Honeypot Module for Contact Form 7 WordPress Plugin

This simple addition to the wonderful Contact Form 7 (CF7) plugin adds basic honeypot anti-spam functionality to thwart spambots without the need for an ugly captcha.

The principle of a honeypot is simple — bots are stupid. While some spam is hand-delivered, the vast majority is submitted by bots scripted in a specific (wide-scope) way to submit spam to the largest number of form types. In this way they somewhat blindly fill in fields, irregardless of whether the field should be filled in or not. This is how a honeypot catches the bot — it introduces an additional field in the form that if filled out will cause the form not to validate.

Get the CF7 Honeypot Plugin

Latest v1.13 / WordPress.org / Support


Please use the official CF7 Honeypot support forum for all support requests. Support requests in comments may not be answered. Also — before submitting a support request, be sure to confirm you are using the latest versions of: 1) Contact Form 7 WordPress Plugin, 2) The Contact Form 7 plugin, 3) WordPress.


  • Install using the WordPress “Add Plugin” feature — just search for “Contact Form 7 Honeypot”.
  • Confirm that Contact Form 7 is installed and activated. Then activate this plugin.
  • Edit a form in Contact Form 7
  • Choose “Honeypot” from the CF7 tag generator. Recommended: change the honeypot element’s ID.
  • Insert the generated tag anywhere in your form. The added field uses inline CSS styles to hide the field from your visitors.

The fine folks at RoseApple Media put the above video together detailing the simple process of getting up and running with CF7 Honeypot. NOTE: This video was not produced by the CF7 Honeypot developer.

Altering the Honeypot Output HTML [ADVANCED]

While the basic settings should keep most people happy, we’ve added several filters for you to further customize the honeypot field. The three filters available are:

  • wpcf7_honeypot_accessibility_message – Adjusts the default text for the (hidden) accessibility message.
  • wpcf7_honeypot_container_css – Adjusts the CSS that is applied to the honeypot container to keep it hidden from view.
  • wpcf7_honeypot_html_output – Adjusts the entire HTML output of the honeypot element.

For examples of the above, please see this recipe Gist.

Frequently Asked Questions

Will this module stop all my contact form spam?
Probably not. But it should reduce it to a level whereby you don’t require any additional spam challenges (CAPTCHA, math questions, etc.).

Are honeypots better than CAPTCHAs?
This largely depends on the quality of the CAPTCHA. Unfortunately the more difficult a CAPTCHA is to break, the more unfriendly it is to the end user. This honeypot module was created because we don’t like CAPTCHA’s cluttering up our forms. Our recommendation is to try this module first, and if you find that it doesn’t stop enough spam, then employ more challenging anti-spam techniques.

Can I modify the HTML this plugin outputs?
Yep! See the Installation section for more details and this gist for examples.

What is the plugin license?
This plugin is released under a GPL license.


Added do-not-store for when forms are stored in the DB (i.e. Flamingo). Improved wrapper ID masking and customization.

Additional functionality to improve spam-stopping power.

Introduces ability to force W3C compliance. See here for details.

Addresses accessibility concerns regarding a missing label and disables autocomplete to prevent browser autocomplete functions from filling in the field.

Updates for Function/Class changes related to CF7 4.6. Removed plugin local language support, instead use translate.wordpress.org.

Added i18n support, French language pack. Thx chris-kn

Added wpcf7_honeypot_accessibility_message and wpcf7_honeypot_container_css filters, i18n support.

Provides backwards compatibility for pre-CF7 4.2, introduces ability to remove accessibility message.

Quick fix release to fix PHP error introduced in 1.6.3.

Updates to accommodate changes to the CF7 editor user interface.

Small change to accommodate validation changes made in CF7 4.1.

Small change to accommodate changes made in CF7 3.9.

Quite a lot of code clean-up. This shouldn’t result in any changes to the regular output, but it’s worth checking your forms after updating. Also, you’ll note that you now have the ability to add a custom CLASS and ID attributes when generating the Honeypot shortcode (in the CF7 form editor).

Added filter hook for greater extensibility. See installation section for more details.

Update to make compatible with WordPress 3.8 and CF7 3.6. Solves problem of unrendered honeypot shortcode appearing on contact forms.

Update to improve outputted HTML for better standards compliance when the same form appears multiple times on the same page.

Small update to add better i18n and WPML compatibility.

Small update for W3C compliance. Thanks Jeff.

Initial release.

97 thoughts on Honeypot Module for Contact Form 7 WordPress Plugin

  1. Pingback: DaoByDesign på "Kontakt formular 7 Honeypot" - CyberMaster
  2. Pingback: Adding a little Honey to WordPress’ Contact Form 7 Plugin ~ Dao By Design
  3. Plugin: Contact Form 7 Honeypot] Is it compatible with Contact Form7 Recaptcha?

    I want to combine usage of this honey pot plugin

    with the Recaptcha add on for contact form 7.

    Recently i got sent a spam, not sure if it was manual or not, seeing i am already using recaptcha. So i wanted to know if honeypot can work together with recaptcha or will it bug out ?

    I posted my question also in the wp forum as well

  4. Just found out about this plugin yesterday, when I was looking for a simple way to add a newsletter widget using cf 7 so let’s see

  5. Man, this thing breaks my form….

    The part that’s breaking it is…

    $html = ‘<span class="wpcf7-form-control-wrap '…

    Not a coder, but when I leave this line in, the form loses styling below the honeypot entry, the honeypot input becomes visible, other styling issues….

    If I remove it, all looks fine – but obviously, there is now a missing line of code.

    So, this line of code seems to be wrapping the $html inside a span tag and appending some validation_error result… which for non-programmers like myself prompts the following questions:

    1) What does it do????" 😉

    2) Any way to restructure this to make it less likely to conflict with my form???


    • Hi Steve, what are you naming this element? It’s difficult to tell what is causing the error with just a report of what line you believe is causing the problem, but not actually the output that is causing the problem. Can you send me the HTML (or a link) to info at daobydesign dot com.

  6. Hey, this is terrific! My client is getting quite a bit of what is obviously automated spam. Is there a fairly simple way to test the function. Would I need a bot? I don’t know how to get one and not sure if it would remain under my control. Seriously though, any ideas about how to test?

    • The plugin doesn’t actually differentiate between bot and regular visitor, it simply doesn’t display the honeypot form element to regular visitors, and thus they would have no reason to fill it in. Bots, which generally ignore CSS style in their reading of a page, will assume the form field needs to be filled out, and thus trigger the trap. Obviously there are ways to get around this, and as bots mature, prevention techniques will also need to evolve to keep up.

  7. Very interesting. My Really Simple Captcha gets cached by W3 Total Cache, and W3 has highest priority for our blog.

    So I installed this and generated the code.

    For example :

    [honeypot honeypot-123]

    I need clarification on what you mean by this :

    “Recommended: change the honeypot element’s ID”

    So do I change 123 to any number like 555 ?


    • Hi Joe, the element’s ID is the ID of the HTML element in the final rendered page. The ID takes its value from the “honeypot-123” part of the shortcode [honeypot honeypot-123], so changing that whole value to something that doesn’t advertise “honeypot” to the spambots is a good idea. I suggest changing it to something tasty to spambots (url-123, email-123, etc.) so as to encourage catching them with the honey.

  8. Ryan,
    Is there a way to integrate this into a typical WP comment system (My Site My Way Infocus Theme, overall plain vanilla WP)so that the post-level comments are being honeypotted?

    • Hi Gerard, this was specifically designed to be a plugin for CF7, so won’t work with the standard WP comment form, but it wouldn’t be hard to make a plugin that does. I am pretty sure one exists already though, so you might want to check the plugin directory at wordpress.org.

  9. Excellent stuff Ryan, thanks for making this. Any plans on updating the WP compatibility in the Plugin Database? Probably get more installs that way.

    Thanks again. I am testing this for a week or two.


    • Thanks Roger. Just updated — one of those things I should be quicker at 🙁

  10. Apparently Honeypot Contact 7 is not working on my site. Many the generated tag is wrong or I am not embedding some more short tags in the form.

    Help Please.


    • Hi Ed — it looks like you’re using the wrong CF7 Honeypot shortcode: [spambotpot-545]

      This honeypot plugin uses [honeypot THEID] — where THEID is a uniquely generated ID.

  11. Hi,

    just saw that it seems stopped working for me.

    Tried it with new ids. The form was sentable without being protected.

    Could it be because I updated wordpress today?


    • Hi wolle, I just checked with the latest version of WP and it appears to be working fine. To test the honeypot, you’ll need to insert a value into the honeypot input (using a dev tool like Firebug, or just the stock DOM inspector in your browser).

      • Hi Ryan,

        thank you for the fast reply.

        After sleeping some hours I looked over it again. Okay, you won’t be able to reproduce it because I’ve got two blogs running on the same server and on one blog everything workds like a charm.

        The one which is running crazy doesn’t give me the “tag opportunity” in the contact form section at all. So I’m not able to generate a honeypot id at all.

        (I’m still thinking that I was able to do so before I went to sleep but sometimes I’m a bit confused. ;))

        I will have a look where are the differences between installed plugins on both blogs.

        I also do not think that it’s a question of the used language in both blogs. (One is in english and one in german.)

        I think you can’t do that much for me at the moment because of my individual konfiguration and it’s working on one blog.

        It’s sick that this “tag dropdown” is missing and the settings page of contact form 7 looks that much different on both blogs.

        Okay, I shut up now and will look where’s the point. 😉


  12. It’s me again.

    The tag-generator is in the sources of the page of the admin section of contact form. There is also honepot in it.

    That’s why I think my fault hasn’t anything to do with honeypot.

    I’m sorry for wasting your time.

  13. All of a sudden I’m getting spam emails from my Contact Form 7 that’s protected with your honeypot, probably two dozen in the last 12 hours and still coming. The code on the pages looks good to me ( and ) for the two versions of the form I have on my WP site.

    You said “To test the honeypot, you’ll need to insert a value into the honeypot input (using a dev tool like Firebug…” I have Firebug installed and can find the honeypot line of code in Firebug, but don’t know how to enter a value into that field. Can you explain how?

    • Hi Malcolm — you’ll need to right click the input code and edit it:
      <input class="wpcf7-text" type="text" name="email-wpcf7-hp" id="email-wpcf7-hp" value="" size="40" tabindex="3">

      Then add a value to the “value” attribute — something like:
      <input class="wpcf7-text" type="text" name="email-wpcf7-hp" id="email-wpcf7-hp" value="something" size="40" tabindex="3">

      Then, fill out the form as you normally would and see if you can submit it. It should return an error, because validation should not allow the submission through if that field has a value.

      • Thanks, Ryan, that worked fine and did produce the validation error.

        So, any ideas about stopping the flood of spam that’s getting through 🙂

      • The first thing I would do is change all the names of the various input fields in the contact form. I would also suggest getting a captcha (such as reCaptcha) installed in the form.

  14. I used this in addition to the honeypot
    [checkbox* humancheckbox label_first “Please Check the box if your human”]

    i was getting some spam that got through but now none since i added that line.
    Thanks for a great plugin..i hope this will help someone that is still getting a little spam..

    • In case you miss it, change that code to:
      [checkbox* humancheckbox label_first “Please Check the box if you’re human”]

      The difference between ‘your’ and ‘you’re’ is pretty huge.

  15. The flood of spam I was getting through the honey pot protection stopped about as suddenly as to began. For several weeks now, I’ve only had maybe one or two spam messages per week. I didn’t put in any additional protection.

  16. Thank you, thank you! Honeypot for Contact Form 7 has just stopped the spambots in their nasty little tracks. Yesterday I got slammed with more than 100 bot-generated spams on a contact form at our site… installed Honeypot and the spams have stopped cold. Not a single one since, but legit inquiries are getting through. I no longer dread checking the inbox!

  17. I think I’m going to use this to replace the Captcha plugin for my Contact Form. Do you have the same solution for Jetpack contact form plugin?

  18. Is there a way for me to view the changes this plugin makes? It looks like it does something with CSS. I chose View Page Source & found my entry, but was just curious if I could see the field it adds. Also, I have heard that some tablets & phones are able to see these types of honeypot text. Are you aware of anything like this & does this plugin prevent that? Thanks

    • You’ll have to view the changes in the source of the page with the form on it. The element is hidden using CSS, but easily viewable in the source. As for tablets/phones — shouldn’t be a problem assuming it’s a modern browser being used. If you’re viewing the site (and form) on an old mobile phone browser that doesn’t load CSS, then the honeypot element would be visible. I would assume though that visitors using old phones like that are going to be a very very very small percentage of visitors. It will work in all typical smart phone browsers.

  19. Just installed it today – within 10 minutes I was hit by a literal *barrage* of bot-generated spam messages…

    Is there any particular tweak I should be aware of?
    Could someone be targeting precisely this plugin in order to succeed in its efforts?

    Your opinion is kindly appreciated


    • I can’t think of a reason a form using a honeypot field would be targeted, as it certainly doesn’t open up a vulnerability to the form. If the spammer is smart, it can be avoided, but that wouldn’t be a target-like criteria. I checked the form on your site, did you disable the plugin? I couldn’t find any indication that it was active in the form.

      • Hi there. They are indeed activated (both CF7 + the HP plugin).
        Good news is that after that initial surge nothing has filtered through.
        The initial wave of emails appears to originate from Gmail accounts; if you’re interested I could forward you the incriminated addresses (for your spam databases, etc).
        Kind regards

      • Hi Paul — I took another look at your site just to confirm. Assuming that the form you’re talking about is the contact form in the sidebar, there’s no sign of the Honeypot field there. Are you sure you’ve added it to the form? See steps 3-5 in the Installation section above. If I’ve got it wrong, or its another site you’re referencing, please disregard.

  20. HI Ryan,
    Great plugin. Works very well with our CF7 forms.

    I need to add Honeypot to another theme however, I have to insert the code instead Tag in a .php form. Is there a way to do it? That would be fantastic.

    • Hi Gil. The plugin is specifically built for CF7 forms, so it currently can’t be used outside of that. Of course, if you’re building a custom form, you can just build a honeypot into it yourself. It’s a pretty simple premise, and just requires that you have an extra input that is hidden using CSS and is checked before form submission to see if a value has been added to it.

  21. Hello. I cannot find the generate code dropdown. It should be where I create new contact 7 forms? I’m using WordPress 3.3.2. And the 1.1 version of honeypot downloaded at wordpress.org.

    Please help.

    • Yes, it is in the CF7 creator/editor page, in the same place as where all fields for CF7 are generated.

  22. Hi Ryan, I’m working on a site and wondered if I just copy and paste the code [honeypot email-123] , anywhere in the form? Do I have to add any tags that are shown in the form that’s generated? I’m relatively new to WP and have been searching for tutorials but no-one seems to elaborate on it as I saw something on inline css or hidden fields? Any advice appreciated

    • Hi Rich, yep, that should do. Just add that [honeypot email-123] tag anywhere in your form editor box and you should be all set.

  23. I have one web page with two Contact Form 7 forms. During testing, I set the “value” attribute of the honeypot input to something non-null, and it stops the form from being submitted as it should. But when I try the same thing for the other form, it doesn’t prevent the form from being submitted. Does your honeypot plugin only work on one CF7 form on a page?

    • @Forrest — I’ve never tried using it with two forms on the same page, but can’t think of why this wouldn’t work. All elements of an individual form should only relate to that form. It could be that CF7’s Ajax validation is getting tripped up. I’ll have to do some more testing to see.

  24. I just installed it, and then tested it twice by replacing a contact form7 with the honey pot on a new post, and a page that I knew spambots were sending their messages to my email from. Usually, any change to a post or page will trigger at least 20 or 30 immediate spambot nonsense messages. But not this time. So I decided to do a more extensive update on a page that I had posted photos of artwork, but little commentary. I wrote more about the subject, so that the spambots would be sure to be triggered, installed the edited contact form 7 with the honeypot, sent myself a test message to make sure the contact from was functional. And my message came through, but no spamalamdingdong….yet. But so far, so good. Thank you.

  25. I have two Contact Form 7 forms on a page (one on the main page, one in the sidebar), both protected by the honeypot. I just tested sending messages from both and they both work.

  26. Hi, first of all, thanks for this plugin – and for the latest update (1.3). I was running into validation errors since multiple use of on id, but that was solved now.

    Some improvements I like to see is a filter-hook for the “wpcf7_honeypot_shortcode_handler”, to change the output. I’d like to be able to choose if I use a css class for hiding the input.

    Another point is that the current version (1.3) outputs a label with for-attribute but missing an id for the input.

    Thanks again,

    • Hey Daniel, finally found some time to fix/add these features. See version 1.5 released today. I’ve added unique ID and FOR attributes to the input and label, and I’ve also added a filter hook which should give you the control you’re looking for (see the plugin instructions for details). If you’re able to test and confirm that the filter is working as expected, it’s very much appreciated (as was the coffee donation, thanks!).

  27. Seems there’s an issue with the latest version of Contact Form 7, v3.6 The honeypot shortcode is not getting converted and it just shows up on the page. Will this be addressed or is there a fix?

    • Hi Matt & Travis, this was due to a change in the most recent version of CF7. If you update your CF7 Honeypot plugin to the latest version (1.4 — now in the repository, so your WP update screen should indicate it), it should solve the problem for you.

      • Do you have a URL? Feel free to send me via the contact form on the Contact page (link up at the top of the page).

      • Your version of CF7 is way out of date. Try updating that. I’d also update WordPress asap, as you’re a number of significant versions behind, and there have been a number of security patches since then. If for some strange reason you can’t update anything, you’ll need to use an older version of the Honeypot plugin.

  28. Hiya,

    Thanks for such a valuable plugin.

    Can you just confirm for me which message is shown to the spambot when they are caught in the honeypot?

    I ask as I would like to specify my email address for the user in the “Sender’s message was failed to send” field – but only if this message is not going to be shown to a spambot.


    • Hi James, as of version 1.6 (releasing in the next 10 minutes or so), the message is the “# Submission was referred to as spam” error message.

  29. WP 3.8 + CF 7 3.6 + CF 7 honeypot 1.6

    after i inserted the fiel into the form;

    (with javascript disabled)

    no honeypot field is created.

    • Saw your follow-up. Sounds like you got it working. In case anyone else wanders by here, no javascript should be needed.

  30. Hi,
    I have installed Contact Form 7.3.2 and Honeypot 1.6, but the honeypot shortcode shows up in the form.

  31. Hey, I have added the code, for example [honeypot honeypot-112] however all that is outputted onto the page is [honeypot honeypot-112] and not the html version, what would be the reason for this?

    • The only reason I can think of is that the plugin hasn’t been installed/enabled under the Plugins section of the WordPress admin area.

  32. Unfortunately the honeypot still shows in the form of one of my sites.
    It is strange because in another site the problem does not occur.

    I use the latest version 1.6 of the Honeypot plugin, version 7.3.2 of Contact Form 7 and WordPress 3.8.1.

    Please let me know if you need any additional information to solve this problem.


    • Hi Yannis, if you can send me a URL to the page, I’ll take a look. Contact me here

  33. Hi Ryan,

    When I install the plugin and add the Honeypot tag to my contactform the contactform breaks and doesn’t show any more on the page.

    Any idea what this can be?

    I’m on WP 3.8.2
    Contact Form 7 3.3.1
    Honeypot 1.6



  34. I generated the tag (and renamed it contact-us, which generated [honeypot contact-us] however if I put this in it made the entire form disappear from the page.

    When i changed to [contact-us] the page showed up again. Have I installed honeypot properly?

  35. I installed the plugin and did not have the option to add the honeypot tag. I do see an “enable anti-spam honeybot” option under form settings>form options. Our contact form is actually built on eloqua but incorporated onto our wordpress site. If that “enable honeybot” option is there, does it mean it is compatible for the plugin?

    • Hi Gina, this plugin is strictly for use in conjunction with Contact Form 7. If you are using a different plugin to generate your contact form, this is not the plugin for you.

    • Hi Gina, this plugin is strictly for use in conjunction with Contact Form 7. If you are using a different plugin to generate your contact form, this is not the plugin for you.

  36. It is so nice to see info about a plugin where someone actually answers the questions!! Thank you!

    My question – when I use the code from the “Generate Tag” drop down in my contact form, the form on the website now is gone and says this …

    Fatal error: Class ‘WPCF7_Shortcode’ not found in /home/burnsciv/public_html/wp-content/plugins/contact-form-7-honeypot/honeypot.php on line 59

    My code looks like this …

    Your Name (required)
    [text 1=”your-name” 2=”24″ language=”*”][/text]

    Your Email (required)
    [email* your-email 24/]

    Your Phone #
    [text 1=”24″ language=”your-phone”][/text]

    Your Message
    [textarea your-message 20/]

    [submit class:submitbutton “Send”]

    [honeypot lame-637]

    The website is http://www.armedsecuritywi.com/

    • Hi Jen, first thing to check is if WP core, CF7 and this plugin are all right up to date. If not, you’ll need to take a look at this plugin’s WordPress page for information about confirming you’re using the right version of this plugin with the right version of CF7 (sometimes there are significant changes in CF7 which require an equally significant/non-backwards-compatible change in this addon). Your error would seem to indicate this is the problem.

  37. I have a Contact Form 7 on my home page at the bottom and on the right column of all other pages. When I add the code [honeypot honeypot-49]to my Contact forms above the submit, my form vanish from my website. When I remove the code, the forms reappear. Any thoughts would be appreciated.

  38. hi, i just downloaded honeypot cf7, activated it – but i cannot find how to edit the form on my theme.

    i have no clue where this part is:
    Choose “Honeypot” from the Generate Tag dropdown. Recommended: change the honeypot element’s ID.

    thank you!

  39. Does this plugin still work on the latest version of WordPress and CF7? It doesn’t seem to have done anything to stop the spam.

    • I just rolled out a new version. There was a change with CF7 that killed the honeypot validation. All fixed now.

  40. So if I just the honeypot tag in front of the standard email tag it will work automagically?

    • You can put the honeypot tag anywhere in your form, there’s really no restriction.

  41. I don’t see the “Honeypot” item on the “Generate Tag” menu of CF7.

    • Hi Kyle, can you confirm that you have enabled the Honeypot plugin and are using the latest versions of CF7, CF7 Honeypot and WordPress?

  42. The honeypot code contains attribute autocomplete=”nope” which gives error when page is validated. Is there a way to fix it to autocomplete=”off”?

  43. Your first FAQ item has a misspelling: additonal

    missing the “i” : additional

  44. Hi, there is no tag generator in contact form 7 5.1.3.
    How do I add the honeypot tag?

    • Are you using the most recent version of the CF7 Honeypot plugin? I haven’t noticed any problems. Maybe check your Inspector console and see if there are any javascript errors from other plugins that might be causing the problem.

  45. Hi!
    I installed Honeypot and I added in my form the Honeypot tag, but when I test my Form I get an error “One or more fields have an error. Please check and try again”.
    Why is it happening this? What can I do?

Say something...

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Return to Top ▲Return to Top ▲