I’m a Honey Pot

Side note: Yes, the title of this post is a throwback to the 418 status code in the HTTP protocol. My sense of humor is just odd that way.

I thought I’d kick things off on my new blog with a quick post on something I did while getting it set up.

Before switching to this new blog, I’d moved to using the spamhoneypot plugin on my old Habari blog to capture spam. I had a great amount of success in that switch, but in deciding to move to using WordPress on this new blog, I noticed that it had no equivalent plugins. There were several anti-spam plugins, but they all required use of a third-party service. I hadn’t seen consistent success with plugins that used this approach in the past, so I wanted to avoid repeating those experiences.

So, I decided to try my hand at writing a WordPress plugin. After wading through the filter and action documentation and googling around for a bit, I came up with a fairly simple plugin that seems to do the job.

The plugin works by adding a textarea field to the comment form that’s hidden using a CSS style. Since bots don’t generally detect CSS like this, they proceed to fill out the field like any other field. This implies that they aren’t a human being using a browser, in which case the plugin marks the comment as spam. I’ve found this catches the vast majority of spam comments with very few false results.

I’ve submitted to have the plugin hosted on the WordPress site, but until then, you can grab a copy off of a Github repository I’ve set up for it. Hope you find it useful!

Update 1/2/10 8:41 AM CST: The plugin is now available for download from the WordPress site.


  1. Joe LeBlanc says:

    Got it installed, I’ll let you know how it goes :)

  2. Adam B. says:

    Giving it a test myself.

  3. Evert says:

    The honeypot approach has worked great for me as well.. The big problem though, is that if your plugin reaches critical mass, spambot writers will account for it and adapt.

    The only reason the filter has worked so well for you, is because you’re under the radar.

    I’m sure you knew this, but just wanted to point it out for other readers as well :)

  4. @Joe, @Adam: Great! Thanks guys! :)

    @Evert Yup, I’m aware of that. Any suggestions on how to improve the plugin to make it more difficult to detect or adapt to would be most welcome. :)

  5. FractalizeR says:

    Please consider adding a good README to your plugin according to WP coding standards: http://wordpress.org/extend/plugins/about/readme.txt

    Your plugin page now seems very deserted ;) This needs to be corrected.

  6. fox says:

    i love your new blog!

    wait, no i don’t. next time don’t start out by pointing out how clever you are.

  7. In rereading the opening line, I see how it could have come off as snarky and have reworded it. It wasn’t my intention to offend and in hindsight I didn’t realize its potential to do so at the time that I wrote it. I apologize and hope that it won’t deter you from reading this blog in the future.

  8. […] just hacked up a little code snippet based on Matthew’s Honeypot WordPress plugin. It’s basically just a Validator for a Zend Form element which is hidden from the user via […]

  9. […] to complete and post a Zend_Form form. I just hacked up a little code snippet based on Matthew’s Honeypot WordPress plugin. It’s basically just a Validator for a Zend Form element which is hidden from the user via CSS. […]

  10. John says:

    Hi Matthew,
    I like your plugin, but I think it could use some work. I hacked it to streamline the functionality. If you’d like the code, I’d be happy to send it to you. Please just email me at the address I used for this comment, and hopefully we can work together for a more spam-free internet!