Prevent WordPress comment spam with a honeypot

So what’s a honeypot?

A honeypot is a trap that tells bots apart from humans. It relies on the fact that bots typically fill in every field when they submit spam, for example, a spam comment.

Based on this, we can add an extra textarea element that is hidden from human visitors, and mark the comment as spam when that field is filled in.

Let’s trap some bees

This code can be added to your functions.php file or similar:


/**
 * Add the honeypot, a hidden textarea field.
 */
function elio_add_honeypot() {
	echo '<p style="display:none!important"><textarea name="additional-comment"></textarea></p>';
}

/**
 * Check if the additional-comment field is set. If it's not empty, it's spam. Otherwise, return the status already set.
 *
 * @param bool|string $approved The approval status that will be modified if the honeypot is filled.
 * @return bool|string
 */
function elio_check_honeypot( $approved ) {
	return empty( $_POST['additional-comment'] ) ? $approved : 'spam';
}

// Print the hidden field inside the comment form, then check it when a comment is submitted.
add_action( 'comment_form', 'elio_add_honeypot' );
add_filter( 'pre_comment_approved', 'elio_check_honeypot' );

A honeypot is a nice way to keep your forms user friendly and keep spam low. There are plugins that do this automatically, and there are also ways to add it to the login form.
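The login form variant mentioned above could look like this. It is an added example, not code from the original post: the elio_login_* function names and the login-note field name are made up for illustration, while login_form and wp_authenticate_user are existing WordPress hooks.

```php
// Added example: function names and the "login-note" field name are hypothetical.

/**
 * Print a hidden honeypot field inside the wp-login.php form.
 *
 * autocomplete="off" and tabindex="-1" lower the chance that browser autofill
 * or a keyboard user fills the field by accident; the label tells anyone who
 * still reaches the field to leave it empty.
 */
function elio_login_add_honeypot() {
	echo '<p style="display:none!important" aria-hidden="true">'
		. '<label for="login-note">Leave this field empty</label>'
		. '<input type="text" name="login-note" id="login-note" value="" autocomplete="off" tabindex="-1" />'
		. '</p>';
}

/**
 * Reject the login attempt when the honeypot field is filled.
 *
 * Runs on the wp_authenticate_user filter, before the password is checked.
 *
 * @param WP_User|WP_Error $user The user found for the submitted login, or an earlier error.
 * @return WP_User|WP_Error
 */
function elio_login_check_honeypot( $user ) {
	// Keep any error raised by an earlier check.
	if ( is_wp_error( $user ) ) {
		return $user;
	}

	// A filled honeypot fails the login with a generic message that
	// does not reveal which check rejected the request.
	if ( ! empty( $_POST['login-note'] ) ) {
		return new WP_Error( 'honeypot_filled', __( 'Login failed.' ) );
	}

	return $user;
}

add_action( 'login_form', 'elio_login_add_honeypot' );
add_filter( 'wp_authenticate_user', 'elio_login_check_honeypot' );
```

Requests that never submit the field, such as logins that do not come from the wp-login.php form, pass this check unchanged.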

However, do not rely on this as an absolute method to fight spam. In addition to professional services like Akismet, there are other techniques like simple mathematical captchas, or captchas that ask a question and have you click on the correct image. Think of a honeypot as a complement, rather than a replacement.
