How To Protect WordPress Contact Forms Against SPAM

Contact forms are a common target for spam. Shield Security can protect your forms in the background, so your real users/visitors can send messages as normal, while bots are blocked silently.

This guide shows how to configure Shield and then connect it to your contact forms, so Shield silentCAPTCHA antibot system can start protecting them against spam.

We will do this in three parts:

  • first, configure silentCAPTCHA
  • then, enable Contact Form SPAM Checking for your form plugin
  • last, review and monitor your WP Activity Logs.

#1 - Configure silentCAPTCHA

silentCAPTCHA is Shield’s antibot system. It checks visitors quietly in the background and scores how likely they are to be bots.

  1. Log into your WordPress dashboard.
  2. Go to Shield Security > Security Zones > Bots & IPs zone.
  3. Click Configure next to the silentCAPTCHA component.
  4. A side tab will open with settings for silentCAPTCHA.

In this tab you can see:

  • silentCAPTCHA Complexity
  • silentCAPTCHA Bot Minimum Score
  • High Reputation Bypass
  • a short description for each option, plus a link to a help article or blog post with more details.

Access to silentCAPTCHA component configuration

For most sites, you can start with these recommended values:

  • silentCAPTCHA Complexity: Adaptive
  • Minimum Score: 40
  • High Reputation Bypass: 200

After setting the values, click Save Settings.

silentCAPTCHA options configuration

You can always click the small icon to expand the description beside each option. This explains what the option does and links to the relevant help article if you want to learn more.

Example: Option description and Info/blog links

#2 - Select contact form for spam checking

Once silentCAPTCHA is configured, you need to tell Shield which contact form plugin you use. Shield will then use silentCAPTCHA to check submissions coming from that plugin.

  1. Go to Shield Security > Tools > Integrations.

  2. Select Contact Form SPAM Checking tab.

    You will see a list of supported contact form providers.

  3. Tick the checkbox next to the contact form plugin you are using.
  4. Click Save Settings.

Example: Contact Form 7

Alternatively, you can use automatic selection for active forms. This is a general option that controls how contact form integrations are handled.

If you enable this, Shield will automatically select all active contact forms from supported plugins on your site. This is useful if you have many forms and do not want to configure each one manually.

  • Turn on the option that automatically selects active contact forms.
  • Save your settings.

Access to Auto-Integrations option

Important point to note

Only contact form providers that are on the list of integrated forms, and that you have selected there, can be protected. If your form is not on that list of supported providers, please reach out to us and we will be happy to discuss adding an integration for it.

What this means for your users

After you configure silentCAPTCHA and enable Contact Form SPAM Checking for your form provider:

  • Shield starts protecting your contact forms automatically.
  • silentCAPTCHA runs in the background on each submission.
  • Automated bots that probe or attack your forms are blocked.
  • Real visitors, even if they are not tech‑savvy, use the form as usual and do not see any extra fields or CAPTCHAs.

You don't have to change the form itself. The protection happens inside Shield, based on the settings you configured in this guide.

#3 - Monitor your WP Activity Logs

To check that Shield is protecting your contact forms, first open the Activity Logs settings and make sure it records these events. To do this, you may go to the main Shield Security navigation menu and click the small gear icon next to Activity Logs section and confirm that the "Info" logging level for WordPress Activity is selected.

Access to Activity Log logging levels

After that, you can start monitoring your WP Activity Log like your personal assistant, it records what is happening on your site, including contact form submissions and spam checks.

For example, you can filter logs by event name to see spam checks for your forms. Use the filter and type spam check, and you'll see entries such as "SPAM Check Fail" and "SPAM Check Fail" for your contact form provider. These events show when Shield’s silentCAPTCHA spam protection is checking and handling form submissions. (See the screenshots below)

When you see a Spam check fail event, that usually means the submission was from a bot. In the log entry you can click the IP address to open up IP Analysis page and look at the Bot Signals section. For example, a Total Reputation Score of -80 with Bad bot probability 100% is a strong sign this was an automatic bad bot that Shield has blocked for you.

Example CF7: SPAM Check Fail & Bad Bot

When you see a Spam check pass event, that almost always means the submission came from a real visitor. This shows that Shield is allowing legitimate visitors through while still blocking bad bots in the background.

Example CF7: SPAM Check Pass & Human

Together, these entries confirm that your contact form integration is working and that Shield is actively protecting your forms.