WPZOOM Forms Spam Protection Guide

WPZOOM Forms provides multiple layers of spam protection to keep your forms secure from automated spam submissions. The plugin includes built-in integrations with popular anti-spam services and offers flexible configuration options to suit your needs.

1. Built-in Spam Protection Features
2. Setting Up Google reCAPTCHA
3. Setting Up Cloudflare Turnstile
4. Akismet Integration
5. CleanTalk Integration
6. Best Practices
7. Troubleshooting

---

Built-in Spam Protection Features

Spam Post Status

WPZOOM Forms automatically creates a “Spam” post status for form submissions. Suspicious submissions can be automatically marked as spam and reviewed manually from the WordPress admin panel.

How It Works:

1. Submissions are evaluated by enabled spam protection services
2. Suspicious submissions are stored with “spam” status
3. Administrators can review and manage spam submissions from the admin panel

---

Setting Up Google reCAPTCHA

Google reCAPTCHA is the most popular CAPTCHA service and offers two versions:

• Invisible reCAPTCHA v2: Shows challenges only to suspicious users
• reCAPTCHA v3: Works silently in the background with risk scoring

Step 1: Get Your reCAPTCHA Keys

1. Visit Google reCAPTCHA Admin Console
2. Sign in with your Google account
3. Register a new site:

• Label: Enter a descriptive name (e.g., “My WordPress Site”)
• reCAPTCHA type: Choose either v2 Invisible or v3
• Domains: Add your website domain(s)

4. Accept the Terms of Service
5. Click “Submit”

6. Copy your Site Key and Secret Key

Step 2: Configure in WPZOOM Forms

1. Navigate to Forms → Settings in WordPress admin
2. Go to the Spam Protection tab
3. Select Google reCAPTCHA as your protection service
4. Choose your reCAPTCHA type (v2 or v3)
5. Enter your keys:

• For v2: Enter Site Key and Secret Key in the v2 fields
• For v3: Enter Site Key and Secret Key in the v3 fields

6. For reCAPTCHA v3, configure the badge location (bottomright, bottomleft, or inline)
7. Click Save Settings

reCAPTCHA v3 Score Threshold

The plugin uses a score threshold of 0.5 for v3. Scores below this are considered spam:

• 1.0 = Very likely a good interaction
• 0.0 = Very likely a bot
• Default threshold: 0.5

---

Setting Up Cloudflare Turnstile

Cloudflare Turnstile is a privacy-preserving alternative to reCAPTCHA that doesn’t require user interaction in most cases.

Step 1: Get Your Turnstile Keys

1. Log in to Cloudflare Dashboard
2. Navigate to Turnstile in the sidebar
3. Click Add Widget

4. Configure your widget:

• Site name: Enter a descriptive name
• Domain: Add your website domain(s)
• Widget Mode: Choose Managed, Non-interactive, or Invisible

5. Click Create

6. Copy your Site Key and Secret Key

Step 2: Configure in WPZOOM Forms

1. Navigate to WPZOOM Forms → Settings in WordPress admin
2. Go to the Spam Protection tab
3. Select Cloudflare Turnstile as your protection service
4. Enter your Turnstile Site Key
5. Enter your Turnstile Secret Key
6. Choose widget theme (Light, Dark, or Auto)
7. Click Save Settings

---

Akismet Integration

WPZOOM Forms automatically integrates with Akismet if it’s installed and activated on your site. No additional configuration is needed in WPZOOM Forms.

How It Works:

1. Automatic Detection: The plugin checks if Akismet is available
2. Submission Analysis: Form data is sent to Akismet for analysis
3. Spam Filtering: Submissions identified as spam are blocked

Setting Up Akismet:

1. Install and activate the Akismet Anti-Spam plugin
2. Get your API key from Akismet.com
3. Enter the API key in Settings → Akismet Anti-Spam
4. Akismet will automatically work with WPZOOM Forms

Note: You can use Akismet for free for non-commercial websites. Simply choose the Personal plan and set the price to $0. If your website checks all the conditions for a free plan, proceed with setting up Akismet.

What Data is Checked:

• Sender name (comment_author)
• Email address (comment_author_email)
• Website URL (comment_author_url)
• Message content (comment_content)
• User IP address
• User agent
• Referrer URL

---

CleanTalk Integration

As of July 2025, CleanTalk has added direct integration support for WPZOOM Forms. This provides an additional layer of spam protection.

Setting Up CleanTalk:

1. Install and activate the CleanTalk Anti-Spam plugin
2. Register at CleanTalk.org to get your Access Key
3. Enter the Access Key in Settings → Anti-Spam by CleanTalk
4. Enable “Contact Forms” protection in CleanTalk settings
5. CleanTalk will automatically protect WPZOOM Forms

Benefits of CleanTalk:

• No CAPTCHA required for users
• Real-time spam database
• Email address validation
• Behavioral analysis
• Works alongside other protection methods

---

Best Practices

1. Layer Your Protection

Combine multiple methods for maximum effectiveness:

• Use reCAPTCHA/Turnstile for bot prevention
• Enable Akismet for content analysis
• Consider CleanTalk for additional filtering

2. Choose the Right CAPTCHA

• reCAPTCHA v2: Best for high-security needs
• reCAPTCHA v3: Best for user experience
• Turnstile: Best for privacy-conscious sites

3. Monitor and Adjust

• Regularly check spam submissions
• Adjust reCAPTCHA v3 scores if needed
• Update spam protection services regularly

4. Performance Optimization

The plugin loads protection scripts only when needed:

• CAPTCHA scripts load only on pages with forms
• Akismet checks run server-side
• No impact on pages without forms

5. Global vs. Per-Form Settings

Currently, spam protection is configured globally for all forms. Apply settings that work best for your most important forms.

---

Troubleshooting

reCAPTCHA Not Showing

Problem: The reCAPTCHA widget doesn’t appear on forms.

Solutions:

1. Verify that the Site Key and Secret Key are correct
2. Check that your domain is listed in reCAPTCHA settings
3. Clear browser cache and cookies
4. Check the browser console for JavaScript errors
5. Ensure no conflicts with other plugins

False Positives

Problem: Legitimate submissions marked as spam.

Solutions:

1. For reCAPTCHA v3: The score threshold is hardcoded at 0.5
2. Check Akismet settings and review its accuracy
3. Review CleanTalk sensitivity settings
4. Temporarily disable protection methods one by one to identify the cause

Forms Not Submitting

Problem: Forms fail to submit after protection is enabled.

Solutions:

1. Verify Secret Keys are entered correctly
2. Check server connectivity to Google/Cloudflare APIs
3. Ensure PHP file_get_contents() or cURL is enabled
4. Review server error logs
5. Test with protection temporarily disabled

Multiple Protection Methods Conflict

Problem: Using multiple protection methods causes issues.

Solutions:

1. Start with one method and test thoroughly
2. Add additional methods one at a time
3. Akismet and CAPTCHA methods work well together
4. Avoid using both reCAPTCHA and Turnstile simultaneously

---

Performance Considerations

Script Loading

• Protection scripts load conditionally
• Only loaded on pages containing forms
• Field-specific assets (like datepicker) load on-demand

Server-Side Processing

• Akismet checks add minimal server load
• CAPTCHA verification uses single API call
• Spam submissions are stored for review (not discarded)

Optimization Tips

1. Enable “Load plugin assets globally” only if using page builders
2. Use CDN for faster script delivery
3. Consider caching pages without forms
4. Monitor server response times after enabling protection

---

Security Notes

API Key Security

• Never expose Secret Keys in frontend code
• Store keys in WordPress database (encrypted)
• Use HTTPS for all form submissions
• Regularly rotate API keys if compromised

Data Privacy

• reCAPTCHA: Collects user behavior data
• Turnstile: Privacy-focused, minimal data collection
• Akismet: Sends form data to external servers
• CleanTalk: Maintains spam database

Consider privacy implications when choosing protection methods, especially for GDPR compliance.