CAPTCHA is effective at blocking spam bots but terrible for user experience: it introduces friction for every legitimate commenter, including accessibility challenges for users with visual impairments. A honeypot is a different approach: add a form field that’s invisible to human visitors (hidden via CSS) but visible to bots that blindly fill in every field they find. When a submission arrives with the honeypot field populated, it’s almost certainly from a bot, and the submission is rejected.
Honeypots aren’t foolproof against sophisticated bots that parse CSS before submitting, but they catch the vast majority of automated spam with zero friction for legitimate users.
The Code
Add this to your functions.php or a site-specific plugin. Two hooks work together: one adds the honeypot field to the comment form, the other validates submissions before they’re processed.
The Honeypot Field
The field is hidden using display:none!important inline rather than a CSS class, because a bot that reads external stylesheets won’t see the class definition. The !important ensures the hiding survives any theme CSS that might accidentally show the field. aria-hidden="true" hides it from screen readers. tabindex="-1" prevents keyboard users from accidentally focusing it. The label text, “Leave this field empty”, provides a fallback instruction if the field is somehow visible.
The field uses a generic but non-obvious name, comment_trap. Avoid names like honeypot or trap that some sophisticated bots are programmed to skip. A name that looks like a legitimate field, such as website_confirm or email_verify, is more effective because it blends in with other fields a bot would expect.
The Validation Hook
preprocess_comment fires before WordPress saves any comment data to the database. If the honeypot field contains any non-empty value, the hook calls wp_die() with a 403 Forbidden status, stopping the submission entirely. The back_link option adds a browser back button to the error page so legitimate users who somehow triggered it can retry.
Combining with Akismet
The honeypot catches bots that submit forms mechanically. Akismet (and similar spam services) catches more sophisticated spam that gets past a honeypot because it looks like a human submission. The two approaches complement each other well: the honeypot is the first line of defence against mechanical bots, and Akismet is the second against more intelligent spam. Using both together significantly reduces the volume of spam that reaches the moderation queue.
Effectiveness Over Time
Honeypots are most effective on sites that don’t publicise their implementation. Avoid naming the field in public documentation or theme files in a way that reveals it’s a honeypot. Rotating the field name periodically, changing comment_trap to something else every few months, can also help if a specific bot learns to skip your field name.
// Add a hidden honeypot field to the comment form
add_filter( 'comment_form_fields', function( $fields ) {
    $fields['honeypot'] = '<p style="display:none!important" aria-hidden="true">
        <label for="comment_trap">Leave this field empty</label>
        <input type="text" name="comment_trap" id="comment_trap" value="" autocomplete="off" tabindex="-1">
    </p>';
    return $fields;
} );

// Reject the comment if the honeypot field is filled in
add_filter( 'preprocess_comment', function( $data ) {
    if ( ! empty( $_POST['comment_trap'] ) ) {
        wp_die(
            'Your comment could not be submitted.',
            'Comment Submission Error',
            [ 'response' => 403, 'back_link' => true ]
        );
    }
    return $data;
} );
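
The rotation described under Effectiveness Over Time can be automated rather than done by hand. The following is an added example, not the article's own code: it picks the field name from a small pool by 90-day period and rejects a submission if any pool name is filled in, so forms rendered or cached before a rotation are still covered. The helper names (HP_NAMES, hp_current_name, hp_is_tripped), the 90-day interval and the pool entries contact_ref and profile_link are assumptions.

```php
// Added example: rotate the honeypot field name on a schedule.
// Pool of plausible-looking names. The first two appear in the article; the
// last two are hypothetical. None may collide with a real field on your form.
const HP_NAMES = [ 'website_confirm', 'email_verify', 'contact_ref', 'profile_link' ];

// Name in use for the current period (assumed interval: 90 days).
function hp_current_name( ?int $now = null ): string {
    $period = intdiv( $now ?? time(), 90 * DAY_IN_SECONDS );
    return HP_NAMES[ $period % count( HP_NAMES ) ];
}

// True if any pool name carries a non-blank value. Unlike empty(), this also
// flags the string "0" and array-valued input such as website_confirm[]=x.
function hp_is_tripped( array $post ): bool {
    foreach ( HP_NAMES as $name ) {
        if ( ! isset( $post[ $name ] ) ) {
            continue;
        }
        $value = $post[ $name ];
        if ( ! is_string( $value ) || '' !== trim( $value ) ) {
            return true;
        }
    }
    return false;
}

// Render the hidden field under the current period's name.
add_filter( 'comment_form_fields', function ( $fields ) {
    $name = hp_current_name();
    $fields[ $name ] = sprintf(
        '<p style="display:none!important" aria-hidden="true">'
        . '<label for="%1$s">Leave this field empty</label>'
        . '<input type="text" name="%1$s" id="%1$s" value="" autocomplete="off" tabindex="-1">'
        . '</p>',
        esc_attr( $name )
    );
    return $fields;
} );

// Reject the comment before WordPress saves it if any pool field is filled in.
add_filter( 'preprocess_comment', function ( $data ) {
    if ( hp_is_tripped( $_POST ) ) {
        wp_die(
            'Your comment could not be submitted.',
            'Comment Submission Error',
            [ 'response' => 403, 'back_link' => true ]
        );
    }
    return $data;
} );
```

Use this in place of the fixed-name snippet, and check the pool against the field names your theme and plugins already add to the comment form.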
