Web Form Bot Security FAQ - Captcha

This article applies to:

What is a bot?

"Bot" is short for "robot" which-in the case of spam-is a program that is written to automatically deliver or retrieve information with malicious intent. Everyone has experienced email spam. A web form bot also delivers spam, but in a slightly different way and for a variety of reasons, such as:

  • They’re probing for vulnerabilities - often so they can hijack your mail server to relay their spam.
  • They’re attempting to get links to their spam sites published on your web pages.
  • They're out to cause trouble for trouble’s sake!

Most small businesses aren’t the targets of big nefarious crime syndicates, but their websites and forms get caught up in the wide net cast by these organizations. An automated bot doesn’t care if it gets just one in 100K attempts; their cost is negligible. However, the aggravation, wasted time, and software usage costs can make a real impact on you and your business.

What security function is Keap updating?

This most recent security update addresses an often-used bot tactic - submitting many spam-delivering email addresses via the same web form multiple times from the same location (IP address).

Why the change?

Over the last year Keap has seen an increase in bots submitting web forms with information that is either known to be bad or that is valid information submitted without the information owner's knowledge. In order to stop bad or stolen information from filling up Keap users' contact lists, Keap has enabled this process requiring a CAPTCHA if there is suspicion of bot activity from the same IP address.

What is "CAPTCHA"?

CAPTCHA is an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart" - essentially it's a system to determine if the person submitting any information thru an online form is a bot or human. We want interested humans sharing their information with you and your business. We don't want bots simulating that with bogus information. CAPTCHA is a mechanism to distinguish the two from one another.

Why did Keap use Google's "reCAPTCHA"?

Choosing services provided by Google enables global ongoing support with the most current technologies, maintained by a trusted company that employes some of the best software engineers on earth.  Top notch security with minimal impact to your customer's experience-all maintained outside of Keap for free.  The algorithm for bot detection uses advanced machine learning/artificial intelligence to detect bot behavior. As bots get more advanced, the protection against them should too and Google's detection intelligence provides the highest level of security.

What’s in it for me? 

Added security against bot submissions with the new Google CAPTCHA means:

  • Better email deliverability.  When bots sneak bogus email addresses into your Keap application and your application automates emails to those addresses, those email addresses get identified on email compliance filters that flag email senders (like Keap) as "bad senders."  Even though the majority of email lists contain legitimate emails, the few bogus emails tend to ruin it for the rest of us.  Preventing bogus emails from entering and being sent from your application will keep Keap off the "bad senders" list and maintain healthy deliverability to inboxes that are waiting your marketing message.
  • Accurate list size and information.  You should only have to pay for email list sizes that contain legitimate emails.  Some customers find themselves with too many bogus emails which requires larger email list thresholds even though they're not all legitimate.  Having a "true" email list with legitimate emails may reduce your need to bump up to the next threshold of email size within Keap unnecessarily.

How is it being implemented in my Keap application?

CAPTCHA existed previously on your web forms.  The most recent update replaces the old, difficult, time-consuming version that requires users to type in hard-to-see numbers and letters with a simple checkbox.  Once the checkbox is clicked, the information from the form being submitted will pass to your contact list inside Keap.  This CAPTCHA checkbox will only appear when Google detects behavior that might indicate possible bot activity on your web form.

Will it apply to every web form?

The changes made will apply to every web form and existing landing page that gathers customer and prospect information-so long as you don't "opt-out" of this security feature in your web form settings.

Do I need to do anything to enable this updated security feature?

No. The Bot Detection (CAPTCHA) feature will default to “on” (unchecked box) in all Keap applications for web forms, legacy web forms, custom forms, and current landing pages.  You may turn off this feature for each form by checking the “opt-out” box in the “Settings” area of the web form setup process. See screenshot below:

Please Note: opting-out of this security feature may put your email deliverability at risk.  It may also corrupt your email database with bogus email addresses that are set to trigger you as a spammer-affecting the effectiveness of your email marketing.

In the near future this feature will no longer be optional and will be enabled for all Keap forms without the option to "opt-out."  For now, the “opt-out” box will allow users to select certain web forms to be exempted from this security enhancement so that if they need to make process changes there is ample time to do so.  If you are using HTTP post or other advanced automation to submit forms, please consult a developer and begin working towards re-creating this automation thru our API.

What if I am using the web form’s javascript/HTML code on my website?


  • The captcha will be displayed within the form frame or on a redirect page depending on the form settings.


  • The captcha will be displayed on a redirect page.

Javascript or HTML

  • Bot Detection is enabled by default for all hosted forms.
  • Once the captcha is entered successfully the thank-you page will be displayed or the contact will be redirected to the page depending on Thank-you page 

Pro-Tip! If there is already a CAPTCHA on the form, it will not prompt the CAPTCHA a second time.


How are web forms hosted with 3rd parties (ex. leadpages) handled?

  • Forms hosted through third parties are unaffected by this change. 
  • If using a 3rd party, we recommend to test your forms by filling out the form from the same computer multiple times in a row to see if the information goes through to Keap.

Who might need to make changes before enabling this feature?

Advanced or long-time users and partners who currently use HTTP posts to keep contact data updated in multiple systems should begin updating their processes to leverage the improved Keap API to achieve the outcomes they’re seeking.

Example 1:
I use Keap for marketing automation and another system for e-commerce. I have (or my developer has) set up a process such that when my customer submits a form/order in my e-commerce system, their contact info is pushed into Keap by an HTTP post to automatically fill out a web form in Keap.

Example 2:
I have multiple Keap applications and want to distribute contacts from the main app to the other application(s). When certain contacts are added to the main app, they’re added to a campaign that runs an HTTP post that then pushes that contact info into one of my other Keap applications by automatically filling out a web form in that application.

In each example (or in related use cases), the system running the HTTP post could submit the destination web form 10+ times in a 12 hour period and it would be posting from the same IP address. However, the HTTP post wouldn’t be able to complete the process when, after the tenth form submission, the form would redirect to the new CAPTCHA page.

What should I do in these situations?

Transition the way by which systems are sending information by using the improved Keap API. The API is created and maintained expressly for connecting other systems and information with Keap and is fully documented and maintained by our product teams at Keap with support available. For "How do I" or "How can this be accomplished" questions, we have an API Discussion section in the Keap Community and an API Facebook group . To ask questions about API throttling, error messages returned from an API call, or to report a bug with the API, you can go  here to create a support ticket.

For specific instructions on how to use the Keap API for a use case similar to the two examples given above, start here.

For general information on using the Keap API, start here.

Did this article answer your question?
Thank you for your feedback!