Lurox 1.0 is live — visual page building for Magento 2. Read the guide
Honeypot User Guide

Honeypot User Guide

Invisible spam & bot protection — no CAPTCHA, no friction for real customers.

An invisible bot trap

The Honeypot stops form spam and bot signups without ever bothering a real customer. It adds a decoy field that humans never see but automated bots — which blindly fill every field — will complete. It also times how long a form takes to submit. When a submission trips either check, it's quietly rejected. Unlike a CAPTCHA, there's no puzzle, no image grid, and nothing for your genuine shoppers to do.

How it works

Two lightweight checks run on every protected form:

  1. The decoy field. A hidden field is added to the form. It's positioned off-screen and marked so screen readers and keyboard navigation skip it entirely. A real person never sees or fills it; a bot that auto-completes the page does — and that submission is blocked.
  2. The timing check. A genuine person needs a few seconds to read and complete a form. If a submission arrives implausibly fast (under a configurable threshold), it's treated as automated and blocked.

It's deliberately fail-safe: if the timing data is missing for any reason, the submission is allowed and simply logged — the system always errs toward letting real traffic through.

Which forms are protected

Contact form, customer registration, checkout and newsletter signup are protected by default. Customer login is available too, but off by default — switch it on only if you see targeted login-bot activity.

Configuration

Stores → Configuration → Cabbage Patch Studios → Honeypot Anti-Spam.

SettingWhat it doesDefault
Enable HoneypotMaster on/off.Yes
Time Threshold (seconds)Minimum time a real submission should take. Submissions faster than this are blocked.3
Enable LoggingRecord blocked attempts for review.Yes
Protected formsToggle protection per form: Contact, Registration, Checkout, Newsletter, Login.All on except Login
Auto-Archive & RetentionCompress and age out old logs automatically (7–90 days).On / 14 days

There is also an administrator-only debug mode that temporarily reveals the trap for testing. It is for setup verification only and must be turned off again before customers use the site.

The Honeypot Anti-Spam admin configuration screen.
The configuration screen — general settings, the per-form protection toggles, and log management. (The hidden field’s name is redacted here; yours stays private.)

Setting up & checking it works

  1. Open Honeypot Anti-Spam and confirm Enable Honeypot is Yes.
  2. Leave the protected forms at their defaults (Contact, Registration, Checkout, Newsletter on).
  3. Keep the Time Threshold at 3 seconds — comfortable for people, fatal for bots. Don't drop it below 1 second.
  4. Make sure Logging is on so you can see what's being caught.
  5. Submit a protected form normally — it should go through without any extra step.

To see what's being stopped, open Marketing → Honeypot → Spam Reports: a filterable, exportable log of blocked submissions with the form, time-to-submit, IP and user agent. Patterns there tell you whether to tighten the threshold or enable login protection.

Accessibility & false positives

False positives are very rare by design. The decoy field is hidden from assistive technology and keyboard navigation, and browser autofill doesn't touch hidden fields — so a real customer can't stumble into it. Because the timing check fails safe (missing data → allow + log), legitimate shoppers are never locked out. This is the key advantage over CAPTCHA: protection with zero friction and no accessibility barrier.

FAQ

Will customers ever see a challenge? No. There's nothing to solve and, in normal operation, nothing visible at all.

Do I still need a CAPTCHA? The honeypot handles the bulk of automated spam invisibly. You can run it alongside other protections, but for most stores it removes the need to put a CAPTCHA in front of customers.

The logs are growing — is that a problem? No. Auto-archive compresses them daily and retention ages them out (default 14 days); raise the retention if you want a longer audit trail.

Changelog

This guide is itself a Lurox page. Every revision is a published version in Lurox's built-in content history, so we can roll any guide back to an earlier version at any time. The public changelog below tracks what changed and when.

Version 1.1

30 June 2026

  • Added an annotated screenshot of the configuration screen.
Version 1.0

30 June 2026

  • Initial publication: how the honeypot works, protected forms, configuration, verification, accessibility and FAQ.

Explore the rest of the library

Browse every Cabbage Patch Studios user guide in one place.

All User Guides