Kevinleary.net: Protecting WordPress Contact Forms with AI

If you have a WordPress website with a contact form you know how bad spam can get.

Contact forms, lead forms, and signups all attract fake messages. Honeypots, Akismet, reCAPTCHA and Turnstile all help, but none of them fully stop spam. They also make it harder for people to submit the form, and frustrating.

Gravity Forms spam email notification that passed through CloudFlare turnstile

Spam Checks with AI

But what if we test our form submissions with OpenAI, kind of like copying that spam email into ChatGPT and asking, “hey, is this form submission spam?”. It makes a lot of sense, and it works.

Instead of filtering spam based on fixed rules we can evaluate messages with an LLM. OpenAI offers models that understand natural language well enough to decide if a message looks like spam. We can use this as a back-end spam filter that runs invisibly on each submission.

In this example we use OpenAI’s gpt-4.1-mini-2025-04-14 model to process submissions from Gravity Forms. It is fast enough to run in real-time during a submission, and cheap enough to use on a relatively busy site (within reason).

If a submission looks like spam we mark it that way and show a generic success message to the sender. Real messages continue as usual. No visual blocks. No added fields. Just smarter spam filtering behind the scenes.

Technical Implementation

Here’s a basic way to do it for Gravity Forms in WordPress. The same could also be done with other popular forms like Ninja Forms as well just use different hooks.

OpenAI API Key

Create an account at platform.openai.com. Under your profile you will find the API keys section. Create a new key and store it securely.

Choose a Model

We recommend gpt-4.1-mini-2025-04-14 or o4-mini-2025-04-16. These are low-cost models that support chat completions. They perform well in classification tasks like spam detection and are much cheaper than full GPT-4.

WordPress Code

The following example can be run from your theme’s functions.php file or in a custom plugin. This runs before the form is submitted and checks the values using OpenAI.

Please understand though, this is mean’t to be a basic starting point only. If you use this in a production environment you need to add in safety precautions like limiting the number of allowed submissions per user and also budget caps.

/**
 * Filters Gravity Forms submissions using OpenAI GPT to detect spam.
 *
 * Submissions are sent to OpenAI's chat completion API using the GPT-4.1 Mini model.
 * If flagged as spam, the entry is stored as spam and the user receives a generic confirmation message.
 *
 * @param array $form The Gravity Forms form object.
 * @return array The (possibly modified) form object.
 */
function kevinleary_check_form_spam( $form ) {
    $api_key    = 'sk-xxxxxxx';
    $entry_data = [];

    foreach ( $_POST as $key => $value ) {
        if ( strpos( $key, 'input_' ) === 0 ) {
            $entry_data[ $key ] = sanitize_text_field( $value );
        }
    }

    $prompt = "You are a spam filter. Only respond with 'spam' or 'not_spam'. Is this message spam?\n\n" . print_r( $entry_data, true );

    $response = wp_remote_post(
        'https://api.openai.com/v1/chat/completions',
        [
            'headers' => [
                'Authorization' => 'Bearer ' . $api_key,
                'Content-Type'  => 'application/json',
            ],
            'body'    => wp_json_encode(
                [
                    'model'       => 'gpt-4.1-mini-2025-04-14',
                    'messages'    => [
                        [
                            'role'    => 'user',
                            'content' => $prompt,
                        ],
                    ],
                    'temperature' => 0,
                ]
            ),
            'timeout' => 20,
        ]
    );

    if ( is_wp_error( $response ) ) {
        return $form;
    }

    $body     = json_decode( wp_remote_retrieve_body( $response ), true );
    $decision = strtolower( trim( $body['choices'][0]['message']['content'] ?? '' ) );

    if ( 'spam' === $decision ) {
        add_filter( 'gform_entry_is_spam', '__return_true' );
        add_filter(
            'gform_confirmation',
            function () {
                return [
                    'message' => 'Thank you. Your message has been received.',
                ];
            }
        );
    }

    return $form;
}
add_filter( 'gform_pre_submission_filter', 'kevinleary_check_form_spam', 10, 1 );

Many Advantages

This adds no friction for users. There are no visual tests to pass and no CAPTCHA puzzles. The entire spam check happens on the server before the form is processed.

Using OpenAI gives you a powerful tool that understands context. It can catch spam that gets through basic field filters and bots that mimic real input patterns.

The spam is still stored so you can review or export flagged entries as needed.

AI API Safety

Each OpenAI request costs money. If you get a lot of submissions or if someone tries to abuse the form you want to stay protected. Here are some ideas

Track spam results by IP address and auto flag repeat offenders
Set a daily usage cap in the OpenAI dashboard
Add a fallback to use your existing spam filters if the API limit is reached

These safety checks help you stay in control without giving up the benefits of smarter filtering.

Final thoughts

Spam is not going anywhere. But smarter tools give us new ways to deal with it. Using OpenAI to classify form submissions is an easy upgrade. It works invisibly. It improves accuracy. And it makes no changes to the front-end experience.

At least for now, until the spammers start using AI to combat my AI spam protection…