Invisible defense. Silent kill.
15 layers of spam protection your users never see.
No CAPTCHA. No friction. No configuration.
GPL-2.0 · Free · No account required
Image puzzles increase form abandonment. Your real customers leave. Bots with vision AI stay.
Static hidden fields with predictable names are on every bot's blocklist. They skip them instantly.
Spam emails still reach your server and your inbox. Classification happens after the damage is done.
Puppeteer and Playwright execute JavaScript, fill fields, and solve challenges — just like humans.
Each layer scores the submission independently. The combined score triggers our 3-Tier Triage System to handle spam without affecting legitimate users or bloating your database.
Blocks non-JS bots instantly. Tokens are fetched via REST API.
Decoy fields with cryptographically derived names that change per session.
HMAC-SHA256 signed tokens that detect tampering, forgery, and reuse.
Detects inhuman submission speed while exempting legitimate browser autofill.
SHA-256 cryptographic puzzle that forces CPU cost on bots via Web Crypto API.
Measures real interaction patterns — movement, keystrokes, scrolling — with integrity verification.
Scores submissions based on Chrome version age. Bots often use hardcoded, outdated User-Agent strings.
Server-side check instantly blocks known headless browsers (Puppeteer, Selenium, etc.).
Client-side detection of automated browser environments (webdriver, plugin count).
Per-source submission throttling with IPv6 /64 normalization.
Atomic token consumption (INSERT IGNORE). Every token works exactly once.
Block known spam sources by IP or CIDR range directly from the admin panel.
Flags messages stuffed with links — a hallmark of SEO spam campaigns.
Catches forum-style spam syntax ([url=...]) that bots inject into form fields.
Syncs with WordPress's built-in Disallowed Comment Keys for site-specific rules.
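The signed-token and one-time-consumption layers listed above, sketched as an added example (not the plugin's own code): a token carries an HMAC-SHA256 signature over its payload, and its nonce is consumed with an ignore-on-duplicate insert so that a replay adds no row. The token layout, `SECRET`, `TTL`, the `used_tokens` table and the function names are assumptions, and SQLite's `INSERT OR IGNORE` stands in for MySQL's `INSERT IGNORE`.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

SECRET = secrets.token_bytes(32)  # hypothetical per-site signing key
TTL = 3600                        # hypothetical token lifetime in seconds


def issue_token(form_id, now=None):
    """Return 'form_id.nonce.expiry.signature' (layout assumed for this example)."""
    expiry = int(now if now is not None else time.time()) + TTL
    payload = f"{form_id}.{secrets.token_hex(16)}.{expiry}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def open_store():
    """In-memory table of consumed nonces; the primary key enforces single use."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE used_tokens (nonce TEXT PRIMARY KEY, expiry INTEGER)")
    return db


def verify_and_consume(db, token, form_id, now=None):
    """Return 'ok', or the reason the token is rejected."""
    now = int(now if now is not None else time.time())
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; any edit to the payload changes the expected value.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return "bad-signature"
    # The signature is valid, so the payload has the layout issue_token produced.
    tok_form, nonce, expiry = payload.rsplit(".", 2)
    if tok_form != str(form_id):
        return "wrong-form"
    if now > int(expiry):
        return "expired"
    # Of two submissions carrying the same token, only one insert adds a row,
    # so no separate "check, then mark used" step exists to race against.
    cur = db.execute(
        "INSERT OR IGNORE INTO used_tokens VALUES (?, ?)", (nonce, int(expiry))
    )
    db.commit()
    return "ok" if cur.rowcount == 1 else "replayed"
```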
Activate the plugin. Done. All Contact Form 7 and WPForms forms are protected automatically. No shortcodes, no form editing.
Blocked Tier 2 submissions are saved to a lightweight local table (max 1,000 records, FIFO). Review false positives easily from the admin panel.
Unlike other plugins, Samurai Honeypot prevents Silent-Killed spam from bloating Flamingo's database, letting you safely use Flamingo as a CRM.
Tier 3 bots (score 100+) are immediately dropped from memory. Zero database writes. Protects your server during mass bot attacks.
Zero cookies. Zero external requests. No PII stored. IP addresses are one-way hashed before storage. No cookie consent banner needed.
Tokens are fetched via REST API — not embedded in HTML. Works perfectly with WP Super Cache, W3 Total Cache, and Cloudflare.
| Feature | Samurai Honeypot | reCAPTCHA | Akismet | Basic Honeypot |
|---|---|---|---|---|
| No user interaction | ✓ | ✗ | ✓ | ✓ |
| Proof of Work & Behavior | ✓ | ✗ | ✗ | ✗ |
| 3-Tier Triage (Pass/Log/Drop) | ✓ | ✗ | ✗ | ✗ |
| DDoS DB Protection (Drop) | ✓ | ✗ | ✗ | ✗ |
| Quarantine Log Included | ✓ | ✗ | Partial | ✗ |
| Flamingo DB Protection | ✓ | ✗ | — | ✗ |
| Silent Kill (No Errors) | ✓ | ✗ | ✗ | ✗ |
| Full-page cache safe | ✓ | ✓ | ✓ | Partial |
| No cookies / No external APIs | ✓ | ✗ | ✗ | ✓ |
Upload the plugin or install from WordPress.org. Click "Activate."
Every Contact Form 7 and WPForms form on your site is now protected by 15 layers of invisible defense.
Fine-tuning available under Settings → Samurai Honeypot if you want it. You probably won't need it.
Samurai Honeypot blocks bots before the email sends. It works alongside your existing security stack — not against it.
15-layer behavioral & cryptographic scoring. Blocks the majority of bots silently at the form level.
Google's invisible page-level risk scoring. Adds an independent signal without conflicting with our logic.
Cloud-based content filter. Catches anything that slips through with pattern matching and ML classification.
Yes. Tokens are fetched dynamically via the REST API, not embedded in cached HTML. It's fully compatible with WP Super Cache, W3 Total Cache, Cloudflare, and any other full-page caching solution.
Yes. For Contact Form 7, add `skip_samhp: on` to the form's Additional Settings tab. For WPForms, go to Settings > Samurai Honeypot > Rules & Access, and enter the form IDs you want to skip.
We actively protect Flamingo! Samurai Honeypot prevents blocked spam (Tier 2 and Tier 3) from being saved to Flamingo's database. Legitimate messages are saved normally, meaning your Flamingo Inbox stays clean and your database won't bloat.
Submissions flagged as Tier 2 are saved in our built-in Quarantine Log (Settings > Quarantine Log). You can review the score, reasons, and full form data here. (Note: Tier 3 bots are completely dropped to protect your server).
No. The plugin does not store any PII. IP addresses are one-way hashed with a site-specific salt before being used internally. Raw IPs are never written to the database. No cookies are set. No data is sent to external services.
Yes. Enable "Whitelist logged-in users" in the settings, and all scoring is skipped for authenticated users.
Follow these steps to identify and block datacenter-based bots:
[_remote_ip] and [_user_agent] to your CF7 mail template to log the IP address and User-Agent of every submission.

35.72.0.0/13) for a bulk block (Tier 3 Drop).

For advanced administrators: If possible, blocking datacenter IPs at the WAF (e.g. Cloudflare, Sucuri) or .htaccess level is even more effective. These blocks are applied before WordPress and PHP are loaded, meaning zero server resources are consumed by blocked requests — unlike plugin-level blocking, which still requires a full WordPress bootstrap for every request.
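How the per-source handling described on this page fits together, as an added example (not the plugin's own code): IPv6 sources are reduced to their /64 before throttling, the stored key is a salted one-way hash rather than the raw IP, and a CIDR blocklist uses the 35.72.0.0/13 range quoted above. `SITE_SALT`, `LIMIT`, `WINDOW`, the function names and the use of HMAC-SHA256 as the salted hash are assumptions; the sample addresses are constructed.

```python
import hashlib
import hmac
import ipaddress
from collections import defaultdict, deque

SITE_SALT = b"constructed-site-salt"              # hypothetical site-specific salt
BLOCKED = [ipaddress.ip_network("35.72.0.0/13")]  # CIDR range quoted on the page
LIMIT, WINDOW = 3, 60                             # hypothetical: 3 submissions per 60 s


def source_key(ip):
    """Salted hash of the throttling source: the full IPv4 address or the IPv6 /64."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is None:
        # A single client typically controls a whole /64, so changing the
        # low 64 bits must not yield a fresh throttling bucket.
        net = ipaddress.ip_network(f"{addr}/64", strict=False)
        source = str(net.network_address)
    else:
        source = str(addr.ipv4_mapped if addr.version == 6 else addr)
    # Keyed hash: the raw address never reaches storage.
    return hmac.new(SITE_SALT, source.encode(), hashlib.sha256).hexdigest()


def is_blocked(ip):
    """True when the address falls inside any blocklisted CIDR range."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in BLOCKED)


class Throttle:
    """Sliding window: at most LIMIT submissions per WINDOW seconds per source."""

    def __init__(self):
        self.hits = defaultdict(deque)

    def allow(self, ip, now):
        q = self.hits[source_key(ip)]
        while q and q[0] <= now - WINDOW:
            q.popleft()  # forget submissions that left the window
        if len(q) >= LIMIT:
            return False
        q.append(now)
        return True
```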
Free, open source, and ready in 30 seconds.