Skip to content

Spam Bot Honey Pots

Hidden Fields

Most spam bots won't evaluate CSS. This means that if you hide an input using CSS then the bot won't realise it's hidden. Real customers won't complete the field but spam bots will.


If you have a contact form that doesn't actually include a confirm email input you could add a trap as follows:

input[type=text][name="confirm_email"] {
    display: none;
<input type="text" name="confirm_email">

Now on the back-end you just need to check if this input includes any text. If it includes text then treat this contact form submission as spam.

No Javascript

Most spam bots also won't execute js. This means that if you manipulate your input names after the page has loaded using js then the spam bot will submit it's data with the wrong name.


jQuery(function() {
  jQuery('#comment').attr('name', 'real_customer_comment');
<textarea name="customer_comment" id="comment"></textarea>

Again, if you receive any data to the invalid name then treat this form submission as spam.

List of template files for honey pot implementation

You can get a list of forms that might need honey pot implementation, to do that. Change directory to for example app/design/frontend/base/default and execute this line grep -e "getFormKey\|formkey" $(grep -r 'email' template | cut -d ':' -f 1) | cut -d ':' -f 1 | sort -u This will bring you a list of template files which contains word email, and has a formkey. This narrows down your manual selection of template files that are potential for honeypot rule.