Spam protection
Every check runs server-side on FormWire, so protection behaves the same in local development and production. Spam is stored in a separate dashboard tab — never emailed, never counted against your quota.
Honeypot (on by default)
Section titled “Honeypot (on by default)”FormWire checks every submission for a hidden honeypot field — no configuration needed. Humans never see it; bots fill it. Any submission that arrives with a value in it is filed as spam and never emailed, and the bot still receives a generic success response, so it learns nothing. The trap value is stripped from your stored submission data.
By default the field is named fax_number — plausible enough that a fill-everything bot takes the bait, but rare as a real field:
<input type="text" name="fax_number" tabindex="-1" autocomplete="off" aria-hidden="true" style="position:absolute;left:-9999px" value="">Pick your own name per form (dashboard → form settings → Honeypot Field Name) so it isn’t the same guessable token on every site. Keep it out of the tab order and hidden with inline CSS — some bots skip fields hidden only by an external stylesheet.
Captcha providers
Section titled “Captcha providers”Enable a provider per form in the dashboard, add its widget to your page, and FormWire verifies the token server-side before accepting the submission. A failed verification returns 403 Captcha verification failed.
| Provider | Token field the widget submits | Plan |
|---|---|---|
| hCaptcha | h-captcha-response | Free |
| reCAPTCHA | g-recaptcha-response | Pro |
| Cloudflare Turnstile | cf-turnstile-response | Pro |
Each provider’s own snippet adds the token field automatically — you only add their widget markup and toggle the provider on in the dashboard.
Rate limits and domain rules (Pro)
Section titled “Rate limits and domain rules (Pro)”- Rate limiting throttles abusive senders per key and per IP; excess requests receive
429. - Domain rules restrict which origins may submit to a form; other origins receive
403 Submissions are not allowed from this domain.
Which should I use?
Section titled “Which should I use?”| Method | Visitor friction | Best for |
|---|---|---|
| Honeypot | None (invisible) | Every form — the default first line |
| Turnstile | Near-zero (invisible) | Targeted forms, privacy-conscious sites |
| hCaptcha | Low (often single-click) | Targeted forms on the free tier |
| reCAPTCHA | Low–medium | Teams already in Google’s ecosystem |
| Rate limits + domain rules | None | Capping abuse from non-browser clients |
Start with the honeypot alone; add a captcha only when a specific form is being targeted. You can review everything that was flagged in the dashboard’s Spam tab and mark false positives as not-spam.