A honeypot is a hidden form field that real visitors never see and never fill in, but spam bots do. When that hidden field comes back with something in it, the form quietly rejects the submission as spam. It costs nothing to add, and it's one of several simple, low-effort ways to keep a small site safer without hiring a security team.
The stakes are bigger than they sound. Imperva's 2026 Bad Bot Report found that automated bot traffic accounted for more than 53% of all web traffic in 2025, up from 51% the year before, with human visitors down to 47% and still falling. Some of that automation is harmless, like search engine crawlers and uptime monitors. A lot of it is spam bots hunting for exposed contact forms.
How a honeypot works
A developer adds an extra input to a form, often named something plausible like website or company, then hides it with CSS: position: absolute; left: -9999px is the common approach, paired with tabindex="-1" and autocomplete="off" so a keyboard user or password manager skips right past it. A real visitor never sees the field, so it stays empty.
Spam bots work differently. Most fill in every input they can find on a page, trying to maximize their odds of getting through, including the one that's invisible to a human. On submit, the server checks that field: empty means treat it as a real submission, filled means treat it as spam and discard it.
Honeypot vs. CAPTCHA
InspectWP's comparison lays out the tradeoff clearly:
| Criterion | Honeypot | CAPTCHA (reCAPTCHA) |
|---|---|---|
| User friction | None, invisible | Medium to high |
| Privacy / third-party scripts | None | Loads Google scripts, needs consent |
| Bot detection rate | ~95% of unsophisticated spam | ~99%, including smarter bots |
| Conversion impact | None | 3 to 29% drop in completions |
A honeypot wins on cost and user experience. CAPTCHA wins on raw detection power, particularly against bots built to get past a honeypot.
Where a honeypot falls short
A honeypot stops the lazy majority of bots, the ones that fill in every field they find. It doesn't stop the newer kind: bots running a real, headless browser that renders the page and reads its CSS the way a person's browser would. Those bots can see that a field is hidden and skip it on purpose.
Treat a honeypot as a first layer, not the whole defense, especially on a login page or anything tied to money. Pair it with a time check: reject any form submitted in under 2 to 3 seconds, since a real person takes longer to fill one out than a script does.
Other simple security methods worth pairing with it
- HTTPS everywhere. An SSL certificate encrypts data between your visitor and your server, and browsers now flag non-HTTPS pages as "not secure" right in the address bar.
- Keep software and plugins updated. Most breaches exploit a known vulnerability that already has a patch. Updating on a schedule closes that door.
- Back up your site on a schedule you control. Don't rely only on your host's default. A separate, tested backup is what lets you recover fast if something does get in.
- Use unique admin passwords plus two-factor authentication. A password alone is one guess away from a breach. 2FA adds a second lock a stolen password can't open.
- Add a login-attempt limit or rate limit. This stops a bot from quietly guessing passwords all day on your admin login.
How to add a basic honeypot to a form
- Add a hidden text input to your form with a plausible name, not literally
honeypot. Smarter bots skip fields that announce themselves. - Hide it with CSS, not
type="hidden". Some bots specifically look for and skiphiddeninputs, so a CSS-based hide catches more of them. - Add
tabindex="-1" autocomplete="off"and anaria-hidden="true"wrapper so real keyboard users and screen readers pass over it cleanly. - On the server, reject any submission where that field isn't empty. Return a normal success response instead of an error, so the bot doesn't learn to adjust.
A minimal version looks like this:
<p style="position:absolute;left:-9999px;" aria-hidden="true">
<label for="website">Leave this field empty</label>
<input type="text" name="website" id="website" tabindex="-1" autocomplete="off">
</p>
// Server-side check
if (!empty($_POST['website'])) {
// Bot detected, discard silently
}
The short version
A honeypot is a free, invisible trap that catches the bulk of spam bots hitting your forms, without adding any friction for real visitors. It won't stop the most sophisticated bots on its own, so pair it with a time check and the basics: HTTPS, updated software, real backups, and two-factor authentication on every login.
Want more explainers like this one? Read what an llms.txt file does for AI search visibility, or send me a question you'd like answered next.
Sources
- Imperva, "Bad Bot Report 2026: Bots in the Agentic Age" (April 29, 2026): https://www.imperva.com/blog/bad-bot-report-2026-bots-agentic-age/
- InspectWP, "What Is a Honeypot? Spam Protection Without CAPTCHA" (May 20, 2026): https://inspectwp.com/en/knowledge-base/what-is-a-honeypot