Curb Elementor form spam with the honeypot field
The easiest way to avoid form spam with Elementor is to add a honeypot field to the form. This works with Elementor's built-in tools.
To do this, add a new field to your forms and select “Honeypot” as the type.
This field is not visible to visitors to your website, but is automatically filled in by spam bots. If the field is filled in, Elementor knows that it is a spam bot and issues an error message.
This method is very easy to implement and you should use it with every Elementor form. However, this method is not particularly good at keeping spam out.
Advantages Honeypot | Disadvantages Honeypot |
---|---|
✅ Easy to implement ✅ Function included in Elementor ✅ GDPR-compliant ✅ No puzzle necessary | ❌ Does not stop all spam |
Avoid Elementor form spam with Akismet
Since version 3.19, Elementor Pro also supports Akismet, the anti-spam plugin from Automattic.
Unfortunately, the setup is somewhat more complex and is carried out as described in the Elementor help. You can secure your forms against spam very reliably with Akismet, but the plugin is subject to a fee and is only GDPR-compliant to a limited extent.
Advantages of Akismet | Disadvantages of Akismet |
---|---|
✅ Keeps spam out very reliably ✅ Function included in Elementor ✅ No action required by the user | ❌ Plugin subject to a charge ❌ Problematic in relation to the GDPR ❌ Complicated setup |
Avoid Elementor form spam with Google reCAPTCHA v3
The better option, which is also included in Elementor by default, is to use Google reCAPTCHA.
With version 2 of Google reCAPTCHA, your website visitors have to solve a “puzzle” and select all traffic lights, bicycles or boats, for example.
With version 3 of Google reCAPTCHA, Google automatically recognizes whether it is a real user and your website visitors no longer have to search for images. So be sure to choose version 3.
The big disadvantage of Google reCAPTCHA is that it is a Google service. This is very useful, but unfortunately Google has fallen out of favor with data protection advocates.
You should therefore always seek legal advice before using Google reCAPTCHA.
Advantages of Google reCAPTCHA | Disadvantages of Google reCAPTCHA |
---|---|
✅ Reliably stops almost all form spam ✅ Function included in Elementor | ❌ According to current legal opinion, probably not GDPR-compliant |
Avoid Elementor form spam with Cloudflare Turnstile
Cloudflare has launched Turnstile, an alternative to Google reCAPTCHA. Like Google reCAPTCHA v3, the service runs in the background and recognizes bots automatically.
Cloudflare automatically draws on the findings from its CDN and does not store any personal data.
To use Cloudflare Turnstile with Elementor (or WordPress), you need this free plugin from WPPOOL and an API key, which you can get for free from Cloudflare.
Please note that you must also adapt your privacy policy here.
Advantages of Cloudflare Turnstile | Disadvantages of Cloudflare Turnstile |
---|---|
✅ Reliably stops form spam ✅ Runs in the background – no puzzles to fill in | ❌ Extra WordPress plugin required ❌ Problematic in terms of data protection law |
Prevent Elementor form spam with captcha.eu
Google reCAPTCHA and Cloudflare Turnstile are problematic in terms of data protection. That’s why I already use the data protection-friendly solution from captcha.eu for some customers.
Simply install the corresponding WordPress plugin and let it guide you through the setup process.
In my experience, the spam protection works excellently, but the plugin is unfortunately subject to a charge.
Advantages of captcha.eu | Disadvantages of captcha.eu |
---|---|
✅ Reliably stops form spam ✅ Runs in the background – no puzzles to fill in ✅ Solution from Austria | ❌ Extra WordPress plugin required ❌ With costs ❌ Shows logo in the bottom right corner |
Avoid Elementor form spam with your own code
Have you recognized the dilemma? Either you are not successfully preventing form spam or you have a problem with the GDPR.
That’s why I was looking for a simpler solution to reliably prevent spam in Elementor forms.
The result is a short code snippet that you can copy into the functions.php of your child theme:
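```php
// Reject Elementor Pro form submissions that contain a term from the
// WordPress comment blocklist.
add_action( 'elementor_pro/forms/validation', function ( $record, $ajax_handler ) {
    // The blocklist is stored as one entry per line.
    $blackwords = explode( "\n", (string) get_option( 'disallowed_keys' ) );
    $fields     = $record->get_field( [] );

    foreach ( $fields as $field ) {
        foreach ( $blackwords as $blackword ) {
            $blackword = trim( $blackword );
            if ( '' === $blackword ) {
                continue; // skip empty lines
            }
            // Escape the entry so it is matched literally and cannot break the regex.
            $regex = '|' . preg_quote( $blackword, '|' ) . '|i';
            if ( preg_match( $regex, $field['value'] ) ) {
                $ajax_handler->add_error( $field['id'], esc_html__( 'Invalid Form.', 'elementor-pro' ) );
                return;
            }
        }
    }
}, 10, 2 );
```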
This snippet loads the WordPress comment blocklist and blocks the submission of Elementor forms if one of the words in this list appears.
You can find the blacklist in the WordPress backend under Settings > Discussion > Comment blacklist:
Enter the unwanted words here and future spam messages can no longer be sent.
In my experience, a handful of good spam words is enough to reduce the flood of spam by 90%.
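Because the snippet matches blocklist entries as case-insensitive substrings, a short entry can also reject legitimate messages. The following stand-alone PHP script is an added example, not the author's code: it dry-runs a blocklist against sample text and compares substring matching with an optional whole-word mode. The function name `first_blocked_term`, the blocklist and the sample messages are constructed for illustration.

```php
<?php
// Added example: dry-run a blocklist against sample text, outside WordPress.
// first_blocked_term(), the blocklist and the samples are constructed.

/** Return the first blocklist entry found in $value, or null if none matches. */
function first_blocked_term( string $value, string $blocklist, bool $whole_words = false ): ?string {
    foreach ( preg_split( '/\R/', $blocklist ) as $term ) {
        $term = trim( $term );
        if ( '' === $term ) {
            continue; // ignore blank lines in the list
        }
        // Match the entry literally: "." in "bit.ly" must not mean "any character".
        $pattern = preg_quote( $term, '/' );
        if ( $whole_words ) {
            // Require a non-letter, non-digit (or the string edge) on both sides.
            $pattern = '(?<![\p{L}\p{N}])' . $pattern . '(?![\p{L}\p{N}])';
        }
        if ( 1 === preg_match( '/' . $pattern . '/iu', $value ) ) {
            return $term;
        }
    }
    return null;
}

// Constructed blocklist, one entry per line as in the WordPress settings field.
$blocklist = "casino\ncialis\nbit.ly\n";

// Constructed submissions: two spam messages, two legitimate enquiries.
$samples = [
    'Best online CASINO bonus, click now',
    'Cheap backlinks here: https://bit.ly/xyz',
    'We need an SEO specialist for our clinic website.',
    'Can you call me back on Tuesday?',
];

foreach ( $samples as $text ) {
    $substring  = first_blocked_term( $text, $blocklist );        // how the snippet matches
    $whole_word = first_blocked_term( $text, $blocklist, true );  // stricter variant
    printf( "%-50s substring=%-7s whole-word=%s\n", $text, $substring ?? '-', $whole_word ?? '-' );
}
```

The third sample is rejected in substring mode because "specialist" contains "cialis"; whole-word mode lets it through while still catching the two spam samples.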
Advantages of your own code | Disadvantages of own code |
---|---|
✅ Uses WordPress standard functions ✅ Transparent for visitors – no puzzle necessary ✅ No extra plugin or service required ✅ GDPR-compliant | ❌ More difficult to implement for non-programmers ❌ Only stops around 90% of spam |
Conclusion
As you can see, there is unfortunately no single solution for avoiding form spam in Elementor. The challenges posed by the GDPR are too complex and the spammers are also too intelligent.
For me, the combination of Elementor Honeypot and my code snippet works very reliably. Over time, you will have collected enough blocking words to reliably prevent spam.
By the way, I’m making my WordPress setup available to you at Website Heroes. This already contains this spam protection and many other useful functions.