phpFormProtect allows you to protect a form from spammers without using a captcha. It uses a number of different techniques to assess a given submission, and then scores the submission similar to email spam filters, but much simpler. It could certainly be overcome - but in our experience it provides all the protection needed for most sites. It i…
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


phpFormProtect protects forms from spammers in a way that doesn't annoy users. It is an alternative to a CAPTCHA, and could also be used to prevent comment spam. It works by running each submission through a number of tests, and then scoring the submission. Any one of the tests by itself has flaws, but working together they provide a high quality indicator of the spamminess of a given form submission. The last two tests by default cause failure based on the points assigned. This is easily configurable.

This project is a port of CFFormProtect. We found that when switching from ColdFusion to PHP, there wasn't anything similar. Many thanks to the folks at CFFormProtect, especially for fp.js, which is a copy of cffp.js.

The tests are as follows:

  • Hidden Form Field - If hidden form field is filled in, this is an indicator of spam
  • Time Form Submission - If form is filled out too fast or too slow, this is an indicator of spam
  • Too many URLs - If the comment field has too many URLs (Number is configurable) this is an indicator of spam
  • Mouse Movement - If the user does not use their mouse, this is an indicator of spam
  • Used Keyboard - If the user does not use their keybaord, this is an indicator of spam
  • Validate Referer - If the HTTP referer does not match the form URL, we shouldn't accept the submission.
  • Validate Email - If the email address provided in the form is not valid from a syntax perspective, we shouldn't accept the submission.


Dan McCarthy (



Installation Via Composer

Warning: The composer install doesn't work currently.

Require the package within your composer.json:

"require": {
    "mccarthy/phpFormProtect": "master"

Update Composer:

$ composer update

Manual Installation

  • Copy the phpfp folder into the same folder that contains the form and form processing page on your web host

Instructions for Use

  • Put this line of code between the form tags of the form you want to protect:
<?php include 'phpfp/phpfp.php'; ?>
  • On the form processing page, do something like the following:
$fp = new FormProtect;
$fpResult = $fp->testSubmission($_POST);

if($fpResult[pass]) {
	//echo "Passed, looks like a valid submission.  Process as normal, send email, etc.";
else {
	//echo "Failed.  Looks like spam.  Log, block IP, email, etc.";

###Sample Code

  • The files "contact.php" and "contact-process.php" contain sample code showing how to use phpFormProtect.
  • You can either use the sample code files, or add similar logic to your form processing page.


Research & Inspiration


This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at