Honeypot seems to have stopped working

Same for me. Now it has stopped working altogether.

Same here.

Hi Andy and Li-An. Very strange, there’s been no change to how the Honeypot field validates to stop spam bots. @sandyme, I think your issue is a different one, based on what you described here.

Can you provide any more details about your Honeypot field settings? Have you tried renaming the Honeypot’s NAME field to something other than the default — or more specifically something a bot might want to fill out: e.g. call it “website-555” or something.

Bots will evolve, and the popularity of this plugin and other similar plugins may be incentive enough for spambot developers to create smarter bots that look for certain indicators that a field is a honeypot trap and not a legitimate field.

I’ve not noticed an increase in spam on the various sites I use the plugin, but I do have some updates planned that might help block more bots. I don’t have a schedule for the updates yet though, as it relies on me finding time to code/test/release.

I changed the field name several times ?? I have to find an alternative method for the moment.

Can confirm this has stopped working on all my clients sites using the Honeypot plugin. They are receiving Russian spam even with a renamed honeypot field.

Stopped working on all sites too ??

I think that bots caught up to the style attribute:

style="display:none !important; visibility:hidden !important;"

Maybe try outputting the CSS in the HEAD tag (as a style element, so it works right away) & target the wrapper with the honeypot’s name field CSS class?

• This reply was modified 6 years, 10 months ago by Chris Trynkiewicz (Sukces Strony).
• This reply was modified 6 years, 10 months ago by Chris Trynkiewicz (Sukces Strony).

Stopped working here as well. I guess about a week ago lot’s of our customers who have the Honeypot plugin installed are experiencing more and more spam.

It would be nice if this problem could be verified. Are the robots getting smarter? Is there a solution inbound for this?

Thanks

I haven’t tested this thoroughly but part of the problem is that the honeypot field isn’t required. So when bots send post requests without the honeypot key it validates ok.

Perhaps a fix such as this would work for the wpcf7_honeypot_filter function ?
if ( $value != ” ) {
replace with:
if ( $value != ” || !isset( $_POST[$name] ) ) {

I have to activate another antispam system. It becomes impossible to manage.

@antonynz — clever, I hadn’t considered that vector.

As I’m not being hit with spam like some of you discussed above, it’s difficult for me to test if @antonynz’s fix might help solve this. Is anyone willing to test this and see if it helps before this is rolled out in a new version?

If so, you simply need to replace your [WORDPRESS INSTALL]/wp-content/plugins/contact-form-7-honeypot/honeypot.php file with the one here: https://gist.githubusercontent.com/nocean/5623db16cf21a946445c66009c551070/raw/612ff4f8a84e6d755576c8c72b10965c16fab411/honeypot

FYI, @eclare — I’m considering ways to implement your suggestion in a backwards compatible way.

I make a test.

A new spam today – but only one. With the modified file.

• This reply was modified 6 years, 9 months ago by Li-An.

OK, again the same amount of spams.

Thanks for adding and trialing the code. The above patch would definitely stop the spam I have been getting looking at the post requests I logged.

Unfortunately I’m not getting hit with much spam either so haven’t come across other attack vectors yet.