WP Armour adds honeypot fields to WordPress forms. A honeypot is a hidden form field that humans cannot see (hidden via CSS) but that bots fill in automatically because they process all fields. When WP Armour detects a filled honeypot field, it rejects the submission as spam. No cloud service, no data transfer, no CAPTCHA friction for users.
Why Honeypots Work (and Why They Sometimes Don’t)
Most WordPress form spam comes from bots that crawl the web, find form fields, and submit them automatically. These bots process HTML fields without rendering CSS – so they fill in every field they find, including hidden ones.
Honeypots fail against: human-operated spam (a person manually filling out your form will not see or fill the hidden field, but they are a real person), and sophisticated bots that render CSS before processing forms (uncommon but exists). For automated bot spam – which is the vast majority of WordPress form spam – honeypots are highly effective.
What WP Armour Covers
WP Armour adds honeypot fields to:
- WordPress comment forms
- WordPress registration and login forms
- Contact Form 7 forms
- WPForms
- Gravity Forms
- Ninja Forms
- Formidable Forms
- WooCommerce checkout and registration
- bbPress registration
WP Armour Extended (premium, around $25) adds support for more form plugins and additional protection mechanisms.
Setup
Install from WordPress.org. Activate. Done. WP Armour adds honeypot fields automatically – no configuration required. Go to Settings -> WP Armour to see which form types are protected and to configure any optional settings.
The optional extended settings allow you to:
- Add a time-based check (similar to Antispam Bee’s comment time filter)
- Enable logging of blocked submissions
- Configure which form types to protect
Need help configuring this on your site? Describe your setup and get a free estimate from a vetted WordPress developer.
Using WP Armour Alongside Other Anti-Spam Plugins
WP Armour pairs well with other anti-spam approaches because honeypot is an orthogonal technique. Running WP Armour with Antispam Bee gives you both honeypot protection and IP/timing analysis with zero data leaving your server – a strong privacy-compliant combination.
Using WP Armour with Akismet or CleanTalk catches spam at two layers: bots that fill the honeypot are rejected locally before even hitting the cloud API, reducing API calls and potentially reducing costs on usage-based plans.
Verifying the Honeypot Is Working
You cannot see the honeypot field visually – it is hidden. To verify it is present in your form, view the page source (right-click -> View Page Source) and search for hp_ or armour. You should find a hidden input field. If you are testing in browser DevTools, look in the form element for an input with display:none or visibility:hidden.