Honeypot Module for Contact Form 7 WordPress Plugin

This simple addition to the wonderful Contact Form 7 (CF7) plugin adds basic honeypot anti-spam functionality to thwart spambots without the need for an ugly captcha.

The principle of a honeypot is simple — bots are stupid. While some spam is hand-delivered, the vast majority is submitted by bots scripted in a specific (wide-scope) way to submit spam to the largest number of form types. In this way they somewhat blindly fill in fields, irregardless of whether the field should be filled in or not. This is how a honeypot catches the bot — it introduces an additional field in the form that if filled out will cause the form not to validate.

Get the CF7 Honeypot Plugin

Support

Please use the official CF7 Honeypot support forum for all support requests. Support requests in comments may not be answered. Also — before submitting a support request, be sure to confirm you are using the latest versions of: 1) Contact Form 7 WordPress Plugin, 2) The Contact Form 7 plugin, 3) WordPress.

Installation

  • Install using WordPress’ “Add Plugin” feature — just search for “Contact Form 7 Honeypot”
  • Activate the plugin
  • Edit a form in Contact Form 7
  • Choose “Honeypot” from the Generate Tag dropdown. Recommended: change the honeypot element’s ID.
  • Insert the generated tag anywhere in your form. The added field uses inline CSS styles to hide the field from your visitors.


The fine folks at RoseApple Media put the above video together detailing the simple process of getting up and running with CF7 Honeypot.

Advanced Customization

Should you wish to, you can change the outputted Honeypot HTML by using the wpcf7_honeypot_html_output filter.

Ex:

function my_honeypot_override( $html, $args ) {
    // [DO STUFF HERE]
    return $html;
}
add_filter('wpcf7_honeypot_html_output', 'my_honeypot_override', 10, 2 );

Frequently Asked Questions

Will this module stop all my contact form spam?
Probably not. But it should reduce it to a level whereby you don’t require any additonal spam challenges (CAPTCHA, math questions, etc.).

Are honeypots better than CAPTCHAs?
This largely depends on the quality of the CAPTCHA. Unfortunately the more difficult a CAPTCHA is to break, the more user-unfriendly it is. This honeypot module was created because we don’t like CAPTCHA’s cluttering up our forms. Our recommendation is to try this module first, and if you find that it doesn’t stop enough spam, then employ more challenging anti-spam techniques.

Can I modify the HTML this plugin outputs?
Yep! New in version 1.5 of the plugin you’re able to adjust the HTML by hooking the output filter for the plugin. See the Installation section for more details.

What is the plugin license?
This plugin is released under a GPL license.

Changelog

1.6.1
Small change to accommodate changes made in CF7 3.9.

1.6
Quite a lot of code clean-up. This shouldn’t result in any changes to the regular output, but it’s worth checking your forms after updating. Also, you’ll note that you now have the ability to add a custom CLASS and ID attributes when generating the Honeypot shortcode (in the CF7 form editor).

1.5
Added filter hook for greater extensibility. See installation section for more details.

1.4
Update to make compatible with WordPress 3.8 and CF7 3.6. Solves problem of unrendered honeypot shortcode appearing on contact forms.

1.3
Update to improve outputted HTML for better standards compliance when the same form appears multiple times on the same page.

1.2
Small update to add better i18n and WPML compatibility.

1.1
Small update for W3C compliance. Thanks Jeff.

1.0
Initial release.

80 Responses to Honeypot Module for Contact Form 7 WordPress Plugin

  1. Pingback: DaoByDesign på "Kontakt formular 7 Honeypot" - CyberMaster

  2. Pingback: Adding a little Honey to WordPress’ Contact Form 7 Plugin ~ Dao By Design

  3. Plugin: Contact Form 7 Honeypot] Is it compatible with Contact Form7 Recaptcha?

    I want to combine usage of this honey pot plugin
    http://wordpress.org/extend/plugins/contact-form-7-honeypot/

    with the Recaptcha add on for contact form 7.
    http://wordpress.org/extend/plugins/contact-form-7-recaptcha-extension/

    Recently i got sent a spam, not sure if it was manual or not, seeing i am already using recaptcha. So i wanted to know if honeypot can work together with recaptcha or will it bug out ?

    I posted my question also in the wp forum as well
    http://wordpress.org/support/topic/plugin-contact-form-7-honeypot-is-it-compatible-with-contact-form7-recaptcha?replies=1#post-2203941

  4. Man, this thing breaks my form….

    The part that’s breaking it is…

    $html = ‘<span class="wpcf7-form-control-wrap '…

    Not a coder, but when I leave this line in, the form loses styling below the honeypot entry, the honeypot input becomes visible, other styling issues….

    If I remove it, all looks fine – but obviously, there is now a missing line of code.

    So, this line of code seems to be wrapping the $html inside a span tag and appending some validation_error result… which for non-programmers like myself prompts the following questions:

    1) What does it do????" ;-)

    2) Any way to restructure this to make it less likely to conflict with my form???

    Thanks

    • Hi Steve, what are you naming this element? It’s difficult to tell what is causing the error with just a report of what line you believe is causing the problem, but not actually the output that is causing the problem. Can you send me the HTML (or a link) to info at daobydesign dot com.

  5. Hey, this is terrific! My client is getting quite a bit of what is obviously automated spam. Is there a fairly simple way to test the function. Would I need a bot? I don’t know how to get one and not sure if it would remain under my control. Seriously though, any ideas about how to test?

    • The plugin doesn’t actually differentiate between bot and regular visitor, it simply doesn’t display the honeypot form element to regular visitors, and thus they would have no reason to fill it in. Bots, which generally ignore CSS style in their reading of a page, will assume the form field needs to be filled out, and thus trigger the trap. Obviously there are ways to get around this, and as bots mature, prevention techniques will also need to evolve to keep up.

  6. Very interesting. My Really Simple Captcha gets cached by W3 Total Cache, and W3 has highest priority for our blog.

    So I installed this and generated the code.

    For example :

    [honeypot honeypot-123]

    I need clarification on what you mean by this :

    “Recommended: change the honeypot element’s ID”

    So do I change 123 to any number like 555 ?

    Thanks

    • Hi Joe, the element’s ID is the ID of the HTML element in the final rendered page. The ID takes its value from the “honeypot-123″ part of the shortcode [honeypot honeypot-123], so changing that whole value to something that doesn’t advertise “honeypot” to the spambots is a good idea. I suggest changing it to something tasty to spambots (url-123, email-123, etc.) so as to encourage catching them with the honey.

  7. Ryan,
    Is there a way to integrate this into a typical WP comment system (My Site My Way Infocus Theme, overall plain vanilla WP)so that the post-level comments are being honeypotted?

    • Hi Gerard, this was specifically designed to be a plugin for CF7, so won’t work with the standard WP comment form, but it wouldn’t be hard to make a plugin that does. I am pretty sure one exists already though, so you might want to check the plugin directory at wordpress.org.

  8. Excellent stuff Ryan, thanks for making this. Any plans on updating the WP compatibility in the Plugin Database? Probably get more installs that way.

    Thanks again. I am testing this for a week or two.

    Sincerely,
    Roger

  9. Apparently Honeypot Contact 7 is not working on my site. Many the generated tag is wrong or I am not embedding some more short tags in the form.

    Help Please.

    Ed

    • Hi Ed — it looks like you’re using the wrong CF7 Honeypot shortcode: [spambotpot-545]

      This honeypot plugin uses [honeypot THEID] — where THEID is a uniquely generated ID.

  10. Hi,

    just saw that it seems stopped working for me.

    Tried it with new ids. The form was sentable without being protected.

    Could it be because I updated wordpress today?

    wolle

    • Hi wolle, I just checked with the latest version of WP and it appears to be working fine. To test the honeypot, you’ll need to insert a value into the honeypot input (using a dev tool like Firebug, or just the stock DOM inspector in your browser).

      • Hi Ryan,

        thank you for the fast reply.

        After sleeping some hours I looked over it again. Okay, you won’t be able to reproduce it because I’ve got two blogs running on the same server and on one blog everything workds like a charm.

        The one which is running crazy doesn’t give me the “tag opportunity” in the contact form section at all. So I’m not able to generate a honeypot id at all.

        (I’m still thinking that I was able to do so before I went to sleep but sometimes I’m a bit confused. ;))

        I will have a look where are the differences between installed plugins on both blogs.

        I also do not think that it’s a question of the used language in both blogs. (One is in english and one in german.)

        I think you can’t do that much for me at the moment because of my individual konfiguration and it’s working on one blog.

        It’s sick that this “tag dropdown” is missing and the settings page of contact form 7 looks that much different on both blogs.

        Okay, I shut up now and will look where’s the point. ;)

        wolle

  11. It’s me again.

    The tag-generator is in the sources of the page of the admin section of contact form. There is also honepot in it.

    That’s why I think my fault hasn’t anything to do with honeypot.

    I’m sorry for wasting your time.

  12. All of a sudden I’m getting spam emails from my Contact Form 7 that’s protected with your honeypot, probably two dozen in the last 12 hours and still coming. The code on the pages looks good to me ( and ) for the two versions of the form I have on my WP site.

    You said “To test the honeypot, you’ll need to insert a value into the honeypot input (using a dev tool like Firebug…” I have Firebug installed and can find the honeypot line of code in Firebug, but don’t know how to enter a value into that field. Can you explain how?

    • Hi Malcolm — you’ll need to right click the input code and edit it:
      <input class="wpcf7-text" type="text" name="email-wpcf7-hp" id="email-wpcf7-hp" value="" size="40" tabindex="3">

      Then add a value to the “value” attribute — something like:
      <input class="wpcf7-text" type="text" name="email-wpcf7-hp" id="email-wpcf7-hp" value="something" size="40" tabindex="3">

      Then, fill out the form as you normally would and see if you can submit it. It should return an error, because validation should not allow the submission through if that field has a value.

      • Thanks, Ryan, that worked fine and did produce the validation error.

        So, any ideas about stopping the flood of spam that’s getting through :-)

      • The first thing I would do is change all the names of the various input fields in the contact form. I would also suggest getting a captcha (such as reCaptcha) installed in the form.

  13. I used this in addition to the honeypot
    [checkbox* humancheckbox label_first "Please Check the box if your human"]

    i was getting some spam that got through but now none since i added that line.
    Thanks for a great plugin..i hope this will help someone that is still getting a little spam..

  14. The flood of spam I was getting through the honey pot protection stopped about as suddenly as to began. For several weeks now, I’ve only had maybe one or two spam messages per week. I didn’t put in any additional protection.

  15. Thank you, thank you! Honeypot for Contact Form 7 has just stopped the spambots in their nasty little tracks. Yesterday I got slammed with more than 100 bot-generated spams on a contact form at our site… installed Honeypot and the spams have stopped cold. Not a single one since, but legit inquiries are getting through. I no longer dread checking the inbox!

  16. Is there a way for me to view the changes this plugin makes? It looks like it does something with CSS. I chose View Page Source & found my entry, but was just curious if I could see the field it adds. Also, I have heard that some tablets & phones are able to see these types of honeypot text. Are you aware of anything like this & does this plugin prevent that? Thanks

    • You’ll have to view the changes in the source of the page with the form on it. The element is hidden using CSS, but easily viewable in the source. As for tablets/phones — shouldn’t be a problem assuming it’s a modern browser being used. If you’re viewing the site (and form) on an old mobile phone browser that doesn’t load CSS, then the honeypot element would be visible. I would assume though that visitors using old phones like that are going to be a very very very small percentage of visitors. It will work in all typical smart phone browsers.

  17. Just installed it today – within 10 minutes I was hit by a literal *barrage* of bot-generated spam messages…
    :-/

    Is there any particular tweak I should be aware of?
    Could someone be targeting precisely this plugin in order to succeed in its efforts?

    Your opinion is kindly appreciated

    Paul
    unclegroove.com

    • I can’t think of a reason a form using a honeypot field would be targeted, as it certainly doesn’t open up a vulnerability to the form. If the spammer is smart, it can be avoided, but that wouldn’t be a target-like criteria. I checked the form on your site, did you disable the plugin? I couldn’t find any indication that it was active in the form.

      • Hi there. They are indeed activated (both CF7 + the HP plugin).
        Good news is that after that initial surge nothing has filtered through.
        The initial wave of emails appears to originate from Gmail accounts; if you’re interested I could forward you the incriminated addresses (for your spam databases, etc).
        Kind regards
        Paul
        unclegroove.com

      • Hi Paul — I took another look at your site just to confirm. Assuming that the form you’re talking about is the contact form in the sidebar, there’s no sign of the Honeypot field there. Are you sure you’ve added it to the form? See steps 3-5 in the Installation section above. If I’ve got it wrong, or its another site you’re referencing, please disregard.

  18. HI Ryan,
    Great plugin. Works very well with our CF7 forms.

    I need to add Honeypot to another theme however, I have to insert the code instead Tag in a .php form. Is there a way to do it? That would be fantastic.
    Thanks
    Gil

    • Hi Gil. The plugin is specifically built for CF7 forms, so it currently can’t be used outside of that. Of course, if you’re building a custom form, you can just build a honeypot into it yourself. It’s a pretty simple premise, and just requires that you have an extra input that is hidden using CSS and is checked before form submission to see if a value has been added to it.

  19. Hello. I cannot find the generate code dropdown. It should be where I create new contact 7 forms? I’m using WordPress 3.3.2. And the 1.1 version of honeypot downloaded at wordpress.org.

    Please help.

    • Yes, it is in the CF7 creator/editor page, in the same place as where all fields for CF7 are generated.

  20. Hi Ryan, I’m working on a site and wondered if I just copy and paste the code [honeypot email-123] , anywhere in the form? Do I have to add any tags that are shown in the form that’s generated? I’m relatively new to WP and have been searching for tutorials but no-one seems to elaborate on it as I saw something on inline css or hidden fields? Any advice appreciated

    • Hi Rich, yep, that should do. Just add that [honeypot email-123] tag anywhere in your form editor box and you should be all set.

  21. I have one web page with two Contact Form 7 forms. During testing, I set the “value” attribute of the honeypot input to something non-null, and it stops the form from being submitted as it should. But when I try the same thing for the other form, it doesn’t prevent the form from being submitted. Does your honeypot plugin only work on one CF7 form on a page?

    • @Forrest — I’ve never tried using it with two forms on the same page, but can’t think of why this wouldn’t work. All elements of an individual form should only relate to that form. It could be that CF7′s Ajax validation is getting tripped up. I’ll have to do some more testing to see.

  22. I just installed it, and then tested it twice by replacing a contact form7 with the honey pot on a new post, and a page that I knew spambots were sending their messages to my email from. Usually, any change to a post or page will trigger at least 20 or 30 immediate spambot nonsense messages. But not this time. So I decided to do a more extensive update on a page that I had posted photos of artwork, but little commentary. I wrote more about the subject, so that the spambots would be sure to be triggered, installed the edited contact form 7 with the honeypot, sent myself a test message to make sure the contact from was functional. And my message came through, but no spamalamdingdong….yet. But so far, so good. Thank you.

  23. Hi, first of all, thanks for this plugin – and for the latest update (1.3). I was running into validation errors since multiple use of on id, but that was solved now.

    Some improvements I like to see is a filter-hook for the “wpcf7_honeypot_shortcode_handler”, to change the output. I’d like to be able to choose if I use a css class for hiding the input.

    Another point is that the current version (1.3) outputs a label with for-attribute but missing an id for the input.

    Thanks again,
    Daniel

    • Hey Daniel, finally found some time to fix/add these features. See version 1.5 released today. I’ve added unique ID and FOR attributes to the input and label, and I’ve also added a filter hook which should give you the control you’re looking for (see the plugin instructions for details). If you’re able to test and confirm that the filter is working as expected, it’s very much appreciated (as was the coffee donation, thanks!).

  24. Seems there’s an issue with the latest version of Contact Form 7, v3.6 The honeypot shortcode is not getting converted and it just shows up on the page. Will this be addressed or is there a fix?

    • Hi Matt & Travis, this was due to a change in the most recent version of CF7. If you update your CF7 Honeypot plugin to the latest version (1.4 — now in the repository, so your WP update screen should indicate it), it should solve the problem for you.

      • Do you have a URL? Feel free to send me via the contact form on the Contact page (link up at the top of the page).

      • Your version of CF7 is way out of date. Try updating that. I’d also update WordPress asap, as you’re a number of significant versions behind, and there have been a number of security patches since then. If for some strange reason you can’t update anything, you’ll need to use an older version of the Honeypot plugin.

  25. Hiya,

    Thanks for such a valuable plugin.

    Can you just confirm for me which message is shown to the spambot when they are caught in the honeypot?

    I ask as I would like to specify my email address for the user in the “Sender’s message was failed to send” field – but only if this message is not going to be shown to a spambot.

    Thanks,
    James

    • Hi James, as of version 1.6 (releasing in the next 10 minutes or so), the message is the “# Submission was referred to as spam” error message.

  26. Hey, I have added the code, for example [honeypot honeypot-112] however all that is outputted onto the page is [honeypot honeypot-112] and not the html version, what would be the reason for this?

    • The only reason I can think of is that the plugin hasn’t been installed/enabled under the Plugins section of the WordPress admin area.

  27. Unfortunately the honeypot still shows in the form of one of my sites.
    It is strange because in another site the problem does not occur.

    I use the latest version 1.6 of the Honeypot plugin, version 7.3.2 of Contact Form 7 and WordPress 3.8.1.

    Please let me know if you need any additional information to solve this problem.

    Yannis

  28. Hi Ryan,

    When I install the plugin and add the Honeypot tag to my contactform the contactform breaks and doesn’t show any more on the page.

    Any idea what this can be?

    I’m on WP 3.8.2
    Contact Form 7 3.3.1
    Honeypot 1.6

    Thanks!

    Erik

  29. I generated the tag (and renamed it contact-us, which generated [honeypot contact-us] however if I put this in it made the entire form disappear from the page.

    When i changed to [contact-us] the page showed up again. Have I installed honeypot properly?

  30. I installed the plugin and did not have the option to add the honeypot tag. I do see an “enable anti-spam honeybot” option under form settings>form options. Our contact form is actually built on eloqua but incorporated onto our wordpress site. If that “enable honeybot” option is there, does it mean it is compatible for the plugin?

    • Hi Gina, this plugin is strictly for use in conjunction with Contact Form 7. If you are using a different plugin to generate your contact form, this is not the plugin for you.

    • Hi Gina, this plugin is strictly for use in conjunction with Contact Form 7. If you are using a different plugin to generate your contact form, this is not the plugin for you.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>