Avoid Elementor form spam – the solution

Tired of having your inbox flooded with spam emails sent to you via Elementor forms?

These spam bots are annoying, but there are several ways in which you can stem this flood of spam emails. I will introduce you to the best 6 of them, including advantages and disadvantages (especially with regard to data protection).

TL;DR: The last solution effectively avoids form spam in Elementor with a simple code snippet.

Curb Elementor form spam with the honeypot field

The easiest way to avoid form spam with Elementor is to add a honeypot field to the form. This works with Elementor's built-in tools.

To do this, add a new field to your forms and select “Honeypot” as the type:

Elementor Honeypot field

This field is not visible to visitors to your website, but is automatically filled in by spam bots. If the field is filled in, Elementor knows that it is a spam bot and issues an error message.

This method is very easy to implement and you should use it with every Elementor form. However, this method is not particularly good at keeping spam out.

Advantages of the honeypot:
✅ Easy to implement
✅ Function included in Elementor
✅ GDPR-compliant
✅ No puzzle necessary

Disadvantages of the honeypot:
❌ Does not stop all spam

Avoid Elementor form spam with Akismet

Since version 3.19, Elementor Pro also supports Akismet, the anti-spam plugin from Automattic.

Akismet Plugin - reliably keeps spam away from Elementor forms.

Unfortunately, the setup is somewhat more complex and is carried out as described in the Elementor help. You can secure your forms against spam very reliably with Akismet, but the plugin is subject to a fee and is only GDPR-compliant to a limited extent.

Advantages of Akismet:
✅ Keeps spam out very reliably
✅ Function included in Elementor
✅ No action required by the user

Disadvantages of Akismet:
❌ Plugin subject to a charge
❌ Problematic in relation to the GDPR
❌ Complicated setup

Avoid Elementor form spam with Google ReCaptcha v3

The better option, which is also included in Elementor by default, is to use Google reCaptcha.

With version 2 of Google reCaptcha, your website visitors have to solve a “puzzle” and select all traffic lights, bicycles or boats, for example.

With version 3 of Google reCaptcha, Google automatically recognizes whether it is a real user and your website visitors no longer have to search for images. So be sure to choose version 3.

Elementor and Google reCaptcha v3

The big disadvantage of Google reCaptcha is that it is a Google service. This is very useful, but unfortunately Google has fallen out of favor with data protectionists.

You should therefore always seek legal advice before using Google reCaptcha.

Advantages of Google reCaptcha:
✅ Reliably stops almost all form spam
✅ Function included in Elementor

Disadvantages of Google reCaptcha:
❌ According to current legal opinion, probably not GDPR-compliant

Avoid Elementor form spam with Cloudflare Turnstile

Cloudflare has launched Turnstile, an alternative to Google reCaptcha. Like Google reCaptcha v3, the service runs in the background and automatically recognizes bots.

Prevent Elementor spam with Cloudflare Turnstile

Cloudflare automatically draws on the findings from its CDN and does not store any personal data.

To use Cloudflare Turnstile with Elementor (or WordPress), you need this free plugin from WPPOOL and an API key, which you can get for free from Cloudflare.

Please note that you must also adapt your privacy policy here.

Advantages of Cloudflare Turnstile:
✅ Reliably stops form spam
✅ Runs in the background – no puzzles to fill in

Disadvantages of Cloudflare Turnstile:
❌ Extra WordPress plugin required
❌ Problematic in terms of data protection law

Prevent Elementor form spam with captcha.eu

Google reCaptcha and Cloudflare Turnstile are problematic in terms of data protection. That’s why I already use the data protection-friendly solution from captcha.eu for some customers.

Simply install the corresponding WordPress plugin and let it guide you through the setup process.

In my experience, the spam protection works excellently, but the plugin is unfortunately subject to a charge.

Advantages of captcha.eu:
✅ Reliably stops form spam
✅ Runs in the background – no puzzles to fill in
✅ Solution from Austria

Disadvantages of captcha.eu:
❌ Extra WordPress plugin required
❌ With costs
❌ Shows logo in the bottom right corner

Avoid Elementor form spam with your own code

Have you recognized the dilemma? Either you are not successfully preventing form spam or you have a problem with the GDPR.

That’s why I was looking for a simpler solution to reliably prevent spam in Elementor forms.

The result is a short code snippet that you can copy into the functions.php of your child theme:

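add_action( 'elementor_pro/forms/validation', function( $record, $ajax_handler ) {
    // Load the WordPress comment blocklist (one entry per line).
    $blackwords = explode( "\n", (string) get_option( 'disallowed_keys' ) );

    // Check every submitted field against every blocklist entry.
    $fields = $record->get_field( [] );
    foreach ( $fields as $field ) {
        foreach ( $blackwords as $blackword ) {
            $blackword = trim( $blackword );
            if ( '' === $blackword ) continue;
            // Escape the entry so regex metacharacters and the | delimiter match literally.
            $regex = '|' . preg_quote( $blackword, '|' ) . '|i';
            if ( preg_match( $regex, $field['value'] ) ) {
                // Reject the submission and stop at the first hit.
                $ajax_handler->add_error( $field['id'], esc_html__( 'Invalid Form.', 'elementor-pro' ) );
                return;
            }
        }
    }
}, 10, 2 );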

Don’t know what to do with this code snippet? This code snippet (and many more) is already included in my Clean WordPress installation. Get my WordPress setup now.

This snippet loads the WordPress comment blocklist and blocks the submission of Elementor forms if one of the words in this list appears.

You can find the blacklist in the WordPress backend under Settings > Discussion > Comment blacklist:

The comment blocklist in WordPress

Enter the unwanted words here and future spam messages can no longer be sent.

In my experience, a handful of good spam words is enough to reduce the flood of spam by 90%.
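
Because the blocklist entries end up inside a regular expression, how they are escaped decides what gets blocked. The following added example (not the author's code) runs without WordPress and compares a pattern built from the raw entry with one escaped via preg_quote(); the helper names, the blocklist text and the form values are constructed for illustration.

```php
<?php
// Added example, not the author's code. Helper names are hypothetical;
// the blocklist text and form values are constructed sample data.

// Pattern built from the raw entry: the entry is interpreted as regex syntax.
function raw_pattern(string $entry): string {
    return '|' . $entry . '|i';
}

// Pattern with the entry escaped: every character, including |, is literal.
function quoted_pattern(string $entry): string {
    return '|' . preg_quote($entry, '|') . '|i';
}

// Return the first blocklist entry found in any field value, or null.
function first_blocklist_hit(string $blocklist, array $values, callable $pattern): ?string {
    foreach (explode("\n", $blocklist) as $entry) {
        $entry = trim($entry); // also strips the \r of Windows line endings
        if ($entry === '') {
            continue;
        }
        foreach ($values as $value) {
            // An invalid pattern makes preg_match() return false and raise a
            // warning (silenced here); the entry then never matches anything.
            if (@preg_match($pattern($entry), $value) === 1) {
                return $entry;
            }
        }
    }
    return null;
}

// Constructed blocklist, as it would be stored in the disallowed_keys option.
$blocklist = "casino\r\nseo.services\nbuy|now\n(cheap\n";

$cases = [
    'plain word, mixed case'   => ['Bob', 'Best CASINO bonus, visit today'],
    'dot in entry vs. a space' => ['Ann', 'Do you offer seo services in Vienna?'],
    'unbalanced parenthesis'   => ['Eve', 'Get (cheap pills here'],
];

foreach ($cases as $label => $values) {
    printf(
        "%-26s raw=%-14s quoted=%s\n",
        $label,
        var_export(first_blocklist_hit($blocklist, $values, 'raw_pattern'), true),
        var_export(first_blocklist_hit($blocklist, $values, 'quoted_pattern'), true)
    );
}
```

Run it with the PHP command-line interpreter; each row shows which blocklist entry, if any, each pattern style reports for the same submission.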

Advantages of your own code:
✅ Uses WordPress standard functions
✅ Transparent for visitors – no puzzle necessary
✅ No extra plugin or service required
✅ GDPR-compliant

Disadvantages of your own code:
❌ More difficult to implement for non-programmers
❌ Only stops around 90% of spam

Conclusion

As you can see, there is unfortunately not THE one solution to avoid form spam in Elementor. The challenges posed by the GDPR are too complex and the spammers are also too intelligent.

For me, the combination of Elementor Honeypot and my code snippet works very reliably. Over time, you will have collected enough blocking words to reliably prevent spam.

By the way, I’m making my WordPress setup available to you at Website Heroes. This already contains this spam protection and many other useful functions.

Hi, I'm Michael Baierl and I'm a WordPress programmer from Vienna, Austria. In my WordPress community - the Website Heroes - web designers will find everything they need to create great websites for their customers and be financially successful: regular training, exchange, feedback, quick problem solving and co-working. Come and visit us now.
