I like to use Contact Form 7 on most of my WordPress sites. It’s a powerful form manager that suits all my needs. I don’t like to use external calls to protect the forms from spam submissions though (like reCaptcha or hCaptcha) and don’t want to present a manual captcha to a user (math or other puzzle). Since I couldn’t find a really basic honeypot script that works on most entries, I created one here. Hopefully it’s useful to someone else also.
Setup
- Install the plugin using the regular plugin setup routine or upload the entire apiosys-honeypot-cf7 folder to the /wp-content/plugins/ directory.
- Activate the plugin through the “Plugins” menu in WordPress, you MUST have Contact Form 7 AND Flamingo installed and enabled.
- Add the following shortcodes to your Contact Form 7 forms:
[honeypot] – Adds the hidden honeypot field [timestamp] – Adds time-based validation
- Complete the rest of the options which you can find in Admin > Contact > Honeypot. A generally good working set of values is enabled by default there.
What tests are used?
- A Honeypot Field
- A Checkbox Trap
- Time-Based Validation
- Email domain Check
- Basic Content Analysis
Does it really work?
It has been tested on several high-traffic WP sites. I see a return of ~ 1 ‰ (i.e. 1 in a thousand) of spam going through. That usually corresponds to humans paid to fill forms or sophisticated bots. Please feel free to contribute to make it even better. You can contribute directly here.