reCAPTCHA v3 remains hidden and only challenges “dodgy” IPs/behaviour.
Anyway, as for setting up a honeypot, it seems pretty straightforward according to this article. Just create a dummy form for the bot. However, I imagine that would also mess with a customer’s form autofill.
Tricking Spambots with a Smarter Honeypot
It’s time to step up our game, programmers! Here’s a combination of spam thwarting techniques that makes a great spambot-proof form:
- Create a honeypot with the same name as one of the default fields. Make it look legit with a label. If you are using bootstrap, make it look perfectly legit with label and icon. We don’t want to alert the bot in any way that this field is special.
- Place the honeypot in the form in a random location. Keep moving it around between the valid fields. We don’t want the spambot writer to simply ignore the same field based on index.
- Rename your default fields to something random. Keep in mind you have to convert it back to its proper name on the server side. By naming the default fields to something random, the valid fields now begin to look like honeypots to the spambot.
- Add an expiration to your form. This will keep spambots from using the same fields and submitting the form later.
- Hide your form. You have to hide the honeypot to keep the valid users from filling it out. In my form, I hide the honeypot with JavaScript. It is still valid for you to hide this field with CSS. If you use CSS, your best bet is to use a class that contains a random word. In other words, if you call it “hide”, then the spambot author will pick it out easily.
Just a case of doing some custom development of the existing checkout.
It’s also possible that Cloudflare would pick up on this behaviour too, as their DNS blacklists “dodgy” traffic before they can even get to your site.
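A server-side sketch of the quoted article's list (honeypot under a default field name, random position, renamed real fields, form expiry), added here as an example and not part of the original post or the article. The secret, field names, 15-minute lifetime and function names are all assumptions.

```python
import hashlib, hmac, random, time

SECRET = b"constructed-demo-key"  # assumption: per-deployment server secret
REAL_FIELDS = ["email", "name", "message"]  # assumed field names for the demo
HONEYPOT = "email"   # honeypot reuses a default field name, as the article suggests
MAX_AGE = 900        # assumed form lifetime in seconds

def _mac(msg):
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()

def alias(field, issued):
    """Random-looking name for a real field, recomputable on the server."""
    return "f" + _mac(f"{issued}:{field}")[:12]

def build_form(now=None):
    """Field names in render order plus a signed timestamp token."""
    issued = int(time.time() if now is None else now)
    names = [alias(f, issued) for f in REAL_FIELDS]
    names.insert(random.randrange(len(names) + 1), HONEYPOT)  # random slot
    return {"token": f"{issued}.{_mac(f'token:{issued}')}", "fields": names}

def validate(post, now=None):
    """Return (True, fields mapped back to real names) or (False, reason)."""
    now = time.time() if now is None else now
    issued, _, sig = post.get("token", "").partition(".")
    expected = _mac(f"token:{issued}")
    if not issued.isdigit() or not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad token"
    if now - int(issued) > MAX_AGE:
        return False, "expired"
    # Browser autofill can populate a hidden field that has a common name,
    # which is the concern raised in the post; this check would reject it too.
    if post.get(HONEYPOT, "").strip():
        return False, "honeypot filled"
    return True, {f: post.get(alias(f, int(issued)), "") for f in REAL_FIELDS}

if __name__ == "__main__":
    form = build_form()
    print(form["fields"])  # aliases plus "email" in a random position
    print(validate({"token": form["token"], HONEYPOT: "spam@example.com"}))
```

Because the aliases are derived from the signed timestamp, the server needs no per-form storage to map them back to the real names.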