Partially. WP Ghost directly protects four WordPress forms from spam: the login form, signup form, lost password form, and comments form. These get WP Ghost’s built-in brute force protection and reCAPTCHA (Math, Google V2, or Google V3). However, WP Ghost does not integrate natively with third-party contact form plugins like Contact Form 7, WPForms, Gravity Forms, or Fluent Forms. For contact forms, enable your form plugin’s built-in reCAPTCHA, add honeypot fields, or use a dedicated anti-spam plugin like Akismet or Antispam Bee. WP Ghost still helps indirectly by blocking spam bots at the firewall before they reach any form.
Which Forms WP Ghost Protects Directly
WP Ghost’s Brute Force and reCAPTCHA features integrate natively with the WordPress forms that come with WordPress itself, plus WooCommerce:
| Form | WP Ghost Protection | Where to Enable |
|---|---|---|
Login form (/wp-login.php) | Yes, with reCAPTCHA | Brute Force > Settings > Login Form Protection |
| Signup form (registration) | Yes, with reCAPTCHA | Brute Force > Settings > Sign Up Form Protection |
| Lost password form | Yes, with reCAPTCHA | Brute Force > Settings > Lost Password Form Protection |
| Comments form | Yes, with reCAPTCHA | Brute Force > Settings > Comment Form Protection |
| WooCommerce login form | Yes | Brute Force > WooCommerce > WooCommerce Support |
| Contact Form 7, WPForms, Gravity Forms, Fluent Forms | Not natively | Use the form plugin’s own reCAPTCHA or anti-spam tool |
| Elementor, Divi, custom page-builder forms | Via shortcode | Add |
How WP Ghost Helps Contact Forms Indirectly
Even though WP Ghost does not add reCAPTCHA directly to Contact Form 7 or similar plugins, it still reduces contact form spam significantly through three indirect mechanisms:
The 7G/8G Firewall blocks malicious bot traffic at the server level. Many spam bots sending form submissions are the same bots doing automated scans for vulnerabilities. The firewall catches them before they can reach any form on your site. Less bot traffic equals less form spam.
Path security hides the contact form page URL from fingerprint scans. Spam bots often find contact forms by scanning for common WordPress page structures. When your WordPress paths are hidden, those scans fail and the bot never discovers your contact page.
IP blocking and country blocking stop repeat spammers. Enable Automate IP Blocking in the firewall settings to automatically ban IPs that repeatedly trigger security rules. Enable country blocking to restrict submissions from regions that are pure spam sources for your business.
Direct Spam Prevention for Contact Forms
For direct spam prevention on contact forms, pair WP Ghost with one of these approaches:
Option 1: Your Form Plugin’s Built-In reCAPTCHA
Every major contact form plugin supports reCAPTCHA natively. Enable it inside the form plugin’s settings:
Contact Form 7: Contact > Integration > reCAPTCHA. WPForms: WPForms > Settings > CAPTCHA. Gravity Forms: Forms > Settings > reCAPTCHA. Fluent Forms: Fluent Forms > Global Settings > reCAPTCHA. You can use the same reCAPTCHA API keys across WP Ghost’s protection and your form plugin’s protection, no conflicts.
Option 2: Dedicated Anti-Spam Plugin
Akismet is the most widely used. It analyzes submission content against a global spam database and filters based on patterns. Works with most contact form plugins automatically. Antispam Bee is a free alternative with similar functionality but no external API dependency. Both plug into contact forms transparently.
Option 3: Honeypot Fields
A honeypot is a hidden form field that humans cannot see but bots will fill in. If the field has content when submitted, the form knows the submission is a bot. Most form plugins (WPForms, Gravity Forms, Fluent Forms) have honeypot as a built-in option. It is completely invisible to real visitors, which makes it a great low-friction anti-spam layer.
Option 4: WP Ghost Shortcode for Page Builders
For forms built with Elementor, Divi, or other page builders that do not integrate with WP Ghost’s brute force protection natively, you can add the shortcode to the form. This activates WP Ghost’s reCAPTCHA on that specific form. See the Elementor integration guide for a walkthrough.
The Recommended Layered Approach
For maximum contact form spam reduction, combine all three layers:
- WP Ghost handles path security, firewall, IP blocking, and country blocking. This blocks most spam bots before they even reach your contact form.
- Your contact form plugin’s reCAPTCHA (or honeypot) catches bots that are sophisticated enough to find and submit to the form directly.
- Akismet or Antispam Bee filters based on submission content for anything that makes it through the first two layers.
Each layer catches what the others miss. Combined, they eliminate the vast majority of contact form spam without affecting legitimate submissions.
Frequently Asked Questions
Can WP Ghost prevent spam on contact forms?
Not directly. WP Ghost protects WordPress native forms (login, signup, lost password, comments) and WooCommerce login with built-in reCAPTCHA. For third-party contact forms (Contact Form 7, WPForms, Gravity Forms, Fluent Forms), use the form plugin’s own reCAPTCHA, add a honeypot field, or install Akismet. WP Ghost still helps indirectly by blocking spam bots at the firewall before they reach forms.
Which forms does WP Ghost protect with reCAPTCHA?
Four WordPress forms plus WooCommerce: login form, signup form, lost password form, comments form, and WooCommerce login. Each can be toggled independently under WP Ghost > Brute Force > Settings. For Elementor, Divi, or custom page builder forms, use the shortcode.
Does WP Ghost work with Contact Form 7, WPForms, or Gravity Forms?
WP Ghost is compatible with all major contact form plugins (no conflicts), but it does not add its reCAPTCHA directly to them. Use the form plugin’s own reCAPTCHA integration, which every major plugin supports. WP Ghost’s firewall, path security, and IP blocking still reduce contact form spam indirectly by blocking bots upstream.
Can I use the same reCAPTCHA keys across WP Ghost and my form plugin?
Yes. Google reCAPTCHA keys work site-wide, so you can paste the same Site Key and Secret Key into both WP Ghost’s Brute Force settings and your form plugin’s reCAPTCHA settings. No need to create separate keys.
Does changing the comments path stop comment spam?
Yes, it stops most of it. Many comment spam bots directly POST to /wp-comments-post.php without loading your page. When that path is changed, those bots hit a 404 and spam drops immediately. For the remaining sophisticated bots that scrape your form, enable Comment Form Protection with reCAPTCHA as a second layer.
What about spam signups on registration forms?
WP Ghost covers this directly. Enable Sign Up Form Protection under WP Ghost > Brute Force > Settings. This adds reCAPTCHA to the WordPress registration form and blocks bots attempting mass fake account creation. See the spam signups FAQ for details.
Does WP Ghost modify WordPress core files?
No. WP Ghost uses WordPress hooks and filters to add protection to native forms, and server-level rewrite rules for path changes. No core files, theme files, or contact form plugin files are modified. Deactivating WP Ghost restores every default instantly.