Honeypot: An alternative spam prevention for Perch

I recently blogged about Perch, my very favourite CMS platform. If you use any of Perch addons such as Perch Forms or Perch Blog you will notice the only spam protection that is included is Akismet.

Why not Akismet?

There is nothing wrong with Akismet except that it is a subscription based service. I'm a bit of a cheapskate and know that there are many effective and free solutions for stopping spam dead in its tracks.

What's my alternative?

One such method is honeypot traps. These act simply as a trip wire to spam bots who try to fill in every single form field. By simply including an extra form field that is hidden from human users we can detect if it is a spambot that is filling in the form.

I have written a few minor changes to the Perch core that allow us to easily implement honeypot traps in Perch forms and posted these instructions to the Perch forums.

Does it work?

Yes. It works very effectively on this website. When first launched, the blog comments began to receive high amounts of spam that needed to be manually approved or trashed.

Manually shifting through a mess of spam comments become a hassle so I decided implement a honeypot trap within Perch. I poked around in the validation code for submitted forms and found that it was really easy to add my own conditions.

What's the catch?

The Perch team do not recommend modifying the Perch core so use the following code at your own risk. It was said that they won't provide support to those who do, but honestly how will they know? 

How to implement?

The instructions below are based on Perch v2.1.3 but they should apply to other versions as long as you find the correct location to insert the code.

  1. Open PerchAPI_SubmittedForm.class.php, you will find this in: perch/core/lib/api
  2. On line 84, insert the following code: (warning: the line may change in different versions of Perch)
    // CUSTOM
    if ($Tag->honeypot()) {
       if (isset($_POST[$incoming_attr]) && $_POST[$incoming_attr] !== '') {
          $valid = false;
          $Perch->log_form_error($this->formID, $Tag->id(), 'honeypot');
       if (isset($_GET[$incoming_attr]) && $_GET[$incoming_attr] !== '') {
          $valid = false;
          $Perch->log_form_error($this->formID, $Tag->id(), 'honeypot');
    // CUSTOM
  3. Save the file.
  4. To add a honeypot to a form template in perch, use a tag like this:
    <perch:input type="text" id="subject" honeypot="true" label="Spamtrap" />
  5. Hide the input "#subject" with CSS.

Example: (using "subject" as an alias)

<div class="subject" <perch:error for="subject" type="honeypot">style="display:block!important;"</perch:error>>
   <perch:label for="subject">Subject:</perch:label>
   <perch:input type="text" id="subject" honeypot="true" label="Spamtrap" />
   <perch:error for="subject" type="honeypot">You have triggered the spam trap, please ensure 'Subject' is blank.</perch:error>

This is hidden with ".subject {display:none;}" in the CSS unless the form has been submitted and tripwire triggered, then it is displayed with an error message (in the unlikely scenario a valid user triggered it).


  • Tim

    08 Oct 2014 21:55:25

    Not cheapskate at all. There is just no reason to use subscription services, neither is there no longer a need for a CAPTCHA. It’s surprising how many people have yet to realise that.

    Anyway, much thanks for your “Honeypot fix”. It will be very useful for me!

    Best regards,
    Tim Base

Leave a comment