WP Armour – Honeypot Anti Spam Security & Risk Analysis

wordpress.org/plugins/honeypot

Fastest growing Anti Spam plugin. No API calls, subscriptions, captcha or puzzle. Fully GDPR compliant. For comments, contact form, login, registration

300K active installs · v2.3.04 · PHP + · WP 5.0+ · Updated Dec 20, 2025
Tags: akismet, anti-spam, comment-spam, contact-form-spam, spam-protection
98
A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Mar 15, 2024
Safety Verdict

Is WP Armour – Honeypot Anti Spam Safe to Use in 2026?

Generally Safe

Score 98/100

WP Armour – Honeypot Anti Spam has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Mar 15, 2024 · Updated 3mo ago
Risk Assessment

The "honeypot" plugin v2.3.04 exhibits a mixed security posture. While the static analysis reveals a remarkably small attack surface with zero identified entry points and no observed dangerous functions or raw SQL queries, there are notable concerns. A significant weakness lies in output escaping, with only 38% of outputs properly escaped, which can lead to cross-site scripting vulnerabilities if user-supplied data is not adequately sanitized before being displayed. The presence of two previous CVEs, including a past critical vulnerability, and a recent vulnerability in March 2024 is a significant red flag. Although no CVEs are currently unpatched for this version, the history suggests a recurring pattern of vulnerabilities, particularly Cross-site Scripting, indicating potential ongoing issues with input validation and output sanitization.

Overall, the plugin's lack of external interactions and file operations is positive. The presence of nonce and capability checks is also a good practice. However, the low percentage of properly escaped output and the historical vulnerability patterns, specifically the critical past CVE and the recurring XSS, are the primary drivers of risk. This suggests that while the plugin may have a small attack surface in terms of entry points, the handling of data that *does* enter the system may be insecure. Users should be aware of the past critical vulnerability and the ongoing risk of XSS due to insufficient output escaping.

Key Concerns

  • Insufficient output escaping
  • Past critical vulnerability history
  • Recurring Cross-site Scripting vulnerabilities
Vulnerabilities
2

WP Armour – Honeypot Anti Spam Security Vulnerabilities

CVEs by Year

2021: 1 CVE
2024: 1 CVE

Severity Breakdown

Critical: 1
Medium: 1

2 total CVEs

CVE-2024-29091 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Armour – Honeypot Anti Spam <= 2.1.13 - Reflected Cross-Site Scripting

Mar 15, 2024 · Patched in 2.1.14 (6d)

WF-2fd58397-7598-4d98-a6b3-c5837cb3b73e-honeypot · critical · 9.6 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Armour Honeypot Anti Spam <= 1.5.6 - Cross-Site Request Forgery to Arbitrary Options Update

Feb 8, 2021 · Patched in 1.5.7 (1079d)
Code Analysis
Analyzed Mar 16, 2026

WP Armour – Honeypot Anti Spam Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 18 (11 escaped)
Nonce Checks: 2
Capability Checks: 4
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

38% escaped · 29 total outputs
Data Flows: All sanitized

Data Flow Analysis

2 flows
wpa_save_settings (includes\wpa_functions.php:31)
Attack Surface

WP Armour – Honeypot Anti Spam Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 27
action · bbp_new_topic_pre_extras · includes\integration\wpa_bbpress.php:6
action · bbp_new_reply_pre_extras · includes\integration\wpa_bbpress.php:7
action · caldera_forms_pre_load_processors · includes\integration\wpa_calderaforms.php:11
filter · wpcf7_validate · includes\integration\wpa_contactform7.php:6
action · df_before_process · includes\integration\wpa_diviengineform.php:28
action · elementor_pro/forms/validation · includes\integration\wpa_elementor.php:14
action · fluentform/before_insert_submission · includes\integration\wpa_fluentform.php:15
filter · frm_validate_entry · includes\integration\wpa_formidable.php:6
action · gform_validation · includes\integration\wpa_gravityforms.php:6
filter · cred_form_validate · includes\integration\wpa_toolsetform.php:6
filter · preprocess_comment · includes\integration\wpa_wpcomment.php:7
filter · wpforms_process_before · includes\integration\wpa_wpforms.php:6
action · lostpassword_form · includes\integration\wpa_wplogin.php:10
action · woocommerce_lostpassword_form · includes\integration\wpa_wplogin.php:11
action · login_form · includes\integration\wpa_wplogin.php:13
action · woocommerce_login_form · includes\integration\wpa_wplogin.php:14
filter · authenticate · includes\integration\wpa_wplogin.php:28
action · lostpassword_post · includes\integration\wpa_wplogin.php:39
action · register_form · includes\integration\wpa_wpregistration.php:6
filter · registration_errors · includes\integration\wpa_wpregistration.php:11
action · admin_notices · includes\views\wpa_notice.php:3
action · wp_dashboard_setup · includes\wpa_dashboard_widget.php:3
action · init · wp-armour.php:17
action · wp_enqueue_scripts · wp-armour.php:39
action · login_enqueue_scripts · wp-armour.php:40
action · admin_menu · wp-armour.php:41
action · wpa_handle_spammers · wp-armour.php:42
Maintenance & Trust

WP Armour – Honeypot Anti Spam Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 20, 2025
PHP min version
Downloads: 4.5M

Community Trust

Rating: 100/100
Number of ratings: 1,330
Active installs: 300K
Developer Profile

WP Armour – Honeypot Anti Spam Developer Profile

Dnesscarkey

5 plugins · 535K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 474 days
Detection Fingerprints

How We Detect WP Armour – Honeypot Anti Spam

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/honeypot/css/wpa.css
/wp-content/plugins/honeypot/js/wpa_vanilla.js
/wp-content/plugins/honeypot/js/wpa.js
Version Parameters
honeypot/js/wpa.js?ver=
honeypot/js/wpa_vanilla.js?ver=
honeypot/css/wpa.css?ver=

HTML / DOM Fingerprints

Data Attributes
wpa_field_name
wpa_field_value
wpa_add_test
JS Globals
wpa_field_info
FAQ

Frequently Asked Questions about WP Armour – Honeypot Anti Spam