Blog Post

Login Honeypot to fight comments spam

There are many ways to fight spam. And, spam delivery method will largely influence the way to fight it. Honeypot on the login form is very effective if your website is free for anyone to register.

Before you go on with this post, check out the previous parts in this series about the comment spam:

What is honeypot?

Honeypot is a field added to a form that should be made invisible. Normal users, accessing the form through the browser, will not see this field, and will not fill it. But, bots, usually use own HTML parser to read the form, and fill in the data, and bots tend to always fill any field they find on the form. So, they will fill in the honeypot field too. So, when the form is submitted, you need to check if the honeypot field has some value, and if it does, it was filled by the bot and not the real user accessing the website through the browser.

Test setup

To test how effective this method is, I have used data gathered on Dev4Press blog between March 23, 2016, and April 5, 2016. The first 7 days no antispam methods were used, and all spam was allowed to arrive at Dev4Press blog (it was not displayed, but all spam messages were logged). After that, for 7 days, only Login Honeypot was used.

If you check out the comment spam analysis article, you will see that most spam on Dev4Press is delivered through registered user accounts. This might not be the case with other blogs, it all depends on how they are set.

First week: no honeypot

First 7 days, the website received the total of 15,932 spam comments. Here is the list of spam comments for each day.

Date Spam
3/23/2016 2530
3/24/2016 2364
3/25/2016 2150
3/26/2016 2176
3/27/2016 2461
3/28/2016 2140
3/29/2016 2111
Total 15,932.00
Average 2,276.00

Login Honeypot

Login Honeypot Settings
Login Honeypot Settings

Login Honeypot is added using GD Security Toolbox Pro plugin. It is very simple to setup, and it requires you to choose the type of ban: temporary or permanent, set length for the temporary ban and if you want to get notifications or not.

Login Honeypot adds honeypot field into WordPress standard login form. Once it traps a Bot inside it (Bot tries to log in to post spam), it bans IP for that Bot for a period you have set in the settings, or it bans it permanently (or until you manually remove it from ban log). So, once banned, that IP can’t access website until the ban is in effect, and it can’t deliver any spam!

And, this works on two levels: you don’t get spam from banned IP’s and you save on the server performance since it will not serve these Bots. Unlike many other spam fighting methods, that must first accept spam to determine what it is, this method detects spam bots and prevents them from posting spam in the first place.

Second week: honeypot on the login page

Now, for 7 days, login honeypot was used. And here is the number of spam comments received in this period:

Date Spam
3/30/2016 77
3/31/2016 77
4/1/2016 85
4/2/2016 90
4/3/2016 66
4/4/2016 56
4/5/2016 64
Total 515.00
Average 73.57

As you can see, this is 96% difference, from almost 16,000 to only just over 500, with only one spam fighting tweak used! Here is the chart for both weeks:

Spam without and with login honeypot
Spam without and with login honeypot


Login Honeypot is a very simple method to stop bots from login to your website (even if they managed to get accounts made in the first place). And, if your blog receives a lot of spam from spam bot users that create accounts, this is a very good method to stop such spam delivery method.

There are other more efficient methods, and they will be introduced in the next few weeks with the new set of data. Some methods are better, some maybe not, but they can be used together to maximize the spam fighting effect.

Next article will focus on reCaptcha method used in the comments form.

Please wait...
GD Security Toolbox Pro plugin for WordPress
Proactive protection and security hardening

A collection of many security related tools for .htaccess hardening with security events log, ReCaptcha, firewall, and tweaks collection, login and registration control and more.

About the author

Milan Petrovic
Milan Petrovic

CEO and Lead developer of Dev4Press Web Development company, working with WordPress since 2008, first as a freelancer, later founding own development company. Author of more than 250 plugins and more than 20 themes.

Subscribe to Dev4Press Newsletter

Get the latest announcements, release digests, promotions and exclusive discounts, and general Dev4Press-related news straight into your mailbox.

This form collects your email (optionally your name) for the purpose of sending you newsletters. Check out our Privacy Policy for more information on how we store and manage your data. We will not send you any spam. Newsletters are sent 2 to 4 times every month.

Latest From The Blog

license management

License Code Validation and Management

Dev4Press License validation system updates will soon be deployed, including license code management via the Dev4Press Account Dashboard. All updates will be deployed on April 14, 2024.
panel options

In Development: SweepPress Pro 5.0 and Lite 3.0

In about two weeks, brand new, significant updates to SweepPress Pro and Lite plugins will be released, bringing several game-changing features to WordPress cleanup and maintenance tools already included.

GD Press Tools Pro 6.3

The new major release for GD Press Tools Pro, version 6.2 is here, and it brings some major changes. First of all, the plugin has two addons less, one addon is added and one more addon has been deprecated (but still included for now).

Leave a Comment

WP Rocket - Make WordPress Load Fast in a Few Clicks
SiteGround - Managed WordPress Hosting