Last updated 9 February 2016. Created on 28 July 2011.
Edited by geerlingguy, mfernea. Log in to edit this page.

Honeypot uses both the honeypot and timestamp methods of deterring spam bots from completing forms on your Drupal site. These methods are effective against many spam bots, and are not as intrusive as CAPTCHAs or other methods which punish the user [YouTube].

Honeypot form protection

Honeypot form protection means that an invisible field is added to a form. If this invisible field is filled out (bots will usually put in a value), then the form will return an error. Normal users (read: human beings) won't ever see the field, so they won't fill it out. Even if they do, the field is labeled in such a way as to indicate the human shouldn't fill out the field.

This is not foolproof, though, as many spam bots can detect hidden fields, and they can also be adapted to work around a particular field on your site (this isn't typically the case for smaller sites, though). To prevent against this, you are able to change the field's name from the default, 'homepage', to whatever you'd like.

Time restriction

Humans usually take a few seconds (at least) before they are able to complete a form. Honeypot requires at least 5 seconds to pass (by default) before the form can be successfully submitted. This deters spam bots because they can't afford to sit around waiting until a time limit is up before resubmitting the form. You can change or disable the time restriction for the Honeypot module by visiting the Honeypot configuration page at admin/config/content/honeypot (Drupal 7/8) or admin/settings/honeypot (Drupal 6).

Bypass Honeypot Protection

For many users (administrators, for example), you might want to have honeypot protection turned off. You can go to the permissions page to grant the 'bypass honeypot protection' permission to trusted roles. The permissions page is located at admin/people/permissions (Drupal 7/8), or admin/user/permissions (Drupal 6).

Using Honeypot in your own forms

If you want to add honeypot to your own forms, or to any form through your own module's hook_form_alter's, you can simply place the following function call inside your form builder function (or inside a hook_form_alter):

  honeypot_add_form_protection($form, $form_state, array('honeypot', 'time_restriction'));

Note that you can enable or disable either the honeypot field, or the time restriction on the form by including or not including the option in the array.

You can also use Honeypot's API to modify the time delay for forms, add or remove protections for certain forms, etc.

Log blocked form submissions

If the "Log blocked form submissions" option is checked in the configuration page the blocked submissions are added to watchdog. The "type" for the log entries is "honeypot".

Looking for support? Visit the forums, or join #drupal-support in IRC.