Honeypot Technique of Blocking Spam

By | 05.29.13

UPDATE: Check out Kim’s newest post on “How to Spam Proof Your Website Forms” for the latest info on blocking spam.

In an earlier post I discussed the mystery of forms. Preventing spam on your blog or website can be difficult for anyone, as bots and spammers are relentless. However, with the right techniques the battle can be won! One of my favorite techniques to use against bots trying to spam a form is the honeypot technique, because it doesn’t hinder the user from completing the form. Anti-spam techniques should not interfere with a user filling out the form, because that could decrease lead conversions. Captcha is an example of a technique that does interfere.

When a spam bot comes to a form, it fills out EVERY input field and ignores the CSS, which is a behavior we can exploit. Hide one of the input fields with CSS (display: none;), then use JavaScript to check that field when the form is submitted. If the input field is empty, submit the form; otherwise, do nothing (or pop up an alert message). Easy, right? The user is none the wiser, and we prevent spam bots from submitting the form with junk data.

The CSS:
Let’s get a little technical and show two different ways of handling the CSS. The first example is with a CSS3 attribute selector. Please note that IE7 and IE8 support attribute selectors only if a !DOCTYPE is specified, which should be standard practice. Attribute selection is not supported in IE6 or below.

input[type="text"]#website { display: none; }

The old school way of doing things, but supported by IE6.

input#website { display: none; }

Let me explain the difference. There are several types of inputs: submit, button, password, text, and so on. Now with HTML5 there are even more: tel, number, date, etc. Using input with our unique id applies the style to ANY input type that has this id. Adding [type="text"] limits the style to inputs of type text that have this unique id. It’s just a matter of personal preference which method you use and how global the style needs to be.

The JavaScript (jQuery):

        $(document).on('submit', 'form', function () {
            // A filled-in honeypot field means a bot: cancel the submit.
            if ($('input#website').val().length != 0) { return false; }
        });

The HTML:

<form method="get" action="/">
<input name="firstname" type="text" value="First Name" />
<input name="lastname" type="text" value="Last Name" />
<input id="website" name="website" type="text" value=""  />
<input type="submit" value="Submit" />
</form>

In the example above the website field is hidden with CSS because of id="website". A user enters first and last name and submits the form. If the website field has text in it then the form will do nothing when submitted as you can see by the return false in the JavaScript function. If the field is empty the form will submit as expected.

Things to remember for the novice.
Script and CSS references go in the <head> tag, HTML goes in the <body> tag. Classes can be used throughout the web page and referenced unlimited times, but ids are unique and used only once. Using a jQuery function requires the jQuery library reference, which can be found here. Always declare a !DOCTYPE if using CSS3 so less modern browsers behave properly. Remember, the web is fun. Enjoy!

Update: The above technique will work on spammers that do not ignore JavaScript. However, for spammers that do ignore JavaScript, a server-side technique would be a better solution.
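
As an added example (not code from the original post), here is a server-side version of the honeypot check for the form above, written for Node.js with no dependencies. The function names and the `saveLead` callback are assumptions; replying identically to bots and humans is a design choice raised in the comments on this post.

```javascript
// Added example, not from the original post. classifySubmission, handleSubmission
// and saveLead are hypothetical names; the field names come from the form above.
const HONEYPOT_FIELD = 'website';

// Classify a urlencoded submission (query string or POST body).
function classifySubmission(encoded) {
  const values = new URLSearchParams(encoded).getAll(HONEYPOT_FIELD);
  // Browsers send a display:none text input even when it is empty, so a
  // missing field means the request was not produced by our form.
  if (values.length === 0) return { bot: true, reason: 'honeypot missing' };
  // The real form has exactly one such field.
  if (values.length > 1) return { bot: true, reason: 'honeypot repeated' };
  // Any content, even whitespace, came from something that ignores the CSS.
  if (values[0] !== '') return { bot: true, reason: 'honeypot filled' };
  return { bot: false, reason: 'honeypot empty' };
}

// Store the lead only for non-bot submissions; reply identically either way.
function handleSubmission(encoded, saveLead) {
  const verdict = classifySubmission(encoded);
  if (!verdict.bot) {
    const p = new URLSearchParams(encoded);
    saveLead({ firstname: p.get('firstname'), lastname: p.get('lastname') });
  }
  return { status: 200, body: 'Thank you!', stored: !verdict.bot, reason: verdict.reason };
}

// Constructed sample submissions (not real traffic).
const leads = [];
const samples = [
  'firstname=Ann&lastname=Lee&website=',                      // real browser
  'firstname=x&lastname=y&website=http%3A%2F%2Fspam.example', // fills every field
  'firstname=x&lastname=y',                                   // hand-built request
];
for (const s of samples) {
  const r = handleSubmission(s, (lead) => leads.push(lead));
  console.log(r.stored ? 'stored ' : 'dropped', r.reason, '<-', s);
}
```

Because the check runs on the server, it applies whether or not the client executed any JavaScript.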

  • I might be missing something here.. but bots don’t use javascript so how is this going to stop the form from being submitted?

    • Kim Perry

      The honey pot technique is good for stopping bots because they don’t see what humans see when the page is rendered. With a hidden input field, or a field set to display:none with CSS, the bot thinks this field should be filled in. All the JavaScript is doing is checking to see if that hidden field has information in it. If it doesn’t, the form will submit. The bots only care about the input fields; the JavaScript is what keeps the form from submitting when the bot adds text to a field that we set to hidden.

      • “if it doesn’t the form will submit” – but my point is the form will submit either way for the bot since it will not have JS enabled. You need to be checking if the field is filled out using your server side (php or whatever) and stop it there. You follow?

        • Kim Perry

          Yes, that is a good point. With the submit action being set with HTML it won’t catch the bots since they see HTML. However, if the submit action is being set using JavaScript then the form will not submit with JavaScript disabled, essentially catching the spam. Sadly, if an attacker is bound and determined to target your website there isn’t much you can do to prevent it. This is one of many steps to take to prevent spam. Someone could run Selenium and circumvent the JavaScript validation you have on your forms. This isn’t a sure-fire way to prevent spam but it’s a step in the right direction.

          • Well setting the form action with javascript is not mentioned in the article and is not the standard. This is another likely effective spam prevention option, however, as your article is stated most people will implement this on a normal form and I don’t think it will stop any spam.

  • As Jesse mentions, the validation should also be done server side as the bot may have JavaScript disabled so for example using PHP it would be:
    if ($_POST["website"] != "") { /* Bot detected */ }
    else { /* Bot not detected */ }

  • cC

    This post doesn’t seem to make any sense. For the form to be disabled according to the above you would have to have js enabled and spammers don’t have javascript enabled so this would accomplish nothing as currently written above. Please remove this article or rewrite it as to not misguide users.

    • Kim Perry

      Thank you for reading and pointing this out. I have updated the blog post.

  • tim

    I have tried to implement your honeypot solution above but the form submits even if the honeypot “website” field is filled. This means the JavaScript is not working right. jQuery references are in the head section.

    To test I removed the invisible CSS tag so I can fill the “website” input field.

    here is the form:

    Could you please point me in the right direction?

    • Kim Perry

      Instead of having the form submit in a separate function from your validation, include it and add this:
      if ( == “”)
      return (false);
      You can alert it to make sure it’s working then remove the alert. Hope this helps! Thanks!!

  • MacK

    I think this technique is obviously obsolete, I guess bots are smart enough now to detect whether a field should be filled or not.

    • Not necessarily. I believe the key is to name the honeypot field something that looks tasty to a spam bot, like zip code or address, as long as those aren’t necessary fields for your form. A spam bot isn’t going to interpret your JavaScript code or even be able to access your php to see which fields are legitimate. You can also add “required” somewhere in the form field tag as an extra little incentive for the nasty little spambot.

  • Hideki

    Honeypot with CSS (display:none) worked pretty well for me.
    I use a honeypot with an extra program to add bots’ IP addresses to the .htaccess file so next time they try to sneak in they are blocked. I know they change their IP address but they seem to try to sneak in with the same IPs several times.
    This blocking package using .htaccess really worked for me and now I see that they are discouraged from sneaking in. I have 0 attempts now. It took about 10 days to discourage them.
    99% of their IPs are from China and the rest are from Russia. I don’t have any customers from those regions but just in case I trim the .htaccess file daily with cron so it will leave only about 30 IPs to block.

    • Kim Perry

      Hideki, thanks for the comment. Takes multiple tricks to prevent spam, glad this worked out for you. Keep on fighting!

      • Hideki

        Thanks Kim for sharing the great idea. Most bots seem to try several different ways of filling the fields in sequence with the same IP address. They are testing to see which one works. We just have to detect their patterns and catch all of them.

  • Roi

    Few things to note here…

    Your CSS selector: input[type="text"]#website { display: none; }
    is total overkill. It will work going across all browsers/versions with just #website { display:none; } (or better yet, have a generic class that hides things so you can re-use). You don’t need the element selector, attribute selector, etc. This is especially true since “id’s” are only to be used once per page. Overscoping is a common fail in CSS.

    Further into the overscoping, when you’re using jquery you also do not need to overscope the selector. input#website is not needed. however, here we will disregard just to make the point of maybe in this case it’s nice to know it’s an input field you’re targeting.

    Using Javascript:
    Completely pointless. There is no check the length and not submit the form. You actually DON’T want to do this, as some bots will know the form didn’t submit and try some other techniques to try n validate the form.

    Server side only:
    Before running whatever “save” function to the database or “email” function, whatever… Just wrap it in a conditional which checks the value of the website param & ensure it’s empty. Continue to process the form as normal, giving the illusion it was successful.

    Why I’m actually here:
    It appears bots have since found a way around this technique, so I am researching any possible new methods. I have had a very successful script in place for the last 2-3 years with no bot activity. Just got some last week. Yay.

    • Sébastien Guy

      Totally agree. This article is very misleading. What is the point of doing validation only client side! Client side validation should be used for dumb-proofing a website -> NEVER for security reasons. The best way is to combine both: client and server side validation (js and then php).
      This technique is still very useful though. Honey pot is def the way to deal with spam. But indeed it’s not 100% safe. You may want to use a captcha if this is of a big concern. The problem with captcha is that your real users may be frustrated with it.

  • Daniel Rice

    Use a hidden form field also. Then you don’t have to resort to any CSS trickery. And the form should be validated Server side also. Client side is fine – but the spam bot just needs to disable javascript and it will submit to your server regardless. Client side JS and CSS is not the whole solution.

  • Why not let the bots have their way?
    I always wondered why I would need ~100 email accounts that most web hosting services allow. Now that I am choosing to use a honeypot my server-side validation will allow the bots to send all the form submissions they want but it will be to an email account that functions as a trashbag.
