidden fields to forms is a server-side HTML injection — it adds a small amount of HTML output but involves no database queries or API calls on page load. Spam detection (checking if the honeypot field is filled) occurs only at form submission time, not on every page view. WP Armour is one of the most lightweight anti-spam options for WordPress, making it suitable even for performance-critical pages.

Can WP Armour break after updates?

Yes, that can happen, especially on older sites with many plugins. This usually happens when the plugin, theme, and add-ons are updated out of sequence. In most cases, testing on staging catches the issue before it reaches the live site. From experience, backups and changelog reviews save a lot of cleanup time.

What should I check before installing WP Armour?

Start by checking whether another plugin already does the same job. In most cases, overlap is what creates avoidable conflicts and performance issues. A common issue is installing a plugin because it looks convenient without checking the stack first. From experience, a short compatibility review avoids most of the pain later.

Need a WP Armour Developer?

Find a vetted WordPress developer specializing in WP Armour. From setup and configuration to custom WP Armour development — get expert help on WPWizzy.
Get a Free Estimate

Ready to hire your WordPress developer?

WPWizzy connects you with vetted freelance WordPress developers from the Codeable network — the top 2% of WordPress experts worldwide, , you can get a free no-obligation project estimate before hiring. Every developer is carefully screened, backed by Codeable’s satisfaction guarantee, and rated by real clients based on completed WordPress projects.

Pick one option and we’ll take you to the right next step.

After submitting your request, up to three WordPress developers may review your project and ask a few questions to better understand the issue.
This step helps us define the scope of work and provide an accurate estimate. Most projects receive a response within 24 hours.
Providing a few key details about your website or the problem will help us respond faster. There is no obligation to proceed with the project.