Spam protection

Form spam protection, stopped at the door.

Form spam protection is the set of checks FormWire runs on every submission before it reaches you. A server-side honeypot is on by default. Layer on the provider you trust when you need more.

F

FormWire <[email protected]>

to you · just now

Delivered

New submission: Contact form

Name Ada Lovelace
Message Hi! Love the site. Do you take on freelance projects this quarter?

Reply-To: [email protected] · hit reply, land with your visitor

Supported methods

Bring the provider you already trust.

The honeypot and rate limiting protect every form automatically. Captchas and domain rules are per-form toggles in the dashboard, no code changes beyond the widget's own snippet.

Honeypot

On by default.

hCaptcha

Free, privacy-first.

reCAPTCHA

v2 & v3.

Turnstile

Invisible, no puzzles.

Rate limits

Per key & per IP.

Domain rules

Allowlist your sites.

How it works

How form spam protection works.

Cheapest checks first, so bots are rejected before they cost you anything and real submissions pass through untouched.

  • Honeypot first

    A hidden field bots fill and humans never see. Filled means filtered: stored as spam, never emailed, never counted against your quota.

  • Captcha when configured

    If you've enabled a provider, its token is verified server-side before the submission is accepted.

  • Rate & domain rules

    Per-key and per-IP throttles plus optional domain restriction cap abuse from non-browser clients.

F

FormWire <[email protected]>

to you · just now

Delivered

New submission: Contact form

Name Ada Lovelace
Message Hi! Love the site. Do you take on freelance projects this quarter?

Reply-To: [email protected] · hit reply, land with your visitor

The honeypot

One hidden field, zero friction.

The default protection is a hidden field bots fill and humans never see. Add it once. FormWire checks it server-side on every submission, so it works everywhere, including localhost.

<form action="https://api.formwire.io/submit" method="POST">
  <input type="hidden" name="access_key" value="YOUR-ACCESS-KEY">

  <!-- Honeypot: hidden from humans, irresistible to bots -->
  <input type="checkbox" name="fax_number" tabindex="-1"
         autocomplete="off" style="display:none">

  <input name="email" type="email" required>
  <textarea name="message" required></textarea>
  <button type="submit">Send</button>
</form>

Keep the field visually hidden and out of the tab order. Real users never touch it; bots that fill it are filed as spam.

Which method should I use?

Pick a spam method by friction and threat.

Start with the honeypot. It's on by default and free. Add a second layer only when a form is actively targeted.

MethodUser frictionBest forSetup
HoneypotNone (invisible)Every form, the default first lineOn by default
Cloudflare TurnstileNear-zero (invisible)Targeted forms, privacy-conscious sitesToggle + widget
hCaptchaLow (often single-click)Targeted forms, free tierToggle + widget
reCAPTCHALow–mediumTeams already in Google's ecosystemToggle + widget
Rate limits + domain rulesNoneCapping abuse from non-browser clientsRate limits built in; domain rules per form

You can combine methods. Every check runs server-side, so protection behaves the same in development and production.

Spam protection FAQ

Want the full feature list?

All features
Ready in a minute

Keep the spam out of your inbox.

Honeypot included on every plan, free tier included.