Spam Protection

Keep your forms spam-free with built-in honeypot, rate limiting, and multiple CAPTCHA providers.

Honeypot

The honeypot is a hidden field invisible to real users but detected by bots. It's enabled by default on all forms.

How it works: A hidden field is added to the form. If a bot fills it in, the submission is silently rejected.
No user interaction required: Completely invisible and frictionless.
Always active: The honeypot is automatically included in all forms with no configuration needed.

Tip: The honeypot catches most basic bots without any setup or third-party service.

Submission Speed Check

Giraforms records a timestamp when the form loads. If the form is submitted in less than 3 seconds, it's automatically rejected as spam — real users need more time to fill out a form.

This check is always active and requires no configuration.

Rate Limiting

Prevent abuse by limiting how often a single IP address can submit a form. This protects against both bots and intentional flooding.

Parameter	Description	Default
Max Submissions	Maximum submissions allowed per time window	5
Time Window	Period before the counter resets	1 hour (3600 seconds)

Rate limiting is based on the user's IP address and is enabled by default. Developers can adjust the limits using PHP filters:

// Allow 10 submissions per 2 hours
add_filter( 'giraforms_rate_limit', function() { return 10; } );
add_filter( 'giraforms_rate_timeframe', function() { return 7200; } );

Note: Users behind shared IPs (offices, schools) may trigger the limit faster. Increase the limit via the filter if your audience typically shares IPs.

CAPTCHA Providers

Giraforms supports multiple CAPTCHA providers in the same Captcha block. You can choose the provider per form, depending on your needs and compliance requirements.

Provider	Type	Notes
Cloudflare Turnstile	Privacy-focused challenge	Usually invisible for users
Google reCAPTCHA v2	Checkbox challenge	Traditional \"I'm not a robot\" flow
Google reCAPTCHA v3	Score-based invisible	No direct challenge for most users
hCaptcha	Challenge-based	Alternative to Google solutions

Setup

Get Keys for Your Provider

Create API/site keys for your chosen provider (Turnstile, reCAPTCHA v2/v3, or hCaptcha) in the provider dashboard.

Enter Keys in Giraforms

Go to Forms → Integrations. Fill in the key fields for the provider(s) you want to use.

Add the Captcha Block to Your Form

In the page editor, add the Giraforms Captcha block inside your Form Container and choose the provider in block settings.

Test

Submit the form on the front-end to verify your selected provider works correctly and bot submissions are blocked.

Captcha integration keys under Forms → Integrations

Combining Protections

For maximum protection, all methods work together:

Honeypot — catches simple bots (always on)
Speed check — blocks instant submissions under 3 seconds (always on)
Rate Limiting — prevents flooding attacks (always on)
CAPTCHA provider — Turnstile, reCAPTCHA, or hCaptcha for advanced bot filtering

These protections work independently and complement each other. A submission must pass all enabled checks to be accepted.

Choose the CAPTCHA That Fits Your Site

Turnstile, reCAPTCHA v2/v3, and hCaptcha are available in Giraforms. Configure keys in Forms → Integrations and enable the Captcha block.

Get Giraforms