Contact Form 7: block all URL’s in contact forms

Contact Form 7: block all URL's in contact forms

As someone who maintains multiple websites for my employer, which use Contact Form 7 for form functionality, I have been struggling with spam submissions, despite using Google Recaptcha, Akismet, and Honeypot for Contact Form 7, I was still getting a crap ton of link spam through our website forms.

The existing spam prevention measures outlined above blocked most of the bot spam, but unfortunately not all spam, either more sophisticated bots or real people filling out the forms were still getting past the trio of spam prevention systems. I had been searching for a while, when I came upon this WordPress functions.php snippet on Github, linked from a Stack Overflow thread, I found from a Google search!

However, it was not perfect out of the box, it stopped anything with ‘www’, https’ and ‘https’ in the URL, but if would allow yourdomain.tld (i.e. .com) through, so I added ‘.com’, ‘.net’, ‘.org’, ‘.xyz’, ‘.ga’, ‘.ly’ to the array, which are the most common URL extensions I receive spam from, see my altered code below;

add_filter( 'wpcf7_validate_text', 'no_urls_allowed', 10, 3 );
add_filter( 'wpcf7_validate_text*', 'no_urls_allowed', 10, 3 );
add_filter( 'wpcf7_validate_textarea', 'no_urls_allowed', 10, 3 );
add_filter( 'wpcf7_validate_textarea*', 'no_urls_allowed', 10, 3 );
function no_urls_allowed( $result, $tag ) {

	$tag = new WPCF7_Shortcode( $tag );

	$type = $tag->type;
	$name = $tag->name;

	$value = isset( $_POST[$name] )
		? trim( wp_unslash( strtr( (string) $_POST[$name], "\n", " " ) ) )
		: '';

	// If this is meant to be a URL field, do nothing
	if ( 'url' == $tag->basetype || stristr($name, 'url') ) {
		return $result;

	// Check for URLs
	$value = $_POST[$name];
	$not_allowed = array( 'http://', 'https://', 'www.', '[url', '<a ', ' seo ', '.com', '.net', '.org', '.xyz', '.ga', '.ly' );
	foreach ( $not_allowed as $na ) {
		if ( stristr( $value, $na ) ) {
			$result->invalidate( $tag, 'URLs are not allowed' );
			return $result;
	return $result;

With the exception of my additional code for expanded functionality, I claim no credit for the above code, but I am very thankful to Gal Baras, who put this code up on Github. The battle with form spam has gotten out of hand, with dozens of spam messages received daily through our contact forms.

Finally, I did a test to make sure partial word matches are not blocked, for example, ‘complete’ or ‘network’, so you can use this script safely without fear of legitimate messages being blocked.

5 thoughts on “Contact Form 7: block all URL’s in contact forms

  • Please let me know where to put this function.

  • Rashid, this code needs to be added to your functions.php file, which you can find in your wp-content > themes > yourthemename directory.

  • Thanks for posting this Jason. Will this block legitimate email addresses entered into email and email* fields? Does there need to be an exception for email-type fields as well if you are screening for TLDs?

  • I didn’t write the original code, I just altered it for my needs, but reading the code, it seems to target the textarea and text fields only, so the URL, email, and tel fields should not be checked by the function. I’ve certainly had no issues with emails being blocked.

  • Andras Gera
    September 14, 2023 at 06:51

    Works like a charm. Thanks for sharing.

Have Something To Say About This Post? Please Comment Below!