Tag: security

If you’re planning to become a WordPress developer, you’ll come across something called ‘REST API.’ This is an interface that expands the functionality of WordPress and enables you to connect the platform with other applications. Some developers find it really helpful as part of their process — especially if they’re looking to implement advanced functionality. 

Fortunately, you don’t need to be an experienced developer to gain expertise with the WordPress REST API. Once you have a solid understanding of the interface and how it works, you can easily implement it into your web-building projects.

In this post, we’ll provide an in-depth guide to the WordPress REST API. We’ll discuss what it is, how to use it, and how to protect it against threats. We’ll also show you how to fix common REST API errors, how to use the interface with other frameworks, and how it compares to other WordPress API solutions.

What is the WordPress REST API?

To understand the WordPress REST API, we’ll need to break down its various components. Let’s start with an introduction to APIs.

What is an API?

An application programming interface (API) is a program that enables two applications to communicate with one another. It serves as an intermediary between two pieces of software, facilitating a seamless collaboration. 

For example, if you wanted to display a Google product on your site, like maps, you’d need to use the Google Maps API.

This enables your WordPress site to communicate with Google Maps, so it can pull all the relevant data and features needed to display those maps. 

Like Google, other companies have APIs and provide them to web developers. These products can be very appealing, as they eliminate the need to code a feature (like a map) from scratch. Instead, you can use third-party software and connect it to your site via API.

What is REST?

Representational State Transfer (REST) is a set of guidelines that developers must follow when creating APIs. Therefore, a REST API is an interface that was built with these standards in mind.

Typically, a REST API follows these principles:

• Client-server separation: The API should enable the client (or website) and the server to remain separate from one another and continue functioning independently of each other.
• Caching: REST APIs should use cacheable data, when possible, to improve performance and let the website know which information can be cached.
• Statelessness: REST APIs can’t store any information about the website they’re connected to on their server, and only the information needed to process a request should be provided.
• A uniform interface: Requests for resources should be processed in the same way, regardless of their origin. 
• Layered architecture: REST APIs are built around a layered system, with each layer fulfilling a specific role and working separately from others. This makes the API more secure and easier to update.

Since a REST API meets these standards, it can provide more security and efficiency. 

What does the WordPress REST API do?

WordPress has its own REST API. This enables the platform to communicate with almost every other web application and website, regardless of the programming language they use.  

With this API, a third-party app will be able to access your WordPress database and pull data from it. In fact, most WordPress plugins and themes use the platform’s REST API to function properly. 

The WordPress REST API was released as part of the core software in version 4.7. Before then, it was only available as a plugin.

While the WordPress software is built with PHP, the REST API sends and receives data as JSON (JavaScript Object Notation) objects, which opens up new possibilities for developers.

What are the most common REST API commands?

REST APIs are designed to receive and respond to particular requests via HTML commands. 

The most common commands you’ll use are:

• GET: You can use this command to fetch a particular resource from the server, like a post or piece of data. 
• POST: This command lets you modify a resource on the server by adding code.
• PUT: With this command, you can edit a resource that’s already on the server.
• DELETE: This command removes a resource from the server.

These commands are followed by a line that gives more information about the request. These are known as endpoints.

For instance, if you wanted to retrieve a list of published posts on your site, you would use the following endpoint:

GET http://mysite.com/wp-json/wp/v2/posts/?status=published

Let’s look at another example. If you want to add a new page, you would use the following command:

POST http://mysite.com/wp-json/wp/v2/posts/page

There are many things you can do with these four commands. You can find a list of endpoints on the WordPress Developer Resources page. 

Real-world examples of the WordPress REST API

Now that you have a basic understanding of how the WordPress REST API works, let’s look at some real-life examples, starting with WordPress.com.

The WordPress.com admin dashboard (called “Calypso”) is built entirely in JavaScript through the REST API.

Calypso is a web and desktop app that enables users to add new content, edit existing posts, and more. It uses the REST API to access the data on your WordPress.com site. 

Another example is the Block Editor. In self-hosted WordPress, the Block Editor uses the REST API to interact with your database and create blocks.

Many online publications like USA Today also use the WordPress REST API. This enables them to automatically publish articles on other news apps, like Apple News. 

How to enable and disable the REST API in WordPress

You don’t need to do anything to enable the REST API — it comes built into WordPress. Later in the post, we’ll show you how to access it.

While the REST API is a powerful tool for building apps with WordPress, it can make your site susceptible to Distributed Denial-of-Service (DDoS) attacks and malware. Plus, hackers might be able to access your data through the connection with other apps. 

Disabling the WordPress REST API is not recommended. That’s because doing so can lead to issues with the Block Editor and any plugins on your site.

If you still want to go ahead and disable it, the easiest way to do this is with a plugin like WPCode.

Once you install and activate the plugin on your site, navigate to Code Snippets → Library in your WordPress dashboard.

Here, look for an option called Disable WordPress REST API. When you find it, hover over it and select Use snippet.

This will launch a page with a preview of the code.

If you scroll down to the Insertion box, you can select the Auto-Insert option so that the plugin will automatically apply this code to your site.

Then, scroll back to the top and move the toggle switch from Inactive to Active. Finally, click on Update to make these changes live. 

How to use the WordPress REST API

Now, let’s look at how to use the WordPress REST API. We’ve already covered some examples above, but in this section we’ll show you exactly how to access and fetch data. 

Step 1: Access the REST API

If you want to fetch data from a live WordPress site, you can access the REST API straight from your browser. All you have to do is enter the following address into the search bar (substituting in your own domain name and extension):

mysite.com/wp-json/wp/v2

This will bring up the JSON file of your WordPress site.

You can then add elements to this URL to access specific data, as we’ll show you in the next step.

Step 2: Make requests to the REST API

As we mentioned earlier, you can use endpoints to access particular data on your site. If you want to retrieve a list of all your posts, simply add the endpoint /posts to your address:

mysite.com/wp-json/wp/v2/posts 

If you want to retrieve a specific post, you can just add its ID (you’ll find this on the Posts page in your WordPress dashboard):

mysite.com/wp-json/wp/v2/posts/4567

Meanwhile, if you want to fetch data about your users, you would use the following request:

mysite.com/wp-json/wp/v2/users

These are just simple examples, but there’s a lot more you can do. For instance, you can fetch posts that contain specific terms, change a post’s status from “draft” to “publish,” and more. 

Step 3: Authenticate your requests

The WordPress REST API enables you to fetch any type of data on your website, but not all of it is publicly available. In some cases, you’ll need to authenticate your request. 

To make authenticated requests to the WordPress REST API, you’ll first need to obtain an API key. To do this, navigate to Users → Profile in your WordPress dashboard.

Then, scroll down to the Application Passwords section. Here, you’ll need to enter a name for your password (for reference) and click on Add New Application Password.

This will generate an API key for you, which you’ll need to use in your requests. For instance, if your API key is “1234567890,” you can include it in an Authorization header like this:

https://mysite.com/wp-json/wp/v2/posts?Authorization=Bearer1234567890

Remember to replace the code 1234567890 with the API key you’ve copied and remove any spaces. 

You can also retrieve a list of posts written by a particular author, with their user ID. You can find their ID by going to the Users section in your WordPress dashboard and clicking on the author’s name. The ID will be displayed in the URL of their author page.

Let’s say an author’s name is “Joe” and their ID is “123.” In this scenario, you can use the following URL to retrieve a list of all posts written by Joe:

https://mysite.com/wp-json/wp/v2/posts?author=123&Authorization=Bearer1234567890

If you can’t find the user’s ID, their profile might have been modified in such a way that the ID is no longer displayed. In this case, you can retrieve a list of all posts written by the user using their login name or email address instead of the ID.

To do this, you’ll have to use the “slug” parameter instead of the “author” parameter in your request:

https://mysite.com/wp-json/wp/v2/posts?slug=joe&Authorization=Bearer1234567890

The “slug” parameter enables you to specify the user’s login name or email address. The WordPress REST API will return a list of all posts written by the user.

When to use the WordPress REST API

The WordPress REST API can be used for a wide range of projects. Here are a few examples:

• Integrating a WordPress site with a mobile app. If you’re a developer, you can use the REST API to retrieve and edit data on a WordPress site from a mobile app. This enables you to build custom apps that interact with your site.
• Creating custom integrations. Using the WordPress REST API, you can create custom integrations with other software like CRM tools.
• Building custom scripts. You can use the REST API to automate certain tasks on your WordPress site, like scheduling posts or updating user profiles.

As you can see, the REST API enables you to integrate WordPress with apps or sites built on other platforms. 

When not to use the WordPress REST API

While the WordPress REST API can be a powerful tool, it may not always be the right one for your project. Let’s look at a few reasons why you might not want to use it. 

As you may recall, the WordPress REST API is built with JavaScript. Therefore, if you’re developing an app that doesn’t support JavaScript, it won’t function properly if you’re using the REST API. 

Additionally, apps built on JavaScript may not be very accessible. For instance, the way it renders dynamic content may be incompatible with screen readers. As a result, it could make your content inaccessible to users with visual impairments.

How to secure the WordPress REST API from exploits

As mentioned earlier, using the WordPress REST API can make your site vulnerable to threats. The API acts as a bridge between two platforms, and hackers may find a way into your website through this connection.

As such, before you start using the WordPress REST API, it’s important to create a backup of your WordPress site. This way, if something goes wrong, you can restore a recent version of your content. 

Additionally, you’ll want to make sure that you have sufficient security measures in place. This means using a tool like Jetpack Protect.

This plugin comes packed with security features, including malware scanning, vulnerability scanning, and a web application firewall (WAF).

Furthermore, it’s a good idea to use the REST API on a WordPress staging site before making your changes live. This way, if you accidentally break your website, it won’t affect the user experience on the front end. 

How to fix common REST API errors and issues

You may run into some errors when using the WordPress REST API. So, let’s look at some of the most common issues and the steps you can take to resolve them.

Slow response times and timeouts

When calling the WordPress REST API, you may encounter slow response times and timeouts. These issues are usually caused by the following factors:

• Insufficient server resources. Your server might not have enough resources to handle requests made through the REST API. In this case, you’ll need to upgrade to a more powerful WordPress hosting plan.
• Plugin or theme conflicts. WordPress plugins and themes can sometimes conflict with the REST API. When this happens, try disabling all plugins and switching to a default theme to see if this resolves the issue. If it does, you can reactivate your plugins one at a time to identify the culprit.
• Size of data. Large data transfers during API calls can cause timeouts. To prevent this, you can try reducing the number of items displayed per page (we’ll show you how to do this later in the post).
• Database issues. If your WordPress database is not optimized, it can lead to slow response times and timeouts when calling the REST API. You can optimize it by removing unnecessary data and installing an optimization plugin.

Additionally, you may want to track the performance of your API with a tool like Google Cloud’s operations suite (formerly Stackdriver) and Microsoft’s Application Insights. These tools can provide insight into the performance of the WordPress REST API and help you identify the causes of slow response times.

403 Forbidden error when calling the REST API

The 403 Forbidden error is an HTTP status code indicating that the client is not authorized to access the requested resource. Let’s look at some common causes of this error and potential solutions:

• Incorrect API Key. If the request requires an API key, make sure that the key you’re using is valid and that it’s being passed in the request headers correctly.
• Invalid nonce. A ‘nonce’ is a random number used once to prevent request forgery. If it’s invalid, it may result in a 403 forbidden error.
• User permissions. You’ll also want to make sure that you have the necessary permissions to access a specific API endpoint. If you’re not the owner of the website, you may need to ask the administrator to give you the right permissions. 
• Security plugins. Security plugins can block an API call because it sees it as a security threat. You can whitelist the API endpoint in your plugin settings to resolve this type of issue.
• Firewall. You might be using a firewall that’s blocking the API request. Make sure that the firewall is set up correctly, or try to disable it while using the API.
• Server configuration. Some servers are not configured to handle certain API calls, so you might want to reach out to your hosting provider for assistance.

You can also use your browser’s developer tools to inspect the network requests and request headers. If you use Chrome, simply press Ctrl+Shift+C to open DevTools.  

Additionally, you can check your server logs for more information about the error. You should be able to access them through your hosting account. If not, you can ask your hosting provider for help. 

REST API encountered an unexpected result

The “REST API encountered an unexpected result” error is a common issue. It’s typically caused by the following factors:

• Permissions. You might not have the right permissions to access the requested resource. If that’s the case, you’ll need to contact the site’s administrator. 
• URL configuration issue. This error can occur if the API endpoint URL is configured incorrectly. Double-check the URL to ensure that it is correct and that all necessary query parameters are included.
• Incorrect command. You may be using the wrong command (e.g. GET, POST, PUT, DELETE) for the request. Check the API documentation to make sure that you’re using the correct command for the specific endpoint.
• Incorrect request format. Make sure that you’re using the right format in your request. In the WordPress REST API, data must be sent as JSON.
• Wrong endpoint. You might be trying to call an endpoint that doesn’t exist. In this scenario, double-check the endpoint URL to make sure it’s correct.
• Server-side issues. Your server might be experiencing issues. This is more common with shared hosting plans. If this happens to you, it may be time to upgrade to a server with more resources.

You may also want to disable your plugins to see if the issue is resolved. As mentioned earlier, some tools may cause compatibility issues with the WordPress REST API. 

rest_api_init not working

The “rest_api_init not working” error is another common WordPress REST API error. It’s usually caused by plugin and theme conflicts, as well as limited server resources.

Still, there are other factors that can lead to the WordPress REST API not working, like:

• Custom REST API endpoints. If you’re making requests with custom endpoints, make sure that you’re using the correct hooks and functions.
• .htaccess file. You may need to check your .htaccess file to ensure that it’s set up correctly.
• CORS error. If you’re trying to make Cross-Origin Requests (CORS) and the WordPress REST API is not working, it might be that the server is not configured to accept them. You may want to contact your hosting provider to see if the server accepts CORS.

Additionally, you could be using an old WordPress installation that doesn’t support the API. If so, it’s important that you upgrade to the latest version.

Basic authentication not working

The “Basic authentication not working” error may occur when trying to call the WordPress REST API using Basic Authentication. Basic Authentication is a simple authentication scheme built into the HTTP protocol. It utilizes a username and password to authenticate someone. 

Here are some common causes of this error (and how to resolve them):

• Incorrect credentials. Check the username and password in the request headers to ensure that they’re correct.
• Secure Sockets Layer (SSL) issue. Make sure that you have a valid SSL certificate installed and that it’s configured correctly. If it isn’t, take a look at our step-by-step guide on how to get a free and valid SSL certificate.
• HTTP to HTTPS redirects. Some websites are configured to redirect HTTP requests to HTTPS. If the browser is trying to authenticate on HTTP, you might run into this error. Therefore, you’ll want to make sure that you’re running a request on an HTTPS endpoint.

Like other REST API issues, this error can also be caused by theme and plugin conflicts. Once again, you’ll want to switch to a default theme and deactivate your plugins to troubleshoot the issue.

If that doesn’t help, you might want to disable your firewall temporarily. This could be blocking your authentication request. 

If you’re making a CORS, your server may not be configured to accept them. It’s worth checking with your hosting provider to see if there’s anything they can do on their end. 

Finally, if you’re not the admin of the site, you may not have the correct permissions or role to complete the request. In this case, you’ll need to reach out to the owner of the website. 

Advanced use cases of the REST API

Thanks to the WordPress REST API, you can retrieve data from your site using popular frameworks and other programming languages. Let’s take a look at a few examples. 

How to use the WordPress REST API with React

React is a popular JavaScript library for building user interfaces. You can use the Node-WPAPI client to make HTTP requests to the WordPress REST API. 

For instance, to retrieve a list of posts on your WordPress site, you would need to enter the following into Node-WPAPI:

import WPAPI from 'wpapi';

const wp = new WPAPI({ endpoint: 'http://example.com/wp-json' });

wp.posts().then(posts => {

  console.log(posts);

});

For more information on using the WordPress REST API with React, you can check out the Node-WPAPI documentation.

How to use the WP REST API with Angular

Angular is a JavaScript framework for developing web applications. To use it with the WordPress REST API, you’ll need to use the @angular/common/http module.

For instance, you can input the following code to retrieve a list of posts:

import { HttpClient } from '@angular/common/http';

@Injectable()

export class PostService {

  constructor(private http: HttpClient) {}

  getPosts(): Observable<any> {

    return this.http.get('http://mysite.com/wp-json/wp/v2/posts');

  }

}

You can check out the Angular documentation for more information on using its HttpClient to make requests to the WordPress REST API. 

How to use the WordPress REST API with Python

You can also use the WordPress REST API with Python. This is a popular programming language that can be used to build web applications and other software. 

To get started, you’ll need to use the Requests library. If you wanted to fetch a list of your WordPress posts, you would enter the following:

import requests

response = requests.get('http://example.com/wp-json/wp/v2/posts')

posts = response.json()

print(posts)

You can read the Requests library documentation for more detailed instructions.  

How does the REST API compare to other WordPress API solutions?

You may be wondering how the REST API differs from other WordPress API solutions. To give you an idea, we’re going to compare it to some of the most popular alternatives. 

WordPress REST API vs. AJAX

The WordPress REST API provides an efficient way to access WordPress data. It enables developers to build custom applications and integrations with WordPress.

Meanwhile, the WordPress AJAX API is an older method of accessing WordPress data. It was introduced in WordPress 2.0 and enables developers to make asynchronous requests from the front end of the site, using JavaScript. 

The WordPress AJAX API can be a bit restrictive in terms of functionality, so it’s not recommended for use in complex projects.

WordPress REST API vs. WPGraphQL

WPGraphQL is a GraphQL implementation for WordPress that provides an alternate way to access WordPress data. GraphQL is a query language for your API. It enables clients to request exactly the data they need, and nothing more. 

Unlike the WordPress REST API, WPGraphQL requires a separate application password to be generated for each user who needs access. Plus, it can be a bit slow in delivering content because it uses a more complex query language.

WordPress REST API vs. XML-RPC

Introduced in WordPress 1.5, the WordPress XML-RPC API enables you to make remote requests to WordPress using the XML-RPC protocol. 

XML-RPC is simple and lightweight, and can therefore deliver results faster. The problem is, that like Ajax, it has limited functionality compared to the WordPress REST API. 

Frequently asked questions about the WordPress REST API

In this guide, we’ve covered most of the essentials when it comes to the WordPress REST API. But, just in case, let’s look at a few frequently asked questions regarding this powerful tool. 

Does the WordPress REST API have a return limit?

By default, the WordPress REST API has a maximum return limit of 100 items per page. That means, if you make a request to an endpoint that returns a list of items (like posts, pages, or users), the API will only display a maximum of 100 items in the response. 

Fortunately, you can use the “per_page” parameter to increase the limit to a maximum of 500 items per page.

For example, if you want 200 items per page, you can use the following:

https://mysite.com/wp-json/wp/v2/posts?per_page=200

Keep in mind that you can also decrease the number of items displayed per page.

Can I use the REST API with WooCommerce?

WooCommerce has its own REST API. The WooCommerce REST API enables you to access and modify data from your WooCommerce store. This includes information on products, orders, and customers. Plus, you can use the WooCommerce REST API to integrate WooCommerce with other ecommerce platforms.

Get started with the WordPress REST API

The WordPress REST API enables you to integrate your site with other apps and third-party tools. Web developers can use it to fetch data for single-page applications, connect WordPress to a mobile app, and much more.

Additionally, you can use the WordPress REST API with other frameworks and programming languages, including React, Angular, and Python. Although the WordPress REST API is a powerful and dependable tool, it’s still important to back up your site and use a security tool to prevent attacks through these connections.

With Jetpack Protect, you can secure your WordPress site against malware and hackers, and use the WordPress REST API in a safer environment. 

Most websites — including those using WordPress — deal with spam on a daily basis. Even if you just created your first site a few weeks ago, chances are you’re already facing the reality of spam comments, queries, account sign-ups, and more. 

CAPTCHAs can effectively mitigate unwanted spam, especially if it’s coming from your contact forms. But while one can help alleviate problems with spam, you’ll likely encounter the unintended consequence of a more difficult experience for your real visitors.  

That’s why many sites have chosen to use Akismet — a more streamlined anti-spam solution for WordPress — instead. 

So, which option is right for your site?

In this article, we’ll start by talking about the downsides and alternatives to using CAPTCHAs, so you get the full picture. Then, we’ll show you how to protect your WordPress contact forms both with and without CAPTCHAs.

What is a CAPTCHA? 

CAPTCHA stands for “Completely Automated Public Turing Test to Tell Computers and Humans Apart.” Phew!

The earliest versions presented users with distorted text they’d have to decipher. Because it was difficult to complete, it could fairly accurately tell humans and computers apart. 

What are the downsides of using a CAPTCHA?

To put it simply, people hate CAPTCHAs. That’s not a matter of opinion, either. A Stanford study shows that only 71 percent of users attempt to solve CAPTCHAs when they run into them. The rest of them outright leave the page. 

Another study from Moz confirms those numbers. It shows that, on average, 30 percent of users leave pages with CAPTCHAs, either while trying to solve them or before trying. The same study states that simply adding a CAPTCHA can lower your site’s conversion rates by 3.2 percent.

If you’re relatively tech-savvy, you probably don’t struggle at all with solving CAPTCHAs. But, a lot of the users that decide to leave a page when they see one do so because CAPTCHAs are designed to be difficult to solve.

According to Stanford, solving a video CAPTCHA can take up to ten seconds on average and audio CAPTCHAs have a staggering failure rate of 50 percent. Even regular image CAPTCHAs can be difficult to solve since they intentionally obfuscate letters and symbols. Some pages even ask you to resolve multiple CAPTCHAs before letting you proceed.

To be fair, CAPTCHAs work. They provide a functional solution to a problem that most websites struggle to deal with. 

The problem is, using a CAPTCHA shifts the responsibility to users. It’s like asking store customers to prove they’re not thieves before they can make a purchase. Furthermore, it’s not a good option when it comes to accessibility standards. That’s because it might alienate users with vision or hearing impairments. Since there are indeed alternatives to CAPTCHAs, you might want to consider which option to use before implementing them.

What are the different kinds of CAPTCHAs?

There are lots of types of CAPTCHAs. Most websites use reCAPTCHA, which is a free solution (for up to 1,000,000 assessments per month) from Google. When you run into a contact form that uses reCAPTCHA, you’ll need to check a box that says, “I am not a robot.”

If the service detects any suspicious movement or activity with your connection, you’ll need to solve an image puzzle. In most cases, the puzzle will ask you to identify multiple similar elements from a cluster of images. Depending on the case, you might need to solve multiple image puzzles before submitting a form.

Aside from reCAPTCHA, you might also run into audio or video CAPTCHAs. These tend to be worse (from a user standpoint) because you’re required to watch and/or listen in full before you can solve the puzzle. In a lot of cases, this might not even be possible if you’re somewhere where you can’t listen to audio, don’t have a pair of headphones on hand, or have an impairment.

The ideal CAPTCHA is one that requires very little work from users while still providing a solid level of protection from spam. It should also be accessible to as many people as possible. Some CAPTCHA alternatives, like Akismet, can provide this.

What’s the best CAPTCHA alternative?

If you want to eliminate spam from your WordPress site, but don’t want to push away visitors with complicated, annoying tests, the best CAPTCHA alternative is Akismet. 

Meet Akismet: The non-intrusive spam blocker

Akismet is one of the most popular WordPress tools on the market. It’s designed to help you prevent spam without adding complications for visitors, by identifying spam and malicious comments submitted through your site’s forms. 

It’s ‘non-intrusive’ because Akismet can protect your website from spam without using CAPTCHAs. The service analyzes every comment and form submission on your website to see if it matches known spam or malicious IP addresses, or if it follows patterns that raise red flags (like linking to unrelated third-party sites).

You can configure Akismet to automatically delete these submissions or let you review them to check if they’re from real visitors. In either case, visitors never see a CAPTCHA when you’re using Akismet. Your site remains protected, and the user experience improves drastically.

Everything happens in the background. There’s nothing special for visitors to fill out. No puzzle, no audio to listen to, no stop signs to identify. Real visitors can go on their way none-the-wiser. Spam submissions are then identified and deleted or sorted for you to review later. 

How to add Akismet to a WordPress contact form

Adding Akismet to WordPress contact forms is easy. You can do it in just a few steps. Still, the process can vary slightly depending on the type of contact form or plugin you’re using, so let’s discuss how it works!

Step 1: Install and activate Akismet

Non-commercial sites can use Akismet for free to stop spam comments and nefarious contact form submissions. To get started, you’ll need to install and activate the plugin. 

Go to the Plugins tab in your WordPress dashboard. Then, click on Add New and use the search tool to look for the Akismet plugin. In a lot of cases, it will be an option among the top ‘featured’ plugins.

When you find the plugin, click on Install → Activate. Once the plugin is active, go to Settings → Akismet Anti-Spam. Under the Settings section, you’ll see a field where you need to enter an API key.

To get this key, go to the Akismet website and sign up for an account. After you sign up, you’ll get access to the Akismet dashboard. Go to the My Account tab and select the Add Subscription option.

On the next page, you’ll be able to choose which plan you want to use. The Personal plan uses a pay-what-you-want model, so you can sign up for free and use it for a single website. Keep in mind that you can only sign up for this free plan if you don’t run ads, sell products, or promote a business through your website.

After confirming your subscription, you’ll get access to an API key, which you can see in the My Account tab. Copy the key and return to the Settings → Akismet Anti-Spam screen in the WordPress dashboard. Paste it in the API Key field.

Click on Save Changes and that’s it. By default, Akismet will block comment spam and send it to a queue where you can review submissions in the dashboard. There’s an extra step involved if you want to use Akismet with a contact form.

Step 2: Integrate Akismet with your contact form

WordPress doesn’t offer contact form functionality out-of-the-box. That means most users rely on plugins to implement these types of forms on their websites. This step will depend on what contact form plugin you’re using. 

Akismet works with most popular WordPress contact form plugins. Some plugins, like Formidable Forms and WPForms include built-in support for Akismet. With either plugin, you just need to enable the Akismet spam protection setting for each individual form.

Other plugins, like Gravity Forms, require you to set up Akismet add-ons to add spam protection to their forms. Finally, there are some tools, like Contact Form 7 and Ninja Forms which require you to add code snippets to your forms to enable support for Akismet. Fortunately, all three of these methods are pretty straightforward.

For the easiest solution, consider using Jetpack’s WordPress contact form functionality. 

Read more: How to use Akismet with WordPress contact forms. 

Step 3: Configure Akismet’s anti-spam settings

Akismet is pretty much a plug-and-play tool, which can be appealing if you’re looking for something quick and easy. In any case, it also gives you control over how you want to handle contact form spam. 

By default, the plugin sends comments it flags as spam to a special ‘queue’ where you can review them (in the Comments section of the dashboard). Alternatively, you can configure Akismet to discard spam completely, so you don’t have to deal with it. 

To do this, go to Settings → Akismet Anti-Spam and search for the Settings section. The option you’re looking for appears under Strictness.

Akismet does a great job of separating spam messages from real ones. That means you can choose to discard contact form spam without worrying too much about it. If you want to preserve every message to play it safe, opt for the Always put spam in the Spam folder for review setting.

Keep in mind that Akismet only stores spam comments for 15 days. After that, it deletes them automatically. This means you’ll want to review the queue every week or every two weeks at the most.

How to add CAPTCHA to a WordPress contact form

The process of adding CAPTCHAs to WordPress contact forms will depend on what service you’re using. Since reCAPTCHA is the most popular CAPTCHA solution on the web, we’ll show you how to integrate it with a WordPress contact form.

Step 1: Sign up for a reCAPTCHA account

If you already have a Google account, you can access reCAPTCHA right away. Simply visit Google.com/reCAPTCHA and select the v3 Admin Console option in the primary navigation menu.

Click on the plus sign icon in the reCAPTCHA dashboard and enter a label for your website. This can be any unique identifier. Then, choose what type of reCAPTCHA you want to use for your site. 

The most common type of CAPTCHA is reCAPTCHA v2, which forces users to solve a challenge or a puzzle to make a submission.

Next up, look for the Domains field. Enter the domain of the website where you want to use reCAPTCHA.

After entering the domain, you’ll need to review reCAPTCHA’s terms of service, agree to them if you do, and submit the form. Then, reCAPTCHA will provide you with a site and a secret key. You’ll need both for the following steps, so keep the tab open or copy and paste them somewhere safe.

Step 2: Find a plugin that’s compatible with reCAPTCHA

There are a handful of WordPress contact form plugins that are compatible with reCAPTCHA. But, not all of them support it out-of-the-box. Some plugins will simply need an add-on, but a lot of them require you to add custom code directly to individual contact forms in order to display challenges.

What’s more, reCAPTCHA doesn’t offer documentation showing which WordPress plugins are compatible with it. However, the most popular contact form plugins will likely have an integration method.

If you’re not sure whether the plugin you’re using is compatible with reCAPTCHA, you should check its documentation. If you discover that it’s compatible, you should be able to find instructions on how to implement the anti-spam system with your contact forms.

Frequently asked questions about CAPTCHA and WordPress forms

If you have any questions left about CAPTCHAs and how they work, this section will answer them. Let’s start by reviewing what CAPTCHAs are.

What is CAPTCHA?

A CAPTCHA is a kind of test designed for users to prove that they’re humans and not bots. This is necessary because most websites with comment sections or contact forms have to deal with a lot of bots and spammers.

These bots tend to leave spam comments pointing toward other websites or try to find vulnerabilities in forms. CAPTCHAs help stop them since they require some level of human ingenuity to solve. Typically, CAPTCHAs involve image puzzles, but they can also use video or audio.

What is reCAPTCHA?

reCAPTCHA is a CAPTCHA tool offered by Google. It functions as a ‘freemium’ service that provides up to 1,000,000 assessments per month in as many forms as you need. 

If you implement reCAPTCHA, visitors need to check a box before submitting a form to confirm they are human. The service may request additional confirmation in the form of visual tests if it detects any anomalies.

What is contact form spam?

Spam is everywhere online, from comment sections to contact forms. Every time you create a form, you open another venue for spam. There are a lot of bots and people dedicated to using forms to submit spam, ranging from promoting their own content to sharing links to malicious sites.

Contact form spam is any submission that’s not designed to fulfill the purpose of the form but to bypass it or to trick you into taking an action with negative consequences. This type of spam is typically easy to spot, but dealing with it can take up a lot of time you could otherwise spend responding to legitimate queries.

Is CAPTCHA the best solution for contact form spam?

CAPTCHAs are an effective way to reduce contact form and other types of spam. But, research shows that users react very negatively to CAPTCHAs. On average, 30 percent of users leave a page when they see a CAPTCHA.

Although CAPTCHAs work, you need to decide whether they’re worth the loss of legitimate visitors and potential conversions. Moreover, there are alternatives to CAPTCHAs that are less intrusive, like Akismet. Alternative anti-spam tools that don’t force visitors to solve puzzles will offer a much better experience than CAPTCHAs.

Akismet vs CAPTCHA: Which one should I choose?

The answer to this question depends on what type of website you’re running and the user experience you want to offer. For ecommerce sites, the loss in visitors and conversions that CAPTCHAs often cause can result in a significant loss of revenue.

For contact forms specifically, using regular CAPTCHAs means you’ll lose out on some potential queries. Solutions like Akismet are less intrusive and just as effective. If you’re using WordPress, implementing Akismet is remarkably simple, which makes it a better solution than CAPTCHAs.

Will Akismet work with my contact form plugin?

Akismet works with most WordPress contact form plugins (at least the well-known options). Some plugins offer out-of-the-box compatibility with Akismet whereas others require you to install add-ons. For some plugins, you may need to add custom code to your forms, but the process is usually very simple.

How many WordPress websites trust Akismet?

Akismet is one of the most popular WordPress plugins in the world, bar none. There are over five million active installations of Akismet at the moment, and that number keeps rising.

In fact, many web hosts offer Akismet as one of a handful of plugins that come pre-installed with their WordPress setups. That’s because using Akismet from the get-go can help you reduce the level of spam you deal with and, thus, secure your website.

If you want to implement an anti-spam solution that doesn’t require you to force visitors to solve puzzles, Akismet is the way to go. Millions of users already trust Akismet to protect their sites, and it’s free for non-commercial sites. That’s why we listed it as one of the must-have plugins for WordPress sites.

Use Akismet to prevent spam in WordPress

If you have a website with forms, you probably need to implement some sort of spam protection. For a long time, CAPTCHAs have been the industry go-to. They’re relatively easy to implement, and they get the job done. Still, it’s unwise to ignore the negative effect they have on the user experience. Simply put, people do not like CAPTCHAs.

For the best spam protection without annoying site visitors, you should consider an alternative like Akismet. It’s cost-effective and simple to get started.

Want to keep your customers happy while also protecting your WordPress site from spammers and bots? Sign up for Akismet today!