This document is for an older version of

Express Forms


View latest version →

Express Forms Express Forms for Craft

Spam Protection

Express Forms offers some different options for handling spam protection to help with the management of form submissions.


Express Forms includes its own built-in Honeypot spam protection feature. This is enabled by default, but can be disabled in the Express Forms Settings area. If enabled, you can then specify the behavior Express Forms takes when a spammy submission is detected with the Spam Protection Behavior setting:

  • Simulate successful submission (recommended)
    • The form submit will appear to have worked successfully, but will not actually store any submission data.
    • The Blocked Spam counter will increment by 1.
    • An error will NOT be displayed so as not to give away the spam controls.
  • Display error messages (not recommended)
    • Useful for troubleshooting if you're experiencing some issues with submissions being flagged as spam.
  • Reload form
    • This is a less user-friendly approach to legitimate users that are having their submissions flagged as spam for some reason, but at least shows a sign that there's something wrong while not giving it away the spam controls in place.
    • No submission data will be stored for ones determined to be spammy.
    • The Blocked Spam counter will increment by 1.


For much more advanced spam protection features such as built-in Spam Folder and more, you may want to consider Freeform.

How It Works

When using form.openTag(), Express Forms will automatically insert the Honeypot field inside the form. And like a traditional honeypot field, if it contains any value, the honeypot will fail and the submission will be blocked. It will however, follow the behavior of the Spam Protection Behavior setting.

The honeypot is not a hidden field, but is positioned absolutely outside of the screen, so the field is not visible.


Express Forms includes built-in support for reCAPTCHA v2 Checkbox (more options coming soon). To enable, visit the Spam section of the Settings area (Express Forms -> Settings -> Spam).

To add reCAPTCHA to your forms, insert {{ form.recaptcha.render }} inside your form template. As soon as this is added, Express Forms detects that you want reCAPTCHA validation and it will require and validate it in that form. A complete example might look like:

<div class="form-group{% if form.recaptcha.hasErrors %} has-error{% endif %}">
  <label class="required">
    Please confirm you're not a robot...
  {{ form.recaptcha.render }}
  {{ forms.renderErrors(form.recaptcha) }}
  • When disabling the reCAPTCHA Load Script setting and adding the reCAPTCHA script manually (e.g. to change the language), you need to also add recaptcha: true to your form.openTag to get the proper reCAPTCHA validation working.
  • If you're loading an entire form via AJAX, you'll need to load the reCAPTCHA JS yourself, since it's considered insecure otherwise and the browser blocks it. You should add this script tag anywhere on your page, preferably the footer:
<script type="text/javascript" src=""></script>