Honeypot Technique: Fast, Easy Spam Prevention

Spam is one of those things we wish didn’t exist.  It’s annoying and serves no useful purpose.  Mail inboxes filled with junk mail, websites with bogus contact form submissions, and products hit hard by fake sign ups are only a few common victims of spam.  And unfortunately that’s here to stay.

You may have found yourself on the receiving end of those problems.  In fact, you may have reached this blog post in your research to get rid of or lessen your spam problem.  Fortunately you’ve arrived at an answer.  The Honeypot technique is a fast, easy, and effective means to prevent spam.

Before I go into detail on how to implement the Honeypot technique, I want to cover two other options that are still in use to prevent spam, and why you shouldn’t use them.

Two Spam Prevention Options I Avoid

The first is Captcha.  A captcha is an image that renders text in a not-so-easy-to-read way, also known as challenge text.  By requiring users to type the challenge text into a text field, it verifies some form of human interaction and intelligence. So if what the user enters matches the challenge text, the user is said to have successfully completed the challenge and their form submission is allowed to proceed.

A captcha displayed as part of a login form.


Spam bots, on the other hand, often lack the intelligence to defeat the challenge.  First, because the challenge text appears in an image, not HTML markup, reducing their chances of reading it.  And second, because they’re often unaware that the form field attached to the captcha is looking for a specific entry.  Most spam bots fail captchas due to both of these reasons.

A second option is implementing a question and answer field.  For example, a sign up form may include the following question:  What color is an orange?  Humans can easily answer that question, whereas spam bots won’t be smart enough.  Once submitted, the answer to the question can be tested.  If it’s correct, the form was likely submitted by a human and can be handled accordingly.

Both Degrade The User Experience

While both options are easy and help prevent spam, I don’t recommend them because they interfere with the user experience.  Often times they can even be frustrating to deal with and prompt users to leave. A good example of that would be captchas that output text that’s too hard for humans to read.

For that reason I always recommend implementing the least invasive option available.

Enter The Honeypot Technique

The reason the Honeypot technique is so popular is that, in addition to how easy and effective it is, it doesn’t interfere with the user experience.  It demands nothing extra of your users.  In fact, they won’t even know you’re using it!

To implement the Honeypot technique, all that’s required is adding a hidden form field to the form in question.  The form field can have any name or id associated with it, but make sure to add a display: none CSS rule on it.  Here’s a brief example:

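<!-- Real field: the one users see and fill in -->
<input id="real_email" type="text" name="real_email" size="25" value="" />
<!-- Honeypot field: hidden by the CSS rule below -->
<input id="test_email" type="text" name="email" size="25" value="" />

#test_email {
  display: none;
}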

Note that I have 2 email fields, real_email and test_email.  test_email is hidden via display: none, so it’s not visible, and real users can’t fill it in.

And that’s what gives away whether the form submission is spam or not.  Real users won’t be able to see the field, or submit any value for it.  Spam bots, however, will still see the field in the form’s markup and submit it with the rest of the form.

So from there all that’s needed is to test whether the hidden field was submitted with a value or not.  If it was, the submission can be treated as spam.
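
A server-side version of that test, as an added example (not code from the original post). It assumes the form is posted as application/x-www-form-urlencoded and uses the field names from the markup above; the function names and sample bodies are made up for illustration.

```python
from urllib.parse import parse_qs

# Field names from the form above: "email" is the name of the hidden
# #test_email input, "real_email" is the field real users fill in.
HONEYPOT_FIELD = "email"
REAL_FIELD = "real_email"


def is_spam(raw_body: str, honeypot: str = HONEYPOT_FIELD) -> bool:
    """Return True when the hidden honeypot field arrived with a value.

    A browser still sends a display:none input, but with an empty value,
    so the test is "non-empty", not "present". keep_blank_values=True keeps
    those empty values visible instead of silently dropping the key.
    """
    fields = parse_qs(raw_body, keep_blank_values=True)
    # A key may repeat in the body; any non-blank copy counts as filled.
    return any(value.strip() for value in fields.get(honeypot, []))


def handle_submission(raw_body: str) -> dict:
    """Classify one urlencoded POST body and pull out the real address."""
    if is_spam(raw_body):
        return {"accepted": False, "email": None}
    fields = parse_qs(raw_body, keep_blank_values=True)
    real = fields.get(REAL_FIELD, [""])[0].strip()
    return {"accepted": bool(real), "email": real or None}


# Constructed sample bodies (not captured traffic).
SAMPLES = {
    "human": "real_email=ann%40example.com&email=",
    "bot": "real_email=x%40spam.example&email=x%40spam.example",
    "blank_honeypot": "real_email=bob%40example.com&email=+++",
    "repeated_key": "real_email=a%40example.com&email=&email=filled",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, handle_submission(body))
```

The honeypot name is a parameter, so the check still works if the hidden field is renamed to something other than "email".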

And remember, because the field is hidden and out of view, users don’t even know it’s there.  That’s a more user-friendly approach to spam prevention than having them complete a captcha challenge or answer silly questions.


Spam is here to stay, but fortunately the Honeypot technique offers a fast and effective way to prevent spam.  Even though there are other options to consider, keep your users in mind and always prefer the least invasive approach to mitigate spam.

All the Honeypot technique requires is adding a hidden field to the form in question.  With that, just about any form can become spam free.


6 Responses to Honeypot Technique: Fast, Easy Spam Prevention

  1. Paul Bagosy says:

    I go just a bit further – instead of using CSS to hide the field, I use jQuery:

    And then, in order to prevent a legitimate user with a form populator plugin from tripping it, I add this to my submit button to clear that form on a legitimate submission:


    • mzarate says:

      Hi Paul,

      Thanks for commenting.

      That idea can work as well, at the expense of requiring jQuery and additional JavaScript. Although another option to consider is naming the #test_email element something more obscure (e.g. a hash or timestamp) so that form auto-populators don’t write to it. That way a simple rename addresses your improvement, vs. having to add JavaScript to the mix.

    • Pete says:


      Why would you use jQuery to hide an element that you always want hidden? Doing so is adding extra JavaScript processing to the page, and manipulates the DOM causing a redraw. Also, since jQuery.hide() adds inline styling

      style="display: none"

      directly onto the selected element, a smart spam engine might be looking to NOT fill in elements marked with “display: none”. Sure the spam engine could still get the computed CSS, but that is much harder to get.

      The preferred approach is described in the tutorial above (i.e. using pure CSS).

      • Hank says:

        Using Javascript would rule out bots not reading Javascript, some may read CSS and see it’s hidden.

        Also if you’re using this technique and are not using jQuery for anything else on your page, just use vanilla Javascript

  2. Simon says:

    What about autofill of such fields? With a name like “email” this field is likely to get filled automatically and without manual action by the user. Usually, I use autocomplete="off" in such fields/forms, but that’s still a bit problematic …

  3. Daniel G says:

    thanks it’s so simple and works easily on my site.
