Compact Form reCAPTCHA HTML

Hi

I’m using the great Compact Form on a site, but the client is complaining of receiving a lot of spam, so they want a reCAPTCHA added.

Can this be done by adding code to the RapidWeaver output HTML?

Cheers!

Compact Form uses the ‘Honeypot’ method to avoid spam so maybe that’s not the issue? Is the spam definitely coming from the form or is the submission email address being used unprotected somewhere else on the site?

Rob

1 Like

Hi Rob

That’s a very good point. I think it’s unlikely that the honeypot isn’t working? I don’t like reCAPTCHAs, so better without one, I think!

Using the honeypot (like Doobox’s contact stack) works for me without spam. In all instances where spam was involved, the email address had been made available on the site in plain text somewhere. You can test it by using a different email address in the Compact Form and checking what’s coming into the inbox.

The first step towards resolving this matter is to determine what sort of spam we are dealing with:

Human generated spam

Sadly, there are some people within impoverished regions of the world who are employed to sit in front of vast banks of computer screens manually spamming and hacking websites on an industrial scale. No amount of spam protection can stop this. They will keep getting through, no matter what you put up to protect your forms.

Your best option is to analyse where the spam is coming from and put some IP blocks in place. In a hypothetical scenario, if you deployed a contact form for a dentist in the US who was getting spam from Russia, then it would make sense to IP-block Russia. Theoretically, nobody in Russia needs a dentist in the US! So in those types of scenario, you can efficiently cut off a big source of spam (and many other website vulnerabilities). It will not stop the spammers using VPNs, but it will stop those who are only after easy targets.

Computer generated spam

The ‘honeypot’ is the most effective way to stop these. But, like any system, it is not 100% watertight and there are still ways around it…

If the email address has currently (or historically) been used on a website or form, then it may already be on the spammers’ lists. Spam volumes can fluctuate significantly over many months or years. Spambots can take the basic HTML of your form and just bombard the email address (which they already have on record). In these situations, they don’t even submit the form through your website.

A while ago someone ranted on the RW forums that the Compact Form stack was not offering any spam protection. When we were eventually given a URL to check it in detail, we found the user had mistakenly published an HTML version of the webpage before uploading the correct PHP version. The older version was still visible, along with their email address sitting plainly and clearly at the top of the page! This is something to watch out for.

Really advanced spambots can ‘brute-force’ a form with honeypot protection. They can determine which fields have to be completed before the form sends. Then they have a basic algorithm to repeatedly target the form and dodge the honeypot. In stacks like CommentsStack, I randomised the name and order of the hidden honeypot input, which pretty much eliminated spam by this method. Compact Form does not have this feature yet, but it could be added if it’s proven to be required.


To summarise:

  • All the above applies to any contact form you are using in RapidWeaver.
  • reCAPTCHA is evil. Form abandonment rates will go through the roof. It uses Google and there are serious performance / accessibility implications. Just don’t do it. None of the reCAPTCHA versions are any better than the previous one.
  • Expect every contact form on a website to receive some spam. Spam can be a good measure that your form is still working! There are different ways spammers target you. It is impossible to block it 100% outright. Expect at least a few a month. Some websites are targeted more than others.
  • Writing your own spambot to target website contact forms is not rocket science. I’ve written a few myself in Python! The cooking instructions are easily obtained from YouTube. So be aware that it’s something within reach of many people. As always, the simplest methods of protection are usually the most robust.
  • Cloudflare: I remain on the fence about this one. Yes, it can help block against website abuse, but at the same time it adds another layer of complexity to website deployment and management. The aggressive caching can be maddening at times.

Of all the hundreds of contact forms I have deployed, the honeypot has been the most powerful method of spam protection time and time again. And unlike reCAPTCHA, it is totally unobtrusive to the average website user. We should be engineering the perfect website experience for users, not spammers.

If you need to consult with me directly about getting an anti-spam ‘master plan’ set up for your website, then please contact me via the messaging on this forum.

4 Likes

Well this is an eye opener, cheers Will

Hello

What is a “honeypot”, or how does it work? (Basic explanation for a non-coder, please. :-))
Which stacks use this?

Thx all

The honeypot system works by inserting an invisible extra field into the form. Genuine users don’t see the field and don’t fill it in, but automated bots do see the field and fill it in.

If the invisible field is filled in, the honeypot then flags the submission as spam.

Will Woodgate’s Compact Form uses it https://rwextras.com/compactform/ and so does the HTML Contact Form by Doobox https://www.doobox.co.uk/stacks_store/demos/htmlcontact.html. There may be others that I’m not aware of.

1 Like
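The two posts above describe the honeypot check and, for bots that have learned which fields to leave blank, the randomised honeypot name and position that Will mentions for CommentsStack. The following is an added example of both ideas in Python; it is not Compact Form’s, CommentsStack’s or Doobox’s code, and everything in it is hypothetical: the three real fields, the `ts` hidden field that carries the form’s issue time, the per-deployment secret, and the two simulated bots. The honeypot’s name is an HMAC of the issue time under the server secret, so a bot cannot reuse a name it learned from an earlier fetch, and cannot forge a fresh name to go with a timestamp it chose itself.

```python
"""Honeypot anti-spam check with a rotating, secret-derived field name.

Added example for this thread (not Compact Form's or CommentsStack's code).
Hypothetical assumptions: the form has three real fields, the server holds a
per-deployment secret, and the page embeds the issue time in a hidden "ts" field.
"""
import hashlib
import hmac
import re
import secrets
import time
from html import escape
from typing import Optional

SERVER_SECRET = secrets.token_bytes(32)    # constructed per process; real code loads it from config
TOKEN_TTL = 30 * 60                         # seconds a rendered form stays submittable
REAL_FIELDS = ("name", "email", "message")  # the fields a human is expected to fill
FIELD_RE = re.compile(r'name="([^"]+)"')


def honeypot_name(issued_at: int) -> str:
    """Derive the honeypot input's name from the secret and the form's issue time.
    Without the secret a bot cannot compute the name that matches a given "ts"."""
    mac = hmac.new(SERVER_SECRET, str(issued_at).encode(), hashlib.sha256).hexdigest()
    return "field_" + mac[:12]


def render_form(issued_at: Optional[int] = None) -> str:
    """Emit the form HTML. The honeypot is an ordinary text input hidden by CSS
    (e.g. .hp{position:absolute;left:-9999px}); type=hidden would be skipped by
    bots. Its position among the real inputs is shuffled on every render."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    inputs = [f'<input type="text" name="{escape(f)}">' for f in REAL_FIELDS]
    inputs.append(f'<input type="text" name="{honeypot_name(issued_at)}" '
                  f'class="hp" tabindex="-1" autocomplete="off">')
    secrets.SystemRandom().shuffle(inputs)
    inputs.append(f'<input type="hidden" name="ts" value="{issued_at}">')
    return '<form method="post">' + "".join(inputs) + "</form>"


def is_spam(post: dict, now: Optional[int] = None) -> tuple:
    """Return (spam?, reason) for a raw POST dict. "ts" is attacker-controlled,
    so it is only trusted in combination with the honeypot name derived from it."""
    now = int(time.time()) if now is None else now
    try:
        issued_at = int(post.get("ts", ""))
    except ValueError:
        return True, "missing or malformed timestamp"
    if not 0 <= now - issued_at <= TOKEN_TTL:
        return True, "form token expired or post-dated"
    hp = honeypot_name(issued_at)
    if hp not in post:
        return True, "honeypot field absent: field set was not fetched for this token"
    if post[hp] != "":
        return True, "honeypot filled in"
    unexpected = sorted(set(post) - set(REAL_FIELDS) - {"ts", hp})
    if unexpected:
        return True, f"unexpected fields {unexpected} (stale honeypot name replayed?)"
    for f in REAL_FIELDS:
        if not post.get(f, "").strip():
            return True, f"required field '{f}' empty"
    return False, "ok"


def genuine_post(form_html: str) -> dict:
    """A human's submission: the browser sends every input, the hidden honeypot stays empty."""
    post = {}
    for name in FIELD_RE.findall(form_html):
        if name == "ts":
            post[name] = re.search(r'name="ts" value="(\d+)"', form_html).group(1)
        else:
            post[name] = "hello" if name in REAL_FIELDS else ""
    return post


def naive_bot(form_html: str) -> dict:
    """Simulated dumb bot: stuffs junk into every input the HTML exposes."""
    post = {}
    for name in FIELD_RE.findall(form_html):
        m = re.search(rf'name="{re.escape(name)}" value="([^"]*)"', form_html)
        post[name] = m.group(1) if m else "http://spam.example/"
    return post


def replay_bot(old_form_html: str, now: int) -> dict:
    """Simulated smart bot: it once worked out (by trial) which fields must be filled
    and which must stay blank, and re-posts that learned field set with a fresh "ts"."""
    post = genuine_post(old_form_html)
    post["ts"] = str(now)
    return post


if __name__ == "__main__":
    t0 = int(time.time())
    html = render_form(t0)
    print(is_spam(genuine_post(html), t0 + 60))          # (False, 'ok')
    print(is_spam(naive_bot(html), t0 + 60))             # honeypot filled in
    print(is_spam(replay_bot(html, t0 + 7200), t0 + 7200))  # honeypot field absent
```

The naive bot is caught by the plain honeypot check; the replay bot, which has learned which field to leave blank, is caught because the honeypot name it learned was bound to an earlier `ts` and does not match the fresh one it sends. Binding the name to the timestamp with an HMAC is what makes the rotation safe: without it, a bot could simply pick a `ts` of its own and keep the old name.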

Thx @Neil for your quick answer :-)

1 Like

I’ve been trying to get a contact form to work with my site, built in RW8 and hosted on GoDaddy. I have tried using my AOL address; it didn’t work. I tried an email @mywebsite.com; it didn’t work. I spoke with tech support at GD and was told the AOL address wouldn’t go through because of AOL’s requirement of a captcha (?).
How do I resolve this? I’ve tried adding SPF records to the MX… “aol -all”, and was told that it won’t fix the problem.

Thoughts, solutions?
Thanks

Hi @D03ree ,

You could try using the Formulate stack and set this up to redirect your form submissions to a third-party mail handling service like Formbucket or Formspree. Think of these services as a virtual ‘PO Box’. Either of these services should then be able to forward emails on to your normal AOL address.

Captcha is evil. Do everything you can to stop adding this to a website. If you put Captcha up, your number of form submissions will plummet. It makes people angry and will do nothing to stop human submitted spam.

GoDaddy is garbage for anything to do with PHP and mail handling. Long term you should consider switching to a better hosting company (like Chillidog) when your hosting contract is up for renewal.

-Will.

Thanks for the input Will.
I took a spin with Formstack and its other iteration. I wasn’t really keen on not being able to try it out fully without purchasing.
On another note, I’ve tried the HTML Contact Form from Doobox using myname@mydomain.com, and still nothing comes through. I feel your angst about captcha; I’m not a huge fan of it either. But as for GoDaddy hosting, I spoke with an actual knowledgeable human tech and she explained that the captcha security thing was AOL’s security directive and everything else non-captcha was being marked as spam. The glitch I’m finding is that even using a non-AOL “send to” address doesn’t work.
Pulling my hair out in NY.

Thanks for your guidance
R

I don’t use GoDaddy, but I think you have to use a mail address at your domain. There’s also a setting that needs to be set.

This is an old KB article but it might help: