Gravity Forms is one of our 10 Mandatory WordPress Plugins for good reason–it is a powerful, highly customizable form builder, that has gotten consistently better year over year. But as with any form on the web, forms built with Gravity Forms tend to attract a lot of spambots. Here are a few ways you can fight back:

1. Use the built-in honeypot. A honeypot is a form field that is invisible to human users, but visible to spambots. The logic is that a spambot will fill out the field, while a human will not, because they never saw it. If the form submission contains data in the honeypot field, the entry is rejected. Seems simple enough, and in practice, it is relatively effective. The honeypot option is built into Gravity Forms but must be manually enabled. Go under Forms > Form Settings and scroll to the bottom of the page. Some of your spam will be blocked, but don’t expect 100% success–that would be too easy, right?
2. The next thing many people try is reCAPTCHA. Gravity Forms offers an add-on that allows you to easily add Google reCAPTCHA to your forms. We find it annoying and generally try to not put obstacles in front of legit website users. But it is popular because it is generally effective, so you should decide for yourself if you want to use it. We use it sometimes, but not on every site.
3. We prefer to use Akismet because it is invisible to users, and in our experience, it is highly effective at blocking Gravity Forms spam. You can configure Akismet to quarantine spam entries in a spam folder so that you can check for false positives manually. But in our experience, false positives are very rare. If you are willing to pay for a spam blocker, we highly recommend starting with Akismet.
4. But what about stubborn situations that aren’t even mitigated by the above tools? We’ve experienced these situations from time to time, most frequently with WooCommerce websites. And the best tool we’ve found so far to stamp out fake WooCommerce customer registrations and fake orders is WPArmour which operates on the honeypot principle but offers more robust blocking and configuration options than the built in Gravity Forms honeypot. WPArmour is a paid plugin, but thankfully, it does not require a subscription. Pay once, and use it forever. And there’s a generous 30-day trial period so you can test it out before committing. But for us, WPArmour has been a great way to solve the most stubborn spam problems.

Look, the war against spambots will likely never be won. We know that. But the four methods listed here have been effective for us, and go a long way to stamping out Gravity Forms Spam.