Combat WordPress spam comments using Honeypot

It is no new thing to get lot of spam comments if you have enabled comment in post. There are many useful blogs explaining about trapping the spam comments. I will include some of them below.

You can find many other related blogs in internet. If you follow any one them thoroughly, you can prevent many spam comments.

However, there is one very simple way to trap the spam comments with honeypot technique. The basic idea of honeypot is to cheat the bot spammers by simply creating the trap form fields for them. These fields will be totally hidden for human user. The fundamental principle has been explained here.

How to implement in WordPress comment?

Simple plugin to handle the spam comments in WordPress comment

Generating honeypot form elements

Most importantly, we need to find the right hook from where we can add additional trap form elements.

if (!function_exists('hpwpc_render_honey_pot')) {
    function hpwpc_render_honey_pot() {
        ob_start(); ?>
        <style>
            .hpwc {
                opacity: 0;
                position: absolute;
                top: 0;
                left: 0;
                height: 0;
                width: 0;
                z-index: -1;
            }
        </style>
        <label class="hpwc" for="phone"></label>
        <input class="hpwc" autocomplete="off" type="text" id="phone" name="phone"
               placeholder="<?php _e('Enter your Phone', 'honeypot-wp-comment'); ?>">
        <label class="hpwc" for="confirm-email"></label>
        <input class="hpwc" autocomplete="off" type="email" id="confirm-email" name="confirm-email"
               placeholder="<?php _e('Confirm your Email', 'honeypot-wp-comment'); ?>">

        <?php
        echo ob_get_clean();
    }
}
add_action('comment_form', 'hpwpc_render_honey_pot');

In the above code, We have used comment_form hook and added two additional form fields. By creating the “honeypot” fields we will be able to identify the Spammer. Important to: Let the label empty, use your ‘hpwc’ class to hide all those fake inputs. Turn your fake input the most simple, generic and attractive as possible. Use simple and common names as “email, phone, name, etc”, disable the autocomplete (so, browser will not fill it), disable rules, but keep the types.

Trap spam comments

The next and final step is to trap the spam comments.For this, we will check the POST value of hidden honeypot elements.

/**
 * Function to check the honey pot value
 * If any of the "honeypot" fields came filled. If yes, congrats, you trapped a spam.
 */
if (!function_exists('hpwpc_check_honeypot')) {
    function hpwpc_check_honeypot($approved) {

        return empty($_POST['phone']) || empty($_POST['confirm-email']) ? $approved : 'spam';

    }
}

add_filter('pre_comment_approved', 'hpwpc_check_honeypot', 9999, 1);

Verify if any of the “honeypot” fields came filled. If yes, congrats, you trapped a spam. Most of them will fill all this fields without differentiate them. So, all you have to do is to check if any of your “honeypot” fields came filled, if yes, its a spam.

This is just a simple layer to prevent attacks in a simple way, some technologies can identify even this patterns, so use all the weapons you can against it. But i believe that this simple pattern can avoid at least 50% of spams in your comment.