There are many ways to fight spam, and the way spam is delivered largely determines how to fight it. A honeypot on the login form is very effective if your website is free for anyone to register.

Before you go on with this post, check out the previous parts in this series about the comment spam:

What is a honeypot?

A honeypot is a field added to a form and made invisible. Normal users, accessing the form through the browser, will not see this field and will not fill it in. Bots, however, usually use their own HTML parser to read the form and fill in the data, and they tend to fill in every field they find on the form, so they will fill in the honeypot field too. When the form is submitted, you check whether the honeypot field has a value. If it does, the form was filled in by a bot and not by a real user accessing the website through the browser.

Test setup

To test how effective this method is, I have used data gathered on the Dev4Press blog between March 23, 2016, and April 5, 2016. For the first 7 days, no antispam methods were used, and all spam was allowed to arrive at the Dev4Press blog (it was not displayed, but all spam messages were logged). After that, for 7 days, only Login Honeypot was used.

If you check out the comment spam analysis article, you will see that most spam on Dev4Press is delivered through registered user accounts. This might not be the case with other blogs; it all depends on how they are set up.

First week: no honeypot

In the first 7 days, the website received a total of 15,932 spam comments. Here is the number of spam comments for each day.

Date Spam
3/23/2016 2530
3/24/2016 2364
3/25/2016 2150
3/26/2016 2176
3/27/2016 2461
3/28/2016 2140
3/29/2016 2111
Total 15,932.00
Average 2,276.00

Login Honeypot

[Figure: Login Honeypot Settings]

Login Honeypot is added using the GD Security Toolbox Pro plugin. It is very simple to set up: you choose the type of ban (temporary or permanent), set the length of the temporary ban, and decide whether you want to get notifications.

Login Honeypot adds a honeypot field to the standard WordPress login form. Once it traps a bot (the bot tries to log in to post spam), it bans that bot's IP for the period you have set in the settings, or it bans it permanently (or until you manually remove it from the ban log). Once banned, that IP can't access the website while the ban is in effect, and it can't deliver any spam!

This works on two levels: you don't get spam from banned IPs, and you save on server performance, since the server will not serve these bots. Unlike many other spam fighting methods, which must first accept spam to determine what it is, this method detects spam bots and prevents them from posting spam in the first place.
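The mechanism described above can be sketched as a small WordPress plugin. This is an added example, not the GD Security Toolbox Pro code; the field name, the ban length, the example_hp_ names and the use of transients as a ban store are all assumptions made for illustration.

```php
<?php
/* Plugin Name: Example login honeypot (added illustration, not GD Security Toolbox Pro code) */

const EXAMPLE_HP_FIELD = 'website_url'; // hypothetical decoy field name
const EXAMPLE_HP_BAN   = 86400;         // constructed value: 1-day ban; 0 = no expiry (permanent)

function example_hp_ban_key() {
	// Assumption: REMOTE_ADDR is the real client address (no reverse proxy in front).
	return 'example_hp_ban_' . md5( $_SERVER['REMOTE_ADDR'] ?? '' );
}

function example_hp_deny() {
	wp_die( 'Access denied.', 'Forbidden', array( 'response' => 403 ) );
}

// 1. Print the decoy input inside the standard wp-login.php form. It is moved
//    off-screen and taken out of the tab order and assistive tech, so people never
//    reach it; autocomplete="off" lowers the risk of a browser autofilling it.
add_action( 'login_form', function () {
	printf(
		'<p style="position:absolute;left:-9999px" aria-hidden="true">' .
		'<label>Website <input type="text" name="%s" value="" tabindex="-1" autocomplete="off"></label></p>',
		esc_attr( EXAMPLE_HP_FIELD )
	);
} );

// 2. On a login POST, a non-empty decoy means a form parser filled it in:
//    record the ban for this address and stop before any credential check.
add_action( 'login_init', function () {
	if ( ! empty( $_POST[ EXAMPLE_HP_FIELD ] ) ) {
		set_transient( example_hp_ban_key(), time(), EXAMPLE_HP_BAN );
		example_hp_deny();
	}
} );

// 3. Every later request from a banned address is refused before WordPress
//    builds the page, which is where the server-load saving comes from.
add_action( 'init', function () {
	if ( false !== get_transient( example_hp_ban_key() ) ) {
		example_hp_deny();
	}
} );
```

Transients can be evicted early when a persistent object cache is in use, so a ban log that must survive (and be manually editable, as described above) needs its own storage. Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address, and banning it would lock out every visitor.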

Second week: honeypot on the login page

For the next 7 days, the login honeypot was used. Here is the number of spam comments received in this period:

Date Spam
3/30/2016 77
3/31/2016 77
4/1/2016 85
4/2/2016 90
4/3/2016 66
4/4/2016 56
4/5/2016 64
Total 515.00
Average 73.57

As you can see, this is a 96% difference, from almost 16,000 to just over 500, with only one spam fighting tweak used! Here is the chart for both weeks:

[Figure: Spam without and with login honeypot]


Login Honeypot is a very simple method to stop bots from logging in to your website (even if they managed to get accounts made in the first place). If your blog receives a lot of spam from spam bot users that create accounts, this is a very good way to stop that kind of spam delivery.

There are other, more efficient methods, and they will be introduced in the next few weeks with a new set of data. Some methods are better, some maybe not, but they can be used together to maximize the spam fighting effect.

The next article will focus on the reCaptcha method used in the comments form.


About the author

Dev4Press owner and lead developer

Programmer since the age of 12 and WordPress developer since 2008 as freelancer and author of more than 200 plugins and more than 20 themes.
