Skip to content

Spam protection

Every check runs server-side on FormWire, so protection behaves the same in local development and production. Spam is stored in a separate dashboard tab — never emailed, never counted against your quota.

FormWire checks every submission for a hidden honeypot field — no configuration needed. Humans never see it; bots fill it. Any submission that arrives with a value in it is filed as spam and never emailed, and the bot still receives a generic success response, so it learns nothing. The trap value is stripped from your stored submission data.

By default the field is named fax_number — plausible enough that a fill-everything bot takes the bait, but rare as a real field:

<input type="text" name="fax_number" tabindex="-1" autocomplete="off"
aria-hidden="true" style="position:absolute;left:-9999px" value="">

Pick your own name per form (dashboard → form settings → Honeypot Field Name) so it isn’t the same guessable token on every site. Keep it out of the tab order and hidden with inline CSS — some bots skip fields hidden only by an external stylesheet.

Enable a provider per form in the dashboard, add its widget to your page, and FormWire verifies the token server-side before accepting the submission. A failed verification returns 403 Captcha verification failed.

ProviderToken field the widget submitsPlan
hCaptchah-captcha-responseFree
reCAPTCHAg-recaptcha-responsePro
Cloudflare Turnstilecf-turnstile-responsePro

Each provider’s own snippet adds the token field automatically — you only add their widget markup and toggle the provider on in the dashboard.

  • Rate limiting throttles abusive senders per key and per IP; excess requests receive 429.
  • Domain rules restrict which origins may submit to a form; other origins receive 403 Submissions are not allowed from this domain.
MethodVisitor frictionBest for
HoneypotNone (invisible)Every form — the default first line
TurnstileNear-zero (invisible)Targeted forms, privacy-conscious sites
hCaptchaLow (often single-click)Targeted forms on the free tier
reCAPTCHALow–mediumTeams already in Google’s ecosystem
Rate limits + domain rulesNoneCapping abuse from non-browser clients

Start with the honeypot alone; add a captcha only when a specific form is being targeted. You can review everything that was flagged in the dashboard’s Spam tab and mark false positives as not-spam.