Spam protection

formbuild.io includes multiple layers of spam defense so your Inbox stays clean — without CAPTCHAs that annoy real visitors.

Honeypot fields

A honeypot is a hidden field that real visitors never see or fill in. Bots that auto-fill every field will trigger it.

  1. In your form settings, go to Spam and set a honeypot field name (e.g. _honey).
  2. Add a hidden input to your HTML form:
<!-- Hidden honeypot — do not show to users -->
<div style="display:none" aria-hidden="true">
  <input name="_honey" tabindex="-1" autocomplete="off" />
</div>

If a response includes a non-empty value for this field, we silently discard it — returning a success status so the bot doesn't know it was caught.

Automatic spam scoring

We run a set of heuristics on every response to detect common spam patterns (link stuffing, suspicious content, etc.). Responses flagged as likely spam are still stored but moved to the Spam tab in your Inbox, keeping your main view clean.

You can always review the Spam tab and mark responses as Not spam if they were caught incorrectly, or manually mark legitimate-looking responses as Spam.

Google reCAPTCHA

For high-traffic forms or when honeypots aren't enough, you can enable Google reCAPTCHA for advanced bot protection.

  1. In your form settings, go to Spam and enable reCAPTCHA.
  2. Enter your Site Key and Secret Key from theGoogle reCAPTCHA Admin Console.
  3. Add the reCAPTCHA script to your page's <head>:
    <script src="https://www.google.com/recaptcha/api.js" async defer></script>
  4. Place the reCAPTCHA widget inside your <form>:
    <div class="g-recaptcha" data-sitekey="YOUR_SITE_KEY"></div>

formbuild.io will automatically detect the g-recaptcha-responsefield and verify it with Google before accepting the submission.

Rate limiting

Bulk actions

In the Inbox, you can select multiple responses and use bulk actions to:

  • Mark as spam
  • Mark as not spam
  • Delete permanently

Tips

  • Always use a honeypot — it catches the majority of naive bots with zero friction for real visitors.
  • Use tabindex="-1" and autocomplete="off" on the honeypot input so screen readers and browsers skip it.
  • Combine honeypot with server-side validations (e.g. require an email field) for stronger protection.

← Success page · Next: Integrations →