How to install a secure Elementor form on my website?

WordPress and Elementor

Building a WordPress site with a page builder is much easier. One alternative to the standard Gutenberg block builder is Elementor. You can download Elementor for free from the WordPress plugin library. With Elementor, you can easily build content without programming skills using drag-and-drop blocks. At the same time, you will see your page almost in the same form as it will be when it is published.

The basic version of Elementor does not include the Elementor's Form Builder. The form builder is a feature of Elementor Pro. The Elementor Pro has many more functionalities overall, therefore Elementor Pro is often installed on websites on top of the basic Elementor. One good reason to get Elementor Pro is precisely its easy-to-use element for building the forms. With this element, you can add, for example, a contact form to your site very quickly and easily. It is also easy to change the fields and layout of the form.

There is plenty of material to get started with Elementor on their support page: Elementor help.

Below I explain how to add the form to your page. There is also plenty of information on adding form functions and modifying the appearance of the form on the same Elementor support pages.

At the same time, it is important to consider the security of the form. Spam bots find your form very quickly after publishing, so it is worth protecting it from spamming by bots.

Installing an Elementor form

  1. Open the editable page with the "Edit with Elementor" option.
  2. The sidebar on the left side of the view contains elements that can be dropped onto the page. If you are using the Pro version, the "Pro" elements can be found right below the "Basic" elements. The easiest way is to write the word "form" in the top search tool.

    Elementor search for form

  3. Drag and drop the “Form” element on your page to “Drag widget here”. When dropped, the element transforms into a draft form.

    Elementor contact form draft

  4. You can select more fields and change the current fields in the "Form Fields" section of the left sidebar. Add a field by pressing “+ Add item”.

    Elementor draft form fields

  5. Be sure to protect your form. More on this below.

You can see more examples of form editing in the video: How to Use Elementor's Form Builder.

Standard protection methods of the Elementor form

You can protect the form in Elementor Pro with the standard security measures found in Pro.

    1. In the "Form Fields" section, click "+ Add item". After that, select "Honeypot" from the drop-down menu.

      Elementor form add field

    2. The field becomes invisible on the form itself. Remember to save the page by pressing "Update" at the bottom of the page. Nothing else is required.

A honeypot is usually a moderately good protection method. However, the bot test tool on this website was tested and it sent easily mail through a honeypot-protected Elementor Pro form. The standard security measures of the Elementor Pro form also include Google's Captcha. Installing Google Captcha is not covered in this article, as it requires registration with Google. Google also has its own requirements for the use of Captcha and in some cases separate sensitivity settings.

Protecting your Elementor form more efficiently with a plugin

The easiest and most effective way to protect your Elementor Pro form from bots is to use the Bot Spam Block plugin. The plugin has been specially developed to block spam sent by bots. The only setting for the plugin is the license key. Otherwise, the plugin is lightweight and works both efficiently and automatically without unnecessary settings. It also does not create additional frustration to the actual user of the form, because the user does not have to solve additional tasks or riddles.

Elementor and dxw3 now offer a bundle where the buyer of Elementor Pro gets dxw3 Bot Spam Block plugin for free.

This requires that you 1) order the Elementor Pro plugin by clicking the image below.

2) Request after this 100% coupon code either by email or by using the contact form.

And 3) come back here to shop and redeem the plugin with the coupon code.

How to install a Contact Form 7 form on my WordPress site?

Follow these instructions to install the Contact Form 7 form on your web page

  1. Open the WordPress admin view under Plugins – Installed Plugins. Click "Add new".
  2. Enter "Contact Form 7" in the search box in the upper right corner and click Contact Form 7 - "Install now". After that, click on the same button "Activate".
  3. After that, click on "Contact" in the admin menu. You can see only one form at this time. The form usually works with its default settings, but you can edit the settings by clicking on the name of the contact form. By default, form submissions arrive in the site administrator's email box. You can also see the default fields of the form by clicking on the name of the form "Contact form 1".
  4. Click on the code in square brackets "Shortcode". Copy the code including square brackets to the clipboard, e.g. Ctrl+C/Command-C.
  5. After this, the shortcode must be placed in the desired place where the form is to be placed. If you want to place the form on a specific page, click "Pages" in the admin menu.
  6. Next, either add a new page or click on the title of an existing page. In page editing mode, click the plus sign in the upper left corner to add a block. Type "short" in the search box.
  7. Drag the block to the desired position on the page. Set the code copied to your clipboard as the value of the block. After that, save the page from the upper right corner "Update".

Everything is ready. Your contact form will now send you contact requests entered via your form on your site. Your site's e-mail must of course be set up correctly. Try out your form and if you do not receive the message entered through the form to your admin email, there may be a problem with the email settings. In this case, you should test the emailing by trying to reset your own password. If you do not receive a message for resetting the password, your email settings need to be fixed. However, if you can receive a password reset message, there likely is a problem with your form.

Important spam settings

When your form is set up correctly, you will receive the test messages in your email. Consecutively, however, it won't be long before spam bots find your form. You should immediately block the reception of spam mail with additional settings. Contact Form 7 can connect Google's CAPTCHA/reCAPTCHA, the purpose of which is to prevent spam. However, CAPTCHA can be tricky to set. Furthermore, it may add extra tasks for your visitors before they can submit their messages. In addition, the new CAPTCHA requires some admin settings, and after all the trouble, you may block some genuine submissions or allow bots to submit the form.

The easiest way to stop the bot spam is to set up on your site the Bot Spam Block plugin. The plugin works automatically after activation. You only have to set the license code for the plugin. Your visitors won't notice the plugin as it works in the background. In addition, they won't have to complete extra image tasks or solve math equations. Yet the plugin prevents bot spam from being sent via your form.

How to prevent form bot spam?

The amount of traffic from malicious bots compared to all traffic on the internet has grown significantly in recent years. According to statistics, in 2016 the amount of traffic was still less than 20%, but in 2022 it had already grown to more than 30% (Statista). Because of this, the amount of spam sent via website forms is also increasing. Protect your forms before this becomes a problem.


Harm caused by spam

Your website's form spam is detrimental in many ways.

  • you have to sift through a large number of messages to find the genuine ones and all of your response times slow down
  • your site's performance slows down, which leads to both lower search engine visibility and you may have to upgrade your server to a more efficient one
  • bots may sign up for your email marketing list, leading to unnecessary emailing in your campaigns
  • you may receive malicious links, become a victim of phishing, or your site may be hijacked
  • if you analyze visitor data e.g. for commercial purposes, your data is no longer correct

The longer the problem is allowed to continue, the bigger the problems and risks become.

Bot spam and spam sent by humans

Most spam can be prevented. Spam is generally divided in junk mail sent by humans or bots.

Spam sent by people is initiated by either individual actors or commercial companies of several actors whose task is to send a specific message via forms. The behavior between genuine customers and spammers is similar. Therefore, separating these groups from each other is challenging. This guide focuses on malicious bot spam, but there is also a brief advice below on how to prevent human spam on your WordPress site.

Spam sent by bots practically means a computer program that has been developed for the purpose. A well-designed bot can send an incredible amount of messages. The bot can open links and fill in forms automatically. If there is no blocking on the form, this is very easy. Bots have evolved significantly recently, and a large part of bot spam prevention methods can be bypassed today. Therefore, when designing websites, it is necessary to take into account that it is possible to automatically send a lot of spam via an unprotected form placed on the site.

Spam sent by people is almost impossible to completely prevent. Spam from malicious bots, on the other hand, can be prevented using techniques that the bot does not yet recognize. However, this is a constant race between spammers and spam block developers.

Goals of the bots

The reassuring thing about this race is that the aim of most malicious bots is merely to market a specific message. This may be a commercial advertisement or other information, which is spread to be visible in as many places as possible. Your site will probably be able to continue operating. It's just being abused to spread this message.

A smaller number of bots aim to damage your site or fish for data. However, there are some bots whose purpose is to harm your site and hinder your business. These bots may place so much load on your site that your site can no longer handle it and the whole site crashes. Another group of malicious bots, on the other hand, may try to find weaknesses in your site and possibly fish for various types of information that can be used in criminal activities.

Frequently used ways to prevent form spam

It is possible to try some easy-to-install ways to prevent harmful bot spam. The customer's user experience is very important in your choices. Due to the shortsightedness of the customers and the user experience aspects, it is not recommended to install extra tasks on the site for the customer to solve. Your website's forms should always work quickly and easily for customers. The same form, on the other hand, should be very difficult for a bot to use. Some commonly used spam blocking methods are mentioned below.


Ghosting is a very effective and so far less frequently used method to block spam. dxw3 Bot Spam Block - plugin uses this method. In ghosting, the elements of the form on the website are ghosted, i.e. they practically disappear. Since bots can't find elements, they can't send spam. However, the form is normally visible to the actual user. The advantage of this method is its ease of use. Once the protection is turned on, no other settings are required. On the website, the visitor does not have to solve additional tasks or press buttons, but the visitor uses the form normally.


Honeypot is currently one of the most popular and effective means of protection against form-sent spam. As the name suggests, the idea of ​​the honeypot is based on its ability to lure a bot into a trap. At its simplest, the form's programming code includes a field to be filled in, which is visually hidden from the customer. The bot reads the code, but the customer sees the form visually. So the customer doesn't fill in anything in the field, but the bot thinks it needs to be filled out. If there is information in the field, the submission of the form will be rejected. Honeypot with its different versions is still a reasonably good way to prevent spam. However, it has become more and more vulnerable because nowadays bots read the code (CSS/JavaScript) used to hide it and know how to react accordingly.

Speed ​​limit

Another promising way to stop bot form submission is to use rate limiting. The power of the bot is based on its speed. The bot tries to submit forms very quickly and efficiently. However, if sending the form or filling in the fields too quickly, is blocked, the bot's form submission can be blocked. The problem with this method might be the browser's "autofill" function, the purpose of which is to improve user-friendliness. Due to the autofill function, filling out the form is very fast. However, if you know how to set the right time limits, user-friendliness can be maintained and still prevent bots from sending.

IP address blocking

A certain type of bot traffic can be blocked based on IP addresses. It is possible to save harmful IP addresses or to prevent fast and repeated form submissions from the same address. However, malicious IP addresses must be recorded and retrieved so that they can be compared. Often the first spam submission is successful anyway and the next one can come from somewhere else. However, this method prevents a large amount of spam, depending on the implementation applied.

Cookie-based blocking

Some sites use cookies that store session data on the user's computer. If something is not set on the site on a page other than the form page itself, the form submission will be rejected. However, since bots nowadays easily read cookies and use JavaScript, this method does not always prevent bots. When implemented correctly, it can be effective and forms protected by dxw3 used in the past cookies to prevent form submissions.

Validation of fields

It is worth validating the fields of the forms, i.e. checking that the entered information is in the right format. However, this hardly blocks the operation of the bots very much, because the bots know how to insert the information correctly.


In the past, Google's CAPTCHA was a very popular anti-spam method. However, this method is disappearing, as it weakens user-friendliness a lot. Adding various quizzes before submitting the form is harmful.


reCAPTCHA is a more user-friendly blocker than CAPTCHA. Many sites use reCAPTCHA. The algorithm behind it tries to determine whether the site visitor is a bot or a human. Although reCAPTCHA is more user-friendly, it still adds an extra step for the customer before the form can be submitted. In addition, the bot may pass this blocker and its effective use requires a little more work from the site administrator.

Changing the original URLs and file names

An effective way to prevent some bot spam is to change WordPress standard URLs and some file names. In this case, finding the form itself is made somewhat more difficult.


Mainly the bigger software companies offer comprehensive anti-spam services. However, the problem with these systems is both their price and their vulnerability against the so-called 0-attacks. These services rely on complex algorithms to determine what is spam. However, the algorithms are often unable to recognize new types of spam, allowing it to get through. Some genuine mail may also be filtered out.

Additional questions

One way to prevent bots from working has traditionally been to ask various simple questions. The form might ask, for example, how much is 1+3. Or it might have some easy verbal questions. However, it is challenging to set these methods in such a way that they are completely user-friendly and effective. The calculation task can be solved by the bot and the verbal task may be difficult for the human user.

Email verification

Blocking of e-mail addresses or domain names can be used especially in the validation of the registration form. Known malicious domains are not accepted. Harmful e-mail addresses can be blocked if the registration has to be confirmed with a link sent to the e-mail. This method should not be used widely, as it weakens the user experience.

JavaScript protection

You can use JavaScript to block various functions on your form. Or you can change the behavior of functions over time. These are effective means of protection. If implemented correctly, JavaScript can block most malicious bots. In practice, certain elements related to the correct function of the form can be made usable later. For example, first the human form-filler performs certain non-suspicious action on his computer by using the keyboard or mouse. Consecutively, the condition that was dynamically removed from the bots, is made usable. Another way is to enable the use of the form certain time later by scheduling the form functions. Many bots fill out the form very quickly, so by scheduling you can block the submissions of several bots. There are problems with JavaScript-based technologies. For example, some bots know how to execute JavaScript and solve these obstacles. Another problem can be users who have disabled their browsers from running JavaScript. In this case, the technology may block bots and at the same time some of the real users as well. Ghosting does not have these problems and is the best way to stop form bot spam.

Try out the capability of your form to block spam sent by the bots on this website with the bot spam tester.

Blocking human spam

Blocking spam sent by humans is partially possible, for example with the Akismet plugin . Often, to prevent spam sent by humans, you have to use a comprehensive library of words or IP addresses to be blocked. Blocking is therefore not as effective, but if this kind of spam is a problem, you should use one of the many WordPress plugins developed for this purpose.

WordPress Contact Form 7 and WPForms spam blocking

Almost without exception, WordPress homepages have a page that also has a contact form. Contact form 7 and WPForms are the most common add-ons for WordPress websites designed to implement a contact form. The CF7 plugin doesn't have any anti-spam by default, so sending spam is very easy. However, Google's reCAPTCHA can be connected to CF7. WPForms, on the other hand, now offers its own token-based protection by default, as well as numerous third-party plugins. Token-based protection is relatively easy for bots to circumvent, and for example, this site's simple spam tester is able to send messages through a form protected in this way.

It is therefore worth testing the protection of your form with dxw3's bot spam online tester.

dxw3's form-based blocking was previously partially based on cookies. This can be a very effective and invisible way to prevent spam. Honeypot was also used at the time. Today, blocking is based on ghosting. If the above methods do not help, or otherwise you want an easy and effective blocker, you should get and install it on a WordPress site dxw3 Spam Block plugin. This add-on does not require settings, but works automatically after activation. However, if you use some method to optimize the CSS code, read the related notice general installation instructions.