Security
Spam Protection
Protect your forms from bots and spam with reCAPTCHA, Cloudflare Turnstile, IP rate limiting, email domain blocklist, IP blocklist, and built-in honeypot.
Last updated June 15, 2026
SK Form Builder includes multiple layers of spam protection. You can combine these to match the level of protection your forms need.
Honeypot (always active)
Every form includes a built-in, invisible honeypot field (sk_website). It's hidden from human visitors but bots typically fill it in.
- No setup required; it's always active on every form.
- If a bot fills in the honeypot, the submission is silently discarded and the bot receives a fake success response.
- Human customers are never affected.
reCAPTCHA
Three options are available, all configured in Global Settings → reCAPTCHA and enabled per form.
| Type | Behavior | Plan |
|---|---|---|
| reCAPTCHA v2 | Shows a visible "I'm not a robot" checkbox. Submit button is disabled until solved. | Basic+ |
| reCAPTCHA v3 | Completely invisible; scores each visitor in the background. No customer interaction needed. | Basic+ |
| Cloudflare Turnstile | Privacy-friendly, invisible alternative to Google reCAPTCHA. GDPR-friendly. | Basic+ |
Setup
Get your keys
- For reCAPTCHA v2/v3: Register your site at google.com/recaptcha and copy the Site Key and Secret Key.
- For Cloudflare Turnstile: Go to the Cloudflare dashboard → Turnstile → add your site → copy the Site Key and Secret Key.
Configure in Global Settings
Global Settings → reCAPTCHA:
- Select the type (v2, v3, or Turnstile)
- Enter your Site Key and Secret Key
- Save
Enable per form
In each form's Settings → Security → toggle Enable reCAPTCHA on.
Submit button behavior
The submit button is only disabled while waiting for verification when reCAPTCHA v2 is used (the visible checkbox type). With reCAPTCHA v3 and Turnstile (both invisible), the submit button is always enabled.
IP Rate Limiting
Pro and Pro+ plans.
Limit how many submissions a single IP address can make per hour across all forms.
Setup: Global Settings → Storage & Limits → Rate Limit Per Hour. Set the maximum number of submissions allowed per IP per hour. Default is 10.
When a visitor exceeds the limit, their submission is rejected and they see an error message.
Email Domain Blocklist
Pro and Pro+ plans.
Block form submissions from specific email domains, useful for blocking disposable/temporary email services.
Setup: Global Settings → Storage & Limits → Blocked Domains. Add comma-separated domains to block (e.g. mailinator.com, guerrillamail.com, tempmail.com).
When a customer submits a form with an email from a blocked domain, the submission is rejected.
IP Blocklist
Block specific IP addresses from submitting any form on your store.
Available on Basic and higher plans.
Setup: Global Settings → Storage & Limits → Block Form IPs:
- Add one or more IP addresses to block.
- Set a Block Message to show blocked visitors (e.g. "You are not permitted to submit this form.").
Combining protections
For maximum protection on high-traffic or public-facing forms, combine:
- Honeypot (always on)
- reCAPTCHA v3 (invisible, no friction)
- IP Rate Limiting (prevent flooding)
- Email Domain Blocklist (block disposable emails)
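To make the layering concrete, here is an added sketch of how a server-side handler could chain these checks; it is an illustration written for this page, not SK Form Builder's own code. Only the `sk_website` field name, the default of 10 per hour and the comma-separated domain format come from the page; the function names, the evaluation order, the sliding one-hour window, the exact-match domain comparison and the response messages are assumptions.

```javascript
// Added illustration, not SK Form Builder's code. Every name here is hypothetical
// except the honeypot field name sk_website, which the page documents.
const HOUR_MS = 60 * 60 * 1000;

// Parse the comma-separated "Blocked Domains" setting into a normalized set.
function parseBlockedDomains(setting) {
  return new Set(setting.split(',').map(d => d.trim().toLowerCase()).filter(Boolean));
}

function createSpamFilter({ rateLimitPerHour = 10, blockedDomains = '', blockedIps = [],
  blockMessage = 'You are not permitted to submit this form.' } = {}) {
  const domains = parseBlockedDomains(blockedDomains);
  const ips = new Set(blockedIps);
  const history = new Map(); // ip -> timestamps (ms) of accepted submissions

  // Returns { stored, status, message }. `now` is injectable so the limiter can be tested.
  return function check(submission, ip, now = Date.now()) {
    // 1. Honeypot: any value in the hidden field marks a bot. Discard the
    //    submission but answer exactly like a real success.
    if (String(submission.sk_website || '').trim() !== '') {
      return { stored: false, status: 'success', message: 'Thank you!' };
    }
    // 2. IP blocklist: reject and show the configured Block Message.
    if (ips.has(ip)) {
      return { stored: false, status: 'blocked', message: blockMessage };
    }
    // 3. Email domain blocklist: compare the part after the last "@",
    //    case-insensitively (exact match on the domain is an assumption).
    const email = String(submission.email || '');
    const at = email.lastIndexOf('@');
    const domain = at >= 0 ? email.slice(at + 1).trim().toLowerCase() : '';
    if (domains.has(domain)) {
      return { stored: false, status: 'rejected', message: 'Email domain not allowed.' };
    }
    // 4. Rate limit: count this IP's accepted submissions within the last hour
    //    (a sliding window is assumed; the page only says "per hour").
    const recent = (history.get(ip) || []).filter(t => now - t < HOUR_MS);
    history.set(ip, recent);
    if (recent.length >= rateLimitPerHour) {
      return { stored: false, status: 'rate_limited', message: 'Too many submissions.' };
    }
    recent.push(now);
    return { stored: true, status: 'success', message: 'Thank you!' };
  };
}
```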