Preventing Spam and Bot Submissions

Keep Your Data Clean and Your Forms Protected #

FORMEPIC’s comprehensive anti-spam features protect your forms from automated bots, malicious submissions, and low-quality responses. Whether you’re experiencing bot attacks that fill your inbox with junk, dealing with competitors poisoning your data, or simply want to ensure every response comes from a real human, FORMEPIC gives you multiple layers of protection that work silently in the background.

Choose from three powerful CAPTCHA options—simple math challenges that any human can solve, Google’s industry-leading reCAPTCHA v3 that works invisibly, or hCaptcha for privacy-focused verification. Each option stops bots in their tracks while keeping the experience smooth for real users. Combine CAPTCHA with submission limits to create an impenetrable defense against spam while maintaining a professional, user-friendly form.

The best part? These security features activate instantly and require no coding or complex configuration. Your legitimate users barely notice the protection, while bots and spammers are automatically turned away—keeping your response data clean, your analytics accurate, and your time focused on real feedback instead of filtering garbage.

Available Anti-Spam Features #

FORMEPIC provides multiple anti-spam tools that can be used individually or combined for maximum protection:

CAPTCHA Protection #

Add CAPTCHA fields to your form to verify users are human. Three types available:

• Simple Math CAPTCHA – Basic arithmetic challenges (e.g., “What is 7 + 3?”)
• Google reCAPTCHA v3 – Invisible bot detection powered by Google
• hCaptcha – Privacy-friendly CAPTCHA alternative

Submission Limits #

Prevent spam by limiting submissions per IP address or email (covered in detail in “How to Manage Access Control and Submission Limits”)

Required Fields #

Make critical fields required to prevent empty or meaningless submissions

Email Verification #

Require valid email addresses to reduce fake submissions

How to Add CAPTCHA to Your Form #

Step 1: Add a CAPTCHA Field #

1. Open your form in the Builder
2. In the Field Palette on the left, find the “CAPTCHA” field type
3. Drag and drop it onto your form canvas
4. Position it near the end of your form (typically just before the submit button)

Step 2: Configure CAPTCHA Settings #

1. Click on the CAPTCHA field you just added
2. In the Field Settings panel on the right, you’ll see CAPTCHA configuration options
3. Choose your CAPTCHA type:

Simple Math CAPTCHA (Recommended for Most Users):

• No additional configuration needed
• Generates random math problems like “What is 5 + 8?” or “What is 3 × 4?”
• Users must solve the problem correctly to submit
• Includes a refresh button to generate new questions
• Works offline and requires no external services

Google reCAPTCHA v3 (Invisible Protection):

1. Select “reCAPTCHA” as the CAPTCHA type
2. You’ll need a reCAPTCHA Site Key from Google:

• Go to google.com/recaptcha/admin
• Register your site and select reCAPTCHA v3
• Copy the Site Key (starts with 6L…)

1. Paste the Site Key in the “reCAPTCHA Site Key” field
2. Save your settings
3. reCAPTCHA v3 works invisibly—users won’t see a checkbox or challenge

hCaptcha (Privacy-Focused):

1. Select “hCaptcha” as the CAPTCHA type
2. You’ll need an hCaptcha Site Key:

• Go to hcaptcha.com and create an account
• Add your site and copy the Site Key

1. Paste the Site Key in the “hCaptcha Site Key” field
2. Save your settings
3. Users will see an hCaptcha challenge box

Step 3: Test Your CAPTCHA #

1. Click the Preview button in the builder header
2. Fill out your form and test the CAPTCHA:

• Simple Math: Verify the math question appears and validates correctly
• reCAPTCHA: Check that the form submits without visible prompts
• hCaptcha: Confirm the hCaptcha widget loads and validates

1. Try submitting with an incorrect answer (for Simple Math) to ensure validation works
2. Test on different devices and browsers

Step 4: Publish Your Form #

1. Once CAPTCHA is working correctly in preview, publish your form
2. CAPTCHA protection is now active on your live form
3. Monitor your submissions to ensure the CAPTCHA is working as expected

Choosing the Right CAPTCHA Type #

Simple Math CAPTCHA #

Best for:

• Forms where you want visible spam protection
• Audiences who prefer not to use Google services
• Forms that need to work offline or without external dependencies
• Quick setup without requiring API keys

Advantages:

• No external accounts or API keys required
• Works instantly with no configuration
• Users see clear visual feedback
• No privacy concerns about third-party tracking
• Accessible to users with screen readers

Disadvantages:

• Can be solved by sophisticated bots (though rare)
• Adds visible friction to the form experience
• May frustrate users who are bad at math

Google reCAPTCHA v3 #

Best for:

• High-traffic forms that need invisible protection
• Professional sites where user experience is critical
• Forms experiencing bot attacks that bypass simple CAPTCHA
• Situations where you want Google’s advanced bot detection

Advantages:

• Completely invisible to users—no checkboxes or challenges
• Powered by Google’s advanced AI bot detection
• Highest level of bot protection
• No user friction or tasks to complete

Disadvantages:

• Requires Google account and API key setup
• Sends data to Google (privacy considerations)
• May occasionally block legitimate users
• Requires internet connection to Google servers

hCaptcha #

Best for:

• Privacy-conscious organizations and users
• Sites that want to avoid Google dependencies
• GDPR-compliant forms
• Users who prefer ethical tech alternatives

Advantages:

• More privacy-friendly than reCAPTCHA
• Compliant with strict data protection regulations
• Rewards site owners with revenue (optional)
• Strong bot protection without Google

Disadvantages:

• Requires external account and API key
• May show users challenges (puzzles, image selection)
• Less familiar to users than reCAPTCHA
• Requires internet connection to hCaptcha servers

Combining Anti-Spam Features #

For maximum protection, combine multiple anti-spam features:

Basic Protection #

• Simple Math CAPTCHA
• Required email field
• 1-2 required fields for key information

Standard Protection #

• reCAPTCHA v3 (invisible)
• Submission limit by IP (1 submission per IP)
• Required email field with validation

Maximum Protection #

• reCAPTCHA v3 or hCaptcha
• Submission limit by IP AND email (1 submission each)
• All critical fields marked as required
• Consider adding password protection for invite-only forms

Requirements #

• Your form must be saved before adding CAPTCHA fields
• For reCAPTCHA: A Google account and reCAPTCHA v3 Site Key
• For hCaptcha: An hCaptcha account and Site Key
• For Simple Math: No external requirements
• Internet connection required for reCAPTCHA and hCaptcha to function

Tips and Tricks #

• Position strategically: Place CAPTCHA near the end of your form, after other fields, to reduce abandonment
• Don’t overdo it: One CAPTCHA per form is sufficient—multiple CAPTCHAs frustrate users
• Test thoroughly: Always test CAPTCHA in preview mode before publishing
• Monitor effectiveness: Check if spam decreases after enabling CAPTCHA
• Combine defenses: Use CAPTCHA + submission limits for best results
• Consider user experience: Simple Math is most transparent, reCAPTCHA is most invisible
• Keep keys secure: Never share your reCAPTCHA or hCaptcha Site Keys publicly
• Update keys if compromised: If your Site Key is exposed, generate a new one
• Educate users: Add a note explaining why CAPTCHA is present (e.g., “To prevent spam and protect your data”)
• Check response quality: If you’re still getting spam, upgrade from Simple Math to reCAPTCHA v3

Important Notes #

• CAPTCHA validation happens before form submission—invalid responses cannot submit
• Simple Math generates a new question every time the page loads or user clicks refresh
• reCAPTCHA v3 runs invisibly and assigns a risk score to each submission
• hCaptcha may show users visual challenges (selecting images) depending on risk score
• CAPTCHA fields are automatically marked as required—users cannot skip them
• Test Mode submissions still require valid CAPTCHA completion
• CAPTCHA protection works on direct links, embeds, and preview modes
• Changing CAPTCHA type (e.g., Simple Math to reCAPTCHA) requires updating field settings
• Each form can have only one CAPTCHA field
• CAPTCHA adds minimal load time to your form (except for external services which may vary)

Common Issues & Troubleshooting #

CAPTCHA not appearing on my form

• Make sure you dragged the CAPTCHA field from the Field Palette onto your form canvas
• Check that the field hasn’t been hidden by conditional logic
• Verify your form is published or in preview mode (builder doesn’t show live CAPTCHA)
• For reCAPTCHA/hCaptcha, ensure you’ve entered a valid Site Key

reCAPTCHA showing “Site key not configured”

• You need to obtain a Site Key from Google’s reCAPTCHA admin console
• Go to google.com/recaptcha/admin and register your site
• Copy the Site Key and paste it in the CAPTCHA field settings
• Make sure you selected reCAPTCHA v3 (not v2) when registering

hCaptcha not loading or showing errors

• Verify you have a valid hCaptcha Site Key from hcaptcha.com
• Check that the Site Key is pasted correctly without extra spaces
• Ensure your internet connection is working (hCaptcha requires external server connection)
• Try refreshing the page or clearing your browser cache

Simple Math CAPTCHA accepting wrong answers

• This shouldn’t happen—verify you’re testing in preview or live mode (not builder)
• Check browser console for JavaScript errors that might be interfering
• Try refreshing the form and testing again
• If issue persists, remove and re-add the CAPTCHA field

Forms still receiving spam submissions despite CAPTCHA

• Verify CAPTCHA field is required and cannot be bypassed
• Check if spam is coming through during a brief period when CAPTCHA was disabled
• Consider upgrading from Simple Math to reCAPTCHA v3 for stronger protection
• Add submission limits by IP/email as an additional layer
• Make sure your form is published with the latest CAPTCHA settings

reCAPTCHA blocking legitimate users

• reCAPTCHA v3 assigns risk scores and occasionally blocks real users with suspicious behavior
• Users on VPNs or shared networks may trigger false positives
• Consider using Simple Math or hCaptcha for more user control
• Check Google reCAPTCHA admin console for rejection rates

CAPTCHA making my form look unprofessional

• Use reCAPTCHA v3 for invisible protection—no visible CAPTCHA widget
• For Simple Math, style the field to match your form design using custom CSS
• Position CAPTCHA near the submit button so it feels integrated
• Add explanatory text: “This helps us prevent spam and protect your submission”

Need to change CAPTCHA type (e.g., from Simple to reCAPTCHA)

• Click on the CAPTCHA field in your form
• In Field Settings, change the CAPTCHA Type dropdown
• Enter the required Site Key if switching to reCAPTCHA or hCaptcha
• Save your form and test the new CAPTCHA type

CAPTCHA field disappeared after saving

• Check if it was accidentally deleted while editing
• Look in the Field Palette and drag a new CAPTCHA field onto your form
• Verify you clicked Save after adding the field
• Check conditional logic—the field might be hidden based on conditions

Want to remove CAPTCHA protection

• Click on the CAPTCHA field in your form canvas
• Press Delete or Backspace to remove it
• Save your form
• CAPTCHA is no longer required for submissions

reCAPTCHA not working on localhost or development

• reCAPTCHA requires a registered domain—localhost may not work
• Register “localhost” specifically in Google reCAPTCHA admin
• Or test on your published FORMEPIC URL instead