Stop bots from submitting forms without annoying your real visitors. This guide walks through Formigo's layered form spam protection, a privacy-friendly reCAPTCHA alternative, and how to prevent form spam without a captcha.
Bots love web forms. The good news: you don't need an intrusive puzzle to keep them out. Formigo ships with three layers of spam protection that work together: a honeypot field, a timestamp check, and optional CAPTCHA via Cloudflare Turnstile or hCaptcha, plus automatic rate limiting and a transparent spam score. Most forms only need the first two, which add zero friction for humans.
Hidden field that catches bots automatically
Blocks submissions that are too fast
Optional challenge for suspicious traffic
A honeypot field is a hidden input that real users won't see or fill, but bots typically will. It's the easiest and most effective way to stop form spam, and it's invisible to humans, so there's no friction at all.
<input type="text"
name="_formigo_hp"
value=""
style="display:none"
tabindex="-1"
autocomplete="off">Use display:none
Don't use visibility:hidden or positioning tricks
Add tabindex="-1"
Prevents keyboard users from accidentally focusing the field
Add autocomplete="off"
Prevents browsers from auto-filling the field
The field must remain empty. If it's filled, the submission will be flagged as spam (100 points).
Timestamp validation stops bots that submit forms instantly. Real users take at least a couple of seconds to fill out a form; bots fire in milliseconds. Pair this with the honeypot above and you stop bots from submitting forms without a single CAPTCHA in sight.
<!-- Hidden input for timestamp -->
<input type="hidden" name="_formigo_t" value="">
<script>
// Set timestamp when form loads
document.querySelector('input[name="_formigo_t"]').value =
Math.floor(Date.now() / 1000);
</script>This works even if JavaScript is disabled - the field will just be empty and add minimal spam points. Real users won't be blocked.
For high-value or high-spam forms, you can layer on a CAPTCHA. Formigo deliberately does not use Google reCAPTCHA, since we'd rather not hand your visitors' data to an ad network. Instead, Formigo supports two privacy-friendly reCAPTCHA alternatives: Cloudflare Turnstile and hCaptcha. They're free, less intrusive, and don't track your users across the web.
Free, privacy-friendly, and less intrusive than reCAPTCHA.
Privacy-focused alternative to reCAPTCHA with better accessibility.
<!-- Add Turnstile widget -->
<div class="cf-turnstile" data-sitekey="YOUR_SITE_KEY"></div>
<!-- Load Turnstile script -->
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js"
async defer></script>
<!-- Hidden field (auto-populated by Turnstile) -->
<input type="hidden"
name="_formigo_captcha"
class="cf-turnstile-response"><!-- Add hCaptcha widget -->
<div class="h-captcha" data-sitekey="YOUR_SITE_KEY"></div>
<!-- Load hCaptcha script -->
<script src="https://js.hcaptcha.com/1/api.js"
async defer></script>
<!-- Hidden field (auto-populated by hCaptcha) -->
<input type="hidden"
name="_formigo_captcha"
class="h-captcha-response">You'll need to enable CAPTCHA in your form settings and provide your secret key for validation. A failed CAPTCHA adds 100 spam points.
Here's a complete form with the honeypot and timestamp layers and no CAPTCHA. It's everything you need to prevent form spam without captcha friction:
<form action="https://formigo.io/f/your-form" method="POST">
<!-- Your actual form fields -->
<div>
<label for="name">Name:</label>
<input type="text" id="name" name="name" required>
</div>
<div>
<label for="email">Email:</label>
<input type="email" id="email" name="email" required>
</div>
<div>
<label for="message">Message:</label>
<textarea id="message" name="message" required></textarea>
</div>
<!-- Spam protection fields -->
<!-- Honeypot (hidden field) -->
<input type="text"
name="_formigo_hp"
value=""
style="display:none"
tabindex="-1"
autocomplete="off">
<!-- Timestamp -->
<input type="hidden" name="_formigo_t" value="">
<button type="submit">Send Message</button>
</form>
<script>
// Set timestamp when form loads
document.querySelector('input[name="_formigo_t"]').value =
Math.floor(Date.now() / 1000);
</script>Formigo automatically rate limits submissions to prevent abuse:
5 submissions
Per IP, per form, every 10 minutes
20 submissions
Per IP, all forms, per hour
When rate limits are exceeded, the API returns a 429 Too Many Requests status with a retry_after value in seconds.
Each submission is assigned a spam score based on triggered checks:
Submissions with a score of 100 or higher are marked as spam.
Spam submissions are stored but notifications are not sent.
These two fields catch the vast majority of spam with zero user friction.
CAPTCHA adds friction. Start without it and add only if you see spam.
Check your spam folder in the dashboard for false positives.
Use display:none, not visibility tricks that might confuse screen readers.
Keep an eye on submission patterns and adjust protection as needed.
Quick answers to the most common questions about form spam protection, honeypot fields, and reCAPTCHA alternatives.
A honeypot field is a hidden form input that real users never see or fill, but automated bots usually do. In Formigo the honeypot field is named _formigo_hp and must stay empty. If a submission arrives with that field filled in, Formigo adds 100 spam points, which is enough to flag it as spam on its own.
Yes. Formigo does not use Google reCAPTCHA. Instead it supports Cloudflare Turnstile and hCaptcha as privacy-friendly, free reCAPTCHA alternatives. Both submit a token in the _formigo_captcha field, and a failed CAPTCHA adds 100 spam points. For most forms you do not need a CAPTCHA at all, because the honeypot and timestamp checks already stop the vast majority of bots.
Add two hidden fields to your form: a honeypot field named _formigo_hp that stays empty, and a timestamp field named _formigo_t that JavaScript sets to the current Unix time when the page loads. Filling the honeypot adds 100 points, submitting in under 2 seconds adds 50 points, and a missing or invalid timestamp adds 25 points. Submissions scoring 100 or more are marked as spam, so you can stop bots from submitting forms with zero friction for real users.
Combine the honeypot field, the timestamp check, and Formigo's built-in rate limiting. Formigo allows 5 submissions per IP per form every 10 minutes and 20 submissions per IP across all forms per hour; exceeding either limit returns an HTTP 429 response with a retry_after value in seconds. Together these layers prevent form spam without a captcha and without blocking legitimate visitors.
Every submission gets a spam score. Submissions scoring 100 or higher are marked as spam. Spam is still stored so you can review it for false positives, but notifications are not sent for it, keeping your inbox clean.
Honeypot, timestamp checks, rate limiting, and privacy-friendly CAPTCHA come built in. Create a form and let Formigo handle the bots.
Start for free