Dev4Press No Script
Blog Post

Login Honeypot to fight comments spam

There are many ways to fight spam. And, spam delivery method will largely influence the way to fight it. Honeypot on the login form is very effective if your website is free for anyone to register.

Before you go on with this post, check out the previous parts in this series about the comment spam:

What is honeypot?

Honeypot is a field added to a form that should be made invisible. Normal users, accessing the form through the browser, will not see this field, and will not fill it. But, bots, usually use own HTML parser to read the form, and fill in the data, and bots tend to always fill any field they find on the form. So, they will fill in the honeypot field too. So, when the form is submitted, you need to check if the honeypot field has some value, and if it does, it was filled by the bot and not the real user accessing the website through the browser.

Test setup

To test how effective this method is, I have used data gathered on Dev4Press blog between March 23, 2016, and April 5, 2016. The first 7 days no antispam methods were used, and all spam was allowed to arrive at Dev4Press blog (it was not displayed, but all spam messages were logged). After that, for 7 days, only Login Honeypot was used.

If you check out the comment spam analysis article, you will see that most spam on Dev4Press is delivered through registered user accounts. This might not be the case with other blogs, it all depends on how they are set.

First week: no honeypot

First 7 days, the website received the total of 15,932 spam comments. Here is the list of spam comments for each day.

Date Spam
3/23/2016 2530
3/24/2016 2364
3/25/2016 2150
3/26/2016 2176
3/27/2016 2461
3/28/2016 2140
3/29/2016 2111
Total 15,932.00
Average 2,276.00

Login Honeypot

Login Honeypot Settings
Login Honeypot Settings

Login Honeypot is added using GD Security Toolbox Pro plugin. It is very simple to setup, and it requires you to choose the type of ban: temporary or permanent, set length for the temporary ban and if you want to get notifications or not.

Login Honeypot adds honeypot field into WordPress standard login form. Once it traps a Bot inside it (Bot tries to log in to post spam), it bans IP for that Bot for a period you have set in the settings, or it bans it permanently (or until you manually remove it from ban log). So, once banned, that IP can’t access website until the ban is in effect, and it can’t deliver any spam!

And, this works on two levels: you don’t get spam from banned IP’s and you save on the server performance since it will not serve these Bots. Unlike many other spam fighting methods, that must first accept spam to determine what it is, this method detects spam bots and prevents them from posting spam in the first place.

Second week: honeypot on the login page

Now, for 7 days, login honeypot was used. And here is the number of spam comments received in this period:

Date Spam
3/30/2016 77
3/31/2016 77
4/1/2016 85
4/2/2016 90
4/3/2016 66
4/4/2016 56
4/5/2016 64
Total 515.00
Average 73.57

As you can see, this is 96% difference, from almost 16,000 to only just over 500, with only one spam fighting tweak used! Here is the chart for both weeks:

Spam without and with login honeypot
Spam without and with login honeypot


Login Honeypot is a very simple method to stop bots from login to your website (even if they managed to get accounts made in the first place). And, if your blog receives a lot of spam from spam bot users that create accounts, this is a very good method to stop such spam delivery method.

There are other more efficient methods, and they will be introduced in the next few weeks with the new set of data. Some methods are better, some maybe not, but they can be used together to maximize the spam fighting effect.

Next article will focus on reCaptcha method used in the comments form.

Please wait...
GD Security Toolbox Pro WordPress Plugin
Proactive protection and security hardening

A collection of many security related tools for .htaccess hardening with security events log, ReCaptcha, firewall, and tweaks collection, login and registration control and more.

About the author

Milan Petrovic
Milan Petrovic

CEO and Lead developer of Dev4Press Web Development company, working with WordPress since 2008, first as a freelancer, later founding own development company. Author of more than 250 plugins and more than 20 themes.

Subscribe to Dev4Press Newsletter

Get the latest announcements, release digests, promotions and exclusive discounts, and general Dev4Press-related news straight into your mailbox.

This form collects your email (optionally your name) for the purpose of sending you newsletters. Check out our Privacy Policy for more information on how we store and manage your data. We will not send you any spam. Newsletters are sent 2 to 4 times every month.

Latest From The Blog

plugins relase corsecurity 2.1

coreSecurity Pro 2.1

coreSecurity Pro version 2.1 brings one big new feature for enhancing user management and adding a powerful control to disable (and later enable) user accounts with a wide range of settings. There are many more important updates, improvements, and tweaks.
reviews important update bbpress 2 6 11

Important update: bbPress 2.6.11

After a long wait, new minor update for bbPress 2.6 is now available, and it is highly recommended to update your website to this latest version of bbPress as soon as possible.
plugins relase gd power search pro 2 7 lite 2 1 upd

GD Power Search Pro 2.7 & Lite 2.1 for bbPress

Both Lite and Pro version of GD Power Search for bbPress have been updated to fix several issues, discovered after testing with bbPress 2.6.11, including a fix for a bug that is present in bbPress plugin itself.

Leave a Comment

GeneratePress - The perfect lightweight theme for your next project
SiteGround - Managed WordPress Hosting