A honeypot in web forms is an invisible input field that is hidden from human users via CSS but remains visible to automated bots that parse the HTML. Because legitimate users never see (or fill) the field, any submission with a non-empty honeypot value is rejected as spam. The technique was popularised around 2007 by anti-spam blogs and the WordPress plugin "Honeypot for Contact Form 7", and is the privacy-friendly alternative to CAPTCHAs like Google reCAPTCHA — no third-party scripts, no cookies, no accessibility issues, no impact on conversion.
How does a honeypot work?
The server adds an extra input (often named website, url, email_confirm or similar) to the form. The field is hidden using display: none, visibility: hidden, position: absolute; left: -9999px, an empty <label> or a tabindex="-1" autocomplete="off" wrapper. Spam bots indiscriminately fill every input they find — including the trap. On submit, the server checks the honeypot:
- Field empty → treat as human, process the form.
- Field filled → treat as bot, silently discard or return 200 OK without saving (so the bot doesn't retry).
Honeypot vs CAPTCHA: which is better?
| Criterion | Honeypot | CAPTCHA (reCAPTCHA) |
|---|---|---|
| User friction | None (invisible) | Medium–high |
| Accessibility (WCAG 2.2) | Compliant | Needs audio fallback |
| Privacy / GDPR | No third-party calls | Loads Google scripts, requires consent |
| Performance cost | ~0 KB | ~200 KB JS |
| Bot detection rate | ~95 % of dumb spam | ~99 % including smart bots |
| Conversion impact | None | 3–29 % drop |
For most WordPress sites, a honeypot plus a time-based check stops more than enough spam — without the legal and UX cost of CAPTCHA.
How do I add a honeypot to a WordPress form?
Contact Form 7
Install the free plugin "Honeypot for Contact Form 7" (1+ million active installs) and add the [honeypot website] tag to your form. The plugin handles the CSS hiding and the server-side check automatically.
WPForms / Gravity Forms / Fluent Forms
All three include a built-in honeypot option in the form settings — enable it with one click; no extra code needed.
Custom WordPress form
```html
<p style="position:absolute;left:-9999px;" aria-hidden="true">
  <label for="website">Leave this field empty</label>
  <input type="text" name="website" id="website" tabindex="-1" autocomplete="off">
</p>
```

Server-side PHP check:

```php
if ( ! empty( $_POST['website'] ) ) {
    // Bot detected — discard
    wp_die( 'Spam detected', 'Error', array( 'response' => 200 ) );
}
```

What are honeypot best practices?
- Use plausible field names like `website`, `url`, `company`, not `honeypot`. Modern bots skip obvious traps.
- Hide via CSS, not `type="hidden"`; smart bots ignore hidden inputs.
- Add `tabindex="-1"` and `autocomplete="off"` so keyboard users and password managers skip it.
- Add `aria-hidden="true"` for screen readers.
- Combine with a time check: reject forms submitted in under 2–3 seconds (real users take longer).
- Return 200 OK on rejection so bots don't learn to bypass.
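As an added example (not code from the page or from any of the plugins mentioned), here is the custom-form check extended with the time check from the list above: the form timestamp is signed with `wp_hash()` so a bot cannot post a back-dated one, and a rejected submission gets the same 200 response as a real one. The field name `form_ts`, the `my_form_*` function names and the `admin_post` hook are assumptions.

```php
<?php
// Added example, not from the page: honeypot + signed time check for a custom
// WordPress form. Field name 'form_ts', the my_form_* names and the admin_post
// hook are assumptions. wp_hash() is WordPress's HMAC keyed with the site salts.

function my_form_timestamp_field() {
    $issued = (string) time();
    $sig    = wp_hash( $issued );
    echo '<input type="hidden" name="form_ts" value="' . esc_attr( $issued . '|' . $sig ) . '">';
}

function my_form_is_spam( array $post, int $now, int $min_seconds = 3 ) : bool {
    // 1. Honeypot: a human never sees 'website', so any value means a bot.
    if ( ! empty( $post['website'] ) ) {
        return true;
    }
    // 2. Time check: a missing, forged or too-fresh timestamp means a bot.
    if ( empty( $post['form_ts'] ) || substr_count( $post['form_ts'], '|' ) !== 1 ) {
        return true;
    }
    list( $issued, $sig ) = explode( '|', $post['form_ts'], 2 );
    if ( ! hash_equals( wp_hash( $issued ), $sig ) ) {
        return true; // timestamp was tampered with
    }
    if ( $now - (int) $issued < $min_seconds ) {
        return true; // submitted faster than a human could fill the form
    }
    return false;
}

add_action( 'admin_post_nopriv_my_form', 'my_form_handle' );
add_action( 'admin_post_my_form', 'my_form_handle' );
function my_form_handle() {
    if ( my_form_is_spam( $_POST, time() ) ) {
        // Same response as a genuine submission, so the bot cannot tell it was caught.
        wp_die( 'Thanks!', 'Message sent', array( 'response' => 200 ) );
    }
    // Real processing (sanitize, e-mail, save) goes here.
}
```

Call `my_form_timestamp_field()` inside the form markup next to the honeypot `<p>` so every rendered form carries a fresh signed timestamp.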
When is a honeypot not enough?
Sophisticated bots that execute JavaScript and respect CSS visibility (e.g. headless Chrome / Puppeteer scripts) will skip the honeypot. For high-value targets — login pages, payment forms, lead-gen with cash bounty — combine honeypot + time check + Cloudflare Turnstile or rate limiting on the server. The other distinct meaning of "honeypot" — a deliberately vulnerable server set up to study attackers — is a separate cybersecurity concept unrelated to spam forms.
What InspectWP checks
InspectWP scans every form on the crawled page and flags missing spam protection on contact and login forms. It also detects loaded Google reCAPTCHA scripts under the GDPR section so you can compare honeypot vs CAPTCHA usage on your site.