Trash bin GitHub logo Information Right arrow Staticman title Staticman

Home / Documentation /

Handling spam

Whenever you accept user content, you’re bound to receive some spam entries that you wish to reject before they end up on your site. Luckily, Staticman offers a few solutions for handling such spam.


The simplest and most effective way to cut down spam is to enable moderation in your site config. With moderation enabled, Staticman will not automatically add submissions to your site and you will instead have to approve each submission by accepting the pull request created by Staticman.

Of course, moderation won’t stop spam from being submitted. If you find yourself receiving a lot of spam pull requests, consider adding a honeypot or additional trivial question field (e.x. ‘What is 5 + 2’) to your form.


Another effective method of combating spam is to use reCAPTCHA. If you enable Akismet, Google will collect some telemetry.

  1. Sign up for reCaptcha v2 and note your Site key and Secret key
  2. Use the Staticman encryption endpoint to encrypt the secret and add the reCAPTCHA options to your staticman.yml site config file
     enabled: true
     siteKey: ""
     secret: ""
  3. Add the reCAPTCHA credentials to your form
    <input type="hidden" name="options[reCaptcha][siteKey]" value="{SITE-KEY}">
    <input type="hidden" name="options[reCaptcha][secret]" value="{ENCRYPTED-SECRET}">
  4. Follow the reCAPTCHA documentation to add either a checkbox or invisible challenge to your form.


Another option for dealing with spam is to use the Akismet API. Akismet is a spam detection service offered by WordPress. If you enable Akismet, data from your form submissions will be forwarded to Akismet to determine if it’s spam.

  1. Sign up for an Akismet account. Note your Akismet API key and give Akismet your static site’s URL
  2. Add the Akismet API key and URL to the API config
  3. Add the Akismet config to your staticman.yml site config file, making sure that the values below match the name properties of your form’s fields
     enabled: true
     author: "name"
     authorEmail: "email"
     authorUrl: "website"
     content: "message"

Note: Staticman currently uses one Akismet account for all its calls as compared to reCAPTCHA which can be configured per site. If many sites use a single Staticman instance this can be problematic.