How to use Email Honeypot Traps to Fight Email and WordPress Spam

Illustration by Sènga la Rouge: bear attracted to honeypot trap.

Spam is the scourge of the internet. It swamps inboxes with requests from Nigerian princes, floods blog comments with unintelligible garbage, and is an all-around annoying waste of time to have to deal with.

In the constant battle between email service providers (ESPs) and spammers, legitimate folks who send out email newsletters to their subscribers, such as MailPoet users, get caught up somewhere in the middle.

The problem is, email subscribers tune out when they get overwhelmed with spam, impacting the overall effectiveness of email marketing. Though spam rates are slowly decreasing, spam remains a problem. In fact, according to Statista, more than half of all email sent every month is spam.

Fortunately, there’s a solution you can employ to catch annoying spambots in the act: honeypot traps.

Here is everything you need to know about what the two different types of honeypot traps are, how they work, and how you can implement your own honeypot trap to combat spam.

What are honeypot traps and how do they work?

There are thousands of spambots right now scouring websites. They follow every link they come across, looking for email addresses they can automatically add to their databases, and forms they can fill out so they can spread their spammy links.

A honeypot trap is a kind of spam prevention technology designed to trick spambots into revealing themselves. Just like a real honeypot attracts bears, email honeypot traps attract and catch spambots in the act. Once a bot falls into your trap, you can use the information you receive about the spammer or bot (i.e. their IP address) to block that user and prevent further spam.

There are two types of honeypot traps:

1. Email honeypot traps

Spambots scour the internet, collecting email addresses and sending them spam. Of course, part of a spammer’s revenue comes from selling those email addresses to other spammers. Quickly, any email published on the internet will receive hundreds of unwanted spam messages every day.

Email honeypots are email addresses set up specifically to catch spammers in action. Most honeypot traps are dormant email accounts, the logic being that if a dead email inbox can’t opt in to receive email, anyone sending to that address must be a spammer.

ESPs regularly review their email accounts and disable accounts that have been inactive for a long period of time. They let email addresses sit disabled for six to 12 months, during which time any legitimate senders should notice the hard bounces and clean their email lists.

After this time, ESPs re-activate these addresses and they become honeypot traps to catch spammers. The idea behind this is that anyone who sends to these honeypot addresses must’ve bought an email list or doesn’t routinely perform basic email list hygiene.

For more on spammy email lists and why they’re a bad idea, check out Should You Buy Email Lists?

2. Form honeypot traps

Spambots typically fill out website forms with nonsense sentences filled with spammy links. Form spam is easy to control if you have a small site, but for high traffic or large sites that get targeted by multiple bots, it can be a real headache to clean up.

A form honeypot trap adds a hidden field to your form. Human visitors can’t see the hidden field and will leave it blank. Spambots, however, will fill out every field, including the honeypot field, because they work from the form’s markup and can’t “see” that the field is hidden. A filled-in honeypot field tells the form plugin on your WordPress site (more on this below) that the submitter is a spammer, and the plugin blocks the submission.

Depending on the form plugin you use, the spam bot may automatically get blacklisted from your site, preventing them from returning and trying to spam you again in future.
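The hidden-field check described above, as an added example in plain PHP (it is not taken from any of the plugins named in this article). The field name `contact_reference` and the three-way result are assumptions made for illustration.

```php
<?php
// Hypothetical field name. Avoid names browsers autofill (email, name,
// phone), or real visitors will trip the trap.
const HONEYPOT_FIELD = 'contact_reference';

// Markup for the trap field. It is hidden with CSS rather than
// type="hidden", and kept out of the tab order and away from screen
// readers so that humans never reach it.
function honeypot_markup(): string
{
    $name = htmlspecialchars(HONEYPOT_FIELD, ENT_QUOTES);
    return '<div style="position:absolute;left:-9999px" aria-hidden="true">'
         . '<label for="' . $name . '">Leave this field empty</label>'
         . '<input type="text" id="' . $name . '" name="' . $name . '"'
         . ' value="" tabindex="-1" autocomplete="off">'
         . '</div>';
}

// Classify a submitted form (pass $_POST in a real handler).
// 'ok'      : trap field present and empty
// 'spam'    : trap field filled in
// 'suspect' : trap field missing, so the request did not come from
//             submitting the rendered form
function classify_submission(array $post): string
{
    if (!array_key_exists(HONEYPOT_FIELD, $post)) {
        return 'suspect';
    }
    $value = $post[HONEYPOT_FIELD];
    if (!is_string($value) || trim($value) !== '') {
        return 'spam';
    }
    return 'ok';
}

// Constructed sample submissions.
$samples = [
    'human'       => ['email' => 'ann@example.com', 'message' => 'Hi', HONEYPOT_FIELD => ''],
    'bot'         => ['email' => 'x@example.net', 'message' => 'buy now', HONEYPOT_FIELD => 'http://example.net'],
    'direct post' => ['email' => 'x@example.net', 'message' => 'buy now'],
];
foreach ($samples as $label => $post) {
    printf("%-12s %s\n", $label, classify_submission($post));
}
```

Rejected submissions are best answered with the same response a successful one gets, so the bot receives no signal about which field gave it away.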

Why do spambots fill out forms?

Whether you’re getting spam in your blog comments or contact form, there are many reasons why spambots target forms:

  • They want to send you spam about their product or service. They figure at least a few people will buy, making it worth their time.
  • They are looking for a security loophole that will allow them to use your contact form to send spam to others, giving them an even broader reach for their spammy message.
  • They are trying to get to your server, where they can then add software to make your server into another spam bot. This will allow them to send more spam, and can get you into trouble with your web host.
  • They are trying to leave a spam comment in the hope that at least a few URLs will stay live, allowing them to earn backlinks to their own site. This can help them rank higher in Google, or so they think. Other site viewers may also follow the links.
  • They are attempting a DoS attack, where they overwhelm your server with too much data. A successful DoS attack can crash your site, causing you to lose sales and traffic.

Since bots are all automated, these attacks don’t require much effort on the spammer’s part. Therefore, it is worth their time to send all this spam. As a site owner, however, bots can be a massive headache or even a major security risk.

Honeypots can protect you from spam bot attacks and help to keep your site secure and online.

How to avoid getting caught in an email honeypot trap

So how can you avoid falling victim to email honeypot traps? Simple: don’t buy email lists and regularly clean your email list.

It’s important to be aware that even legitimate senders can end up with honeypot traps in their email list. Regardless of your intent, sending unwanted email is a violation of the CAN-SPAM Act.

There are a few more steps you can take to protect your email and sender reputation:

  • Never buy email lists. It is far more profitable and effective to build an organic email list using opt-in, like a downloadable guide or template. This way, you know everyone on your list wants to hear from you.
  • Remove any hard bounces immediately. Most ESPs will automatically remove hard bounces for you.
  • Use double opt-ins. Double opt-ins require subscribers to confirm their subscription to an email list. Most email solutions, like MailPoet, offer and recommend this practice.
  • Clean your email list quarterly. Follow email hygiene best practices and remove any inactive subscribers. Send a re-engagement email to anybody who has not opened your emails in more than six months and if they don’t respond, remove them from your list. MailPoet is the only email marketing solution that has an inbuilt inactive subscriber feature!

How to use honeypot traps with your WordPress forms

The good news is that most WordPress form plugins have anti-spam features — Gravity Forms, Ninja Forms, and Caldera Forms all have honeypots built-in.

If you use the free Contact Form 7 plugin, install and activate the Contact Form 7 Honeypot plugin. The plugin generates tags that, when added to a field in your form, turn it into a honeypot trap field.

If you’re using another forms plugin, or your WordPress theme comes with its own custom-built forms, and you’re not sure if a honeypot is built-in, contact the plugin or theme developer to find out.

If you know for sure that your contact form plugin doesn’t have a built-in honeypot feature, you could try coding it yourself. If you are tech-savvy, this resource outlines how to code honeypots for form fields.

Project Honey Pot

Project Honey Pot homepage.

Project Honey Pot is an organization fighting the good fight against email spam. It is the first and only distributed system for identifying spammers and the spambots they use to scrape email addresses from websites.

If you want to join Project Honey Pot, you need to install software on your website. It works by setting up email addresses on your site that are custom-tagged to the time and IP address of a visitor. If one of these addresses starts receiving email, the project not only knows instantly that the messages are spam, but can also tell the exact moment when the address was harvested and the IP address that gathered it.
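To show how an address can carry the visitor's IP and the time of the visit, here is an added example in PHP. It is not Project Honey Pot's software or address format: the encoding, the `TRAP_KEY` secret and the `traps.example.org` domain are all assumptions.

```php
<?php
// Hypothetical scheme: local part = hex(IP) . hex(time) . truncated HMAC.
const TRAP_KEY    = 'replace-with-a-random-secret'; // placeholder secret
const TRAP_DOMAIN = 'traps.example.org';            // placeholder domain

// Build the unique trap address shown to one visitor.
function make_trap_address(string $visitorIp, int $time): string
{
    $packed = inet_pton($visitorIp);
    if ($packed === false) {
        throw new InvalidArgumentException('not an IP address');
    }
    $payload = bin2hex($packed) . sprintf('%08x', $time);
    $mac = substr(hash_hmac('sha256', $payload, TRAP_KEY), 0, 16);
    return $payload . $mac . '@' . TRAP_DOMAIN;
}

// When mail arrives at a trap address, recover who harvested it and when.
// Returns null for addresses this site did not issue (forged or mistyped).
function decode_trap_address(string $address): ?array
{
    [$local, $domain] = array_pad(explode('@', strtolower($address), 2), 2, '');
    if ($domain !== TRAP_DOMAIN || !ctype_xdigit($local)) {
        return null;
    }
    $payload = substr($local, 0, -16);
    $mac     = substr($local, -16);
    // Payload is 8 (IPv4) or 32 (IPv6) hex digits plus 8 for the time.
    if (!in_array(strlen($payload), [16, 40], true)) {
        return null;
    }
    $expected = substr(hash_hmac('sha256', $payload, TRAP_KEY), 0, 16);
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    return [
        'harvester_ip' => inet_ntop(hex2bin(substr($payload, 0, -8))),
        'harvested_at' => gmdate('c', hexdec(substr($payload, -8))),
    ];
}

// Constructed sample: a visit from a documentation-range IP.
$address = make_trap_address('203.0.113.7', 1700000000);
echo $address, "\n";
var_export(decode_trap_address($address));                  // IP and time recovered
echo "\n";
var_export(decode_trap_address('deadbeef@' . TRAP_DOMAIN)); // NULL: not issued here
```

The HMAC means a sender cannot mint a valid-looking trap address that points at someone else's IP, so a decoded result can be trusted as evidence of harvesting.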

The easiest way to use Project Honey Pot with your WordPress site is to install and activate the free Honeypot Toolkit plugin, which you can download from the WordPress.org plugin repository. The plugin automatically adds the required software to your site and blocks IP addresses reported as bots by Project Honey Pot. You can also use it to create rules to block IP addresses that take specific actions.

In addition to helping Project Honey Pot, this plugin also protects your site from spammers and brute force attacks by allowing you to block users that engage in suspicious behavior.

Anti-Spam plugins for WordPress

Honeypot traps can be used to trap spammers, but there are several other methods you can use to keep bots from filling out your WordPress forms. Here are a few of the top spam plugins for WordPress:

  • Antispam Bee is a popular anti-spam plugin that blocks spam comments and trackbacks effectively, without captchas and without sending personal information to third-party services.
  • Akismet is one of the oldest and longest-serving plugins in the WordPress.org plugin repository. Originally created to stop comment spam, many form plugins integrate with Akismet to check their form submissions too.
  • Cerber Security, Anti Spam and Malware Scan protects your forms from spam, monitors logins, allows you to restrict access to IP addresses, and protects against DoS attacks.
  • Spam protection, AntiSpam, FireWall by CleanTalk stops spam in comments, registrations, WooCommerce, bookings, and more. It also provides real-time email validation.
  • Anti-spam is a simple and easy-to-use plugin that automatically blocks comment spam.

Lastly, I’ll throw this one in for good measure: Blackhole for Bad Bots is a free plugin that adds a virtual black hole trap to your site. It works by adding a hidden link to your pages, which you can then specify in your robots.txt file. Bots that ignore or disobey your robots rules will crawl the links and fall into the black hole. Once trapped, the bot’s IP address will be blacklisted from accessing your site.
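The same robots.txt trap idea can be checked against your own access logs. The following PHP is an added example, not code from the Blackhole for Bad Bots plugin. The `/blackhole/` path and the log lines are constructed, and `str_starts_with` needs PHP 8.

```php
<?php
// robots.txt rule that goes with the hidden link (hypothetical path).
// Publish the rule before the link so compliant crawlers can see it.
//   User-agent: *
//   Disallow: /blackhole/
const TRAP_PATH = '/blackhole/';

// Return the client IPs that requested the trap path, with hit counts.
function trapped_ips(array $logLines): array
{
    $hits = [];
    // Common/combined log format: ip ident user [time] "METHOD path proto" ...
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)[^"]*"/';
    foreach ($logLines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue; // malformed line, skip it
        }
        $path = parse_url($m[2], PHP_URL_PATH);
        // Normalise the trailing slash so /blackhole and /blackhole/ both
        // match, while /blackhole-news/ does not.
        if (is_string($path) && str_starts_with(rtrim($path, '/') . '/', TRAP_PATH)) {
            $hits[$m[1]] = ($hits[$m[1]] ?? 0) + 1;
        }
    }
    return $hits;
}

// Constructed access-log lines using documentation IP ranges.
$log = [
    '198.51.100.23 - - [10/Mar/2024:10:01:12 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "ExampleCrawler/1.0"',
    '198.51.100.23 - - [10/Mar/2024:10:01:13 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "ExampleCrawler/1.0"',
    '203.0.113.50 - - [10/Mar/2024:10:02:40 +0000] "GET /blackhole/?ref=footer HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.50 - - [10/Mar/2024:10:02:41 +0000] "GET /blackhole HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Mar/2024:10:03:05 +0000] "GET /blackhole-news/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
];
print_r(trapped_ips($log)); // only 203.0.113.50 appears, with 2 hits
```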

Wrapping up

Protecting your site and forms from spam is a necessary step in today’s digital world where spam is an unfortunate and annoying reality. Luckily, WordPress makes it very easy to keep your site, server, and data safe and secure.

Now that you understand how honeypot traps work, it’s time to implement one. I recommend cleaning your email list if you haven’t done so recently, and putting in place a schedule for email list hygiene. Also, check your website forms to make sure they have honeypot features built-in, and if they don’t, consider signing up for Project Honey Pot or using some other anti-spam measure for your site.

Is spam a problem on your site? How often do you clean your email list? Share your thoughts in the comments below!