Does your contact form get dozens of spam messages every day? Ad links, nonsense text, bots offering jobs: all of these are sent by automated scripts. CAPTCHA is one solution, but it annoys users. A honeypot field is invisible to users but works as a trap for bots.
How honeypot works
You add a normal-looking field to the form, for example named "website" or "phone_number". You hide it with CSS using display:none or by positioning it off-screen. A real user doesn't see it and writes nothing in it. A bot loads the form and fills every field, because bots are blind: they read the HTML code, not the rendered page. On the server side you check the hidden field: if it is not empty, the sender is a bot and the message is rejected.
Technical implementation
In the HTML, add an input with name="website" type="text" tabindex="-1" autocomplete="off". In the CSS, hide it with position:absolute and left:-9999px, or with display:none. On the PHP side, check this field first when the POST request arrives. If it is filled, silently stop, or return "thank you, message received" and do nothing. The bot thinks the submission succeeded.
Choosing the field name
The honeypot field name matters. Bots look for common names: email, name, phone, website, url, address. Pick one of these and bots will fill it instantly. Don't name it "honeypot" or "trap", because modern bots recognize and skip these. The best choices are "website" or "homepage", because these appear in real forms and bots don't suspect them.
Extra protection layers
A honeypot works best combined with other methods. Time check: if the form is filled in less than 2 seconds, it's a bot. JavaScript token: on page load, JS adds a hidden token that the server verifies; bots usually don't run JS. IP rate limit: more than 3 submissions per minute from one IP gets blocked.
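The server-side checks from the "Technical implementation" and "Extra protection layers" sections, combined in one PHP function as an added example (not code from Sayt.uz or from the original article). The "ts" field, the SECRET constant, the function names and the sample addresses are assumptions; the form's render time is HMAC-signed so a bot cannot forge an older timestamp, and the JavaScript token is left out.

```php
<?php
// Added example: field names, secret and sample data are assumptions.
const SECRET = 'replace-with-random-server-secret'; // placeholder value
const MIN_FILL_SECONDS = 2; // time check from the text
const MAX_PER_MINUTE = 3;   // rate limit from the text

// Value for a hidden "ts" field, issued when the form is rendered.
function issue_form_stamp(int $now): string {
    return $now . ':' . hash_hmac('sha256', (string)$now, SECRET);
}

// Returns 'accept' or the reason the submission is dropped.
function classify_submission(array $post, string $ip, int $now, array &$hits): string {
    // 1. Honeypot: humans never see "website", so any value means a bot.
    if (trim((string)($post['website'] ?? '')) !== '') {
        return 'honeypot';
    }
    // 2. Time check: the stamp must be authentic and at least 2 seconds old.
    $parts = explode(':', (string)($post['ts'] ?? ''), 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])
        || !hash_equals(hash_hmac('sha256', $parts[0], SECRET), $parts[1])) {
        return 'bad_stamp';
    }
    if ($now - (int)$parts[0] < MIN_FILL_SECONDS) {
        return 'too_fast';
    }
    // 3. Rate limit: keep only this IP's hits from the last 60 seconds.
    $recent = array_filter($hits[$ip] ?? [], fn($t) => $now - $t < 60);
    $recent[] = $now;
    $hits[$ip] = array_values($recent);
    return count($recent) > MAX_PER_MINUTE ? 'rate_limited' : 'accept';
}

// Constructed sample submissions (not real traffic).
$hits = []; // in production this would live in a shared store, not a variable
$t0 = 1700000000;
$stamp = issue_form_stamp($t0);
$human = ['name' => 'Ali', 'message' => 'Hello', 'website' => '', 'ts' => $stamp];
$bot = ['name' => 'x', 'message' => 'ad', 'website' => 'http://spam.example', 'ts' => $stamp];

echo classify_submission($bot, '203.0.113.5', $t0 + 30, $hits), "\n";
echo classify_submission($human, '203.0.113.5', $t0 + 1, $hits), "\n";
for ($i = 0; $i < 4; $i++) { // four posts within one minute from one IP
    echo classify_submission($human, '198.51.100.7', $t0 + 10 + $i, $hits), "\n";
}
```

Whatever the function returns, the page shown to the sender should be the same "thank you, message received" response, so a bot cannot tell which check it failed.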
Sayt.uz practice
Every site built with the Sayt.uz constructor automatically gets honeypot protection on its contact forms. Spam drops 90-95%, and users notice nothing. The time check and IP rate limit add extra layers. The constructor starts at 49,000 UZS, with honeypot and other protections included.