Honeypot Technique: Fast, Easy Spam Prevention

Spam is one of those things we wish didn’t exist.  It’s annoying and serves no useful purpose.  Mail inboxes filled with junk mail, websites with bogus contact form submissions, and products hit hard by fake sign ups are only a few common victims of spam.  And unfortunately that’s here to stay.

You may have found yourself on the receiving end of those problems.  In fact, you may have reached this blog post in your research to rid or lessen your spam problem.  Fortunately you’ve arrived at an answer.  The Honeypot technique is a fast, easy, and effective means to prevent spam.

Before I go into detail on how to implement the Honeypot technique, I want to cover two other options that are still in use to prevent spam, and why you shouldn’t use them.

Two Spam Prevention Options I Avoid

The first is Captcha.  A captcha is an image that renders text in an not-so-easy-to-read way,  also known as challenge text.  By requiring users to type the challenge text into a text field, it verifies some form of human interaction and intelligence. So if what the user enters matches the challenge text, the user is said to have successfully completed the challenge and their form submission is allowed to proceed.

A captcha displayed as part of a login form.

A captcha displayed as part of a login form.

Spam bots, on the other hand, often lack the intelligence to defeat the challenge.  First because the challenge text appears in an image, not html markup, reducing their chances of reading it.  And second, because their often unaware that the form field attached to the captcha is looking for a specific entry.  Most spam bots fail captchas due to both of these reasons.

A second option is implementing a question and answer field.  For example, a sign up form may include the following question:  What color is an orange?  Humans can easily answer that question, whereas spam bots won’t be smart enough.  Once submitted, the answer to the question can be tested, if it’s correct the form was likely submitted by a human and can be handled accordingly.

Both Degrade The User Experience

While both options are easy and help prevent spam, I don’t recommend them because they interfere with the user experience.  Often times they can even be frustrating to deal with and prompt users to leave. A good example of that would be captchas that output text that’s too hard for humans to read.

For that reason I always recommend implementing the least invasive option available.

Enter The Honeypot Technique

The reason the Honeypot technique is so popupar is b/c, in addition to how easy and effective it is, it doesn’t interfere with the user experience.  It demands nothing extra of them.  In fact, your users won’t even know you’re using it!

To implement the Honeypot technique, all that’s required is adding a hidden form field to  the form in question.  The form field can have any name or id associated to it, but make sure to add a display: none CSS rule on it.  Here’s a brief example:

<input id="real_email" type="text" name="real_email" size="25" value="" />
<input id="test_email" type="text" name="email" size="25" value="" />
#test_email {
display: none;

Note that I have 2 email fields, real_email and test_email.  test_email is hidden via display: none, so it’s not visible, nor can it be submitted by real users.

And that’s what gives away whether the form submission is spam or not.  Real users won’t be able to see the field, or submit any value for it.  Spam bots, however, will still see the field in the form’s markup and submit it with the rest of the form.

So from there all that’s needed is to test whether the hidden field was submitted or not.  If it was, the submission can be treated as spam.

And remember, because the field is hidden and out of view, users don’t even know it’s there.  That’s a more user friendly approach to spam prevention vs. having them complete a captcha challenge, or answer silly questions.


Spam is here to stay, but fortunately the Honeypot technique offers a fast and effective way to prevent spam.  Even though there are other options to consider, keep your users in mind and always prefer the least invasive approach to mitigate spam.

All the Honeypot techniqure requires is adding a hidden field to the form in question.  With that,  just about any form can become spam free.

This entry was posted in General, PHP. Bookmark the permalink.

17 Responses to Honeypot Technique: Fast, Easy Spam Prevention

  1. Paul Bagosy says:

    I go just a bit further – instead of using CSS to hide the field, I use jQuery:

    And then, in order to prevent a legitimate user with a form populator plugin from tripping it, I add this to my submit button to clear that form on a legitimate submission:


    • mzarate says:

      Hi Paul,

      Thanks for commenting.

      That idea can work as well, at the expense of requiring jQuery and additional JavaScript. Although another option to consider is naming the #test_email element something more obscure (e.g. a hash or timestamp) so that form auto-populators don’t write to it. That way a simple rename addresses your improvement, vs. having to add JavaScript to the mix.

    • Pete says:


      Why would you use jQuery to hide an element that you always want hidden? Doing so is adding extra JavaScript processing to the page, and manipulates the DOM causing a redraw. Also, since jQuery.hide() adds inline styling

      style=”display: none”

      directly onto the selected element, a smart spam engine might be looking to NOT fill in elements marked with “display: none”. Sure the spam engine could still get the computed CSS, but that is much harder to get.

      The preferred approach is described in the tutorial above (i.e. using pure CSS).

      • Hank says:

        Using Javascript would rule out bots not reading Javascript, some may read CSS and see it’s hidden.

        Also if you’re using this technique and are not using jQuery for anything else on you’re page, just use vanilla Javascript

    • Ryan Djebrouni says:

      Like Pete said, a smart bot can detect whether or not a form element is hidden. That’s why I prefer not to hide the honeypot but move it out of sight.

      position: absolute;
      left: -999em;

      Depending on the form/site, I also check the time between when the page is ready and the form submission. Then I determine the minimum time a human needs to fill and submit the form, if it’s too quick, I reload the page without submitting the form.

      • koj says:

        That last solution is not acceptable for users that use assistive technologies. The field is only hidden for users that can see the page, but what about blind or partially blind people?
        However, the js click function excludes ‘de facto’ users that use only the keyboard to fill in and validate the form.

  2. Simon says:

    What about autofill of such fields? With a name like “email” this field is likely to get filled automatically and without manual action by the user. Usually, I use autocomplete=”off” in such fields/forms, but that’s still a bit problematic …

  3. Daniel G says:

    thanks it’s so simple and works easily on my site.

  4. Alex says:

    Is honeypot still reliable? What’s to prevent a bot script from just determining whether a field is hidden or not?

    • mzarate says:

      Some may argue that it’s not, but try it’s easy enough to try and it’s been proven to work well for a lot of people. In our case it’s helped filter out just about all spam submissions to our sites and apps.

  5. Bill says:

    Another method, which I used with success on a high traffic site, is to treat all submissions that contain links as spam. Obviously this won’t suit the times when you want people to submit links, but if you’re expecting just a comment, and inform your users that links are not allowed, then you’re covered. Pretty much all spam contains links. Have the form submit “successfully” but really it’s not because the javascript found links and didn’t apply the true form action URL – which you should only add to the form with JS on load, then remove it on submit if links found. We got zero spam for 2 years on a high traffic site using this very uncomplicated method. UX is superb, just “write your name, write comment, submit”. No other steps, and doesn’t interfere with screen readers or other accessible problems, just needs simple javascript/jquery alone. Server side doesn’t need to do anything different either, it never sees the spam because it’s never submitted.

  6. Dave says:

    Thanks for the article. I implemented honeypot using gravity forms for one of my client websites and it has reduced spam to nearly zero. Within the last 2 weeks, we’ve been getting 1-2 spam emails a day that are all similar in nature. They contain statements in the comments like…”My hobby is mainly Book collecting.
    I try to learn Swedish in my free time.” All of them have bogus emails and phone numbers. Have you heard of this type of spam? I can’t imagine a human typing these in and have no idea what their goal is? Any suggestions to stop these would be appreciated! Thanks again for your great content!

    • mzarate says:

      Hi Dave,

      No, I’ve never received those particular spam submissions.

      Though as Ryan mentioned above, you may have luck timing the problematic form. E.g. if it’s submitted in less than a second, then chances are it’s a spam submission.

  7. Pingback: How To Stop Website Spam

  8. Dave says:

    I’m not a web programmer, so don’t entirely understand what you’re trying to do. Does this result in the spammer submitting a form with this javascript code? Where does it go?

    What do you do with the info once you’ve gathered it? How do you use it to block future attempts at your mail server?

    • mzarate says:

      Hi Dave,

      Does this result in the spammer submitting a form with this javascript code?

      No. The spam bot will indeed submit the form, but not with or through any of the JavaScript options other comments have mentioned. It sounds like JavaScript has been mentioned only as a way to hide the honeypot field. And as others have commented, that’s probably unnecessary since the same thing can be done with CSS.

      Where does it go?

      When the spam bot submits the form, it still routes to whatever server side script you specify for the form. The test comes in detecting if a value was submitted for the hidden field or not. If there was, then it’s most likely a spam submission b/c real users wouldn’t have filled anything in for the field since it was hidden.

      What do you do with the info once you’ve gathered it? How do you use it to block future attempts at your mail server?

      I haven’t heard of wide spread gathering of spam submissions, other than underlying spam prevention plugins or software (e.g. Akismet for WordPress, or IP Board’s spam control). Rather, if a spam submission is detected, it’s simply ignored instead of processed. That’s the scope of this technique.

      As far as blocking future spam attempts, best of luck, b/c unfortunately spam will always be with us. :( I will say that this technique has been very successful in helping us ignore spam submissions. But if you wind up needing something more thorough, try seeking out spam prevention plugins.

      Hope this helps.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>