Spam Protection for Forms

Captchas & Co.

Poorly protected forms are one of the most popular targets for spammers. Many website operators have had painful experiences with this.

The use of captchas as spam protection is quite controversial. In addition, users often find the captchas to be just a hindrance. In this situation, Visforms now offers an alternative way to prevent spamming via forms. No captchas need to be entered here. You will not find this elegant protection in any other Joomla form component.

Note: Visforms comes with its own spam protection plugin.

On our own website we use only our spam protection plugin to protect the forms. With this alone, we usually receive a contact form containing spam less than once a month. As website operators, we are completely satisfied with this. Operating the spam protection plugin causes us almost no maintenance work, because the actual work is done elsewhere and not by us at all.

The Visforms spam protection plugin

Online databases

In the fight against spam and spammers, various online spambot databases have been established on the Internet. These services of the so-called blacklist providers can be used free of charge to operate effective spam protection on your own website. These special web applications are actively searching for spammer IPs and spammer email addresses on a continuous basis. In some cases, they also accept suspected cases from those affected and check them for spam behavior. The results are stored in publicly accessible databases.

Spammers' IPs and email addresses change frequently and constantly. That's why no single database lists all active spammers. That is in the nature of things; if there were such a database, there would be no more spam problems.

Only hours to find and list

The online spambot databases are extremely effective in practice. New spammer IPs and spammer email addresses are usually found within a few hours and listed immediately. Therefore, using the databases offers a very high level of protection. Querying several of these databases is exactly what our Visforms spam protection plugin does.

Sometimes spammers manage to find a whole new way to spread their spam. Then it can happen that the spammers get past the online spambot databases for several days. In this case, you can simply temporarily add a captcha to the form. Adding a captcha is just a small configuration intervention with Visforms.

Spam protection plugin enabled by default

Note: The use of the spam protection plugin is activated by default and set up with sensible default settings.

It checks the sender’s IP by default. And if the form has an Email type field, by default it also checks the entered email address against the stopforumspam.com and SpamCop.net databases.

Another good spambot database is the ProjectHoneyPot.org database. However, this database requires its own free access key before it can be used. Therefore, it is not possible to enable ProjectHoneyPot.org by default.

All settings are form-specific

You can adapt all the settings for the spam protection plugin to your requirements separately for each form in the form configuration under the “Spam protection” tab.
The spam protection plugin also offers you the option of creating a whitelist and a blacklist.
The whitelist is a list of email addresses or IP addresses that will never be blocked.
The blacklist is a list of email addresses that are always blocked.

Peculiarity of sorbs.net

The provider sorbs.net has the peculiarity that it sometimes classifies entire IP sub-networks as spam. It sometimes does this even if there is only one IP within the sub-network from which spam is sent. According to Visforms users, this leads to far too many IPs being blocked under unfavorable conditions. At the moment we are in the process of following up these indications further.

Note: We currently advise against using sorbs.net as a provider if you experience such problems.

Special features of the email whitelist

Only in exceptional cases

In principle, it should only be necessary to put people on a whitelist in exceptional cases. If a large number of your users are blocked by the plugin by mistake, you will need to adjust the plugin settings. In particular, the providers used are decisive. See also “Peculiarity of sorbs.net” above.

Email Whitelist offers two formats

It is occasionally necessary or desirable to whitelist certain users.
The email whitelist offers you two structurally different formats:

  • as a domain based list, i.e. a list of domains
    in the format @domain1.com,@domain2.com, or
  • as a list of email addresses
    in the format of complete email addresses, separated by commas.

First set the format

You must first specify which format you want to use with the “Email whitelist is domain based” option. This option used to be called “Allow generic email in whitelist?”. You can then enter a comma-separated list of addresses in the correct format in the “E-Mail Whitelist” field. It is not possible to mix the two formats.
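How the two whitelist formats described above can be parsed and matched, as an added example that is not Visforms code. The function names, the trimming and case-insensitive comparison, and the exact match on the part from "@" onward are assumptions of this example; the sample addresses are constructed.

```javascript
// Added example, not Visforms code. Assumptions: entries are trimmed and
// lower-cased; a domain entry must equal the address part from "@" onward.
function parseEmailWhitelist(field, domainBased) {
  const entries = field.split(",").map((e) => e.trim().toLowerCase()).filter(Boolean);
  for (const entry of entries) {
    const isDomain = entry.startsWith("@");
    const at = entry.indexOf("@");
    const wellFormed = isDomain
      ? entry.length > 1 && entry.indexOf("@", 1) === -1
      : at > 0 && at === entry.lastIndexOf("@") && at < entry.length - 1;
    if (!wellFormed) throw new Error(`malformed whitelist entry: ${entry}`);
    // The two formats cannot be mixed: every entry must fit the selected one.
    if (isDomain !== domainBased) {
      throw new Error(`entry "${entry}" does not fit the selected format`);
    }
  }
  return { domainBased, entries: new Set(entries) };
}

function isWhitelisted(email, whitelist) {
  const addr = String(email).trim().toLowerCase();
  const at = addr.lastIndexOf("@");
  if (at <= 0) return false; // not an address, so never whitelisted
  // Domain-based: compare "@domain"; address-based: compare the whole address.
  const key = whitelist.domainBased ? addr.slice(at) : addr;
  return whitelist.entries.has(key);
}

// Constructed sample configuration in both formats.
const byDomain = parseEmailWhitelist("@domain1.com, @Domain2.com", true);
const byAddress = parseEmailWhitelist("alice@example.com,bob@example.org", false);

console.log(isWhitelisted("Anyone@DOMAIN1.com", byDomain));    // whole domain is exempt
console.log(isWhitelisted("user@mail.domain1.com", byDomain)); // subdomain is not listed
console.log(isWhitelisted("carol@example.com", byAddress));    // only listed addresses pass
```

A domain-based entry exempts every address at that domain from the check, so the address format is the narrower choice when only a few senders need to be exempt.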

Difference between adjustment layers

Settings that you make in the global configuration for Visforms act as a template for defaults. They serve as a generation template when you create a new form and are only used at this point in time. Only the current settings from the form configuration are used when someone submits the form.

Show captchas in the form

Visforms supports both its own captcha and the Google Recaptcha favored for Joomla 4.
To use the Visforms Captcha, a simple setting in the form configuration is sufficient.
In order to use the Google Recaptcha option, the Joomla Recaptcha plugin must also be activated and correctly configured in the Plugin Manager.

Alternative or cumulative

Captchas and spam protection plugin can be used alternatively or cumulatively (simultaneously). The settings are form options that you make in the form configuration on the “Spam protection” tab. They can therefore be set individually for each form.

Activate on the “Spam protection” tab

The use of captchas is activated via the “Use captcha” option in the form configuration on the “Spam protection” tab. The “Use captcha” option offers three settings:

  • No
  • Visforms Captchas
  • Recaptcha Plugin (for using the Google Recaptcha)

Special features of the Visforms Captcha

Compared to the Google Recaptcha, the Visforms Captcha is a little easier to decipher with the same security, making it more effective for the user.

It can be configured in a variety of ways for each individual form, including:

  • Choice between text task or arithmetic task,
  • choice of the degree of illegibility of the image,
  • and many other features.

The Visforms Captcha is completely GDPR-compliant.
In particular, the following points contribute to ensuring absolute conformity:

  • It does not use any external platforms, such as Google.
  • It does not store any data.
  • The code for the Visforms Captcha comes 100 % from Visforms and is not a third-party extension.
  • There are no external interfaces whose changes we cannot control.

When using Visforms Captchas, the following two pitfalls do not occur.

Note: The Google Recaptcha was developed so that only one captcha can be displayed per page.

You can display Visforms forms as a module, in an article or as a component. The Google Recaptcha can also be used in the Joomla login and Joomla contact forms. So it’s easily possible that you generate a page that requests more than one Google Recaptcha. However, this doesn’t work in practice due to the lack of multi-instance capability of Google Recaptcha. Please ensure by configuring modules and components that only one Google Recaptcha form is displayed per page.

Note: The Google Recaptcha comes with a fixed width that can hardly be influenced.

This fixed width of the Google Recaptcha can mean that forms do not fit into the module area of your website.

Peculiarities of the Google Recaptcha Plugin

Activate plugin and enter your keys

Recaptcha is a free service from Google and is known for its very high level of security. You need two access keys from Google before you can use this service. Joomla has chosen to include this captcha system as a default in the CMS. It is made usable via a “Captcha” type plugin. You must activate this plugin and enter your access keys there before you can use a recaptcha in the form. Information on how to get the access keys can be found directly in the Joomla plugin.

Appearance set by Google

Note: The appearance of the recaptcha is determined by Google and there are few options for influencing the size of the captcha. If you use a form with recaptcha in a module, the recaptcha may not fit in it.

Not “multi-instance capable”

Important: Google Recaptcha is not “multi-instance capable” by default. This means that only one form using a recaptcha can be displayed on a specific page at a time.

However, you can display multiple forms on one page using the Visforms Captcha. And you can display one form with Recaptcha plus other forms with Visforms Captchas on one page. Several forms can be on one page, for example, if you display forms in modules and display several such form modules on one page.

Other captcha settings

In the form configuration in the Spam protection tab you can also assign an individual Captcha label or suppress the display of the label for the Captcha. The individual Captcha label is used instead of the default label “Captcha”.
You can also assign an individual Captcha Tip Text. This is displayed when the user moves the mouse over the input field of the captcha.
You can also assign an individual error message. This is displayed if the user forgets to enter the captcha.

You will also find a large number of options for the Visforms Captcha in the form configuration under the “Spam Protection” tab, with which you can configure this Captcha. For example, you can specify that a mathematical captcha is displayed instead of text.

The invisible reCaptcha

Joomla has added another Captcha with version 3.9, the so-called ‘invisible reCaptcha’. Please note that Visforms does not support this captcha. Due to the way this new captcha was implemented in Joomla, there are incompatibilities with Visforms. This happens when you activate the invisible reCaptcha in your Joomla installation and activate a Visforms Captcha in Visforms at the same time!

Reasons against integrating further captchas

Many Captcha versions

There are many Captcha versions. Visforms supports the Google ReCaptcha supplied with Joomla and Visforms’ own Captcha. Visforms also includes the Visforms spam protection plugin.

From time to time there is a request as to whether we could also integrate this or that captcha into Visforms.
We have decided against integrating further captchas for the following reasons:

  • Experience has shown that the integration is complex, especially the clean display across all supported UI frameworks.
  • The Captcha integration is a very high maintenance part of Visforms.
    This is also due to the fact that the Captcha interfaces unfortunately change quite frequently.
  • Captchas are generally perceived as annoying by website users and should be avoided if at all possible.
  • If the Visforms spam protection plugin is not sufficient, in our experience spambots can be stopped very effectively with simple means,
    for example by adding a custom validation to a form field.

More options

The measures shown above are far-reaching and effective in that they largely protect the forms from spammers. There are also other simple ways to further intensify protection. The following examples show how spam protection can be further improved individually with little additional configuration effort.

Use of custom validation

This is particularly easy if you have a mandatory “first and last name” field. You can add custom validation there. This checks and ensures that the text entered contains a space.

This requirement does not affect the use of the form by real users at all. At the same time, in our experience, spambots absolutely fail at this simple hurdle.

The regular expression for this validation is: ^\S+\s+.*\S$

You can round off the feature with a suitable custom error message: Please enter your first and last name.
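The pattern above applied to constructed inputs, as an added example that is not part of Visforms. It shows which values the expression accepts and why it refuses the others; the function names are hypothetical, and the example assumes the field value reaches the pattern untrimmed.

```javascript
// Added example, not Visforms code. FULL_NAME is the pattern quoted in the text.
const FULL_NAME = /^\S+\s+.*\S$/;

// Returns { ok, reason } so a handler can report or log why a value was refused.
// Assumption: the value is tested exactly as submitted (no prior trimming).
function checkFullName(raw) {
  const value = typeof raw === "string" ? raw : "";
  const trimmed = value.trim();
  if (trimmed === "") return { ok: false, reason: "empty" };
  if (FULL_NAME.test(value)) return { ok: true, reason: "accepted" };
  if (FULL_NAME.test(trimmed)) {
    // The pattern anchors on non-whitespace at both ends of the value.
    return { ok: false, reason: "leading or trailing whitespace" };
  }
  return { ok: false, reason: "no whitespace between tokens" };
}

// Constructed sample submissions: real-looking names and typical one-token fills.
const SAMPLES = [
  "Ada Lovelace",
  "José Ángel Ruiz",
  "J S",
  "Ada\tLovelace",
  "RobertTaite",
  "https://example.invalid/offer",
  "Ada Lovelace ",
  "   ",
];

function rejected(samples) {
  return samples.filter((s) => !checkFullName(s).ok);
}

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), checkFullName(s));
}
```

A name typed with a trailing space is refused by the pattern as written, so trimming the value before validation keeps the hurdle invisible to real users.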

Set up your own spambot honeypot

A common and popular method is the individual and form-specific honeypot for automated spammers.
A ready-made example is available in the very flexible Frontend Webassets section: Setting up a spambot honeypot.