If you run a WordPress site with a contact form, you already know the problem. You want to stop contact form spam without making real visitors jump through hoops to reach you. The two usual answers are Google reCAPTCHA and a honeypot field, and a third option, the WP Armor plugin, sits quietly off to the side doing the actual work.
I have spent real time fighting this on client sites. I had a couple of customers who kept getting spam even with Google reCAPTCHA installed and dialed up to its strictest setting. I added a honeypot option to a Divi contact form too. Neither one fully stopped it. So I went looking, and what I found changed my default setup.
This is a comparison of three approaches to the same problem: Google reCAPTCHA, the plain honeypot technique, and the WP Armor honeypot plugin. I will judge them on effectiveness against bots, friction for real users, privacy, cost, and how much setup each one needs. I will tell you what I run now and exactly who should run something different.
The Quick Verdict, Side By Side
Here is the short version before I take each option apart. Skim this, then read the section that matters to you.
| | Google reCAPTCHA | Plain Honeypot Field | WP Armor Plugin |
|---|---|---|---|
| Blocks bots | Weakening over time | Decent, fragile | ~98% of bot spam |
| Visible to users | Sometimes (challenges) | No | No |
| Friction for real visitors | Medium | None | None |
| Privacy / GDPR | Sends data to Google | Fully local | No external calls, GDPR compliant |
| Setup effort | API keys + config | Manual code per form | Activate and done |
| Cost | Free to 10,000/mo, then paid | Free | Free, paid tier optional |
| Works with Divi form | Yes | Manual | Yes, automatic |
The pattern is already visible. reCAPTCHA is the heaviest and the most compromised. The plain honeypot is the lightest but the most fragile. WP Armor lands where I want to be: invisible to users, no setup, and genuinely effective.
Google reCAPTCHA: The Default That Spammers Caught Up To
Google reCAPTCHA is the option most people reach for first, because it is free and it is Google. The modern version, reCAPTCHA v3, runs in the background and scores each visitor instead of showing a checkbox or a grid of traffic lights. In theory it filters bots without bothering humans.
Here is the thing. The bots caught up. WP Armor's own documentation puts it bluntly: spam bots are now able to solve the captcha puzzle, so reCAPTCHA is no longer effective as a standalone anti spam checker (WordPress.org plugin page). That matches exactly what I saw. My clients had reCAPTCHA on, set strict, and spam still landed in their inboxes.
So if your plan to stop contact form spam rests entirely on reCAPTCHA, you are building on ground that is shifting under you. reCAPTCHA also carries baggage that has nothing to do with bots. According to Friendly Captcha's analysis, using the v3 score as a hard block produces a high false positive rate, which means it quietly turns away real people. It is also not fully accessible, and risky-looking visitors get pushed into image challenges anyway.
Then there is privacy. reCAPTCHA collects a range of personal data in the background, including the visitor's IP address and detailed interaction signals, often without the user noticing (captcha.eu GDPR analysis). If you care about the privacy compliance picture for small business sites, that is a real consideration, not a footnote.
Cost used to be a non-issue. It is not anymore. According to Fresh Move Media, the free tier dropped to 10,000 assessments per month, down from the 1 million Google used to give away. Past that, the next tier runs an 8 dollar flat fee up to 100,000 assessments, then 1 dollar per 1,000 after that. For a busy site that is a new line item where there used to be none.
The Plain Honeypot Field: Elegant, Free, And Fragile
The honeypot technique is the cleverest idea in spam prevention and the one I wish worked better on its own. You add a hidden form field that real people never see, usually tucked away with CSS or injected by JavaScript. A simple bot parses the raw HTML, sees an input, and dutifully fills it in. If that field comes back filled, you know it was a bot and you reject the submission (Thryv's explainer).
The appeal is obvious. It is invisible, it is frictionless, and it needs no external service. No data leaves your server, so there is no privacy question to answer. For a developer who wants a lightweight defense, it is the right instinct.
The problem is fragility. According to WP Mail SMTP, browser autofill can drop a value into the hidden field by accident, which flags a real person as a bot and silently eats their message. The same writeup notes that a plain honeypot fails outright if there is any JavaScript error on the page. And the more sophisticated bots have learned to spot and skip honeypot fields entirely.
I added a honeypot option to a Divi contact form expecting it to be the fix. It helped a little. It did not stop the spam. A hand-rolled honeypot is a fine first layer, but on its own it is too brittle to trust with a form your business actually depends on.
WP Armor: The Honeypot Done Right
WP Armor is where my search ended. If your goal is to stop contact form spam without adding friction, this is the one plugin I now install first. It is a honeypot plugin, but it implements the technique in a smarter way than the hand-rolled version, and it does it across nearly every form builder at once. After I installed it, the complaints from my clients stopped. That is the whole review in one sentence, but the details are worth your time.
The technical trick is the part I respect. According to the plugin's WordPress.org page, WP Armor inserts its honeypot field from the client side with JavaScript and then checks whether the field exists, rather than the usual server-side approach of checking whether a static field got filled. Spam bots cannot run JavaScript, so the field is never there for them to deal with correctly. On top of that, each WordPress install generates a unique honeypot field name, so bots cannot build one universal bypass.
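To make the difference concrete, here is an added example (not WP Armor's code and not from the plugin's documentation) that runs the hand-rolled "hidden field must be empty" check from the plain honeypot section next to a "script-injected field must be present" check over four constructed submissions. The function names, the `website` trap field, the HMAC-derived field name and the sample data are all assumptions made for illustration.

```javascript
const { createHmac } = require('node:crypto');

// Hypothetical per-install field name: HMAC of a fixed label under a site
// secret, so no two installs share a honeypot name a bot could hard-code.
function honeypotName(siteSecret) {
  const tag = createHmac('sha256', siteSecret).update('honeypot-field').digest('hex');
  return 'hp_' + tag.slice(0, 12);
}

// Hand-rolled check: a static hidden input named "website" must come back empty.
function staticFieldCheck(fields) {
  return (fields.website || '') === '' ? 'accept' : 'reject';
}

// Presence check: the field is added only by the page's JavaScript, so a
// submission without it came from a client that never ran that script.
function injectedFieldCheck(fields, siteSecret) {
  const name = honeypotName(siteSecret);
  return Object.prototype.hasOwnProperty.call(fields, name) ? 'accept' : 'reject';
}

// Constructed sample submissions, keyed by the kind of client that sent them.
function sampleSubmissions(siteSecret) {
  const hp = honeypotName(siteSecret);
  const base = { name: 'Pat', message: 'Quote request' };
  return {
    browser:     { ...base, website: '', [hp]: '1' },                    // real visitor
    autofilled:  { ...base, website: 'https://pat.example', [hp]: '1' }, // autofill hit the trap
    fillAllBot:  { ...base, website: 'http://spam.example' },            // fills every input
    skipTrapBot: { ...base, website: '' },                               // leaves hidden inputs blank
  };
}

// Run both checks over every sample and return the verdicts side by side.
function compareChecks(siteSecret) {
  const out = {};
  for (const [client, fields] of Object.entries(sampleSubmissions(siteSecret))) {
    out[client] = {
      static: staticFieldCheck(fields),
      injected: injectedFieldCheck(fields, siteSecret),
    };
  }
  return out;
}

console.log(compareChecks('constructed-secret-for-install-A'));
```

The static check rejects the autofilled real visitor and accepts the bot that leaves hidden inputs blank; the presence check gets both of those cases right because neither bot ever ran the script that adds the field.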
Coverage is the other reason I rely on it. The free version automatically protects the Divi Theme contact form, Contact Form 7, Gravity Forms, WPForms, Elementor, Fluent Forms, Formidable, plus WordPress comments, registration, and login (WordPress.org plugin page). You activate it once and every supported form on the site is covered. There are no API keys and no per-form code to maintain.
On effectiveness, the plugin's documentation says the honeypot trap removes around 98 percent of spam, since the only thing it cannot catch is a human manually typing spam by hand. It is also GDPR compliant with no tracking, no cookies, and no external server calls, which is the exact opposite of the reCAPTCHA privacy tradeoff.
The track record backs it up. As of the current version 2.3.04, WP Armor has more than 300,000 active installations and a 5 star rating across more than 1,300 reviews on WordPress.org. You do not get numbers like that on a plugin that quietly breaks forms.
Ernie's note on the statistics: one of the things I genuinely like is that even the free version shows you spam-blocked counts, so you can watch it working instead of just trusting it. If you want spam submission logs and automatic IP blocking after repeated attempts, those live in the paid Extended version. For most of my clients the free version covers everything they need.
My Pick: WP Armor And reCAPTCHA, Working Together
If you want one clear answer for how to stop contact form spam on a WordPress site, here it is. My default now is WP Armor and Google reCAPTCHA running side by side. WP Armor does the heavy lifting against bots, and reCAPTCHA adds a second scoring layer for the edge cases. The two cover different failure modes, so together they close the gap that either one leaves open alone.
WP Armor catches the automated bot traffic, which is the overwhelming majority of spam, without any friction for real visitors. reCAPTCHA, even in its weakened state, still adds a behavioral signal on the submissions that slip through. I would not run reCAPTCHA by itself anymore. As a backup behind a strong honeypot, it still earns its keep.
This is the setup I now use by default on the sites I manage, and the customer complaints about spam have stopped. If you only install one thing, install WP Armor. If you want belt and suspenders, keep reCAPTCHA behind it. If you are weighing other site-management tools while you are in there, my WP Remote review and my roundup of free browser-based tools for site owners are worth a look.
When I Would Not Reach For WP Armor First
No tool is right for every situation, so here is where I would point you elsewhere.
If your spam is coming from real humans, not bots, a honeypot will not help. The WP Armor documentation is honest that the trap is for bots only and manual submissions get through. In that case you need moderation, comment approval, or in the worst cases a blocklist, not a honeypot.
If you are running a high-volume WooCommerce store getting hit with fake card-testing orders at checkout, the free version will not cover you. That protection lives in the paid Extended version, so budget for the license rather than expecting the free tier to handle it.
And if you are on a hosted platform that does not let you install plugins, none of this applies. You will be stuck with whatever spam tooling the platform ships, which usually means some flavor of reCAPTCHA whether you like it or not.
Frequently Asked Questions
Does WP Armor work with Divi contact forms?
Yes. WP Armor adds automatic honeypot protection for the Divi Theme contact form in the free version, along with Contact Form 7, Gravity Forms, WPForms, Elementor, and over a dozen other form builders. You activate the plugin and the Divi form is covered with no extra setup.
Will I still get any spam with WP Armor installed?
The plugin's own documentation says honeypot traps block bot submissions, so you get rid of around 98 percent of spam. The remaining slice is manual spam typed by a human, which no bot trap can stop. That is exactly why I keep Google reCAPTCHA running alongside it.
Is the free version of WP Armor enough, or do I need the Extended version?
For most small business sites the free version is enough. The paid Extended version adds spam logging, IP blocking after repeated attempts, and WooCommerce checkout protection. If you want to see what the bots were trying to submit or block repeat-offender IPs, the Extended version is worth it.
Can spam bots really get past Google reCAPTCHA now?
Yes. WP Armor's own FAQ states that spam bots are now able to solve the captcha puzzle, so reCAPTCHA alone is no longer a reliable filter. That matches what I saw on my own client sites, where reCAPTCHA was set to its strictest level and spam still came through.
The Bottom Line
reCAPTCHA alone stopped being enough the moment bots learned to solve it, and a hand-rolled honeypot is too fragile to trust by itself. WP Armor takes the honeypot idea and implements it well enough to block the vast majority of bot spam with zero friction and zero privacy tradeoff. Run it as your front line, keep reCAPTCHA behind it if you want a second layer, and the spam complaints stop. That is the setup I trust on the sites I manage, and I have no reason to change it.
Sources
- WP Armor - Honeypot Anti Spam, WordPress.org plugin page
- Friendly Captcha: reCAPTCHA v2 vs v3 effectiveness analysis
- captcha.eu: Google reCAPTCHA GDPR compliance analysis
- Fresh Move Media: Google reCAPTCHA v3 pricing update for 2025
- Thryv: How the honeypot technique works for form spam protection
- WP Mail SMTP: When the anti-spam honeypot does not work



