WordPress Security
WordPress Security

How to stop spam form submissions on your WordPress

Enable spam protection for WordPress forms with Cerber anti-bot engine and block form submissions from specific countries


WP Cerber Security enables you to protect all contact forms on a website. The anti-spam engine is compatible with virtually any form. Tested with Caldera Forms, Gravity Forms, Contact Form 7, Ninja Forms, Formidable Forms, Fast Secure Contact Form, Contact Form by WPForms, and WooCommerce forms.

WP Cerber’s anti-spam engine is a great alternative to Google’s reCAPTCHA.

Enabling the anti-spam engine

To enable spam protection, go to the Anti-spam plugin admin page and enable Protect all forms on the website with bot detection engine.

In most cases, the anti-spam protection works fine with default settings. But as a professional solution, Cerber offers several options to fine-tune its anti-spam algorithms.

Block form submissions from specific countries

The professional version of WP Cerber enables you to configure a set of GEO rules that allow you to permit or block form submissions from a configurable list of countries. If you want to be in touch with people in several countries only, this is the right way. Get the professional version of WP Cerber here. Note that these settings affect all forms on your website except the standard WordPress registration form. To create the list of countries:

  1. Go to the Security Rules admin page and click the Countries tab.
  2. Click Submit forms.
  3. Create a list of countries by clicking on the country name in the left window. Selected countries are listed in the right window. To remove a country from the list, click on the country name in the right window.
  4. Once you’ve created the list, set its type. If you want to block form submissions from the selected list of countries, click Selected countries are not permitted to Submit forms, other countries are permitted to. If you want to allow form submissions, click the second option Selected countries are permitted to Submit forms, other countries are not permitted to.
  5. Click the Save all rules button.
Restrict form submissions on WordPress with country GEO rules

Restrict form submissions on WordPress with country GEO rules

Block form submissions from specific IP addresses

To completely block form submissions from a given IP address or an IP network or any combination of them, add them to the Black IP Access List. Keep in mind that entries in both IP access lists have the highest priority which means they are processed before any other security rules and plugin settings. Know more: Using IP Access Lists for protecting WordPress.

Exceptions for a set of IP addresses and IP networks

You can set up exceptions for a given IP address or an IP network or any combination of them by adding them to the White IP Access List. Know more: Using IP Access Lists for protecting WordPress.

Exceptions for specific HTTP requests

Usually, you need to configure anti-spam exceptions if you use a technology that communicates with your website by submitting forms or sending POST requests programmatically. In such cases, Cerber’s anti-spam engine can block legitimate requests because it recognizes them as generated by bots. This leads to false positives, which you can see on the Activity tab. Such log entries are marked as Spam form submission denied.

Read more on how to configuring URL-based exceptions

Disable anti-spam inspection for logged in users

If you trust your logged-in users, you can disable the anti-spam inspection for all of them. The users will be able to submit any form, including comments, without an anti-spam check.

Safe anti-spam mode

If you come across some incompatibility with another plugin or theme, you can enable a special mode that tells the plugin to use less restrictive policies when it detects spam. The safe mode makes it compatible with the rest of the plugins and themes. Use it with caution.

Is Cerber anti-spam engine compatible with reCAPTCHA?

Absolutely. The spam detection engine is compatible with any captchas, including reCAPTCHA that you can activate in the plugin settings. Please note: activating reCAPTCHA for the login form doesn’t protect a website from hackers.

How does the anti-spam engine work?

The Cerber spam protection engine uses the combination of JavaScript, jQuery, and cookies to understand is it a real browser, and is it a real form that has been submitted by clicking a submit button by a human. Also, to make a decision, the plugin tracks all suspicious and malicious requests from an IP address by using its Activity log.

How to stop spam user registrations on your WordPress?

Cerber Security has five anti-spam and antibot options, which can be enabled simultaneously to stop the registration spam nightmare.

Follow this guide: How to stop spam user registrations on your WordPress.

Let’s sum up the capabilities of Cerber anti-spam engine

  • You can set up anti-spam protection for WordPress registration form and comments, for contact and WooCommerce forms
  • You can permit or deny form submissions from specific countries by configuring GEO rules *
  • You can set up exceptions for IP address, network, or a specific request URI
  • If something goes wrong, you can enable safe anti-spam mode
  • You can enable reCAPTCHA and Cerber anti-spam protection at the same time
  • You can get notifications on email or mobile phone about spam activity
  • Performance of the anti-spam engine can be monitored on the Activity tab

Have any questions?

If you have a question regarding WordPress security or WP Cerber, leave them in the comments section below or get them answered on the community forum.

Spotted a bug or glitch?

We’d love to fix it! Share your bug discoveries with us here: Bug Report.


I'm a software engineer and team lead at Cerber Tech. I started coding in 1993 on IBM System/370 and today software engineering at Cerber Tech is how I make my living.

View Comments