Honeypot not showing

Hey @netzwerkstatt – Thanks for contacting us!

The anti-spam feature in WPForms verifies a token that our plugin adds to each form.

The token is a time-sensitive cryptographic string that’s very hard to guess or fake. This allows us to halt form submission processing if there’s no token, or if the token has expired or is invalid. For more details, please see our guide here.

Kindly,

Hi Prashant, thanks for getting back at me!

Could you please elaborate? I only found this in my form: <form id="wpforms-form-6673" class="wpforms-validate wpforms-form" data-formid="6673" method="post" enctype="multipart/form-data" action="/kontakt/" data-token="6c61eccebcaffde0045470ad764461f0">

Is this the token you’ve ment?

Hey @netzwerkstatt – Thanks for following this ticket!

That’s correct – the data token is the forms token I was referring to. When you get a chance, can you please check the documentation I shared above and let me know if I can share more details?

Kindly,

Yes please, help me out. I’ve checked to docs and have already enabled the anti-spam-protection in my form. You can take a look at it here: https://www.die-netzwerkstatt.de/kontakt/

I see the data-token=”…” in the markup as described in my previous comment.

However, if I disable the spam-protection, the data-token=”…” still shows up in the markup, I’ve already cleared the cache and verified having a current version of the page in my browser (I have now enabled the spam-protection again).

My conclusion is, that changing the spam-protection option has no effect (the token should only appear if the spam-protection is enabled but also shows if it is disabled).

I’ve also checked that my custom theme is not doing any changes to the plugin via functions.php – it does not. I’m using WPForms Lite 1.7.7.1

I digged into the plugin code and searched for the “antispam”, since the backend has a <input type="checkbox" id="wpforms-panel-field-settings-antispam" name="settings[antispam]" class="" value="1"> which lead me to the validate and verify-functions inside of /src/Forms/Token.php that are checking some time-related stuff.

I’m being honest to state I’m not quite sure how this time-based validation is supposed to prevent spam but I’m aware of how a honeypot is supposed to work:

1. Add a field the bots/spammers will fill out.
2. Hide that field from the regular users.
3. Identify spam via the filled out honeypot field.

That was my initial request “How is the honeypot supposed to work?” and I’ve already found some code in the lite-version:

1. /src/Forms/Honeypot.php with a render-function and $form_data['settings']['honeypot']

2. /includes/admin/builder/panels/class-settings.php which renders the backend-form (see screenshot from docs) with

if ( ! empty( $this->form_data['settings']['honeypot'] ) ) {
				wpforms_panel_field(
					'toggle',
					'settings',
					'honeypot',
					$this->form_data,
					esc_html__( 'Enable anti-spam honeypot', 'wpforms-lite' )
				);
			}

which is the only field that has a if-statement before it …

I’ve also checked the rendered HTML to make sure it doesn’t get caught up in translation mismatches but I have no entries after searching for “honey” in my WPForms backend.

After digging deeper I seem to have found the reason for my confusion, the honeypot has been deprecated in version 1.3.7?

From /includes/class-frontend.php:

/**
	 * Anti-spam honeypot output if configured.
	 *
	 * @since 1.0.0
	 *
	 * @param array $form_data   Form data and settings.
	 * @param null  $deprecated  Deprecated in v1.3.7, previously was $form object.
	 * @param bool  $title       Whether to display form title.
	 * @param bool  $description Whether to display form description.
	 * @param array $errors      List of all errors filled in WPForms_Process::process().
	 */
	public function honeypot( $form_data, $deprecated, $title, $description, $errors )

Sooo, if you’re still with me I’ll try to summarize:

1. There is no honeypot, it’s deprecated.
2. The data-token attribute shows in the frontend, no matter the setting inside the form.
3. Could you tell me a way to manually verify the token-based spam-protection is working? Or better said “how can I trigger the anti-spam protection?”

Thanks for your efforts, let me know if I need to provide you with further information!

• This reply was modified 2 years, 1 month ago by netzwerkstatt. Reason: markup/code cleanup

Hey @netzwerkstatt – Thanks for following up on this ticket!

Let me just check with the team to get some additional context and I’ll circle back to notify you with an update.

Kindly,

Hey @netzwerkstatt – Thanks for the patience and I apologize for the delay in getting back to you.

Your assessment is right about the use of the honeypot input being deprecated and is now replaced with the antispam token.

The Antispam feature uses server validation to handle the validity of tokens and if it doesn’t exist or it’s different from the unique tokens that we generate then the submission will fail. The anti-spam measure will only block bots that try to submit a POST request without ever loading the form. The loading process of the form is when the token is generated. In order to verify that it works, you can enable logging for all events including spam submissions. This will make it possible to view any submissions that were blocked as spam.

I hope this helps! Could you please let me know if I can provide you with more details?

Kindly,

Hi @prashantrai, thanks for the insights, that helps me ??

Best wishes from Germany!

Hey @netzwerkstatt – You’re most welcome, and if you have any questions, please feel free to reach out.

Kindly,