Top Lines

Concrete5: Prevent Spam through your Contact Forms with a Honeypot

by Dave Reeder, 18 July 2018

Spam is really annoying and can cripple your inbox. Adding something called a honeypot helps prevent automated spam coming from bots before the form even gets submitted.

We'll modify the standard Concrete5 form block to add a new hidden field that users won't complete because they can't see it, but spam bots will because they complete every field in the form.

Because we know that only spam bots are going to complete that field, we can use that to our advantage and prevent submission of the form if that field is completed.

Create overrides for view.php and controller.php.

We assume we are working in Concrete5 v8, but you could make similar changes in older versions of Concrete5.

In your site, browse to /concrete/blocks/form/ and copy controller.php and view.php to /application/blocks/form/.  You will need to create the form folder in /application/blocks/, unless you have already got an override in place.

This creates overrides of those two files.  This means we can edit them in /application/blocks/form/ without having to edit the core files.  This is good because we won't lose our changes when we upgrade Concrete5 in the future.

Modifying controller.php

Open your controller.php override and change the line that says namespace Concrete\Block\Form;
to namespace Application\Block\Form;

This is an essential change: if you don't do this, you'll get an error when you view your site.  This is because you have moved the controller file, so it needs its namespace updated.

Next, find the line that says: 

function action_submit_form($bID = false)

This is the function that submits the form and creates the database entry in the form reports section.  Add the following as the first thing in the function:

if (isset($_POST['nocomplete']) && $_POST['nocomplete']) {
   $honey = $_POST['nocomplete'];
}

This gets the value posted from our honeypot field and assigns it to the variable $honey.  We will add this new honeypot field in our view file below.

Then wrap the rest of the function in an if statement:

if (empty($honey)) {
   ...
}

The ... is where the existing function code resides.  This new if conditional ensures that the form submit function only goes ahead and submits the form if there is nothing in our new honeypot field.
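
A stricter form of the same check, as an added example rather than code from this article or from Concrete5. The helper name honeypotTripped() and the sample submissions are constructed for illustration; it treats any value in the nocomplete field as a tripped honeypot, including values that PHP's empty() counts as empty.

```php
<?php
// Added example, not Concrete5 core code. honeypotTripped() is a
// hypothetical helper name; 'nocomplete' is the field used in this article.

/**
 * Returns true when the honeypot field carries any value at all.
 */
function honeypotTripped(array $post, string $field = 'nocomplete'): bool
{
    if (!array_key_exists($field, $post)) {
        // Field absent: same outcome as the isset() check in the article.
        return false;
    }

    $value = $post[$field];

    // A browser submits a single text input as a string. An array value
    // (nocomplete[]=x) does not come from the form as rendered, so reject it.
    if (!is_string($value)) {
        return true;
    }

    // Compare against '' instead of using empty(): empty('0') is true in
    // PHP, so a field filled with "0" would otherwise count as untouched.
    return $value !== '';
}

// Constructed sample submissions (not real traffic).
$samples = [
    'genuine user'    => ['qsID' => '123', 'nocomplete' => ''],
    'field filled'    => ['qsID' => '123', 'nocomplete' => 'http://example.com'],
    'value "0"'       => ['qsID' => '123', 'nocomplete' => '0'],
    'whitespace only' => ['qsID' => '123', 'nocomplete' => ' '],
    'array value'     => ['qsID' => '123', 'nocomplete' => ['x']],
    'field missing'   => ['qsID' => '123'],
];

foreach ($samples as $label => $post) {
    $result = honeypotTripped($post) ? 'rejected' : 'accepted';
    printf("%-16s %s\n", $label, $result);
}
```

In the controller override, the helper would replace both snippets above: call honeypotTripped($_POST) as the first thing in action_submit_form and return early when it is true.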

Modifying the view.php File

Open your view.php override and find the following hidden input:

<input name="qsID" type="hidden" value="<?php echo $qsID; ?>" />

On a new line above this, add our new honeypot field.  Go ahead and add the following:

<div style="display:none"><input type="text" name="nocomplete" id="nocomplete" value="" /></div>

Note how it is hidden from users because it sits inside a container with display: none set on it.

On the opening form tag itself, add the attribute autocomplete="off".  This prevents autocomplete, which would be a problem if the browser decides to add a value to our hidden field.  We wouldn't want this because it would mean genuine users can't submit our form!

Save all changes and that's it!  
This should stop some spam bots from sending forms and give you one less thing to deal with!

Make sure you test your form so you know you still receive emails and entries in the form reports section of the dashboard too.
