Lurox 1.0 is live — visual page building for Magento 2. Read the guide
Magento 2 · Anti-Spam

Stop form spam. Invisibly. Free.

Honeypot sets an invisible trap on your Magento forms — contact, registration, login, newsletter and checkout. Bots walk right into it; real customers never see a thing. No CAPTCHA, no cookies, no friction — and it's free.

Free forever, every store Invisible no CAPTCHA, no puzzles 5 forms guarded independently No cookies no third-party calls
A Magento 2 form quietly trapping spam bots while a real customer passes straight through
Free foreverHyvä-readyMagento 2.4.xNo CAPTCHANo cookiesMulti-store

Spam protection your customers never feel.

Invisible to your customers

No puzzles, no checkboxes, no "select every traffic light." Real shoppers never see a thing — bots walk into a trap they can't detect.

No CAPTCHA, no friction

Nothing to solve means nothing to abandon. You stop spam without adding a single click to checkout, registration or contact.

Guards every form that matters

Contact, registration, login, newsletter and checkout — each protected independently, with a log of every bot it catches.

The Honeypot admin — independent toggles for contact, checkout, registration, login and newsletter forms

Protect every form, on your terms.

Turn honeypot protection on for exactly the forms you want. Each one is an independent switch, so you cover the spam magnets without touching anything else — and sensible defaults mean you're protected the moment it's installed.

  • Contact, customer registration, login, newsletter & checkout
  • Each form enabled or disabled on its own
  • Checkout is guarded server-side; the rest via a tiny injected field
  • Configurable per store view — protect one storefront or all of them
Read the guide

Two layers a bot can't beat.

A hidden trap field

An invisible field is added to your forms. Humans never fill it; bots that auto-complete every field give themselves away — and are blocked on the spot.

A too-fast tripwire

Bots submit in milliseconds. A configurable time threshold blocks anything sent faster than a human could type — and a missing timing token fails open, so real users are never caught.

Logged and reported

Every blocked attempt is recorded — form, IP, user agent, reason — in a filterable admin report with CSV export, auto-archived and pruned on your schedule.

The Honeypot general settings — hidden field name, time threshold and logging toggles

Set it once, forget it.

A handful of clear settings — nothing to babysit. Name the hidden field, set how fast is "too fast," and decide whether to log what you catch. Sensible defaults ship in the box.

  • Rename the hidden field to dodge bot fingerprinting
  • Set the minimum seconds a genuine submission takes
  • Turn on logging to see exactly what's being stopped
  • Test mode makes the trap visible while you verify it — never in production
Read the guide

Why it matters

Spam is a tax on your team.

Every fake signup, junk enquiry and bot order is time someone has to clean up — and noise that hides your real customers. Honeypot stops the bulk of it silently, for free, before it ever reaches your inbox or your database.

Get it free

Why merchants switch

The CAPTCHA way vs Honeypot

The CAPTCHA way

  • Shoppers solve puzzles to prove they're human
  • Friction on every form — some just give up
  • Loads a third-party script and its cookies

With Honeypot

  • Invisible — customers never see or do anything
  • Zero friction, zero abandonment added
  • No third-party scripts, no cookies, self-hosted

Free, forever

Real spam protection, $0.

Free for every store. Create a free account to download — no card, no catch.

Honeypot Anti-Spam

Free forever
$0 forever, per store
  • Two-layer honeypot — hidden field + time threshold
  • Protects contact, registration, login, newsletter & checkout
  • Silent to customers — no CAPTCHA, no cookies
  • Blocked-attempt logging with filterable reports & CSV export
  • Auto-archive & scheduled log cleanup
  • Works on Luma, Hyvä & Lurox · multi-store
Get it free
✓ Free forever✓ No credit card✓ No third-party services

The details.

Two layers

Hidden field + time threshold.

Zero friction

Invisible; no CAPTCHA, no cookies.

Logged

Reports + CSV, auto-archived.

Any theme

Luma, Hyvä & Lurox · multi-store.

Questions, answered.

CAPTCHA asks real people to prove they're human, adding friction (and a third-party script and cookies). A honeypot does the opposite — it sets an invisible trap that only bots fall for, so your customers see and do nothing. Many stores run both: honeypot silently removes the bulk of automated spam, so reCAPTCHA (if you use it) has far less to score.

It's built not to. The trap field is off-screen and marked so humans, screen readers and autofill leave it alone, and if the timing token is missing it fails open — it allows the submission rather than risk a false block. Only a filled trap field or an impossibly fast submission is stopped.

Contact, customer registration, customer login, newsletter and checkout — each toggled independently. Checkout is guarded server-side; the others via a tiny injected field. (Login ships off by default; turn it on if you need it.)

No. There's no third-party script, no external call and no cookie — just a hidden field and a timestamp. Checkout protection runs server-side, so there's nothing for a shopper to load or wait on.

Yes. Turn on logging and every blocked attempt is recorded — form, IP, user agent and reason — in a filterable admin report with CSV export. Logs auto-archive and prune on the retention period you choose (7 to 90 days).

It's free, forever, for every store. You create a free Cabbage Patch Studios account to download it — no credit card — and it keeps working whether or not you register a key.

Need spam protection we don't ship?

Honeypot covers the standard Magento forms out of the box. If you need something more — a custom form protected, a rate-limit rule, an allow-list, or a feed of blocked attempts into your own logging stack — tell us about your store and we'll scope it, usually within one business day.

We build these alongside Honeypot, so you keep the invisible protection and add exactly what you need.

We'll only use your details to reply to this enquiry.

Trap the bots. Spare your customers.

Invisible, two-layer honeypot spam protection for Magento 2 — no CAPTCHA, no cookies, no friction. Free for every store, live in minutes.

Get it free