Spam
How to Stop Google Form Spam (5 Fixes, Plus Their Limits)
Google Forms has no CAPTCHA setting. I walk through the 5 fixes that actually cut google form spam — sign-in, validation, unlisted links — and where each fails.
Google Forms has no CAPTCHA setting. None. So every fix for Google Form spam is really one of two things: restricting who can open the form, or adding friction that trips bots.
The five that work: require sign-in, limit responses to one per person, use response validation on text fields, keep the link unlisted, and close the form when you’re not collecting. That’s the whole toolbox.
I’ve cleaned up spammed-out Google Forms for clients more times than I’d like — signup sheets with 400 junk rows, feedback forms full of crypto links. The fixes below cut most of it, and I’ll be honest about where each one gives out.
One real signup, forty bot rows — the default state of a public Google Form.
Why Google Forms attracts spam
Google Form spam happens because a public form URL plus zero bot defenses equals an open door. Every Google Form lives at a predictable, publicly reachable URL. There’s no built-in CAPTCHA, no honeypot field, no rate limiting. A bot that finds the link can submit as fast as it can POST.
And bots do find the link. Crawlers harvest forms.gle and docs.google.com/forms URLs from public pages, social posts, and link aggregators. Once your form URL lands in one of those lists, submissions start arriving whether humans visit or not.
Google’s position is understandable: Forms is a free tool for classrooms and quick surveys, not a hardened public intake system. But that means the spam problem is yours to manage, with settings, not with a filter.
Fix 1: require sign-in
Requiring a Google sign-in is the single strongest fix for Google Form spam. In your form, go to Settings → Responses and turn on “Limit to 1 response.” That setting forces respondents to sign in to a Google account, and most bots won’t bother with a Google login just to spam your bake-sale signup.
Two wins in one toggle: signed-in users can only submit once, and anonymous drive-by bots are locked out entirely.
The cost is real, though. Anyone without a Google account, or anyone who won’t sign in to give feedback, bounces. For internal team forms, that’s fine. For “tell us anonymously what you think,” it kills the form’s purpose. Hold that thought for the limits section.
Fix 2: response validation on short-answer fields
Response validation rejects submissions that don’t match a rule, and sloppy bots fail rules constantly. On any short-answer field, open the field’s three-dot menu, choose Response validation, and set a rule: text must contain a certain word, a number must fall in a range, or the answer must match a pattern.
Practical rules I’ve used:
Require an email pattern on the email field. Bots that dump random strings get rejected before the response saves.
Set a length cap on message fields. Spam payloads tend to be long — links, pitch text, more links. A 500-character maximum blocks a surprising share of it.
Require a keyword. “Type the name of our school” as a validated field stops generic bots cold, because the rule is specific to your form.
Validation is free friction. It barely annoys legitimate humans and filters the laziest bots. It does nothing against a bot taught your specific rules.
Fix 3: don’t post the raw link publicly
An unlisted link can’t be spammed, and bots can’t submit to a form they never found. If the form doesn’t need to be on a public page, share it in closed channels only: email, Slack, a WhatsApp group, a members-only portal.
If it does need to be public, embed the form in a page on your own site instead of posting the bare forms.gle URL. Embedding doesn’t hide the form from a determined scraper — the iframe source is right there — but it keeps the URL out of the casual link-harvesting sweeps that feed most spam lists.
Treat the form URL like a house key, not a billboard. Once a crawler picks it up and it lands in a spam list, it doesn’t come out.
Fix 4: add a verification question
A verification question is a manual bot check you build yourself: one required short-answer field with a validated human-obvious answer. “What’s 3 plus 4?” with validation requiring the number 7. “What month is this event?” requiring the month name.
This is the closest Google Forms gets to a CAPTCHA, and you’re hand-rolling it. Bots fill fields mechanically and fail checks that need comprehension.
Keep the question trivial for humans. And know the ceiling: any human spammer, and any bot with an LLM behind it, answers “what’s 3 plus 4” instantly. This fix beats dumb automation, nothing smarter.
Fix 5: close or archive idle forms
A closed form gets zero spam, and most spammed Google Forms are forms nobody’s actively using. In Settings → Responses, toggle “Accepting responses” off the day your collection window ends. The event signup from March doesn’t need to accept submissions in July.
I’ve audited client Google Drives with a dozen live forms, half forgotten, all quietly collecting junk. Every idle open form is spam surface. Close them; reopen if you ever need them. Ten seconds per form, permanent result.
The honest limits
Every fix above trades something away, and stacked together they still don’t equal real spam protection.
Sign-in kills anonymous responses. The strongest fix is unusable for feedback forms, lead capture from cold visitors, or any audience that won’t authenticate. That’s a big slice of what forms are for.
Validation is weak against humans and smart bots. Regex-flavored rules stop scripts that spray random text. They don’t stop a human filling in spam by hand, and they don’t stop modern bots that read the field labels and produce plausible answers.
Unlisted links leak. One forward, one screenshot, one public repost, and your closed-channel form is public again.
There’s no layered defense. On a real anti-spam stack, no single check has to be perfect because the layers back each other up — I’ve written before about why Akismet alone isn’t enough and the same logic applies here in reverse. Google Forms gives you one layer at a time, and each layer costs you legitimate respondents or real effort.
If your form is a class survey, the five fixes are plenty. If it’s a business lead form, they’re a ceiling you’ll hit.
What a form on your own site does differently
A form on your own WordPress site can layer defenses that Google Forms structurally can’t. Core Forms stacks four: a honeypot field that’s invisible to humans but irresistible to bots, Cloudflare Turnstile for an invisible challenge that doesn’t make anyone click traffic lights, Akismet content filtering on what gets written, and rate limiting so a bot that beats the other three can still only submit a few times before it’s cut off.
None of those layers requires sign-in. Anonymous humans pass through without friction; bots hit four separate walls. That’s the structural difference — spam protection in Core Forms filters bots by behavior, while Google Forms can only filter by identity or by hiding.
You also get to choose your challenge. I’ve compared the options in the CAPTCHA comparison piece, and the short version is that invisible checks like Cloudflare’s Turnstile block bots without taxing humans — a choice Google Forms never offers you.
Google Forms is the right tool for internal surveys and quick signups among people you know. The moment a form faces the public internet and the responses matter, the no-CAPTCHA ceiling is the reason to move it to your own site.
FAQ
Does Google Forms have a built-in CAPTCHA?
No. Google Forms ships no CAPTCHA, no honeypot, and no rate limiting, and there’s no setting to add one. The closest options are requiring a Google sign-in, which blocks anonymous bots, or hand-building a verification question with response validation. Neither is a true bot challenge.
Why is my Google Form getting spam responses?
Your form’s URL is public and has been found. Crawlers harvest forms.gle and docs.google.com/forms links from public pages and feed them to spam bots, which submit directly to the form. Since Google Forms has no bot defenses by default, every submission goes straight into your responses.
Can I block specific people from submitting a Google Form?
Not by IP or email address on a public form. Your options are structural: require sign-in and restrict the form to your organization (Google Workspace), share the link privately instead of publicly, or close the form. Google Forms has no blocklist, so you filter junk after it arrives.
Will requiring sign-in stop all Google Form spam?
It stops nearly all automated spam, because bots rarely authenticate with a Google account to submit a form. It won’t stop human spammers with Google accounts, and it costs you every legitimate respondent who can’t or won’t sign in — which makes it wrong for anonymous feedback and public lead forms.