Uniform spam problem



There is a uniform contact form on one of my pages that keeps receiving spam, even though I implemented the required code.
Since there is even another form on the same website - the only difference is that it is not called a contact form - I am honestly clueless about what the problem might be. The plugin folder is intact and Honeypot and CSRF are drawn correctly on the website - that is, they are actually there.

I’d post some code, but I have no idea where the problem could be to begin with.
Is there anything I am missing? Do I have to implement something more?


The honeypot doesn’t prevent spam in general, it only aims to prevent auto-filling of forms by bots etc. that fill in any field and thus go into the trap. So if it is real people filling the form, there is no real way to prevent that unless they are coming from an IP range you could generally block. And more clever bots probably won’t go into the honeypot either…

Check if you really need the form. Do you get real messages through the form at all? If not, remove the form.

You could of course implement Captchas or quizzes, to discourage people to fill in the forms (might also stop real contact from filling in the form though).

Or analyze the spam messages:

  • are they very short? (=> implement minimum character count)
  • do they contain typical words (=> check content for words)


I’ve also noticed an increasing amount of spam on sites with Uniform and its honeypot for a few months. I think spam bots have become a tiny bit smarter, and only fill required fields. As a honeypot field can’t be required, this approach doesn’t seem to really help anymore.
So I’m also looking for another approach, but also try to avoid captchas as I find them ugly and annoying. I haven’t found any magic solution so far.


I am seeing this too. I might introduce a simple math problem to the form but I would really rather not. I guess you could detect key presses to know its a real person because a bot probably pastes it in, but I don’t how foolproof that would be.


You also risk to mark as spam people who use browser autocomplete or other ways to fill in the content.


Sure but you could just do it on a “your message” textarea field that is going to be unique. The other route is to block access from the spam bots them selves through .htaccess.


I looked into the new ReCAPTCHA version which seems to be completely straightforward: just mark the box, and there you go. I also read that they are going to implement a completely invisible version of it, which just checks for user behavior on the contact form. I will use ReCAPTCHA I think.


I like the captcha they have on GitHub when you create a new account.


Just for the record, Uniform also supports the calc and reCAPTCHA guards which can be enabled instead of or in addition to the honeypot. The reCAPTCHA still needs to be updated for Kirby 3, though.