There are many ways to fight spam, and the way the spam is delivered largely determines which method works. A honeypot on the login form is very effective if your website lets anyone register an account.
Before you go on with this post, check out the previous parts in this series about the comment spam:
What is a honeypot?
A honeypot is a field added to a form that is made invisible. Normal users, accessing the form through a browser, never see this field and so never fill it in. Bots, however, usually read the form with their own HTML parser and tend to fill in every field they find, so they fill in the honeypot field too. When the form is submitted, you check whether the honeypot field has a value; if it does, the form was filled in by a bot and not by a real user accessing the website through a browser.
To test how effective this method is, I have used data gathered on the Dev4Press blog between March 23, 2016, and April 5, 2016. For the first 7 days no antispam methods were used, and all spam was allowed to arrive at the Dev4Press blog (it was not displayed, but every spam message was logged). For the following 7 days, only the Login Honeypot was used.
If you check out the comment spam analysis article, you will see that most spam on Dev4Press is delivered through registered user accounts. This might not be the case with other blogs, it all depends on how they are set.
First week: no honeypot
In the first 7 days, the website received a total of 15,932 spam comments. Here is the list of spam comments for each day.
Login Honeypot is added using the GD Security Toolbox Pro plugin. It is very simple to set up: you choose the type of ban (temporary or permanent), set the length of the temporary ban, and decide whether you want notifications.
Login Honeypot adds a honeypot field to the standard WordPress login form. Once it traps a bot (a bot that tries to log in to post spam), it bans that bot's IP for the period you have set in the settings, or bans it permanently (until you manually remove it from the ban log). While the ban is in effect, that IP can't access the website at all, so it can't deliver any spam.
This works on two levels: you don't get spam from banned IPs, and you save server resources because those bots are no longer served. Unlike many other spam-fighting methods, which must first accept the spam to determine what it is, this method detects the spam bots and prevents them from posting spam in the first place.
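To make the mechanism described above concrete, here is an added example (not code from the GD Security Toolbox Pro plugin or from Dev4Press) of a framework-agnostic login handler that renders a hidden honeypot field, treats any submission with that field filled as a bot, and bans the source IP either temporarily or permanently, exactly as the two ban modes above describe. The field name `website_url`, the sample IP addresses and the sample submissions are all constructed for the example.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed field name. Humans never see it; a bot parsing the HTML usually fills it.
HONEYPOT_FIELD = "website_url"


def render_login_form(action: str = "/login") -> str:
    """Return a login form with the honeypot hidden from browsers.

    The field is hidden with CSS (not type="hidden"), taken out of the tab order and
    excluded from autofill, so a real user cannot fill it by accident while a parser
    that ignores styling still sees an ordinary text input.
    """
    return (
        f'<form method="post" action="{action}">\n'
        '  <label>Username <input name="log" type="text"></label>\n'
        '  <label>Password <input name="pwd" type="password"></label>\n'
        f'  <div style="position:absolute;left:-9999px" aria-hidden="true">\n'
        f'    <input name="{HONEYPOT_FIELD}" type="text" tabindex="-1" autocomplete="off">\n'
        '  </div>\n'
        '  <button type="submit">Log In</button>\n'
        '</form>\n'
    )


@dataclass
class HoneypotGuard:
    """Checks login submissions and keeps an in-memory ban list keyed by IP.

    ban_seconds=None means a permanent ban (kept until removed manually);
    any integer means a temporary ban that expires after that many seconds.
    """
    ban_seconds: Optional[int] = 24 * 3600
    # ip -> expiry timestamp, or None for a permanent ban
    bans: Dict[str, Optional[float]] = field(default_factory=dict)

    def is_banned(self, ip: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        if ip not in self.bans:
            return False
        expiry = self.bans[ip]
        if expiry is None:          # permanent ban
            return True
        if now >= expiry:           # temporary ban has run out
            del self.bans[ip]
            return False
        return True

    def unban(self, ip: str) -> None:
        """Manual removal from the ban log (the only way out of a permanent ban)."""
        self.bans.pop(ip, None)

    def check_submission(self, ip: str, form: Dict[str, str],
                         now: Optional[float] = None) -> str:
        """Return 'banned', 'bot' or 'ok' for one POST of the login form.

        Banned IPs are rejected before any credentials are looked at, which is what
        saves the server work. A filled honeypot bans the IP immediately.
        """
        now = time.time() if now is None else now
        if self.is_banned(ip, now):
            return "banned"
        if form.get(HONEYPOT_FIELD, "").strip():
            self.bans[ip] = None if self.ban_seconds is None else now + self.ban_seconds
            return "bot"
        return "ok"


def run_demo() -> list:
    """Replay a few constructed submissions against a 1-hour temporary ban."""
    guard = HoneypotGuard(ban_seconds=3600)
    bot_ip, human_ip = "203.0.113.5", "198.51.100.7"   # constructed sample addresses
    events = [
        (bot_ip,   {"log": "admin", "pwd": "x", HONEYPOT_FIELD: "http://spam.invalid"}, 1000),
        (bot_ip,   {"log": "admin", "pwd": "x"}, 2000),          # still inside the ban
        (human_ip, {"log": "bob", "pwd": "y", HONEYPOT_FIELD: ""}, 2000),  # empty honeypot
        (bot_ip,   {"log": "admin", "pwd": "x"}, 1000 + 3600),   # ban has expired
    ]
    return [guard.check_submission(ip, form, now) for ip, form, now in events]


if __name__ == "__main__":
    print(render_login_form())
    print(run_demo())   # ['bot', 'banned', 'ok', 'ok']
```

The check runs before the username and password are even read, so a banned bot costs the server almost nothing, which is the second benefit described above. In a real deployment the `bans` dictionary would live in a database or cache shared across worker processes rather than in memory.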
Second week: honeypot on the login page
For the next 7 days, the login honeypot was used. Here is the number of spam comments received in this period:
As you can see, this is a 96% reduction, from almost 16,000 to just over 500, with only one spam-fighting tweak in use! Here is the chart for both weeks:
Login Honeypot is a very simple method to stop bots from logging in to your website (even if they managed to register accounts in the first place). If your blog receives a lot of spam from spam-bot users that create accounts, this is a very good way to shut down that delivery method.
There are other, more efficient methods, and they will be introduced in the next few weeks with a new set of data. Some methods are better, some maybe not, but they can be combined to maximize the spam-fighting effect.
The next article will focus on the reCaptcha method used in the comments form.