Today, I received a message from one of my connections on Instagram. He mentioned facing a huge problem with spam through his website’s contact form. His inbox was getting flooded with fake inquiries, and it was becoming harder to filter out the real messages. He asked me if there was a simple solution to stop this constant annoyance.
Spammers often use tools like Scrapebox or other automated bots to crawl websites and submit forms in bulk. They target contact forms to send spammy messages, promotional links, or malicious content, which can be very frustrating to deal with.
Then he asked me, “What can I do to protect my site from all this spam?”
Here’s what I suggested to him:
Honeypot Field Contact Form for Spam Prevention
One of the easiest and most effective ways to stop these bots is by using a “honeypot” technique. The idea is simple. Bots often fill out all form fields, so by adding a hidden field (which real users won’t see), you can trap the bots. If the hidden field is filled out, you can safely assume it’s a bot, and the form can reject the submission.
Here’s how you can implement a honeypot in your contact form:
HTML Code for the Honeypot:
<div class="form-group" style="display:none;">
  <label for="website">Website</label>
  <input type="text" name="website" id="website" autocomplete="off">
</div>
This hidden field won’t be visible to real users because of the display:none; CSS. However, spam bots will try to fill it out, thinking it’s a valid field.
PHP Code to Check the Honeypot Field:
<?php
if (!empty($_POST['website'])) {
    die("Spam detected. Submission rejected.");
}
// Continue with normal form processing...
?>
The logic behind this code is that if the hidden field has any value (filled out by bots), the form will reject the submission. Real users won’t see or fill this field, so their submissions will go through normally.
Full HTML Contact Form
Here’s a simple contact form with the honeypot field added:
<form action="process-form.php" method="post">
  <div class="form-group">
    <label for="name">Your Name</label>
    <input type="text" id="name" name="name" required>
  </div>
  <div class="form-group">
    <label for="email">Your Email</label>
    <input type="email" id="email" name="email" required>
  </div>
  <div class="form-group">
    <label for="message">Message</label>
    <textarea id="message" name="message" required></textarea>
  </div>
  <!-- Honeypot Field -->
  <div class="form-group" style="display:none;">
    <label for="website">Website</label>
    <input type="text" name="website" id="website" autocomplete="off">
  </div>
  <button type="submit">Submit</button>
</form>
With this honeypot technique, you can drastically reduce spam without needing CAPTCHAs or other more intrusive methods. It’s simple, effective, and doesn’t affect the user experience.
The code I provided above is specifically for PHP-based websites. The honeypot technique works perfectly with PHP because we can easily check the hidden field on the server side before processing the form. The same logic can be applied to other server-side languages, depending on what you are using for your website. For example, here is the same check in Node.js with Express:
const express = require('express');
const bodyParser = require('body-parser');
const app = express();

app.use(bodyParser.urlencoded({ extended: true }));

app.post('/submit-form', (req, res) => {
  // Check if the honeypot field was filled out
  if (req.body.website) {
    return res.status(400).send('Spam detected. Submission rejected.');
  }
  // Continue with normal form processing
  res.send('Form submitted successfully!');
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});
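The same server-side check as a framework-independent function, as an added example that is not part of the original post. It goes one step beyond the code above by also rejecting bodies where the honeypot field is absent, on the assumption that the HTML form shown earlier is the only legitimate client (a browser submits every named text input, even one hidden with display:none). The names checkHoneypot, triage and SAMPLE_BODIES are hypothetical, and the sample bodies are constructed.

```javascript
// Name of the hidden input in the contact form (name="website").
const HONEYPOT_FIELD = 'website';

// Classify one raw application/x-www-form-urlencoded request body.
function checkHoneypot(rawBody) {
  const params = new URLSearchParams(rawBody);
  // getAll() also catches a key that is repeated in the body.
  const values = params.getAll(HONEYPOT_FIELD);

  // Field absent: the POST was not produced by the rendered form,
  // because a browser sends the hidden input as an empty string.
  if (values.length === 0) {
    return { spam: true, reason: 'honeypot-missing' };
  }
  // Any non-empty value, whitespace included, means something wrote
  // into a field that a human visitor never sees.
  if (values.some((v) => v !== '')) {
    return { spam: true, reason: 'honeypot-filled' };
  }
  return { spam: false, reason: 'ok' };
}

// Count verdicts per reason, e.g. for a log line or a metrics counter.
function triage(bodies) {
  const counts = { ok: 0, 'honeypot-filled': 0, 'honeypot-missing': 0 };
  for (const body of bodies) {
    counts[checkHoneypot(body).reason] += 1;
  }
  return counts;
}

// Constructed sample submissions (not real traffic).
const SAMPLE_BODIES = [
  // Browser submission from a real visitor: honeypot present but empty.
  'name=Ann&email=ann%40example.test&message=Hello&website=',
  // Form-filling bot: every field populated, including the honeypot.
  'name=x&email=x%40example.test&message=offer&website=http%3A%2F%2Fspam.example',
  // Script posting only the visible fields, without loading the form.
  'name=x&email=x%40example.test&message=offer',
  // Honeypot filled with a single space ("+" decodes to a space).
  'name=x&email=x%40example.test&message=offer&website=+',
];

console.log(triage(SAMPLE_BODIES));
```

Recording the reason for each rejection, rather than only dropping the request, makes it possible to notice genuine visitors whose browser autofill populated the hidden field.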
Whether you’re using PHP, Node.js, or any other server-side language, the honeypot field is a simple and effective way to combat spam without disrupting the user experience. By adding an invisible field to your form and checking it server-side, you can filter out bots while allowing genuine users to submit their messages smoothly.
This approach helps keep your inbox clean and ensures that you’re not overwhelmed by fake submissions. Plus, it’s a lightweight solution that works silently in the background.
