Is your WordPress site receiving a lot of spam? Want to ensure your business contact forms are secure? There are a few measures that you can put in place on a WordPress site to minimise the amount of spam you get. Learn more about Google’s newest and most up to date reCAPTCHA systems, the honey pot, and how to increase your WordPress email security.

Steps To Maximise WordPress Email Security

In this article, we will discuss the best ways to ensure that any element of your WordPress site related to your email is secure and protected. We will be talking about reCAPTCHA, a captcha system that establishes that the user is a human; this is done in a number of ways spanning multiple versions. The reCAPTCHA is a free system developed by Google designed to protect websites through the use of reCAPTCHA challenges. The honey pot is another system that tries to filter out emails generated by robots while also updating your website IPS to identify how they can detect and stop repeated spam offenders.

Including a range of these systems, updates, and checks, will help to reduce spam emails coming through to the business email address you have set up on your website. Because most spam comes from robotic sources, you will need to ensure that systems target robot spam and protects your website security. Some methods for WordPress email security include the following:

  • The Honey Pot
  • Extra Email Details
  • Implementing Security Steps

Email Spamming


reCAPTCHA is a free service that will detect if the user trying to submit a form through a web page is a human or a robot. This distinction tries to eliminate some of the spam emails that come through from automated sources. The automated sources, or robots, will automatically fill in the form and attempt to submit it; this is were reCAPTCHA is beneficial. Having reCAPTCHA as one of the inputs required on any form means that the automated sources will have to fill it in if the form is to be submitted. reCAPTCHA is designed predominantly to increase security, so includes client-facing aspects which come in a few different forms.

There are three main types of reCAPTCHA; reCAPTCHA v1, reCAPTCHA v2, and reCAPTCHA v3. The reCAPTCHA v1 was the first form of the reCAPTCHA system but has been deprecated and since March 2018, is no longer supported. However, the remaining reCAPTCHA systems provide you with security over emailing systems. To help you understand the different forms of reCAPTCHA and their uses, here are some explanations:

I Am Not A Robot


reCAPTCHA v2 consists of three options for how it runs. Firstly Android reCAPTCHA, which is part of the Google Play Service and provides security for Android phones on a base level and API that integrates into any app that connects to the GoogleApiClient. If this API thinks that you are human, then it will pass the user through, or it will ask you to validate you are human.

The second type of reCAPTCHA v2 is the Invisible reCAPTCHA badge. This method of reCAPTCHA does not require the user to interact with any additional reCAPTCHA challenges, but rather works of a Javascript API when the user clicks the submit button on the form. If the user is deemed to be “suspicious traffic”, then they will be prompted with a captcha to solve. Using this type of reCAPTCHA often comes with the option to have a certificate of sorts on the site.

The third type of reCAPTCHA v2 is the ‘I’m not a robot check’; this method of reCAPTCHA consists of a reCAPTCHA checkbox that requires the user to check it before submitting, reassuring that they are ‘not a robot’. This user input will then be used to dictate whether the user is human or not. If the reCAPTCHA system interprets the user as a robot, it will present the user with a challenge to validate their human status, whereas humans will be passed through immediately with no challenge. This method of integration is the simplest as it only requires two lines of HTML to render the checkbox. What the user will see on their HTML website is displayed below.



The final reCAPTCHA type is reCAPTCHA v3, which is the latest version of the Google reCAPTCHA system. Due to it being the most up to date reCAPTCHA, means that it provides the best usability and features; its main usability upgrade is the complete lack of any UI interface, challenges or test, for the user to interact with. Instead, reCAPTCHA v3 gives users a score dependent on how ‘risky’ they are as traffic; with this new information you are able to selectively add safety precautions when needed, such as requiring email verification for risky logins or “sending a spammy post to moderation” for example.

For reCAPTCHA v3 to function at its best, it is recommended that it be implemented into the site at key points, such as on a contact form, login or any point on the site that a user can enter information. reCAPTCHA v3 will watch how the user acts on the page; this could be the manner in which they scroll down or how they click through the site. If these acts are done at lightning-fast speed, and they are able to click pinpoints accuracy, then the v3 of reCAPTCHA might predict that the user is a robot. This information would then pass through to the website in a similar way to the reCAPTCHA V2, but instead of the user having to request a form of evaluating the site would already know.

Typing On Laptop

The reCAPTCHA System Gud Ideas Uses

The version of reCAPTCHA used within Gud Ideas websites focuses on the ‘Really Simple CAPTCHA’, an extension for utilisation along side contact form 7. This plugin runs on reCAPTCHA v2 with a customisable challenge/user test. The default challenge, and the one we use to make our WordPress emails more secure, include two elements; the image that is not able to be read by robots for text, and a text input field that will check the users input and match it to the letters displayed in the image.

Utilising this system on a WordPress email contact form will mean that there should be a significant drop in the number of spam emails that will be received due to the reduced number of spam emails sent by non-legitimate users. This form of challenge is extremely simple for the user to complete when human, but makes it hard for robot users to understand.

Man Looking At Laptop

The Honey Pot

The Honey Pot is another method of detecting whether the user is a robot or not; this information is gathered by the application of a non-mandatory input entered into a form that is then hidden by the user. The hidden field implemented onto the form will appear as a regulated field in the code. The input field is visible as an enterable field in the raw code, but is made not to be displayed on the actual form that the user sees.

Having the field technically present on the form means that robots will automatically fill this field in, whereas users will not be able to as they are unable to detect it through the backend coding. This method of security is supposed to catch a large percentage of spam coming from your site; this is because the vast majority of spam is sent across by robotic users. The robot will “blindly” fill in every field available to it, including the honey pot field. Assuring that only robots will enter details into the honey pot field, means that the system is able to detect which users are deemed to be illegitimate.

As the honey pot is an alternative to reCAPTCHA, they are designed to filter out the same kind of illegitimate traffic but are implemented to filter out two different sub-genres of illegitimate traffic. The honey pot is designed to filter out large volumes of very simplistic traffic in a basic way, meaning that it is easier to be detected by ‘smarter’ robots. Whereas, Google’s reCAPTCHA is designed to simplify the process while capturing a ‘smarter’ robot. The developers of this specific Honey Pot Plugin state that they prefer to use a honey pot over a reCAPTCHA as the reCAPTCHA is cluttering up our forms. However, we would always advise using the reCAPTCHA system over the Honey Pot for secure emailing and less spamming through your website.

Man Coding Website

Extra Email Details

The last way to improve email security does not rely on detecting if the user is genuine or illegitimate, but instead focuses on preventing repeated offenders. To help to prevent repeated spam or malicious emails from the same user you can implement a form of IP tracking and attach it to your contact form. To do this, there is a built-in shortcode that will automatically write out the IP address of the sender of the email. The extra detailed IP is pictured below:

Extra Detail IP

Including this into the mail option on contact form 7 will add “IP Sent From”, and then attach the users IP address to the bottom of emails sent through the form. This will allow you to see if there are users sending spam or malicious emails, giving you the chance to block or automatically filter out these users.

Writing Out Email

Implementing Security Steps

Implementing a reCAPTCHA of any version onto your site can help to decrease spam, by filtering out any robot users and not letting the suspicious users send the form. Although there seems to be people developing robots with a way around this system boasting a 70.78% success rate at completing the challenges in 19 seconds, there is always and will continue to be developments in security emailing systems.

An additional security measure will be needed to ensure that your WordPress email security is up to date and effective, such as the honey pot system which would work efficiently for this purpose. Adding in a honey pot to the contact form alongside a reCAPTCHA will further increase the security against robots. Adding in an automatic IP address to the bottom of the sent message will help to prevent the spam and malicious emails that get through the reCAPTCHA and honey pot, giving the user more control over what is allowed and what isn’t allowed to be sent through the contact form.

People coding Website

Successful Email Security

Email security is a significant part HTML website design and should be implemented into the coding of your website. To ensure that your website has all of the relevant email security systems, you may need to seek advice and guidance from a professional website designer and coder. Gud Ideas provides website and marketing services to various clients, so if you are looking for a new website that includes relevant security, feel free to contact the team today.