Development Status: Work In Progress

Last updated: 2020-09-16

Works with CiviCRM 5.0 or higher.

Simple honeypot fields for CiviCRM Contribute forms. Useful for deterring bots, fraudsters, etc. that have latched onto your CiviCRM Contribute pages.

When to use:

The intent of this extension is NOT to replace the reCaptcha option for Contribute pages! If you are having trouble with spam / malicious users and reCaptcha is not on, that option should be explored before installing this tool.

Use this extension when you need to deter a particularly persistent malicious person and/or bot that is testing credit card numbers on a donation page, cycling through different CC numbers, IP proxies, etc. Nonprofits are typically targets of this type of activity because their donate pages are, in general, as easy to submit as possible. Holding banks (your account with the payment processor) do not like to see this type of activity and may give even a small organization trouble, so it's best to limit fraudulent transactions of this type as much as possible.

These tools will be especially useful when...

  • Your CMS security is compromised or misconfigured in some way and a user/bot can create malicious authenticated users, bypassing reCaptcha. This tool can trip them up to buy you time to find people and/or budget to figure out the CMS issue(s) and shut them down.
  • Your donation page is being targeted by a bot that can pass reCaptcha, or a real person simply answering reCaptcha and testing card numbers.


Features:

  • Classic hidden honeypot field, configurable name and id
  • Configure which Contribute forms to protect by form ID
  • Configurable velocity limiter for submissions - set the minimum number of seconds that must pass before you accept a form submission
  • IP banning from protected forms based on a manually entered list (supports wildcard bans such as 198.168.0.*, 198.168.*, 198.* etc. Use with caution!).
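
The three checks in the feature list, written as a standalone server-side sketch. This is an added example, not the extension's own code: the field name, token field, secret, function names and sample addresses are all hypothetical, and only IPv4 is handled. It signs the render time so a client cannot backdate it to slip past the velocity limit, and it matches wildcard bans on whole octets.

```php
<?php
// Added illustration, not the extension's code. All names and values are hypothetical.
const HONEYPOT_FIELD = 'website_url';  // hidden field a human never fills in
const MIN_SECONDS    = 5;              // velocity limit: render-to-submit minimum
const SECRET         = 'per-site-secret-placeholder';

// Issued at render time; the HMAC stops a client from backdating the timestamp.
function issue_token(int $now): string {
    return $now . ':' . hash_hmac('sha256', (string) $now, SECRET);
}

// Returns the render time, or null when the token is missing or tampered with.
function token_time($token): ?int {
    $parts = is_string($token) ? explode(':', $token, 2) : [];
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;
    }
    $expected = hash_hmac('sha256', $parts[0], SECRET);
    return hash_equals($expected, $parts[1]) ? (int) $parts[0] : null;
}

// IPv4 wildcard match on whole octets: "198.168.*" covers 198.168.x.x, not 198.16.x.x.
function ip_banned(string $ip, array $bans): bool {
    foreach ($bans as $ban) {
        $prefix = substr($ban, -2) === '.*' ? substr($ban, 0, -1) : null; // keeps the dot
        if ($ip === $ban || ($prefix !== null && strncmp($ip, $prefix, strlen($prefix)) === 0)) {
            return true;
        }
    }
    return false;
}

// Returns null to accept the submission, or the reason it was rejected.
function check_submission(array $post, string $ip, int $now, array $bans): ?string {
    if (ip_banned($ip, $bans)) {
        return 'banned_ip';
    }
    if (($post[HONEYPOT_FIELD] ?? '') !== '') {
        return 'honeypot_filled';
    }
    $rendered = token_time($post['hp_token'] ?? null);
    if ($rendered === null || $now - $rendered < MIN_SECONDS) {
        return 'too_fast_or_bad_token';
    }
    return null;
}

// Constructed sample submissions: accepted, honeypot filled, too fast, banned range.
$bans = ['198.168.*'];
$tok  = issue_token(1600000000);
var_dump(check_submission(['hp_token' => $tok], '192.0.2.10', 1600000030, $bans));
var_dump(check_submission(['hp_token' => $tok, HONEYPOT_FIELD => 'x'], '192.0.2.10', 1600000030, $bans));
var_dump(check_submission(['hp_token' => $tok], '192.0.2.10', 1600000002, $bans));
var_dump(check_submission(['hp_token' => $tok], '198.168.4.9', 1600000030, $bans));
```

A signed token can still be replayed once it is old enough, so a real deployment would also cap its maximum age or bind it to the session. Log the rejection reason server-side and return the same generic error for every case, so the form does not reveal which check fired.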