Hidden Form Fields To Prevent Bot Spam


Augie (a creative real estate investor) presented a spam prevention method idea which we’ve been talking about under a previous post this past week: HowTo Eliminate WordPress Trackback Comment And Pingback Spam. The basic idea is to provide an extra input field which is hidden to a user when viewed normally from the browser. This means if you check your form data when a submission is being processed, you can determine if the field is still empty. If it is filled out, then a bot must have auto filled the field.

Spam Field Details

The naming convention used on a hidden field should be named “email” or “url” to trick the bot. Your real email field will then of course need to be named something else. A small price to pay for less house cleaning.

Another key to all of this is to wrap your trap (haha) in a DIV so that the a bot cant tell that the field is hidden. Marking it with type=”hidden” on the input tag itself is a bit of a giveaway. Assigning an id or class to the div and specifying display:none; would cause the bot a lot of extra work which most probably aren’t programmed for. You could also use a built in id or class directly on the div to specify it as a hidden field.

Hidden Input Field Code

Here is an example of what your code would look like:

  1. CSS code would look like this:
  2. #email {
  3. display: none
  4. }
  6. OR if you're doing it by the div:
  8. .specialfield {
  9. display: none
  10. }
  12. Your form would look something like this:
  13. <form method="post" action="yourformprocessor.php">
  14. <div class="specialfield"><input id="email" type="text"></div>
  15. <input id="realemail" type="text">
  16. </form>

Using Hidden Fields

It isn’t too much of a stretch to add this to a custom solution or implement it into a WordPress comments or form plugins because id’s and classes are assigned to input fields by default. If you’re not already using a form plugin check out:

cforms II or Contact Form 7 (my preference).

If I get enough requests I’ll write a post which explains how to implement this into WordPress comments in a similar manner in which I setup the Enhanced Numbered Equation CAPTCHA.

The More Spam Defense The Better

I don’t have a lot of experience in using spam bots, but this is a promising way to enhance our line of defense against spam. More importantly, its not intrusive on a users browsing experience. Unlike a CPATCHA, it requires a valid visitor to do nothing!

If you have any thoughts or comments, about this spam technique, leave them below.

Respond: Leave A Comment | Trackback URL

Entrupeners, Subscribe for the lastest tools, tips, and tutorials.

11 Responses to Hidden Form Fields To Prevent Bot Spam

  1. Pingback: WordPress Wednesday: Comment Spam |

  2. paddster7

    I have set up the hidden field. However, how do it I set it up for the field to be checked and, if there is data there, have the submission rejected?


  3. You’ll need to know a bit of PHP to do it. This post is not a full guide.

  4. hey paddster heres the code youre looking for
    hopefully it shows up doesnt get filtered out

  5. my first comment didnt work, but remove the slashes from the php tags and that is what youre looking for

  6. alan

    I was researching this topic because I’m getting a lot of spam form submissions. I thought about blocking the IPs, but they keep changing. Also, I thought it might be a legitimate indexer/crawler like Google or Yahoo so I don’t want to decrease the popularity of our site. I just don’t want the junk form submissions (feedback forms).

    This “hidden DIV” idea seems simple enough. As for checking for spambots, I’d just put in your target file (action=”…”) something like “if ($_POST["email"] != “”){ –action if it’s a bot–}”

    I thought about putting action in there to flag the IP address for an hour and block it and then have something in my header script check the current IP versus the blacklist, but there again, if it’s a legitimate indexer, I wouldn’t want that! I just don’t want all the junk form submits.

    So maybe the solution is “if ($_POST["email"]==”"){ run my form processing here }.

    • Hi Alan,

      As a general rule I’d always make email fields required. The problem is you cant easily take an email address and validate it’s existence on a server when a post is in the process of being submitted to your site.

      IP tables are a pain to manage. Services like Akismet already blacklist well known offenders by IP too.

      I’ve covered this topic extensively in the past and it all still applies:

      I use a combination of those on even high traffic volume sites and seldom have much spam maintenance to do.

  7. I’ve been trying my best to make a solution which goes a bit like

    code to post the email goes here

    I haven’t made it work yet (argh). But it basically uses PHP to say if “url” (my input field) is NOT set (!isset) then post the email. I’m not sure why it’s not working but it’s an idea for you peoples.

  8. leo

    although it may be true that bots can’t tell the difference between required and non-required fields, and they fill all the fields out…….what i don’t know is if bots do the following…

    let’s say a bot found a form before the hidden field was implemented, and that it has successfully spammed before, so that means the bot already knows about that form and will fill it out the same way each time. so if the form had 5 fields before then it will fill out those 5 fields only and skip any new fields. so what that means is this technique probably only works for new bots that haven’t found that form yet.

    does that sound like it could be possible?

    • Unless the bot was built specifically for that site (pretty uncommon) it is likely it is working from a blank slate every time.

      First off, imagine a bot spams you, they save the data, and then you decide to make a new, legitimate “required” field. eg, you decide to split up your required name field into first name and last name. This throws off their stored count and would prevent a bot from a successful submission. With that idea, your theory could work for or against bots. Since things are always changing and only a fraction of changes are likely the addition of a hidden field to catch spammers, then I would suspect this would be a poor design for a bot.

      In addition, programming a bot to keep track of fields on a per page basis sounds like something most developers would leave out because of the complexity (very unique markup/implementation for each form). They’d have far better luck trying different methods to detect that your form is actually hidden. eg, checking the inline styles for “display:none;”. Or going as far as reading the class/id of the input fields so that they could curl all the external CSS style sheets too and try to determine the fields display state. If I made my own bot, this is what I’d do if I wanted 100% accuracy. But at that rate, I’d be slowed down by the extra work as many sites have 5+ style sheets. Now, you could argue that this could be more or less efficient based on the programming language you use and how you thread the requests to a server, but at the end of the day, its going to be more load. There is likely a balance of accuracy to speed & luck for automated spam bots. Most webmasters leave their forms unprotected still, so speed probably wins out for the spammers over using detection methods. Therefore, if you have a form hidden via external CSS, I’d bet you’re safe… and I wouldn’t worry about new vs old fields as a factor.

Leave a Reply

Custom Theme by Rob Malon | Content & Design © 2010 - RobMalon.Com - Chicago, Illinois