Prevent Bot Spam | reCaptcha V3 | CF7 | Honeypot

I think it’s safe to say that everyone hates to get online form spam. I do. And I can’t think why anyone wouldn’t, but to each their own, right. Regardless, my go-to online form spam prevention tool, like many other developers, is reCaptcha, Google’s free “I’m not a robot” checkbox with subsequent “Choose the correct pictures” puzzle. Yes, I agree it can be annoying as a user, but it serves the purpose and seems to do an adequate job of fighting off pesky spam bots.

Also, like many other developers that use WordPress, Contact From 7 (CF7) is Corner Tab’s online form builder of choice. It’s simple, extremely established, and has proven to work time after time across many different sites.

However, recently I discovered upon updating the Contact Form 7 plugin, that if you choose to integrate reCaptcha, Google’s latest V3 version is the only option available. With Contact Form 7 – 5.1.1, the older V2 API keys will need to be updated. Otherwise you have to stick with previous releases of CF7 until the policy changes, if it ever does???

https://contactform7.com/recaptcha/

V3 Research Time

So I decided to read up on reCaptcha V3, check some tech sites, watch a Youtube video or two, and scour over Google’s documentation just to familiarize myself before moving forward:

At first, it sounded like a win-win. Simple to integrate, users will no longer have to click a checkbox or solve problems, and you get scored analytics to boot! So I signed into Google, generated my V3 API keys and integrated them into CF7, and lickety-split reCaptcha V3 was now active. I didn’t even have to add code to my CF7 forms!

No matter for me, because that’s when things went down-hill.

V3, CF7, and Me, A Brief Partnership (At least for now)

To start with, at least for my WordPress install, reCaptcha V3 is not just installed on the pages with online forms, but the entire site, and it automatically places a branding badge in the bottom right of every page, displaying Google’s Privacy Policy and Terms of Use links. Google will allow you to remove the badge with CSS, but it comes with stipulations. You are required to include V3 usage notes and links in applicable areas so users are aware it is being used.

I’m not too enthused about either of these new factors and have a hard time understanding the site wide approach. Seems like overkill to me.

Then there’s the analytics feature, that scores each user, determining if they are likely to be a bot or human via online behavior patterns. So, ok, the bots are being scored, but how exactly are they being prevented from filling out the form? Well, it appears that once you determine, from studying the analytics, that bots are frequenting your forms, you need to add additional verification features in order to stop them. Ugh!

I can’t say that this is all entirely unreasonable in certain situations, but it just seems to be unnecessary complex for the type of WordPress sites I normally work on. Google even states themselves that V3 “is intended for power users, site owners that want more data about their traffic“.

They also state “V2 is not going away! We will continue to fully support and improve security and usability for V2“.

So if you want to keep using V2, just keep it and all will be good. Hold it! That is unless you are using the latest version of Contact Form 7. Double, Ugh!

Like I said above, the latest version of CF7 requires V3. I hope that will change soon, and maybe it already has depending on when you are reading this post, but until then I have decided to go an alternate route for online spam protection. I crave simplicity, friends!

Queue Contact Form 7 Honeypot

If you build WordPress sites, you may have heard of the CF7 Honeypot plugin. It’s been around for a while and is an alternative to using reCaptcha for preventing online form spam with CF7 forms. Is it as effective as reCaptcha? Maybe, maybe not, but it has a 4 star rating and has been installed by 200,00 users, so that’s good enough for my sites. And if it helps me side step the aggravation of the current V3/CF7 conundrum, I am willing to make the switch for now, until the items above are worked out.

If you need more instruction, Bjorn Allpas (Love that guy!!!) at WPLearningLab.com has a great Youtube video/tutorial that explains how to install and implement CF7 Honeypot. It’s rather simple too, if you have experience with WordPress:

ReCaptcha, Honeypot Final Thoughts

Perhaps I didn’t spend enough time tinkering with reCaptcha V3. And quite possible I looked over some documentation that would have swayed my current path on this. But, my hassle meter said to get out before the day was spent. So I opted for Honeypot and moved on to the next project. Hopefully it will get the job done for me and my client, and if you have been presented with the same dilemma, hopefully it will give you another option for your CF7 forms.