Enhancements to the Spam Honeypot

Note: This article was first published alongside the release of Gravity Forms 2.7 Beta.

Introduction

A honeypot is a spam prevention method often preferred because it doesn’t inconvenience users the way a CAPTCHA field would. It works by adding a hidden field to the form. The field is typically hidden by either CSS or JavaScript. Although a user can’t see this field, spambots can. If the honeypot field is filled in, the submission is treated as spam.

The honeypot feature is not new to Gravity Forms, but we have made some enhancements to improve its effectiveness while also adding user controls that will allow you to specify how the honeypot handles spam submissions.

Enabling Honeypot

To enable the honeypot, go to Form Settings for each form on which you’d like this feature enabled.

Like before, when enabled, the honeypot spam protection technique will function automatically and not require user interaction.

Honeypot Changes

Enhanced Implementation Technique

The current PHP honeypot adds a hidden field to the form when the page loads, and if that field is populated, the honeypot considers the entry spam. This still exists and is not being replaced.

Additionally, we’ve implemented an extra input that JavaScript adds to the POST request when the form is submitted. A human never sees it, but a submission will fail validation if this extra input doesn’t contain the expected value.

New Setting

Once activated, a new setting will appear, allowing you to define what action you would like to take “if the honeypot flags a submission as spam”. The two options offered are:

  1. Do not create an entry
  2. Create an entry and mark it as spam

If “Do not create an entry” is chosen, form submissions caught by the honeypot are not saved, and the form confirmation will display the default “Thanks for contacting us! We will get in touch with you shortly.” message instead of the form’s configured confirmation.

If “Create an entry and mark it as spam” is chosen, form submissions caught by the honeypot are saved as entries but will be marked as spam on the entries list page. The form confirmation will display the default “Thanks for contacting us! We will get in touch with you shortly.” message instead of the form’s configured confirmation.
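
The two honeypot checks and the new setting can be modelled in a few lines of plain JavaScript. This is an added example, not Gravity Forms code: the field names, the expected value and the 'abort'/'spam' setting values are assumptions made up for the illustration, and the submissions are constructed.

```javascript
// Added illustration: every name here is hypothetical, not Gravity Forms code.
const DEFAULT_CONFIRMATION =
  'Thanks for contacting us! We will get in touch with you shortly.';

// Constructed form configuration. honeypotAction is 'abort' ("Do not create
// an entry") or 'spam' ("Create an entry and mark it as spam").
const form = {
  honeypotField: 'hp_field',       // hidden field rendered with the page
  scriptInput: 'hp_script_input',  // input added by script at submit time
  expectedValue: 'constructed-value-123',
  honeypotAction: 'spam',
  confirmation: 'Your quote request was received.',
};

// Client-side model: what ends up in the POST body.
function buildPostBody(fields, form, { scriptRan, fillsHidden }) {
  const body = { ...fields, [form.honeypotField]: fillsHidden ? 'buy now' : '' };
  if (scriptRan) body[form.scriptInput] = form.expectedValue;
  return body;
}

// Server-side model: the hidden field must be empty AND the script input must match.
function checkHoneypot(body, form) {
  const reasons = [];
  if ((body[form.honeypotField] ?? '') !== '') reasons.push('hidden field populated');
  if (body[form.scriptInput] !== form.expectedValue) reasons.push('script input missing or wrong');
  return reasons;
}

// Apply the configured action; flagged submissions get the default message.
function handleSubmission(body, form) {
  const reasons = checkHoneypot(body, form);
  if (reasons.length === 0) {
    return { saved: true, status: 'active', confirmation: form.confirmation, reasons };
  }
  const saved = form.honeypotAction === 'spam';
  return { saved, status: saved ? 'spam' : null, confirmation: DEFAULT_CONFIRMATION, reasons };
}

// Constructed submissions covering each outcome.
function runSamples(cfg = form) {
  const fields = { name: 'Ada', message: 'Hello' };
  const cases = {
    human: { scriptRan: true, fillsHidden: false },
    formFillingBot: { scriptRan: false, fillsHidden: true },
    directPostBot: { scriptRan: false, fillsHidden: false }, // caught only by the script input check
    humanWithScriptError: { scriptRan: false, fillsHidden: false }, // same POST body as the bot above
  };
  const out = {};
  for (const [name, opts] of Object.entries(cases)) out[name] = handleSubmission(buildPostBody(fields, cfg, opts), cfg);
  return out;
}
console.log(runSamples());
```

The last two cases produce identical POST bodies, so a real visitor whose script did not run is handled exactly like a bot that never executes JavaScript.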

New Filter

The gform_abort_submission_with_confirmation filter can be used to determine if submissions are aborted without saving the entry.

Troubleshooting

Because the new honeypot technique relies on JavaScript to populate an input when the form is submitted, any JavaScript error may cause the honeypot to fail validation. If the honeypot fails to pass validation, the entry will be discarded or marked as spam, according to your honeypot settings. Caching, script optimization, and theme or plugin conflicts may all cause the honeypot to fail. You can check for conflicts that prevent the honeypot feature from working correctly using these steps.