Registration Honeypot: A Simple WordPress Plugin to Combat Spam

photo credit: riekhavoc - cc

If you’re new to WordPress, the sudden onslaught of spam that you receive upon opening registration can take you by surprise. Unless you have a solid plugin in place, open registration comes with the wearisome task of wading through new signups to put the axe to spammers who got through.

One of the common ways of combatting registration spam is to lay a snare at the doorstep of your site by creating a hidden field. Human registrants cannot see the field and therefore leave it blank. Spambots, however, will automatically fill out the field and get caught chasing the “honeypot.”
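The hidden-field check described above, sketched for WordPress's own registration form. This is an added example, not Registration Honeypot's code; the field name and the `hp_` function names are hypothetical. It uses the core `register_form` action and `registration_errors` filter, and prints a table for constructed submissions when run outside WordPress.

```php
<?php
// Added example: minimal registration honeypot. Names prefixed hp_ are hypothetical.
const HP_FIELD = 'hp_confirm_url'; // constructed field name; humans never see it

/** True when the hidden field came back with anything in it. */
function hp_is_tripped( array $post ): bool {
    if ( ! array_key_exists( HP_FIELD, $post ) ) {
        return false; // field not submitted: signup paths without the form stay unaffected
    }
    $value = $post[ HP_FIELD ];
    // A client may send hp_confirm_url[]=x; a non-string is not a blank field
    // (and trim() on an array would throw a TypeError on PHP 8).
    return ! is_string( $value ) || trim( $value ) !== '';
}

/** The trap: an ordinary text input hidden with CSS and skipped by keyboard navigation. */
function hp_field_html(): string {
    return '<p aria-hidden="true" style="position:absolute;left:-9999px">'
        . '<label>Leave this field empty '
        . '<input type="text" name="' . HP_FIELD . '" value="" tabindex="-1" autocomplete="off">'
        . '</label></p>';
}

if ( function_exists( 'add_action' ) ) {
    // Inside WordPress: print the field on the registration form ...
    add_action( 'register_form', function () {
        echo hp_field_html();
    } );
    // ... and add an error so the signup is rejected before the user is created.
    add_filter( 'registration_errors', function ( $errors ) {
        if ( hp_is_tripped( $_POST ) ) {
            $errors->add( 'hp_spam', 'Registration blocked.' );
        }
        return $errors;
    } );
} else {
    // Outside WordPress (php example.php): classify constructed submissions.
    $samples = array(
        'human'       => array( 'user_login' => 'alice', HP_FIELD => '' ),
        'whitespace'  => array( 'user_login' => 'bob', HP_FIELD => "  \n" ),
        'bot'         => array( 'user_login' => 'x', HP_FIELD => 'http://spam.example' ),
        'bot (array)' => array( 'user_login' => 'x', HP_FIELD => array( 'x' ) ),
    );
    foreach ( $samples as $label => $post ) {
        printf( "%-12s %s\n", $label, hp_is_tripped( $post ) ? 'blocked' : 'allowed' );
    }
}
```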

Registration Honeypot is a new free plugin that combats spambots using the tried and true honeypot method. There’s nothing to configure and no settings panel – simply activate it and leave it. Spammers caught in the act will see the following message:

[Image: spammer-message]

While Registration Honeypot isn’t built around an original concept, it’s the simplified implementation that counts here. Justin Tadlock, founder of Theme Hybrid, created the plugin because he couldn’t find a simple honeypot plugin that wasn’t loaded down with extra, unnecessary settings.

“It’s an overly simple method for catching one type of spam,” Tadlock said in his plugin announcement post. “But it’s useful and handles a good 99% of all spam registration issues I’ve seen.”

If you’re on the hunt for a new plugin to combat registration spam and you want a quality plug-n-play solution, give Registration Honeypot a try. Like all other Theme Hybrid plugins, it’s available for free on WordPress.org. It’s not going to stop 100% of spam registrations but it will shut down the bots who cannot resist the honey.

12 Comments


  1. Excellent! I wrote something almost identical to this a while back, but it was buggy and I hadn’t gotten around to optimising it yet. Justin always writes brilliant code, so I might just need to fork Justin’s code instead of fixing my own :)


    1. Actually, the two plugins are very different and fight spam for different things. My plugin is for user registration spam. The other plugin is for comment spam.


  2. Very cool tool. Spam is a… well, you know.

    Love the name too, very fitting. Bots are like Winnie the Pooh.


  3. The simple solutions are usually the best. This plugin should go right up there with Cookies for Comments.


    1. Just installed this plugin last night and so far it has stopped the spam on my site. Simple and sweet solution indeed.


  4. Sarah, thanks for the writeup. You actually found more to say about the plugin than I could in the plugin announcement post. I’ve been successfully using a less-polished version of this plugin for a couple of years on a few sites. It’s worked well for me so far. I hope some other folks get some use out of it.


    1. Between this, Cookies For Comments and Akismet, you’ve got to be dealing with little to no spam!


      1. Usually. I’ve seen some sites which get slammed even with that setup. If you throw in WP Hashcash, it kicks out a few more too, although in that situation you should use my plugin instead, as it combines Cookies for Comments and WP Hashcash into a single plugin which is slightly more efficient, since they don’t launch their payloads separately … http://wordpress.org/plugins/spam-destroyer/

        Thankfully most bots are stupid and rely on the site having very little protection, but more aggressive ones can bypass these (as Otto calls them) “sporting methods”. At that point you are in spam hell and the best I’ve come up with is to use a CAPTCHA. Thankfully even a very basic CAPTCHA has been enough to stop all the spam I’ve seen, but I’m guessing more heavily targeted sites would need to jump through a lot of hoops to block the bots.


  5. Going to have to give this plugin a try. Great feedback given here in the comments guys. Keep it up. :)


  6. Thanks for the plugin. Since our site will not have additional users self registering, in addition to this plugin I have changed the new user process to require a 600 character password. I’ll see if that stops the bogus new user registrations.


  7. I definitely need to try something new. I installed the Mailgun plugin to verify the email accounts are active. My captcha is only set up for 4 numbers as a requirement. Wish me luck.
