Why CAPTCHA is bad at preventing spam from your WordPress forms

Let's face it - every website owner longs for the moment when a new amazing offer to triple their income with no effort whatsoever arrives in their inbox. At least that would be the case if those offers were actually true and not just a pitiful attempt at scamming. No, spam is the true menace of the 21st century, where virtually all communication happens electronically.

So how would one protect against spam then? The simplest and most common solution is to use a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). Is that the right way though?

No. CAPTCHA is bad!

First of all, it shifts the responsibility from the site owner to the user. Why should Alice care if Bob's site is attacked by spambots? All Alice wants is to send a question through Bob's Perfect Contact Form, not to deal with hard-to-read, mangled letters.

Secondly, some bots can solve as much as 90% of the CAPTCHAs - for example by using services like DeathByCaptcha. Sure, those kinds of services employ real people to solve the challenge, but the end result is the same: the form is still not sent by a user who is actually interested in your services and/or products.

What is more, some ill-designed CAPTCHAs are harder for a human to solve than for a machine:

  • poor contrast? Not an issue for algorithms, but an issue for colour-blind people,
  • blurred letters? Some algorithms actually blur the letters before trying to identify them, while poor Charles has to go and get his glasses,
  • small letters/symbols? Fewer pixels mean less time spent on OCR (Optical Character Recognition), and more time for the user to stare at the screen and wonder whether that little thing there is a letter or just random noise.

If it's so terrible, why do many popular websites use it as protection against automated spambots, you ask? Because CAPTCHA is the easiest way to implement something resembling protection against spam. It's arguably not the right way though.

Okay, I get it now - CAPTCHA is in fact bad. How do I protect my Perfect Contact Form from spammers then?

Don't worry, there are multiple ways to achieve a high spam-detection rate without sacrificing your conversion rate:

One of those is the "honeypot" method. If we include a hidden form field that looks, to a bot, like it should be filled in, but that real users will leave empty (since they can't see it), we can detect the over-enthusiastic bots that fill every field with something resembling "real" data.

Another good method is to check the time difference between the form being displayed and submitted. Naturally, a real person will spend at least some time filling out the form, while a bot would usually do that almost instantly.

Other successful methods include adding some session-related information to the form, randomizing field names in the HTML (which makes no difference to the end user), and using JavaScript to alter some data on form submission.
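As an added example (not code from this post or from the Perfect Easy & Powerful Contact Form plugin), here is a server-side PHP check that combines the honeypot and timing methods described above, using an HMAC-signed "issued at" token so the server never has to trust the browser's clock. The field names, secret, thresholds and sample submissions are assumptions chosen for illustration.

```php
<?php
// Added example, not the plugin's own code. Secret, field names and
// thresholds are assumptions for illustration.
const FORM_SECRET = 'replace-with-a-long-random-secret'; // placeholder
const MIN_FILL_SECONDS = 3;     // faster than this looks automated
const MAX_FILL_SECONDS = 3600;  // older than this, the token has expired

// Called when rendering the form: returns a signed "issued at" token to
// embed in a hidden field, so the server can later verify when the form
// was displayed without trusting anything the client sends unsigned.
function issue_form_token(?int $now = null): string {
    $issued = (string)($now ?? time());
    return $issued . '.' . hash_hmac('sha256', $issued, FORM_SECRET);
}

// Validates a submission. Returns null if it looks human, otherwise a short
// reason the site owner can log (never show the reason to the submitter).
function check_submission(array $post, ?int $now = null): ?string {
    $now = $now ?? time();
    // Honeypot: the field is hidden with CSS (not type="hidden", which
    // many bots skip), so a real user leaves it empty.
    if (isset($post['website_url']) && $post['website_url'] !== '') {
        return 'honeypot filled';
    }
    // Timing: the token must be present, well-formed and correctly signed.
    $parts = explode('.', $post['form_token'] ?? '', 2);
    if (count($parts) !== 2 || !preg_match('/^\d+$/', $parts[0])) {
        return 'token missing or malformed';
    }
    [$issued, $mac] = $parts;
    $expected = hash_hmac('sha256', $issued, FORM_SECRET);
    if (!hash_equals($expected, $mac)) {  // constant-time comparison
        return 'token signature invalid';
    }
    $elapsed = $now - (int)$issued;
    if ($elapsed < MIN_FILL_SECONDS) {
        return 'submitted too quickly';
    }
    if ($elapsed > MAX_FILL_SECONDS) {
        return 'token expired';
    }
    return null;
}

// Constructed samples: a bot filling the hidden field, a bot posting at
// once, and a human submitting half a minute after the form was shown.
$token = issue_form_token(1700000000);
var_dump(check_submission(['form_token' => $token, 'website_url' => 'http://example.invalid'], 1700000001));
var_dump(check_submission(['form_token' => $token, 'website_url' => ''], 1700000001));
var_dump(check_submission(['form_token' => $token, 'website_url' => ''], 1700000030));
```

A submission that fails any check should be silently discarded or queued for review rather than rejected with an explanatory error, so the bot operator learns nothing about which check tripped.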

Our contact form products, like the Perfect Easy & Powerful Contact Form for WordPress, implement protection against spam using a special JavaScript mechanism, effectively blocking most automated spammers. Thanks to this, you don't lose conversions because of a CAPTCHA your users couldn't, or couldn't be bothered to, solve, while still preventing your inbox from exploding with "Cheap prescription drugs" offers and other scam attempts.

Say no to annoying CAPTCHAs and yes to the more user-friendly spam protection in Perfect Easy & Powerful Contact Form for WordPress!