Block contact-form spam without compromising user privacy or accessibility. Works with Contact Form 7, Gravity Forms, Formidable, Cognito Forms, JotForm, and any custom form.
The people contacting you through your contact form are, almost by definition, people who want to hear from you. They're prospects, customers, journalists, partners, applicants. The cost of a CAPTCHA that hurts conversion on this surface is direct revenue loss; the cost of spam is mostly wasted time. Getting the balance right matters more here than almost anywhere else.
This is why the TrustedCaptcha smart-click default exists. For the great majority of legitimate contact-form submitters, the experience is: click a checkbox, done. No image grid, no audio puzzle, no friction. The risk engine only escalates to a visible challenge when the signals genuinely warrant it.
Install the TrustedCaptcha WordPress plugin. From the form editor, drag in the "TrustedCaptcha" tag (or paste [trustedcaptcha] into the form template). That's it. The plugin handles the verification automatically — no PHP changes required.
The plugin adds a "TrustedCaptcha" field type to the Gravity Forms field picker. Drag it into any form. Validation runs automatically on submit. No code required.
All three popular form builders are supported by the plugin via their standard validation hooks. Drop the field in via the visual builder.
Hosted form builders that don't run on your own server require a different integration pattern. Most of them support a "redirect on submit" or "webhook on submit" feature; configure that to POST to a small endpoint on your own server which performs the TrustedCaptcha verification before processing the form. Sample webhook receiver:
// /verify-captcha-webhook.php
$token = $_POST['trustedcaptcha-response'] ?? '';
// ...verify, then forward to your real form-handler if successful<form method="POST" action="/contact">
<input type="email" name="email" required>
<textarea name="message" required></textarea>
<div class="trustedcaptcha" data-sitekey="0x..."></div>
<button>Send</button>
</form>If your form is a pure HTML form posting to a backend with no client-side JS, you can use TrustedCaptcha's invisible PoW mode with a tiny shim. The widget computes the proof of work and submits the token in a hidden field; your server verifies it. This is the "graceful degradation" path for users with strict NoScript settings — the smart-click default falls back to a visible math challenge automatically.
In typical contact-form deployments, customers report: spam reduced by 95–99%, false-positive rate (legitimate submissions blocked) under 0.5%, and median additional friction of zero (smart-click passes most users without a visible challenge). Time-to-value: under five minutes from signup to deployed.
Auto-detects from <html lang>, override with data-language. Currently: en, de, fr, es. Other languages fall back to English.