Forms on websites, such as contact, registration, reservation, and quote request forms, are indispensable components of digital interactions. However, these forms are highly susceptible to abuse by spam submissions, bots, and fake users. In particular, if spam submissions keep arriving even though reCAPTCHA is in place, more advanced measures are necessary.
In this article, we explain more than 10 advanced security techniques that can be applied against fake form submissions, on both PHP-based sites and WordPress-based systems, step by step with example code.
1. Google reCAPTCHA v2 / v3 Usage
- Using reCAPTCHA v2 ("I'm not a robot") or v3 (background risk analysis) reduces spam.
- However, advanced bots can pass reCAPTCHA v2. Therefore, it is not sufficient on its own.
PHP Example:
// Verify the token the reCAPTCHA widget placed in the form against Google's siteverify endpoint
$response = $_POST['g-recaptcha-response'] ?? '';
$remoteip = $_SERVER['REMOTE_ADDR'];
$secret = 'YOUR_SECRET_KEY';
$params = http_build_query(['secret' => $secret, 'response' => $response, 'remoteip' => $remoteip]); // URL-encodes each value
$verify = file_get_contents("https://www.google.com/recaptcha/api/siteverify?" . $params);
$captcha_success = json_decode($verify);
// A failed request and "success": false both mean the token did not verify; for v3 also compare ->score with your own threshold
if (!$captcha_success || empty($captcha_success->success)) die("Bot detection");
2. Honeypot Method
A field that real users never see (it is hidden with CSS) but that bots, which tend to fill every input, populate.
PHP:
// A real user never sees the field, so any value in it marks the submission as automated
if (!empty($_POST['honeypot'])) {
    die("Bot detection!");
}
HTML: add an input named honeypot to the form and hide it from real users with CSS; the check above rejects any submission that fills it.
Plugin for WordPress:
- WP Armour – Honeypot Anti Spam
3. Form Submission Time Control
Bots usually fill out a form within a fraction of a second. Submissions received less than 3 seconds after the form page was displayed can be rejected.
session_start();
// $_SESSION['form_start'] is set to time() when the form page is rendered; a missing value means the form page was never requested
if (!isset($_SESSION['form_start']) || time() - $_SESSION['form_start'] < 3) die("Sent too quickly, may be a bot");
4. IP and User-Agent Control
Block IPs that submit a large number of forms, and reject requests with an empty or obviously automated User-Agent. The User-Agent header is set by the client and is trivially spoofed, so treat it as a weak signal rather than a gate on its own.
$ua = $_SERVER['HTTP_USER_AGENT'] ?? ''; // the header may be absent entirely
if ($ua == '' || preg_match('/curl|bot|python/i', $ua)) die("Bot detection");
5. Smart Form Field Analysis
Bots usually fill in every field. A submission in which even the optional fields are filled, or in which a field contains meaningless data, may be spam.
- If no field is left blank > suspicious
- If random characters are entered in the name > suspicious
6. IP and Country Based Blocking
Block bots from certain countries with Cloudflare or GeoIP. This only makes sense when your legitimate users come from a known set of countries, since it also blocks real visitors elsewhere.
- PHP GeoIP
- For WordPress: iQ Block Country
7. Two-Factor Authentication (Form confirmation email)
After the form is submitted, an email with a confirmation link is sent to the address given; no action is taken unless the link is used. The link should carry an unguessable random token tied to that submission.
- Especially recommended for quote/reservation forms.
8. JavaScript Controlled Submit
Let the form be submitted only through JavaScript, for example by setting a marker field in the submit handler that the server then checks. Simple bots that POST the fields without running JavaScript fail this check; headless browsers that execute JavaScript do not, so it is one layer among several.
document.querySelector("form").addEventListener("submit", function(e) {
  // Mark the submission as coming from a JavaScript-capable browser; js_token is an example field name,
  // and the server must reject submissions where it is not set (this check cannot live on the client)
  this.querySelector("input[name=js_token]").value = "1";
});
9. In Addition to reCAPTCHA: Friendly CAPTCHA or hCAPTCHA
- Friendly CAPTCHA → more comfortable in terms of user experience
- hCAPTCHA → more visual testing, Google reCAPTCHA alternative
For WordPress: hCaptcha for WordPress plugin
10. Smart Logging + Manual Review
- Which IPs have submitted how many times and when?
- In which fields is the same data always entered?
- Keep track of these by keeping logs
$email = str_replace(["\r", "\n"], ' ', $_POST['email'] ?? ''); // strip newlines so a submission cannot forge extra log lines
$log = date("Y-m-d H:i:s") . " | " . $_SERVER['REMOTE_ADDR'] . " | " . $email . "\n";
file_put_contents(__DIR__ . "/../form_log.txt", $log, FILE_APPEND | LOCK_EX); // keep the log outside the web root
11. Spam Detection with Content Control (with Regex)
Block if certain patterns appear in the email, name or message fields:
$spam_pattern = '/(viagra|casino|win money|bit\.ly|https?:\/\/)/i'; // dot escaped; extend the list from your own spam logs
foreach (['email', 'name', 'message'] as $field) { // check every free-text field, not only the message
    if (preg_match($spam_pattern, $_POST[$field] ?? '')) {
        die("Spam content detected");
    }
}
12. Akismet Usage (WordPress Recommendation)
- Akismet is WordPress's spam filtering system.
- It is especially effective against comment + form spam.
- Works integrated with Gravity Forms, Contact Form 7.
13. Jetpack Anti-Spam (Premium)
- Provides IP-based data in addition to form field analysis
- Recommended for WordPress-based corporate sites
Additional Security Steps
- Publish all your forms over HTTPS
- Create a "Blacklist" for frequently received spam data (example emails, names)
- Show your forms only to logged-in users (like the WordPress comment form)
Conclusion: A Layered Approach is Essential for Form Security
reCAPTCHA alone is not enough to protect a web form. Especially in widespread systems like WordPress, bots can target forms by exploiting plugin vulnerabilities. Therefore, it is necessary to use methods such as honeypot, time control, content analysis, and IP restriction together.
Using at least 4-5 of the methods in this list together is recommended; such a setup can stop around 95% of spam without disrupting the user experience.
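As an added example that is not part of the original article, the following PHP function combines several of the layers above (honeypot, timing, JavaScript marker, User-Agent, content patterns) into one check that returns the reasons a submission looks automated, so the caller can reject, hold for manual review, or accept. The field names honeypot and js_token, the 3-second threshold and the reject/review/accept rule are assumptions, and the sample submission is constructed.

```php
<?php
// Added example, not from the original article: several of the layers above combined into one
// check. Field names (honeypot, js_token), the 3-second threshold and the verdict rule are assumptions.

function spam_indicators(array $post, array $server, ?int $form_started_at, int $now): array
{
    $reasons = [];

    // Layer 1: honeypot - a real browser never fills the CSS-hidden field
    if (!empty($post['honeypot'])) {
        $reasons[] = 'honeypot filled';
    }
    // Layer 2: timing - the page must have been rendered at least 3 seconds before submission
    if ($form_started_at === null || $now - $form_started_at < 3) {
        $reasons[] = 'submitted too fast';
    }
    // Layer 3: JavaScript marker - the submit handler sets js_token=1 in a real browser
    if (($post['js_token'] ?? '') !== '1') {
        $reasons[] = 'no javascript token';
    }
    // Layer 4: User-Agent - client-controlled and easy to spoof, so only a weak signal
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    if ($ua === '' || preg_match('/curl|bot|python/i', $ua)) {
        $reasons[] = 'suspicious user-agent';
    }
    // Layer 5: content patterns, checked on every free-text field
    $pattern = '/(viagra|casino|win money|bit\.ly|https?:\/\/)/i';
    foreach (['name', 'email', 'message'] as $field) {
        if (preg_match($pattern, $post[$field] ?? '')) {
            $reasons[] = "spam pattern in {$field}";
        }
    }
    return $reasons;
}

// Two or more independent indicators: reject; exactly one: keep for manual review; none: accept
function verdict(array $reasons): string
{
    return count($reasons) >= 2 ? 'reject' : (count($reasons) === 1 ? 'review' : 'accept');
}

// Constructed sample submission so the script runs stand-alone; use $_POST, $_SERVER and
// $_SESSION['form_start'] in production
$sample_post = ['name' => 'Alice', 'email' => 'alice@example.com', 'honeypot' => 'x',
                'js_token' => '', 'message' => 'Win money now: https://example.invalid/'];
$sample_server = ['HTTP_USER_AGENT' => 'python-requests/2.31'];
$reasons = spam_indicators($sample_post, $sample_server, time() - 1, time());
echo verdict($reasons) . ': ' . implode(', ', $reasons) . PHP_EOL;
```

Submissions with a single indicator are worth logging (section 10) rather than rejecting, since any one of these signals alone also misfires on some real users.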