Honeypot vs reCAPTCHA vs hCaptcha: form spam protection compared
If your form is on the open internet, it gets spam. The question is which combination of defenses you use, what tradeoffs you accept, and how loud the friction is for legitimate users. This post compares the three most common layers - honeypot, reCAPTCHA, and hCaptcha - and explains why most production setups use all three, in order, with one or two more behind them.
What each one actually does
Honeypot
An invisible field that bots fill in and humans don't. Catches the most basic class of spam - automated form submitters that fill every visible input - at zero user-facing cost. Implementation is one CSS rule and one PHP/JS check.
```html
<form action="https://formspring.io/f/abc123" method="POST">
  <!-- visible fields -->
  <input type="email" name="email" required>
  <textarea name="message" required></textarea>
  <!-- honeypot: hidden from humans, visible to bots. autocomplete="off" stops
       browser autofill from populating it and flagging a real user. -->
  <div style="position:absolute;left:-9999px" aria-hidden="true">
    <label>Leave this empty: <input type="text" name="website" tabindex="-1" autocomplete="off"></label>
  </div>
  <button>Send</button>
</form>
```
Server-side: if `website` is non-empty, drop the submission silently. Return the same success response a real submission gets, so the bot learns nothing from being rejected.
Catches: ~70% of low-effort bot spam.
User friction: Zero. Invisible.
Accessibility: Excellent - screen readers respect aria-hidden.
Privacy: Perfect. No third-party calls.
Bypass: Trivial for any bot that reads CSS or DOM order.
reCAPTCHA (Google)
Google's challenge-response system. v2 shows a checkbox that may escalate to image puzzles. v3 is invisible and returns a 0.0-1.0 score you act on.
Catches: 90%+ of bot spam (combined with risk scoring).
User friction: Visible (v2) or invisible (v3, but still tracking).
Accessibility: Mediocre - image puzzles are hostile to screen readers. v2 has an audio fallback.
Privacy: Significant. Loads Google scripts that fingerprint the visitor across sites that use reCAPTCHA. GDPR-fragile.
Bypass: 2captcha-style farms exist for $1-3 per 1,000 puzzles.
hCaptcha
The drop-in alternative to reCAPTCHA, founded specifically because of reCAPTCHA's privacy and accessibility complaints.
Catches: 90%+ of bot spam, comparable to reCAPTCHA.
User friction: Similar visible challenge to reCAPTCHA v2.
Accessibility: Better than reCAPTCHA. Audio fallback works reliably.
Privacy: Better than reCAPTCHA. No cross-site fingerprinting; data not used for ad targeting.
Bypass: Same farm problem as reCAPTCHA.
What none of them catch alone
- Sophisticated bots that solve CAPTCHAs via human farms.
- AI-driven spam that crafts plausible content (LLM-generated lead-gen spam is 2025's growth area).
- Targeted abuse where the attacker has a person doing the submission.
For these, you need content-based filtering: Akismet, custom rules, or AI moderation.
The five-layer setup
The strongest production setup runs all of these in order:
honeypot → hCaptcha → custom rules → Akismet → AI moderation
A submission has to pass all five to land in your inbox.
- Honeypot - free, silent, drops the dumbest 70%.
- hCaptcha - only triggers on suspect submissions (or always, if you prefer). Drops bots that pass honeypot.
- Custom rules - block by IP, regex on field values, country code, time-of-day. Catches targeted abuse you can pattern-match.
- Akismet - content-based scoring against a global spam corpus. Catches anything with known-spam phrasing.
- AI moderation - flags toxic content, doxxing, scams, abuse. Catches AI-generated spam that passes content scoring because it's grammatically clean.
Formspring runs all five by default on Pro+, in this order, with the option to disable any layer per form.
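The server-side half of the honeypot check above and the ordered five-layer pipeline, as an added Node.js example that is not Formspring's code. Each layer returns `null` to pass the submission on or a short reason string to reject it; the first rejection wins, so the free, silent layers run before the ones that cost money or call a third party. The hCaptcha layer posts to hCaptcha's real `siteverify` endpoint, but its verifier is injectable, and the demo at the bottom runs entirely offline with a constructed fake verifier and a keyword scorer standing in for Akismet (`demoVerify`, `demoScore`, the `HCAPTCHA_SECRET_PLACEHOLDER` string and the sample submissions are all made up for this example).

```javascript
// Added example, not Formspring's code: honeypot -> hCaptcha -> rules -> content scoring,
// run in order, stopping at the first layer that rejects.

const HONEYPOT_FIELD = "website"; // must match the hidden input's name attribute

// Layer 1: honeypot. Humans never see the field, so any non-empty value means a bot
// filled every input it found. A missing field passes (a hand-built client may omit it).
function honeypotLayer(submission) {
  const value = submission.fields[HONEYPOT_FIELD];
  return typeof value === "string" && value.trim() !== "" ? "honeypot" : null;
}

// Layer 2: hCaptcha. The widget posts its token as h-captcha-response; the server
// confirms it with siteverify. `verify` is injectable so the pipeline runs offline.
function hcaptchaLayer({ secret, verify = verifyWithHcaptcha }) {
  return async (submission) => {
    const token = submission.fields["h-captcha-response"];
    if (typeof token !== "string" || token === "") return "captcha:missing";
    return (await verify(secret, token, submission.ip)) ? null : "captcha:failed";
  };
}

async function verifyWithHcaptcha(secret, token, remoteip) {
  const body = new URLSearchParams({ secret, response: token });
  if (remoteip) body.set("remoteip", remoteip);
  const res = await fetch("https://api.hcaptcha.com/siteverify", { method: "POST", body });
  const data = await res.json();
  return data.success === true; // siteverify answers {"success": true|false, ...}
}

// Layer 3: custom rules. IP blocklist plus regexes over every string field.
// Patterns must not carry the g flag: RegExp#test with g keeps lastIndex state.
function rulesLayer({ blockedIps = new Set(), blockedPatterns = [] } = {}) {
  return (submission) => {
    if (blockedIps.has(submission.ip)) return "rule:ip";
    for (const [field, value] of Object.entries(submission.fields)) {
      if (typeof value !== "string") continue;
      if (blockedPatterns.some((re) => re.test(value))) return `rule:pattern:${field}`;
    }
    return null;
  };
}

// Layers 4 and 5: content scoring. Akismet and an AI moderation API both reduce to
// "score the text 0..1, reject at or above a threshold"; the scorer is injected.
function contentScoreLayer(name, score, threshold) {
  return async (submission) => {
    const text = Object.values(submission.fields)
      .filter((v) => typeof v === "string")
      .join("\n");
    const s = await score(text);
    return s >= threshold ? `${name}:${s.toFixed(2)}` : null;
  };
}

// Run the layers in order; the first rejection ends processing.
async function runLayers(layers, submission) {
  for (const layer of layers) {
    const reason = await layer(submission);
    if (reason !== null) return { accepted: false, rejectedBy: reason };
  }
  return { accepted: true, rejectedBy: null };
}

// Constructed offline stand-ins (placeholders, not real clients).
const demoVerify = async (_secret, token) => token === "demo-token-ok";
const demoScore = async (text) => (/\b(casino|crypto giveaway)\b/i.test(text) ? 0.95 : 0.05);

function demoPipeline() {
  return [
    honeypotLayer,
    hcaptchaLayer({ secret: "HCAPTCHA_SECRET_PLACEHOLDER", verify: demoVerify }),
    rulesLayer({ blockedIps: new Set(["198.51.100.7"]), blockedPatterns: [/\bSEO services\b/i] }),
    contentScoreLayer("akismet", demoScore, 0.8),
  ];
}

// Constructed sample submissions covering one pass and one rejection per layer.
const ok = { website: "", "h-captcha-response": "demo-token-ok" };
const demoSubmissions = {
  human:       { ip: "203.0.113.9",  fields: { ...ok, email: "a@example.org", message: "Quick question about pricing." } },
  dumbBot:     { ip: "203.0.113.10", fields: { ...ok, email: "x@example.net", message: "hi", website: "http://spam.example" } },
  noCaptcha:   { ip: "203.0.113.11", fields: { email: "y@example.net", message: "hi", website: "" } },
  blockedIp:   { ip: "198.51.100.7", fields: { ...ok, email: "z@example.net", message: "hi" } },
  spamContent: { ip: "203.0.113.12", fields: { ...ok, email: "w@example.net", message: "Free casino bonus, click now" } },
};

async function runDemo() {
  const layers = demoPipeline();
  const results = {};
  for (const [name, sub] of Object.entries(demoSubmissions)) results[name] = await runLayers(layers, sub);
  return results;
}

runDemo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The ordering is the point: the honeypot rejects `dumbBot` before any siteverify call is made, and the paid content scorer only ever sees submissions that already cleared the free layers. Whatever the rejecting layer, the HTTP response to the client should still look like a normal success so a bot gets no signal about which layer caught it.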
When to use which combination
Tiny personal site, no abuse history
Honeypot only. Don't add user friction for a contact form that gets 5 submissions a month.
Marketing site, moderate volume
Honeypot + hCaptcha. The captcha barely fires (skip it for trusted regions if your provider supports geo-rules) but stops the obvious bots.
High-volume form (newsletter, signup, RSVP)
All five layers. The cost of a single bad submission scales with volume.
Compliance-sensitive (healthcare, finance, government)
Honeypot + hCaptcha + custom rules + AI moderation. Skip Akismet if its data-sharing model conflicts with your compliance posture (Akismet sends submissions to a third-party scoring service).
Privacy positioning matters
For EU audiences, reCAPTCHA is increasingly hostile. The Belgian and Italian DPAs have flagged it; some courts have ruled against sites that use it without explicit consent. hCaptcha sidesteps most of that by design.
Formspring uses hCaptcha by default and intentionally doesn't ship a reCAPTCHA integration. If your audience is EU-skewed, this matters more than the tiny accuracy difference.
Concrete cost comparison
| Layer | Per submission cost | Per false positive cost |
|---|---|---|
| Honeypot | $0 | $0 (it's invisible) |
| hCaptcha | $0 (free tier) | User retries with audio or fallback |
| reCAPTCHA | $0 (free tier) | User retries with image puzzle |
| Akismet | $0.0001-ish | Submission marked spam, you check inbox |
| AI moderation | $0.001-ish | Submission marked, you check |
Why "just use Cloudflare Turnstile" isn't the obvious answer
Cloudflare Turnstile is the newer entrant - privacy-respecting, free, accurate. It's a good choice if your site is already on Cloudflare. The reasons it isn't the universal default:
- It requires a Cloudflare account.
- Its accuracy on edge-case bots isn't as battle-tested as hCaptcha at high volume.
- Its detection model relies on Cloudflare's overall traffic graph, which means weaker results on sites with low traffic that don't contribute to the model.
For most teams: hCaptcha is the safer cross-platform default. Turnstile is great if you're committed to Cloudflare's ecosystem.
What this means for your form
Pick a hosted form backend that bundles spam protection. The DIY route - honeypot + reCAPTCHA + custom rules + Akismet + AI - is achievable but expensive in maintenance time. Formspring runs all five by default on Pro+ for $19/mo, with hCaptcha (not reCAPTCHA) as the visible challenge layer.
Try the free tier and see your spam-pass-through rate after a week. Most teams are surprised how clean their inbox gets.
Florian Wartner
Founder of Formspring and Pixel & Process. Senior Laravel and Vue engineer based in Lübeck, Germany. Building developer-first SaaS with EU data residency and honest pricing.