How to stop bots with honeypots

Honeypots are traps you can set up on your website to catch bots. Read how to implement one and which best practices to follow.


Nowadays, bots are everywhere. Some of them are good but others are not and should be stopped. In a previous post, we talked about various methods you can use to detect and stop bots. In this article, we will focus on one of them: honeypots.

Honeypots are a powerful yet subtle method to stop bots and malicious actors by tricking them into interacting with fake or decoy elements on your website or application. The basic idea is to create a "trap" that only bots would interact with while human users remain unaffected.

In this article, we will explore how honeypots work, how you can add them to your app, advanced techniques you can use, and best practices to follow.

What is a honeypot?

Honeypots are fake or decoy elements (like a hidden form field or link) on your website or app that attract bots. Because a human using a normal browser never sees these elements, any activity on them almost certainly comes from automated scripts.

These elements are designed to deceive bots into interacting with them. Many bots fill out every field in a form or follow every link they find in the HTML, while real users leave the honeypot untouched because they never see it.

How honeypots work

With honeypots, you set up your trap and wait. For example, you add a field to your form that humans cannot see (usually hidden via CSS) but that bots, which parse the raw HTML rather than rendering the page, will discover and fill in.

When a submission arrives with the honeypot field populated, or a request arrives for a hidden link, the request is flagged as bot-driven and can be discarded, blocked, or routed to a further challenge.

Example: Add honeypot to a form

1. Add the honeypot element

Here's a basic implementation of a honeypot using a hidden field in an HTML form:

  
<form method="POST" action="/submit_form">
    <!-- Normal fields visible to human users -->
    <input type="text" name="username" placeholder="Username" required>
    <input type="email" name="email" placeholder="Email" required>
    
    <!-- Honeypot field (hidden from users) -->
    <input type="text" name="honeypot" style="display:none" autocomplete="off">
    
    <button type="submit">Submit</button>
</form>
  
  • The honeypot field is hidden using style="display:none", which makes it invisible to human users (and keeps it out of the keyboard tab order and the accessibility tree).
  • autocomplete="off" asks the browser not to autofill the field. Browser autofill and password managers are the main source of false positives with this technique, which is why flagged submissions should be logged rather than silently dropped.
  • Naming the field honeypot is a giveaway to anyone who reads the markup; in production use a plausible name that a bot filling "every field" would want to populate, and keep the name consistent between the form and the server-side check.
  • On the server side, check if the honeypot field contains any data. If it does, the request is very likely from a bot, and you can reject or flag it.

2. Validate the form submission

Here is how you would validate the form submission in a PHP backend:

  
<?php

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    // Check if the honeypot field is filled
    if (!empty($_POST['honeypot'])) {
        // Log bot activity
        $log_message = "Bot detected: " . $_SERVER['REMOTE_ADDR'] . "\n";
        file_put_contents('honeypot_log.txt', $log_message, FILE_APPEND);
        
        // Respond with a 403 Forbidden error and message
        http_response_code(403);
        echo "Bot detected";
    } else {
        // Proceed with normal form handling
        $username = $_POST['username'];
        $email = $_POST['email'];
        // Respond with a 200 OK and welcome message
        http_response_code(200);
        echo "Welcome, human!";
    }
}

?>
  

If the honeypot field is filled, the server stops processing and rejects the request with a 403, treating it as a bot submission. Note that behind a reverse proxy or load balancer REMOTE_ADDR is the proxy's address, not the client's, so the logged IP may need to come from a trusted forwarded header instead.

Advanced honeypot techniques

Time-based honeypots

Bots typically submit a form within milliseconds of loading it, while humans need at least a few seconds to read and complete it. You can create a time-based honeypot by recording when the form was rendered and comparing that with the submission time.

To implement a time-based honeypot, first add a hidden timestamp field when the form page is rendered. Keep in mind that this value travels through the client, so a bot can simply post an old timestamp; in practice the timestamp should be signed (an HMAC over the value with a server-side secret) or stored in the server-side session and compared there.

  
<input type="hidden" name="form_start_time" value="<?php echo time(); ?>">
  

Then, if the form is submitted too quickly (e.g., less than 5 seconds after it was rendered), flag it as bot-like behavior. Cast the value to an integer before using it; anything a client sends in this field is untrusted input.

  
// Untrusted client input: coerce to an integer, treat a missing value as 0
$formStartTime = (int) ($_POST['form_start_time'] ?? 0);
if ($formStartTime === 0 || time() - $formStartTime < 5) {
    die('Too fast submission, bot detected!');
}
  

This catches bots that post the form immediately after fetching it. It also produces false positives: password managers and browser autofill can complete a short form in under a second, and a tab left open for hours will look stale, so treat a failed timing check as one signal to combine with the hidden-field check rather than a hard reject on its own.
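The following is an added example in Python (framework-agnostic, not code from the original post) of a timing check that does not trust the client-supplied timestamp: the render time is bound to an HMAC under a server-side secret, so a bot cannot post a back-dated value, and the verifier distinguishes too-fast, stale, forged and malformed tokens so each can be logged differently. The SECRET value and the two thresholds are illustrative assumptions.

```python
"""Signed form-timestamp token for a time-based honeypot.

Added example (Python, framework-agnostic), not code from the original
post. The PHP snippet above trusts a client-supplied form_start_time; here
the timestamp is bound to an HMAC under a server-side secret, so a bot
cannot post a back-dated value. SECRET, MIN_SECONDS and MAX_SECONDS are
illustrative assumptions.
"""
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Assumption: load this from configuration in production, never hard-code it.
SECRET = b"replace-with-a-long-random-secret"
MIN_SECONDS = 5      # assumed: faster than this looks automated
MAX_SECONDS = 3600   # assumed: older than this is stale or replayed


def _sign(ts: str) -> str:
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()


def issue_token(now: Optional[int] = None) -> str:
    """Return 'timestamp.signature' to embed in the hidden form field."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_sign(ts)}"


def check_token(token: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Verify a submitted token; returns (accepted, reason) for logging."""
    now = int(time.time() if now is None else now)
    ts, sep, sig = token.partition(".")
    if not sep or not (ts.isascii() and ts.isdigit()):
        return False, "malformed"
    # Constant-time comparison so the signature cannot be guessed byte by byte.
    if not hmac.compare_digest(sig.encode(), _sign(ts).encode()):
        return False, "bad_signature"
    age = now - int(ts)
    if age < MIN_SECONDS:
        return False, "too_fast"
    if age > MAX_SECONDS:
        return False, "stale"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000                              # constructed render time
    tok = issue_token(t0)
    print(check_token(tok, t0 + 1))                 # (False, 'too_fast')
    print(check_token(tok, t0 + 30))                # (True, 'ok')
    print(check_token(f"{t0 - 60}.deadbeef", t0))   # (False, 'bad_signature')
```

Render issue_token() into the hidden form_start_time field in place of the plain timestamp, and call check_token() on submit. Every app server must share the same secret, and the reason string is what you log: a burst of bad_signature results is a different situation from a trickle of too_fast ones caused by password managers.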

Multiple hidden fields

You can also use multiple honeypot fields with different names to catch more sophisticated bots. For example, create several hidden fields with different, plausible-looking names; a bot that has learned to skip one name may still fill another, while human users leave all of them untouched.

Example:

  
<input type="text" name="honeypot1" style="display:none" autocomplete="off">
<input type="text" name="honeypot2" style="display:none" autocomplete="off">
  

On the server side, check if any of these fields are filled in:

  
if (!empty($_POST['honeypot1']) || !empty($_POST['honeypot2'])) {
    die('Bot detected!');
}
  

This raises the bar: a bot must recognise and skip every decoy field, not just one.

Honeypot links (deceptive links)

Another strategy is to add hidden or decoy links (like a "Next" link) that crawlers will follow but that humans never see. These links are hidden with CSS, given no visible text, or positioned outside the visible area of the page, and they point at a URL that no legitimate navigation reaches. Add rel="nofollow" to the link and list its path under Disallow in robots.txt so that well-behaved search-engine crawlers skip it; the trap then catches only clients that ignore those conventions, which is exactly the population you want to flag.

Example:

  
<a href="http://example.com/dead-end" style="display:none" rel="nofollow" tabindex="-1">Next</a>
  

Any request for this URL did not come from a person clicking a visible control, so the client that made it is very likely automated, and you can flag or block it.

Honeypot with CAPTCHA

You can combine honeypots with CAPTCHA challenges to further reduce bot submissions. Instead of rejecting a submission outright when the honeypot fires, show a CAPTCHA as a second check: a bot will usually fail it, while a user caught by a false positive (autofill, for example) can still get through.
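Detection logic for the hidden-link trap, as an added example in Python that is not part of the original post. It assumes the trap link points at /dead-end as in the markup above, that the path is disallowed in robots.txt, and that the web server writes combined-format access logs. The log lines are constructed for the example and use documentation IP ranges.

```python
"""Flag clients that follow a hidden honeypot link.

Added example, not part of the original post. Assumes the trap link points
at /dead-end (as in the markup above), that /dead-end is listed as Disallow
in robots.txt so well-behaved crawlers never request it, and that requests
are recorded as Apache/Nginx combined-format log lines. SAMPLE_LOG is
constructed for this example.
"""
import re
from typing import Dict, List, Set

TRAP_PATH = "/dead-end"   # assumption: must match the hidden <a href>

# Minimal combined-log parser: client IP, method, path, status, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: a polite crawler that reads robots.txt and stays away
# from the trap, a scraper that follows the hidden link and then posts the
# form, and an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "FriendlyCrawler/1.0"
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "FriendlyCrawler/1.0"
198.51.100.9 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:10:00:03 +0000] "GET /dead-end HTTP/1.1" 200 30 "http://example.com/" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:10:00:04 +0000] "POST /submit_form HTTP/1.1" 200 15 "http://example.com/" "Mozilla/5.0"
192.0.2.55 - - [01/Jan/2024:10:00:05 +0000] "GET /signup HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Dict[str, str]:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsed log line: {line!r}")
    return m.groupdict()


def _is_trap(path: str) -> bool:
    # Ignore any query string so /dead-end?x=1 still counts as the trap.
    return path.split("?", 1)[0] == TRAP_PATH


def trapped_clients(log_text: str) -> Set[str]:
    """Return the client IPs that requested the trap path."""
    return {rec["ip"] for rec in map(parse_line, log_text.splitlines())
            if _is_trap(rec["path"])}


def classify(log_text: str) -> List[Dict[str, str]]:
    """Walk the log in order. Once a client hits the trap, that request and
    every later request from it are marked 'block'; earlier requests stay
    'allow', mirroring what a server could have decided at the time."""
    seen_trap: Set[str] = set()
    out: List[Dict[str, str]] = []
    for rec in map(parse_line, log_text.splitlines()):
        if _is_trap(rec["path"]):
            seen_trap.add(rec["ip"])
        decision = "block" if rec["ip"] in seen_trap else "allow"
        out.append({"ip": rec["ip"], "path": rec["path"], "decision": decision})
    return out


if __name__ == "__main__":
    print("trapped:", sorted(trapped_clients(SAMPLE_LOG)))
    for rec in classify(SAMPLE_LOG):
        print(rec["decision"], rec["ip"], rec["path"])
```

Keying the block on the client IP is the simplest option but it also blocks everyone behind the same NAT or carrier-grade proxy, so in practice tie the flag to a session cookie or another per-client identifier and let it expire. Listing the trap in robots.txt tells a careful bot author where the trap is; that is an acceptable trade, because the honeypot's job is to catch clients that ignore robots.txt in the first place.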

Best practices for honeypots

  • Hide honeypots well: Use CSS to keep honeypot fields out of view (display: none, visibility: hidden, or positioning them off-screen). An inline style="display:none" is easy for a bot to detect; hiding the field through a class in an external stylesheet is harder to spot. If you position the field off-screen rather than removing it from layout, also add tabindex="-1" and aria-hidden="true" so keyboard and screen-reader users do not land in it.
  • Use decoy fields sparingly: Don't overuse hidden fields. Each one is another chance for browser autofill or assistive technology to populate it and produce a false positive.
  • Combine honeypots with other methods: While honeypots are effective, use them alongside other techniques, such as CAPTCHA, rate-limiting, or IP blacklisting, for stronger protection.
  • Monitor for false positives: Regularly review submissions flagged by the honeypot to ensure you're not mistakenly rejecting legitimate users.
  • Don't rely solely on honeypots: Sophisticated bots drive a real browser (headless Chrome, for example) and check whether a field is actually visible before filling it, so they sail past honeypots. Behavioral analysis, CAPTCHA, IP monitoring, and other security tools together provide better protection.

Tools that create honeypots

If you prefer not to implement honeypots manually, there are tools and libraries that can automate the process:

  • Spam Protection Plugins: For CMS platforms like WordPress, plugins like Antispam Bee or WP Armour provide built-in honeypot mechanisms.
  • Bot Detection Services: Services like Cloudflare, reCAPTCHA, or PerimeterX also offer advanced bot management features that incorporate honeypot-like tactics.

Conclusion

Honeypots are a simple but effective way to stop bots from interacting with forms, submitting spam, or performing malicious actions on your site. You can trick bots into revealing themselves by using hidden fields, time-based traps, and decoy links while leaving human users unaffected. Combining honeypots with other methods like CAPTCHA and rate-limiting provides stronger bot protection.

For more advanced protection against bots, fraud, and abuse, check out WorkOS Radar.

Radar protects your app against AI bots, account abuse, credential theft, and more, using security insights from various sources, including data on user activity, network traffic, and other suspicious patterns. For more on what WorkOS Radar has to offer, see Introducing Radar — real-time protection against bots, fraud, and abuse.
