I think this post will be short and useful. The goal here is to demonstrate a simple technique to help you block spammers and bots that could attac...
For further actions, you may consider blocking this person and/or reporting abuse
I think it's also good to place tabindex="-1" on the honeypot input fields
Good job, now LastPass won't fill my form data into your site and you lost a customer.
I highly recommend no one do this.
If the functionality of LastPass on a webpage is the basis of your judgment on whether you purchase a product or not then maybe there is something questionable about your judgment criteria itself.
I understand your point, but i believe you can drive it to your needings, without lose a customer. If you want to integrate with last pass, for example, just keep the inputs you need and creating only one to use as honeypot (phone for example, i dont know), which is hidden, not required and not used by anything. One single input is enough to catch some spammers : )
Then LastPass will fill the invisible field, especially after the lengths you went through to make them hidden in a special way, not the conventional way.
It's basically the same thing as your bots π
so, what i mean is to you to use names that lastpass didnt use or adapt the core ideia on the post to your needings. last pass will not fill your entire form, and you can configure autofill on lastpass or use flags from their api like 'data-lpignore' which will tell the lastpass to not fill some fields. however, hope this to be useful to someone.
I think this is great. Question about accessibility: What is your opinion on using an aria attribute to hide this, so that screenreaders don't come across this and confuse users? Do you think bots are smart enough to recognize and skip this field altogether? Is there some sort of flag we could use instead?
Thats a great question Danielle. I think that the most configurations you add to the elements, the most hints you give to bots and spammers. So, we have to balance. Once we are talking about accessibility, there is no way to say no, we have to be careful.
Some alternatives i can think are:
Wrap the elements on a fieldset element that is aria-hidden and has . ohnohoney can be a good approach.
But, to tell you the truth, i dont see a problem with the aria. The "hidden" attr means hidden to everyone, but "aria-hidden" means hidden to screen readers and similar tools. I think the aria should not warm the technique cause bots should consider those elements too.
Would be cool to let a test running for a while. A form with aria and one without, and compare the spam incidence. If i was writing a bot, i would consider the aria-hidden inputs also, cause we never know the possible pages architectures, but im just guessing.
Sorry if my answer was not so complete as you could be expecting :/
No, I think it's a great thing to consider and have a discussion about. I'm just implementing something similar and thought it was something I should throw out there. Thanks!
I added only the CSS to my Wordpress honeypot installation because I have a custom built form though contact form 7 but I had to build according to the client's spec.
And whenever I add the honeypot line; it shows up in the form; so this CSS really helped hide it.
I do hope this works from preventing the bots.
What if the bot checks for required field? in that case this would fail
thats true, and thats can be a good point to think about how to solve. i use this code in a lot of systems, and it works well for most of cases. but, with no doubt, it has a lot of lacks, as more complex bots would be able to submit the form. i like to think in it as an extra layer of security.
If you want to remove the "required" HTML keyword, you could use javascript to implement the feature instead.
I have implemented honeypot using this technique. Not a single bot could interact so far, great! But the problem is, my real human customers are also facing problem submitting form. Basically messenger web view and chrome are silently auto filling the honeypot fields. Is there any solution to this?
This has been a problem, indeed. You can try two techiniques:
1 - stackoverflow.com/questions/157382...
2 - gist.github.com/niksumeiko/3601647...
Let us know if all gone well :D
What do I have to add in the php to check, if the honeypots are filled?
I would like to add a honeypot to an existing form but I am just a php-noob.
Hello das FarbCafe.
I made this repository implementing a simple example of this techinique:
github.com/felippe-regazio/php-hon...
:)
I think, adding autocomplete="off" to ohnohoney inputs might fix the autofill issue. (like lastpass etc.)
type="emaillkjkl" ?
haha omg. fixed.
Was implementing some of your ideas this morning and noticed. Thanks for article!
Kachin 've been here
Relying on normal spam protection that doesn't impact usability?
Thanks, It's very helpful technique.
Great ππΏππππΏ
Thanks for this thing. Just implemented it for 2 sites, using a phpmailer script where I basically just put it above the phpmailer code. Now waiting if spam happens/stops.
Thank you!
Kachin have been here