If you run a WordPress site for any length of time, you already know the rhythm. Quiet for a week, then forty submissions overnight that all say “Hello dear, I checked your site and would like to offer…”. The contact form is the single most-abused public endpoint on a typical WordPress site, and every form plugin — Contact Form 7, WPForms, Gravity Forms, Fluent Forms, Elementor Forms — leaks by default. Here is why, and what actually stops it.
Why your form is a magnet, not a target
Spam bots do not pick on you because of who you are. They pick on you because contact-form HTML is recognisable: a couple of <input> fields, a textarea, a submit button, and a predictable JSON or POST endpoint. Scanners crawl the open web, fingerprint the form plugin from its CSS classes, and queue your URL into a list of working targets. The form does not need to be on a busy site to attract submissions — it just needs to be discoverable.
Why the usual fixes stop working
The three traditional defences are honeypots, reputation lists, and CAPTCHAs. Each has a hole that modern spam exploits:
- Honeypots catch lazy bots. They miss anything that runs a headless browser.
- Reputation lists (Akismet-style) score by IP and email patterns. They do not see the content of the message and miss realistic AI-written spam that uses a clean residential IP.
- CAPTCHA shifts the cost onto your real visitors and cuts conversions by 5 to 15 percent on most contact forms. Worse, modern solvers handle reCAPTCHA v2 in under a second for a fraction of a cent.
What actually works in 2026
The pattern that has held up across forty-plus client sites is layered, invisible-to-the-user defence:
- Honeypot + timing trap in the form itself. Catches everything dumb. Costs nothing.
- Server-side intent scoring on the submission. This is the bit that catches AI-written submissions: a model reads the message and decides whether it looks like a real enquiry or a sales pitch with a link.
- Outbound mail guard. Even if a spam submission gets through, hold the email before it relays through your domain — that is what protects your sender reputation.
This is exactly what QWeb Spam Shield does
QWeb Spam Shield is the plugin we install on every WordPress site we touch. It reads each form submission with Google Gemini, layers in honeypot and timing checks for the dumb traffic, and includes a Mail Guard for the relayed-through-your-domain case. No CAPTCHA, no puzzles for real visitors, sensible defaults out of the box, two-minute setup.
What to do this afternoon
If you do not want to install another plugin, you can get most of the way with two changes: add a hidden honeypot field to your form (a CSS-hidden <input> that humans never fill), and add a timestamp comparison that rejects submissions completed in under three seconds. That removes about 60 percent of incoming spam in our measurements. The remaining 40 percent — the realistic, AI-written stuff — is the bit you need intent scoring for, and that is what QWeb Spam Shield was built for.
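As an added, framework-neutral example (not the article's or QWeb's code): the two checks above, with the render timestamp HMAC-signed so a bot cannot simply post a backdated value and defeat the timing trap. The field names, the demo secret and the six-hour upper bound are assumptions; a WordPress handler would port this to PHP and run it before the form plugin stores or mails anything.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Constructed demo values: load the secret from config and rotate it in production.
SECRET = b"constructed-demo-secret"
HONEYPOT_FIELD = "website_url"   # hypothetical name for the CSS-hidden field humans never fill
MIN_SECONDS = 3                  # the article's threshold: no human finishes a form in under 3 s
MAX_SECONDS = 6 * 3600           # assumed upper bound so a captured token cannot be replayed forever


def _sign(ts: int) -> str:
    """HMAC over the render timestamp; without it a bot just posts an old form_ts."""
    return hmac.new(SECRET, str(ts).encode(), hashlib.sha256).hexdigest()


def render_hidden_fields(now: Optional[int] = None) -> Dict[str, str]:
    """Values to emit as hidden <input>s when the form is rendered."""
    ts = int(time.time()) if now is None else now
    return {"form_ts": str(ts), "form_sig": _sign(ts), HONEYPOT_FIELD: ""}


def classify_submission(post: Dict[str, str], now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (is_spam, reason). Run this before the submission is stored or mailed."""
    now = int(time.time()) if now is None else now
    if post.get(HONEYPOT_FIELD, "") != "":
        return True, "honeypot filled"
    ts_raw, sig = post.get("form_ts", ""), post.get("form_sig", "")
    if not (ts_raw.isascii() and ts_raw.isdigit()):
        return True, "timestamp missing or tampered"
    if not hmac.compare_digest(_sign(int(ts_raw)).encode(), sig.encode()):
        return True, "timestamp missing or tampered"
    elapsed = now - int(ts_raw)
    if elapsed < MIN_SECONDS:
        return True, f"submitted {elapsed}s after render"
    if elapsed > MAX_SECONDS:
        return True, "stale form token"
    return False, "ok"


if __name__ == "__main__":
    render_ts = 1_700_000_000                     # constructed render time
    rendered = render_hidden_fields(now=render_ts)
    human = {**rendered, "message": "Can you quote a redesign?"}
    bot = {**rendered, HONEYPOT_FIELD: "http://example.invalid", "message": "Hello dear..."}
    for label, post in (("human", human), ("bot", bot)):
        print(label, classify_submission(post, now=render_ts + 20))
```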
The takeaway is not “another tool to install”. It is that the model of who is sending the spam changed, and the defence has to change with it. CAPTCHA-and-honeypot was the right answer in 2018. In 2026 it is reading the message that matters.
