Form Spam Protection: Honeypot, CAPTCHA & More
Last updated: March 2026
Contact forms are prime targets for spam bots. Without protection, you'll wake up to hundreds of junk submissions clogging your inbox. This guide covers the most effective spam protection methods for HTML forms, from invisible honeypot fields to CAPTCHA services, and how FormWit handles spam automatically.
Why contact forms get spam
Bots crawl the web looking for forms to submit. They target contact forms, comment boxes, and signup forms to send spam, phishing links, or SEO spam. Their goal is simple: abuse any open form endpoint they can find to distribute their content at scale.
If your form has no protection, automated bots will find it within days of going live. Even low-traffic sites aren't safe. Bots don't care about your visitor count; they care about finding unprotected <form> tags.
The good news: a few simple techniques can block the vast majority of spam without adding friction for your real users.
Honeypot fields
A honeypot field is the simplest and most user-friendly spam protection method. It works by exploiting how bots interact with forms differently than humans.
How it works
You add a hidden input field to your form. Real users never see or fill it because it's invisible via CSS. Bots, however, fill every field automatically. They can't tell which fields are visible and which aren't. If the honeypot field has a value when the form is submitted, the submission is spam.
Code example with FormWit
```html
<form action="https://app.formwit.com/api/s/YOUR_FORM_ID" method="POST">
  <label for="name">Name</label>
  <input type="text" id="name" name="name" required />
  <label for="email">Email</label>
  <input type="email" id="email" name="email" required />
  <label for="message">Message</label>
  <textarea id="message" name="message" required></textarea>
  <!-- This field is invisible to users but bots will fill it -->
  <input type="text" name="_gotcha" style="display:none" tabindex="-1" autocomplete="off" />
  <button type="submit">Send Message</button>
</form>
```

The _gotcha field is hidden with style="display:none". The tabindex="-1" prevents keyboard users from accidentally tabbing into it, and autocomplete="off" stops browsers from auto-filling it.
Pros
- No user friction - completely invisible to real visitors
- No JavaScript required - works with pure HTML
- Works everywhere - compatible with every browser, device, and platform
- No third-party dependencies - nothing to load or configure
Cons
- Not 100% effective alone - sophisticated bots can detect hidden fields and skip them
- Won't stop targeted attacks - if someone specifically targets your form, they can bypass it
FormWit's implementation
FormWit checks the _gotcha field automatically on every submission. If it has a value, the submission is silently rejected: no error shown to the bot, no notification sent to you. Just add the hidden field to your HTML and FormWit handles the rest.
reCAPTCHA
reCAPTCHA is Google's CAPTCHA service and the most widely used spam protection on the web. It comes in two main versions:
- reCAPTCHA v2 - the classic "I'm not a robot" checkbox. May present visual challenges (select all traffic lights, etc.).
- reCAPTCHA v3 - invisible, score-based. Runs in the background and assigns a score from 0.0 (likely bot) to 1.0 (likely human). No user interaction required.
How to add reCAPTCHA to a form
- Register your site at the reCAPTCHA admin console to get your site key and secret key
- Load the reCAPTCHA script in your page
- Add the reCAPTCHA widget to your form
- Verify the response token on your backend
```html
<!-- Load reCAPTCHA v2 -->
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
<form action="/submit" method="POST">
  <input type="text" name="name" required />
  <input type="email" name="email" required />
  <textarea name="message" required></textarea>
  <!-- reCAPTCHA widget -->
  <div class="g-recaptcha" data-sitekey="YOUR_SITE_KEY"></div>
  <button type="submit">Send</button>
</form>
```

Pros
- Very effective - Google processes billions of CAPTCHAs daily, so their detection is highly accurate
- Widely trusted - users recognize it
- v3 is invisible - no user interaction needed for most legitimate visitors
Cons
- Requires JavaScript - won't work if JS is disabled
- Google dependency - adds Google's tracking scripts to your site
- Privacy concerns - Google collects user data for risk analysis
- Can frustrate users (v2) - visual challenges can be difficult, especially on mobile
- Needs backend verification - the token must be validated server-side via Google's API
hCaptcha
hCaptcha is a privacy-focused CAPTCHA alternative that works like reCAPTCHA v2 but doesn't track users for advertising purposes. It presents visual challenges to verify humans.
hCaptcha is used by major sites including Cloudflare, Discord, and many others that moved away from reCAPTCHA over privacy concerns.
```html
<!-- Load hCaptcha -->
<script src="https://js.hcaptcha.com/1/api.js" async defer></script>
<form action="/submit" method="POST">
  <input type="text" name="name" required />
  <input type="email" name="email" required />
  <textarea name="message" required></textarea>
  <!-- hCaptcha widget -->
  <div class="h-captcha" data-sitekey="YOUR_SITE_KEY"></div>
  <button type="submit">Send</button>
</form>
```

Pros
- Privacy-friendly - GDPR compliant, doesn't use data for advertising
- Free tier available - suitable for most sites
- Effective - strong bot detection comparable to reCAPTCHA
Cons
- Requires JavaScript - same limitation as reCAPTCHA
- User friction - presents checkbox and visual challenges to visitors
- Needs backend verification - token must be validated server-side
Cloudflare Turnstile
Cloudflare Turnstile is an invisible CAPTCHA replacement. It runs challenges entirely in the background: no visual puzzles, no checkboxes, no user interaction at all. It verifies visitors by analyzing browser signals without disrupting the user experience.
```html
<!-- Load Turnstile -->
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
<form action="/submit" method="POST">
  <input type="text" name="name" required />
  <input type="email" name="email" required />
  <textarea name="message" required></textarea>
  <!-- Turnstile widget -->
  <div class="cf-turnstile" data-sitekey="YOUR_SITE_KEY"></div>
  <button type="submit">Send</button>
</form>
```

Pros
- Invisible to users - no friction, no puzzles, nothing to click
- Free - no usage limits on the free plan
- Privacy-focused - Cloudflare doesn't sell user data
- No visual puzzles - better experience than reCAPTCHA v2 or hCaptcha
Cons
- Requires JavaScript - won't work with JS disabled
- Cloudflare dependency - tied to Cloudflare's infrastructure
- Newer service - smaller ecosystem and community compared to reCAPTCHA
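All three CAPTCHA sections above end with the same requirement: the token the widget posts must be verified on your backend. The following is an added example, not code from FormWit or from any of the providers, that performs that step once for reCAPTCHA (v2 and v3), hCaptcha and Turnstile using their documented siteverify endpoints and widget field names. The `post` argument is injectable so the decision logic can be exercised without network access; the secret key, the expected hostname and the score or action thresholds are values you supply.

```python
import json
import urllib.parse
import urllib.request

# Each provider's siteverify endpoint and the form field its widget posts the token in.
PROVIDERS = {
    "recaptcha": ("https://www.google.com/recaptcha/api/siteverify", "g-recaptcha-response"),
    "hcaptcha":  ("https://api.hcaptcha.com/siteverify", "h-captcha-response"),
    "turnstile": ("https://challenges.cloudflare.com/turnstile/v0/siteverify", "cf-turnstile-response"),
}

def post_siteverify(url, params):
    """Real HTTP call: POST the form-encoded params and parse the JSON reply."""
    data = urllib.parse.urlencode(params).encode()
    with urllib.request.urlopen(url, data=data, timeout=10) as resp:
        return json.load(resp)

def judge_siteverify(result, expected_hostname, min_score=None, expected_action=None):
    """Decide whether a siteverify JSON reply proves a human on *our* site.
    Returns (ok, reason)."""
    if not result.get("success"):
        return False, "failed: " + ",".join(result.get("error-codes", ["unknown"]))
    # Bind the token to our domain so one solved on another site cannot be replayed here.
    if result.get("hostname") != expected_hostname:
        return False, "hostname mismatch"
    # reCAPTCHA v3 and Turnstile echo the action the widget was rendered with.
    if expected_action is not None and result.get("action") != expected_action:
        return False, "action mismatch"
    # reCAPTCHA v3 returns a 0.0-1.0 score; a missing score counts as 0.0 when a threshold is set.
    if min_score is not None and float(result.get("score", 0.0)) < min_score:
        return False, "score below threshold"
    return True, "ok"

def verify_form(provider, form, secret, remote_ip, expected_hostname, post=post_siteverify, **policy):
    """Look up the provider, pull the token out of the submitted form, and verify it."""
    url, field = PROVIDERS[provider]
    token = form.get(field, "")
    if not token:  # widget stripped or JS disabled: treat as failed, never as passed
        return False, "missing token"
    result = post(url, {"secret": secret, "response": token, "remoteip": remote_ip})
    return judge_siteverify(result, expected_hostname, **policy)
```

Pass `min_score` for reCAPTCHA v3 and `expected_action` for v3 or Turnstile; for reCAPTCHA v2 and hCaptcha the reply carries only success and hostname, so those two checks are all you get.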
Rate limiting
Rate limiting restricts how many submissions a single IP address can make within a given time window. It's a server-side technique that prevents brute-force spam floods.
Unlike honeypots and CAPTCHAs, rate limiting isn't something you add to your HTML. It's enforced on the backend. If someone (or a bot) submits your form 50 times in a minute, rate limiting blocks the excess submissions.
Pros
- Catches flood attacks - stops bots that submit hundreds of times in rapid succession
- No user friction - legitimate users never notice it
- No JavaScript required - entirely server-side
Cons
- Doesn't stop one-off bot submissions - a bot that submits once per IP won't be caught
- Can block shared IPs - users behind corporate NAT or VPNs may share IPs
- Requires server-side implementation - can't be added to a static site without a backend
FormWit applies rate limiting automatically on all plans, so you don't need to configure anything.
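To make the honeypot check and the rate limiting described above concrete, here is an added example of the server-side gate a form endpoint would apply; it is not FormWit's code. The field names match the form on this page; the limit of 5 submissions per IP per 60 seconds is an assumed policy value, and the timestamps are passed in so the window logic can be tested without waiting.

```python
import re
import time
from collections import defaultdict, deque

HONEYPOT_FIELD = "_gotcha"   # the hidden field used in the form examples on this page
RATE_LIMIT = 5               # assumed policy: at most 5 submissions ...
RATE_WINDOW = 60.0           # ... per IP per 60-second sliding window
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

class SubmissionFilter:
    """Server-side checks run before a submission is stored or emailed."""

    def __init__(self, limit=RATE_LIMIT, window=RATE_WINDOW):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # ip -> timestamps of recent submissions

    def _rate_limited(self, ip, now):
        q = self._hits[ip]
        while q and now - q[0] > self.window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return True
        q.append(now)
        return False

    def check(self, fields, ip, now=None):
        """Return 'accept', 'rate_limited', 'spam' (honeypot filled) or 'invalid'.
        The endpoint should answer 'spam' with the same response as 'accept' so
        the bot gets no signal that it was caught."""
        now = time.time() if now is None else now
        # 1. Rate limit first so a flood never reaches the later checks.
        if self._rate_limited(ip, now):
            return "rate_limited"
        # 2. Honeypot: real users never see the field, so any value means a bot.
        if fields.get(HONEYPOT_FIELD, "").strip():
            return "spam"
        # 3. Validate the real fields on the server; `required` in HTML is not enforced for bots.
        for name in ("name", "email", "message"):
            if not fields.get(name, "").strip():
                return "invalid"
        if not EMAIL_RE.match(fields["email"].strip()):
            return "invalid"
        return "accept"
```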
Comparison table
| Method | User Friction | JavaScript Required | Privacy | Effectiveness |
|---|---|---|---|---|
| Honeypot | None | No | High | Good |
| reCAPTCHA v3 | None | Yes | Low (Google) | Excellent |
| hCaptcha | Low-Medium | Yes | High | Excellent |
| Turnstile | None | Yes | High | Excellent |
| Rate limiting | None | No | High | Moderate |
For most static sites, a honeypot field combined with rate limiting provides strong protection with zero user friction. Add a CAPTCHA only if you're dealing with high-traffic forms or targeted spam attacks.
How FormWit handles spam
FormWit includes honeypot field detection and server-side rate limiting on all plans, including Free. No configuration required. Just add the _gotcha hidden field to your form and FormWit handles the rest.
```html
<form action="https://app.formwit.com/api/s/YOUR_FORM_ID" method="POST">
  <input type="text" name="name" required />
  <input type="email" name="email" required />
  <textarea name="message" required></textarea>
  <!-- Honeypot spam protection — FormWit checks this automatically -->
  <input type="text" name="_gotcha" style="display:none" tabindex="-1" autocomplete="off" />
  <button type="submit">Send</button>
</form>
```

No CAPTCHA JavaScript, no third-party scripts, no user friction. Spam submissions are silently rejected and never appear in your dashboard or trigger email notifications.
Best practices
- Use honeypot as your baseline. It catches most automated spam with zero user friction and no dependencies.
- Add CAPTCHA for high-traffic forms. If you're getting sophisticated spam that bypasses honeypots, add reCAPTCHA v3 or Turnstile for an extra layer.
- Always validate on the server. Client-side validation is for user experience, not security. Bots bypass JavaScript entirely.
- Don't rely on client-side only. Any protection that runs only in the browser (like disabling the submit button) can be trivially circumvented.
- Use a form backend with built-in protection. Services like FormWit include honeypot detection and rate limiting out of the box, so you don't have to build and maintain spam filtering yourself.
- Layer your defenses. Combine honeypot + rate limiting as a minimum. Add CAPTCHA only when needed, since every extra step is potential friction for real users.
Summary
Spam protection doesn't have to mean annoying your users with puzzles. A simple honeypot field blocks most automated spam, and server-side rate limiting catches the rest. For the rare cases where that's not enough, invisible CAPTCHA services like reCAPTCHA v3 and Cloudflare Turnstile add strong protection without visible friction.
FormWit includes honeypot detection and rate limiting on every plan. No setup required. Get started free and stop worrying about spam.
Frequently asked questions
How does honeypot spam protection work?
You add a hidden text input to your form that real visitors never see (hidden with CSS display:none). Bots auto-fill every field they find, including hidden ones. When FormWit receives a submission with the honeypot field filled in, it silently rejects it. No CAPTCHAs, no user friction.
Is CAPTCHA necessary with FormWit?
For most sites, no. FormWit's built-in honeypot detection and rate limiting block the vast majority of automated spam. Add a CAPTCHA (reCAPTCHA v3 or Cloudflare Turnstile) only if you run a high-traffic form that still sees spam getting through after honeypot filtering.
What happens to spam submissions?
Submissions caught by the honeypot or rate limiter are silently rejected. They do not appear in your dashboard, do not trigger email notifications, and the bot receives no indication that it was caught. Legitimate submissions pass through normally.