Form spam protection, stopped at the door.
Form spam protection is the set of checks FormWire runs on every submission before it reaches you. A server-side honeypot is on by default. Layer on the provider you trust when you need more.
New submission: Contact form
Reply-To: [email protected] · hit reply, land with your visitor
Bring the provider you already trust.
The honeypot and rate limiting protect every form automatically. Captchas and domain rules are per-form toggles in the dashboard, no code changes beyond the widget's own snippet.
Honeypot
On by default.
hCaptcha
Free, privacy-first.
reCAPTCHA
v2 & v3.
Turnstile
Invisible, no puzzles.
Rate limits
Per key & per IP.
Domain rules
Allowlist your sites.
How form spam protection works.
Cheapest checks first, so bots are rejected before they cost you anything and real submissions pass through untouched.
-
Honeypot first
A hidden field bots fill and humans never see. Filled means filtered: stored as spam, never emailed, never counted against your quota.
-
Captcha when configured
If you've enabled a provider, its token is verified server-side before the submission is accepted.
-
Rate & domain rules
Per-key and per-IP throttles plus optional domain restriction cap abuse from non-browser clients.
New submission: Contact form
Reply-To: [email protected] · hit reply, land with your visitor
One hidden field, zero friction.
The default protection is a hidden field bots fill and humans never see. Add it once. FormWire checks it server-side on every submission, so it works everywhere, including localhost.
<form action="https://api.formwire.io/submit" method="POST">
<input type="hidden" name="access_key" value="YOUR-ACCESS-KEY">
<!-- Honeypot: hidden from humans, irresistible to bots -->
<input type="checkbox" name="fax_number" tabindex="-1"
autocomplete="off" style="display:none">
<input name="email" type="email" required>
<textarea name="message" required></textarea>
<button type="submit">Send</button>
</form> Keep the field visually hidden and out of the tab order. Real users never touch it; bots that fill it are filed as spam.
Pick a spam method by friction and threat.
Start with the honeypot. It's on by default and free. Add a second layer only when a form is actively targeted.
| Method | User friction | Best for | Setup |
|---|---|---|---|
| Honeypot | None (invisible) | Every form, the default first line | On by default |
| Cloudflare Turnstile | Near-zero (invisible) | Targeted forms, privacy-conscious sites | Toggle + widget |
| hCaptcha | Low (often single-click) | Targeted forms, free tier | Toggle + widget |
| reCAPTCHA | Low–medium | Teams already in Google's ecosystem | Toggle + widget |
| Rate limits + domain rules | None | Capping abuse from non-browser clients | Rate limits built in; domain rules per form |
You can combine methods. Every check runs server-side, so protection behaves the same in development and production.
Keep the spam out of your inbox.
Honeypot included on every plan, free tier included.