In modern web applications, one of the pain points everyone faces at some point is spam submissions to forms by automated bots.

What happens is malicious entities or back actors submit unwanted information through online forms to phish or send abusive messages. So, there is no real human who is filling out the form. Instead, the bots will fill every field of the form with completely random data (which are eventually of no use) and submit the form.

There are a few ways to fix this kind of attack. One of the many ways is to use CAPTCHA. The good news is our standard plugin version support reCAPTCHA V2. But, spambots are now able to solve the captcha puzzle. So they are no longer effective. Here is where the “Honeypot” comes in.


The principle of a honeypot is simple — bots are stupid. While some spam is hand-delivered, the vast majority is submitted by bots scripted in a specific (wide-scope) way to submit spam to the largest number of form types. In this way, they somewhat blindly fill in fields, regardless of whether the field should be filled in or not. This is how a honeypot catches the bot — it introduces an additional field in the form that if filled out will trigger the honeypot and flag the submission as spam. While this works for a breeder form filler, there are chances some of the most advanced spambots can leave our honeypot field empty and this again brings the trouble.

So, we use several methods to identify spambots and block them.

1. When you are using our “Honeypot” technology, our plugin would add 2 hidden fields.

      — One from the server-side is hidden through CSS. A basic spam bot would fill this field. So, it’s caught by our server-side form validator and blocked as spam.

      — And, we add another honeypot field from the client-side (Javascript) and check if the honeypot field exists or not. Spambots can’t use javascript and the honeypot field is not available for them. This way we can better trap spambots.

2. A spam bot fills the form automatically (usually very fast). Mostly, if a form is submitted in less than 3 seconds, it’s typically spam. So, there is also a time-based validation that protects such quick form submissions.

All these are configurable from our plugin settings.

Blocking Spam bots using Honeypot:

Go to “Dashboard => Classifieds & Directory => Settings — Anti-Spam tab — Anti-Spam” from your WordPress admin panel.

Here you can configure Honeypot settings and protect your site from Spam.

We have used this technique as an experiment in several of our customer websites in the last 3 months and confirm they are SPAM-free now.

Do you still need a reCAPTCHA?

While “Honeypot” is good at blocking spam bots, it doesn’t work against manual form submissions. If your site is experiencing such kind of spam submissions, we would suggest using both our “reCAPTCHA” and “Honeypot” features.


ReCAPTCHA is an advanced form of CAPTCHA that can distinguish between robots and human users. Google has made reCAPTCHA publicly available, so that website owners can use it on their site forms to reduce spam.

Blocking Spambots with ReCAPTCHA:

Go to “Dashboard => Classifieds & Directory => Settings — Anti-Spam tab — reCAPTCHA” from your WordPress admin panel.

Here you need to provide Google reCAPTCHA API keys (site key and secret key). Please refer to create your site and secret keys.