The plugin itself already has that feature (and the captcha is even stronger protection), but it can't protect you if the submissions are going to Salesforce directly (as they seem to believe?) as that bypasses the plugin completely.
In this case, you could simply add a custom field in SF and a hidden field in your form, called, say, LeadFromWebsite__c or something, set it to Yes, then 'filter out' any lead submissions that don't have that field set to the expected value.
Or use the existing Lead Source field -- which is always set and passed by the plugin. Set it to something unlikely to be submitted by a spam bot, then validate against that field.