Multi-layer anti-spam protection for WordPress forms. No CAPTCHA required.
SPAM SHIELD
Now Available on WordPress.org
Stop WordPress Form Spam Before It Reaches Your Inbox
Spam Shield Pro blocks bots, direct HTTP attacks, and spam submissions across every form on your WordPress site — no CAPTCHA, no friction, no monthly API fees.
No CAPTCHA Required
Works With Every Form Plugin
No External API
GDPR Friendly
62
0
100%
Bots Don't Use Browsers. Your Plugin Probably Doesn't Know That.
Standard anti-spam plugins rely on JavaScript to stop bots. But modern spam bots bypass the browser entirely.
Direct HTTP Attacks
Bots skip your JavaScript entirely and POST straight to your server. Most plugins never see them coming because they only monitor browser activity.
Rotating Bot Networks
Each attack comes from a different IP address. Blocking one IP means nothing when there are thousands of proxies hitting your forms simultaneously.
Plugin-Specific Gaps
Contact Form 7, Gravity Forms, WPForms — most anti-spam solutions only protect one plugin at a time, leaving your other forms completely vulnerable.
Two Layers of Protection. One Plugin.
We don’t just protect the browser. We protect the server. If a bot bypasses one layer, the other catches it.
Step 1: Browser
JS Validation fires instantly on form submit — checks field rules, global words, timing, honeypot before data leaves the browser.
Step 2: Server
PHP Intercept catches every POST — even bots that skip JavaScript entirely — validates HTML injection, IP blocklist, rate limiting, global words.
Step 3: Block/Log
Blocked submissions are logged with IP, field, reason, and payload — clean entries pass through normally to your inbox.
Even if a bot bypasses JavaScript, the server layer catches it. Even if it bypasses your form plugin’s AJAX endpoint, we catch that too.
Every Layer of Protection, Built In
Comprehensive spam defense without the bloat. Choose the tier that fits your needs.
Free
Core Protection
Field-Level Rules
Block specific words, set min/max character and word counts per field. Targets the exact name="" attribute of any HTML input.
IP Blocklist
Manually ban any IP address permanently or for a set duration. Confirmed attackers never get through again.
Blocked Submissions Log
Every blocked attempt is recorded with IP, timestamp, field name, reason code, and sanitised payload for investigation.
Frontend JS Validation
Instant client-side blocking before form data leaves the browser. Works on all forms automatically via MutationObserver.
Direct Bot POST Detection
Catches bots that skip JavaScript entirely by validating all POST requests at the PHP level, not just browser submissions.
HTML Tag Injection Block
Automatically blocks any submission containing HTML tags like
, , — the #1 sign of a direct bot POST.
Pro
Advanced Defense
Honeypot Protection
Invisible hidden field injected into every form. Real users never see it. Bots fill it. Instant block.
Submission Timing
Block submissions under 5 seconds (bots are instant). Optionally block stale sessions too. Fully configurable.
Rate Limiting
Limit submissions per IP within a rolling time window. Auto-ban IPs that exceed your blocked-attempt threshold.
Global Blocked Words
One list blocks words/phrases across every field on every form site-wide. No per-field rules needed.
Content Checks
Block all-caps submissions, repeated characters (aaaaaa), disposable email addresses, and URLs/links in any field.
Advanced Log with Payload Viewer
See exactly what the bot submitted. Full sanitised POST data viewable per log entry. Export ready.
Real Numbers From a Real Site Under Active Bot Attack
Real Numbers From a Real Site Under Active Bot Attack
Live Blocked Submissions Log
| Timestamp | IP Address | Reason Code | Trigger Field | Status |
|---|---|---|---|---|
|
10:42:15 AM |
192.168.1.105 |
html_injection |
message |
BLOCKED |
|
10:41:03 AM |
45.22.19.88 |
global_word |
subject |
BLOCKED |
|
10:38:22 AM |
103.44.21.9 |
ip_blocked |
N/A |
BLOCKED |
|
10:35:11 AM |
88.192.4.55 |
rate_limit |
N/A |
BLOCKED |
|
10:31:45 AM |
201.14.99.2 |
too_fast |
email |
BLOCKED |
“62 bot attempts blocked in under 60 minutes. Zero spam in the inbox.”
How Spam Shield Pro Compares
See why we’re the most comprehensive self-hosted anti-spam solution.
| Feature | Spam Shield Pro | Akismet | CleanTalk | OOPSpam | WP Armour |
|---|---|---|---|---|---|
|
Works with ALL form plugins |
 |
 Limited |
|
Limited |
 CF7 only |
|
No CAPTCHA required |
|
|
|
|
|
|
No external API dependency |
|
|
|
|
|
|
No monthly API fees |
|
$9.95/mo |
$12/yr |
API-based |
|
|
Blocks direct HTTP bot POSTs |
|
|
|
|
|
|
HTML tag injection detection |
|
|
|
|
|
|
Per-field word + length rules |
|
|
|
|
|
|
IP blocklist with auto-ban |
|
|
|
|
|
|
Rate limiting |
Pro |
|
|
|
|
|
Honeypot |
Pro |
|
|
|
|
|
Submission timing check |
Pro |
|
|
|
|
|
Global word blocking |
Pro |
|
|
|
|
|
All-caps + repeated char detection |
Pro |
|
|
|
|
|
Disposable email blocking |
Pro |
|
|
|
|
|
Blocked submissions log |
|
|
|
|
|
|
GDPR compliant, data stays on server |
|
|
|
|
|
|
Free version available |
|
personal only |
|
|
|
|
One-time / annual pricing |
$39/yr or $99 lifetime |
monthly |
$12/yr |
API |
free only |
Simple, Transparent Pricing
No API keys. No usage limits. No per-site fees. Your data never leaves your server.
Spam Shield Free
$0 / forever
Available on WordPress.org
Field-level blocked word rules
Min/max character and word count per field
IP blocklist (manual ban)
Blocked submissions log
Frontend JavaScript validation
Direct bot POST detection
HTML tag injection blocking
Works with every form plugin
Most Popular
Spam Shield Free
$39 / year
Everything in Free, plus:
Everything in Free
Honeypot protection
Submission timing (bot speed check)
Rate limiting + auto-ban
Global blocked words (site-wide)
All-caps + repeated character detection
Disposable email blocking
Block links/URLs globally
Advanced log with payload viewer
Priority support
30-day money back guarantee • Cancel anytime • 1 site licence
Frequently Asked Questions
Yes. Spam Shield Pro works with every HTML form on your WordPress site. It hooks into form submissions at the PHP level, not through a specific form plugin’s API. This means it protects Contact Form 7, Gravity Forms, WPForms, Elementor, Ninja Forms, Formidable, and any other form plugin automatically.
No. The plugin is entirely self-hosted with zero external API calls. The JavaScript file is lightweight (~5KB) and deferred. Server-side validation runs in microseconds. No third-party requests, no latency.
No. Spam Shield Pro is 100% invisible to real users. No puzzles, no checkboxes, no “I am not a robot”. Protection is completely behind the scenes.
Every blocked submission is logged in your WordPress database with the IP address, timestamp, field name, reason code, and a sanitised copy of the POST data. Nothing is sent to external servers.
The Free version gives you field-level rules, IP blocking, a blocked log, and direct bot POST detection — solid protection for most sites. Pro adds the advanced layers: honeypot, timing checks, rate limiting, global word blocking, content pattern detection, and the full payload log viewer.
Yes. All data stays in your WordPress database. No submission data is sent to external servers. Sensitive fields (passwords, card numbers) are automatically stripped before logging.
Check your Blocked Log — it shows exactly which rule triggered and what was submitted. You can then adjust or remove that rule. The log also includes the full (sanitised) payload so you can diagnose false positives immediately.
The base Pro licence covers 1 site. Multi-site and agency licences are available on request. The Free version has no site limit.
Full Documentation
Complete setup guide, configuration reference, troubleshooting, and developer notes.
Installation Guide
Configuration Reference
Troubleshooting
Developer Notes
Learn More About WordPress Spam Protection
Deep dives into how modern spam bots work and how to stop them.
How Bots Bypass JavaScript and Post Directly to WordPress Forms
Most WordPress spam plugins only validate forms in the browser. Here's why that's not enough — and how Spam Shield Pro catches direct HTTP bot POSTs that never touch your JavaScript.
Target: wordpress form spam no javascript
Gravity Forms Spam Protection: Why Your Current Plugin Isn't Enough
Gravity Forms submits via admin-ajax.php. Most anti-spam plugins treat admin-ajax as a trusted endpoint. We don't — and that's why bots keep getting through even with protection enabled.
Target: gravity forms spam bot direct post
WordPress Anti-Spam Without an API Key, Monthly Fee, or External Server
CleanTalk costs $12/year. OOPSpam requires API calls. Akismet sends your data to Automattic's servers. Spam Shield Pro runs entirely on your own WordPress install — no API, no fees, no data leaving your server.
Target: wordpress spam plugin no api key
Ready to Stop the Spam?
Join hundreds of WordPress site owners who stopped bot spam today